Release 5.33

February 2024

New in this release

Authentication Flows

IDaaS supports several authentication flows:

• The standard userID authentication flow where the user enters their userID and is then prompted for an optional first-factor password followed by a selection of second-factor authenticators.
• The Passkey authentication flow where the user uses their Passkey token to authenticate. Their userID is provided by the Passkey token.
• The Smart Login authentication flow where the user uses their Entrust Identity Smart Credential to authenticate to IDaaS. Their userID is provided by the smart credential.
• The Identity Provider (IDP) authentication flow where the user uses a third-party Identity Provider to authenticate. Their userID is provided by the IDP.

Prior to 5.33, some authentication flows (userID and Smart Login) were configured in the resource rules and some authentication flows (Passkey and IDP) were defined outside the resource rules in the applications. In 5.33, the authentication flows are now defined as a separate entity and linked to the resource rules. These changes provide the following benefits:

• Configuration of all authentication flows is the same.
• All authentication flows now support single-sign on and user registration and verification.
• Resource rule contexts, which can be used to deny access to an application apply to all the authentication flows. Prior to 5.33, Passkey and IDP authentication were not restricted by the context rules in the resource rule.
• Authentication flows can be shared with multiple resource rules.

The IDaaS portal authentication UI has been updated as part of this feature. Only the authentication flows defined for the application are shown. For example, the User portal can be configured so that only IDP authentication is shown.

The IDaaS user portal and administration portal can have different authentication flows. A user browsing to the account URL (ex: https://mycompany.us.trustedauth.com) will see the authentication flow for the user portal which may not be an authentication flow that allows access to the administration portal. In this scenario, a user wishing to access the administration portal can do so by adding ?action=admin to their URL. For example https://mycompany.us.trustedauth.com/#/?action=admin.

As part of these changes, the existing Resources menu has been split into two top-level menus. A new Security menu includes items related to authenticating to applications, including a new Authentication Flows menu item for managing authentication flows. The existing Resources menu includes items related to managing resources such as Grids, Tokens, and Smart Credentials.

When IDaaS 5.33 is deployed, existing resource rules will be converted. Where necessary, new authentication flows will be created and linked to resource rules.

Support Entrust Identity Mobile Hardware Storage for Smart Credentials

An upcoming version of Entrust Identity Mobile will support storing smart credential private keys in hardware. Hardware storage on iOS only supports Elliptic Curve (EC) keys. When configuring smart credentials in IDaaS, there is now an option to select EC as the key type in addition to RSA. Additionally, there is new policy for smart credentials to indicate to Entrust Identity Mobile that smart credential private keys must be stored in hardware storage or will be stored in hardware storage if available. Existing versions of Entrust Identity Mobile will fail to encode the smart credential if EC keys are specified and will not store private keys in hardware even if required by IDaaS policy.

FIDO2/Passkey Authenticator Improvements

An "Allowed Relying Party ID Hostnames" list has been added to FIDO2/Passkey policy. This list restricts the hostnames that can register FIDO2/Passkey tokens.

Strict Access Option for Resource Rules

In IDaaS if a user matches multiple resource rules, if one or more resource rules allows access then the user is allowed access using those resource rules. A new "Enable Strict Access for Application" option has been added to resource rules. If enabled and the resource rule denies access and the user is denied access even if other resource rules allow access.

Magic Link Redirect

An application creating an IDaaS Registration Magic Link can now include a redirect URL. After registration completes, the user's browser is redirected to that URL. The Magic Link policy now includes a policy to enable Redirect and to list URLs that are allowed for redirect.

Redirect URLs are only supported with Magic Links created using the administration API. They cannot be specified for Magic Links created from the administration portal.

Support Existing Entrust PKIaaS CAs

IDaaS has been supporting Entrust PKIaaS CAs created by IDaaS. Now customers can use Entrust PKIaaS CAs created from Entrust Certificate Services.

Customize Google Authenticator Name

Most 3rd-party soft tokens are compatible with Google Authenticator for activation and authentication. This means that customers using 3rd-party soft tokens with IDaaS can use the IDaaS Google Authenticator with those tokens. IDaaS now allows a customer to customize the name of the authenticator to match the token that the customer is using.

User Registration Enhancements

The following enhancements have been made to user registration:

• User registration can now include an option to create a new grid for the user.
• User registration can now include an option to perform password management for the user. If the user does not have a password, they can create a password. If the user has a password that is expired or set for forced update, the user can change it. Currently, password creation is only supported for IDaaS-managed passwords and not for AD passwords.

Support Multiple Smart Credential Definitions in User Portal

When activating a smart credential in the IDaaS User portal, if multiple smart credential definitions are configured, the user is now asked to choose which smart credential to use. The user no longer needs to choose between activating for mobile or physical smart credentials. That information is provided by the selected smart credential definition.

Enhance Password Expiry Notification

An upcoming version of Entrust Identity Mobile will support handling password expiry notifications. In IDaaS, support for delivering password expiry notifications to mobile has been added. This includes a new Mobile option for the Password Expiry Notifications policy.

Azure AD Directory Permission Changes

When authenticating to Azure AD, IDaaS no longer requests all the permissions required to perform all directory-related operations (synchronizing users and groups, changing or resetting user passwords). Instead, IDaaS requests minimal permissions and is given the permissions allowed for the authenticating directory credentials. If IDaaS does not have permission to perform an operation, the operation fails. This allows, for example, a customer to configure their directory to only provide read permissions supporting user synchronization without having write permission to support password change.

Enterprise Service Gateway (ESG) Platform Update

ESG has been updated to use a new OS. Versions of ESG prior to 5.33 are still supported for 3 versions after release, but they can not be upgraded in place. To upgrade existing ESGs to the new version use the following procedure:

1. Download the latest Gateway OVA or Hyper-V file from IDaaS and install on a new VM instance.
2. Add a new Gateway instance to the existing Gateway in IDaaS.
3. Register the new Gateway instance with IDaaS.
4. Disable the old Gateway instance.
5. Repeat these steps to replace all the Gateway instances using older versions of the ESG.

Once the upgrade is complete, the Gateway instances corresponding to the old ESGs can be deleted from IDaaS and the VMs for those ESG instances can be deleted.

New Integrations

The following integrations have been added.

• A new SAML application template for FortiSIEM
• A new SAML application template for Gong
• A new SAML application template for Huddle
• A new SAML application template for Mimecast
• A new SAML application template for Netskope
• A new SAML application template for Ziflow

Fixed or changed in this release

1. Push authentication in RADIUS did not fall back to token authentication when the push transaction expired. (34332, 34308, 34196)
2. Administrators logging into the IDaaS portal using device certificate authentication were only given access to the User portal. (34190, 33919)
3. User attributes synchronized from AD should be read-only when editing the user profile in the Administrator or User portal. (34300, 34291)
4. Magic Link email not using user locale for email subject and expiry date. (33924, 33556)
5. Audits for IDP initiated SAML/OIDC logins now include the application name in the audit. (34099)
6. The IntelliTrust Desktop application can now be configured to support FIDO2/Passkey authentication. (33783)
7. The activation email for mobile smart credential now includes a link to the Entrust Identity mobile application instead of the old Entrust Smart Credential mobile application. (33676, 33621, 33512)
8. IDaaS did not correctly handle incoming SAML requests if the RelayState parameter was not URL encoded. (33673)
9. Hardware tokens were not unassigned as expected when a synchronized user is deleted because they were removed from the directory. (33627)
10. The Administrator portal removed spaces from user aliases that contained multiple spaces. (33209)
11. Smart login authentication not saved in location history or counted in the authentications per application statistics. (33166, 33169)
12. Passkey login authentication not saved in location history or counted in the authentications per application statistics. (33168, 33167)
13. Check that the same Trusted Certificate Authority is not added twice. (32614)
14. When directory synchronization was configured to synchronize "Group Matching Group Filter" and the group filter was empty, all groups were synchronized. It should not synchronize any groups. (33201)
15. Improvements to policy caching to ensure policy changes are applied immediately. (33773)
16. IDaaS allows groups in a directory group filter that differ only with leading or trailing whitespace. (22843)
17. Improve message in failure audit if authentication fails because there are no active resource rules. (34134)
18. IDaaS accounts with Standard bundle were unable to add SAML applications. (33852)
19. The basic authentication option has been removed from Secure Device Provisioning. (30691)
20. The refresh option on the managed service provider tenant list page now displays all tenants being created rather than just tenants created in the current session. (33652)
21. Improved error message of synchronization from Azure AD fails because authentication token has expired. (32283)
22. Improved error in change password indicating that the password has matched an alias. (31644)
23. OIDC Authorization should only be accessible in accounts with the PREMIUM bundle. (34481)

Changes to Identity as a Service APIs

Authentication API

The authentication type PASSKEY has been added to the AuthenticatorType enumerated type. Previously when performing PASSKEY authentication, the API POST /api/web/v1/authentication/passkey (requestPasskeyChallengeUsingPOST) was used. This API has been deprecated. Instead, call POST /api/web/v2/authentication/users/authenticate/{authenticator} (userChallengeUsingPOST) with authenticator set to PASSKEY. The parameter userId in UserChallengeParameters is now optional. It is required when calling non-passwordless authenticators but is not required for PASSKEY.

The attribute relyingParyId has been added to FIDOToken which is returned from the APIs completeFIDORegisterUsingPOST and getSelfFIDOTokenUsingGET.

Administration API

The following APIs have been added to manage authentication flows:

• GET /api/web/v1/authenticationflows (getAuthenticationFlowsUsingGET) - List authentication flows.
• POST /api/web/v1/authenticationflows (createAuthenticationFlowUsingPOST) - Create an authentication flow.
• DELETE /api/web/v1/authenticationflows/{id} (removeAuthenticationFlowUsingDELETE) - Delete an authentication flow.
• GET /api/web/v1/authenticationflows/{id} (getAuthenticationFlowUsingGET) - Get an authentication flow.
• PUT /api/web/v1/authenticationflows/{id} (updateAuthenticationFlowUsingPUT) - Modify an authentication flow.

The following models related to authentication flows have been added:

• AuthenticationFlowParms - The parameters passed to the create and update APIs.
• AuthenticationFlow- The results returned from the create, get, list, and update APIs.

The following APIs have been added to manage OIDC identity providers:

• GET /api/web/v1/identityproviders/oidc (listOidcIdentityProvidersUsingGET) - List identity providers.
• POST /api/web/v1/identityproviders/oidc (createOidcIdentityProviderUsingPOST) - Create an identity provider.
• POST /api/web/v1/identityproviders/oidc/configuration (fetchOidcConfigurationUsingPOST) - Get configuration information for an identity provider.
• DELETE /api/web/v1/identityproviders/oidc/{id} (deleteOidcIdentityProviderUsingDELETE) - Delete an identity provider.
• GET /api/web/v1/identityproviders/oidc/{id} (getOidcIdentityProviderUsingGET) - Get an identity provider.
• PUT /api/web/v1/identityproviders/oidc/{id} (updateOidcIdentityProviderUsingPUT) - Modify an identity provider.

The following models related to OIDC identity providers have been added:

• OidcIdentityProviderParms - The parameters passed to the create and update APIs.
• OidcIdentityProvider - The results returned from the create, get, list, and update APIs.
• OidcConfigurationParms - The parameters passed to the configuration API.
• OidcConfigurationResponse - The results returned from the configuration API.

A new version of the following APIs to manage resource rules have been created. The new v2 version of the APIs manage resource rules linked to authentication flows. The old v1 version of the APIs have been deprecated and will be removed in a future release.

• GET /api/web/v2/resourcerules (getResourceRulesUsingGET) - List all resource rules.
• POST /api/web/v2/resourcerules (createResourceRuleUsingPOST) - Create a resource rule.
• GET /api/web/v2/resourcerules/resource/{id} (getResourceRulesForResourceUsingGET) - List all resource rules for the specified resource.
• DELETE /api/web/v2/resourcerules/{id} (removeResourceRuleUsingDELETE) - Delete a resource rule.
• GET /api/web/v2/resourcerules/{id} (getResourceRuleUsingGET) - Get a resource rule.
• PUT /api/web/v2/resourcerules/{id} (updateResourceRuleUsingPUT) - Update a resource rule.

The models ResourceRule and ResourceRuleParms related to resource rules have been modified.

• The attributes highRiskAuthenticationFlow, mediumRiskAuthenticationFlow, and lowRiskAuthenticationFlow have been added. These attributes specified the authentication flows associated with this resource rule for the different risk levels. These attributes are managed by the v2 version of the resource rule APIs.
• The attributes highRiskEnableSmartLogin, highRiskFirstStep, highRiskSecondStep, mediumRiskEnableSmartLogin, mediumRiskFirstStep, mediumRiskSecondStep, lowRiskEnableSmartLogin, lowRiskFirstStepand lowRiskSecondStep have been deprecated. These attributes have been replaced by the corresponding authentication flow attributes and will be removed in a future release. These attributes are managed by the v1 version of the resource rule APIs.

Once a resource rule has been updated by the v2 version of the resource rule APIs (including the IDaaS Administrator portal), it can no longer be accessed by the v1 version of the APIs.

The following models have been changed:

• An attribute relyingPartyId has been added to FIDOToken. This value specifies the relying party from which the token was registered.
• The attribute passkeyEnabled in AuthApiApplication and AuthApiApplicationParms has been deprecated. It is no longer used.
• The attribute keyType has been added to DigitalIdConfigCertTemplate. This value specifies whether the key type RSA or ECC should be used.
• The attribute redirectUrl has been added to MagicLinkCreateParms. This value specifies the optional redirect URL that can be included in a Magic Link.
• The attributes lockedAuthenticatorTypes in User and type in UserAuthenticatorLockoutStatus have been updated to include the new authenticator types IDP, PASSKEY, and SMART_LOGIN.

Supported TLS Ciphers

IDaaS supports the following TLS Ciphers.

TLSv1.3:

• TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519)
• TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519)
• TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519)

TSv1.2:

• TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519)
• TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519)
• TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519)
• TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519)
• TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519)

Support for the following TLS Ciphers were removed in IDaaS 5.32.

TLSv1.2:

• TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048)
• TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048)
• TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048)

Clients should stop using the following TLS Ciphers. Support for them will be removed in a future release.

TLSv1.2:

• TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519)
• TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519)

Enterprise Service Gateway Deprecation

Entrust will only support the last four releases of the Enterprise Service Gateway (the current version 5.33 and the three previous releases 5.30, 5.31 and 5.32). Entrust recommends that customers always upgrade their Enterprise Service Gateway to the latest release because each release contains security updates to the Enterprise Service Gateway Operating System.

Browser Deprecation

Microsoft no longer supports Internet Explorer 11. Identity as a Service ceased support for Internet Explorer 11 after May 2023.