Release 5.34

March 2024

New in this release

IDP plus Second-Factor Authentication

When using a third-party identity provider for authentication, IDaaS second-factor authentication can now be included in the authentication flow.

Step-Up Authentication to Edit User Profile

The User portal can be configured to require step-up OTP authentication before a user is allowed to edit their user profile. The user attributes that receive the OTP can be configured in the policy.

OIDC Certificate Management

The certificates used for OIDC applications can now be managed, including having them certified by a Certificate Authority.

Grid Delivery Address Selection

When the end user or an administrator chooses to deliver a grid, the email address to use can now be selected. The allowed addresses can be configured in the policy.

Restrict OTP Delivery Types

The OTP delivery types that are available for OTP authentication can now be specified in the policy.

Administrator Support for Entrust Soft Token Manual Activation

When an administrator activates an Entrust Soft Token from the Administration portal, they now have the option to view the manual activation parameters.

Automatically Send Registration Magic Link

The Registration Magic Link can now be configured so that it is automatically delivered when a user is created.

User ID Quick Search

The user list in the admin portal now has a "Search for User ID" quick search option.

New Integrations

The following integrations have been added.

• A new RADIUS application template for PAM RADIUS Plug-in.
• A new SAML application template for Fastly
• A new SAML application template for Lucidchart
• A new SAML application template for Soloinsight

The following Identity as a Service integrations have been renamed from IntelliTrust to IDaaS:

• IDaaS AD FS Adapter
• IDaaS Apache Filter
• IDaaS Desktop
• IDaaS ISAPI Filter

The Identity as a Service integration IntelliTrust ForgeRock has been removed. The OIDC ForgeRock application is still available.

Fixed or changed in this release

1. When creating a tenant from a managed service provider, the country of the tenant and the mobile phone number of the first administrator are now optional. (34504)
2. When creating a tenant from a managed service provider, tenant creation fails if the service provider's entitlements are expired. The entitlement is now verified before trying to create the tenant. (34224)
3. Improved the performance of token queries and reports when the tenant has a large number of tokens. (34584, 34916)
4. Improved the performance of user export for tenants with a large number of users. (33632)
5. Device verification is now fully supported for Passkey, IDP, and Smart Login authentication. (34273, 34274, 34275)
6. Device verification caused unexpected errors if the user entered an invalid password during password change. (34528)
7. The tab titles in the User portal and Administration portal have been changed to use black instead of the primary account color. (34284)
8. Fixed the ESG setup_static_ip.sh script. (35025)
9. Previously an imported PKIaaS CA only supported OCSP for certificate revocation. Now CRLs are also supported. (34672)
10. Smart login now supports single sign-on. (33162)
11. The User portal operations to verify ownership of a phone number now consume SMS/Voice entitlements. (26751)
12. SAML metadata download fails when "All Certificates" is selected. (35034)
13. Addressed issues where travel velocity was performed for IP addresses without a location. (34364)
14. Improved the display of the Message of the Day in the login page on mobile devices. (34005)
15. Smart Login is now available for managed service provider tenants. (34581)
16. Fixed an issue with directory sync where errors could result in the user entitlement counts to be incorrect until the daily entitlement verification task was performed. (29178, 31441)
17. Addressed some issues in how authentication flows display in the Administration portal. (34807)
18. The subject name for a SYNCADD user audit should be clickable. (34478)
19. The IDP remove audit should not include all the details of the removed IDP. (34688)
20. Return a better error message when a duplicated trusted CA certificate is added. (33108)
21. Improve the formatting of authentication audits containing device certificate risk factor evaluation results so that the device certificate DN displays properly. (32896)
22. Improve the formatting of the Passkey button text on Safari. (34058)
23. Optional custom user attributes synchronized from the directory could be modified using the Administration API. (34402, 34405)
24. OTP authentication settings modify audit contained attributes whose values did not change. (34685, 34698)
25. The audit generated when a user is created or a soft token is created as part of user creation after an IDP authentication has the wrong subject name. (34524, 34534)
26. The audit generated when an inactive user authenticates with Passkey/FIDO2 was missing the Authenticator value. (31770)
27. PKIaaS CA actions on Issuing CA list page should be disabled for administrators that do not have permission to perform the action. Performing the action caused a permission denied error. (32930)
28. When configuring an Identity Provider, the JWKS Endpoint is now required for all IDPs except for Twitter. (34585)
29. The wrong error was displayed in the Administration portal if the administrator tried to remove a synchronized group from the user. (34379)
30. Passkey authentication did not work for managed service providers authenticating to a child account. (34277)
31. Some strings in the user portal were not translated for all locales. (34362, 34532)
32. Make the mobile application name consistent between the Activate Smart Credential and Activate Soft Token dialogs. (34648)
33. The "Add Client Credential Grant" option should be disabled for administrators that do not have permission to perform the operation. Performing the action results in a no permission error. (34509)
34. Improve the audit generated when a custom mail server is updated with a new password to indicate that the password was changed. (32904)
35. Fix password reset for AD passwords for users whose DN contains values that need to be escaped. (34285)
36. Only audits that have a subject name that are user IDs should be clickable. (34521)
37. The reset password audit shows the forceUpdate attribute even though it has not changed. (33042)
38. Changing the state of the ESG password agent could fail. (34641)
39. Creating a Generic Server OIDC Application is now only available in an account with the premium bundle. (34540)
40. Identity Provider configuration now supports acr values request. Supply a space separated list of acr values. If supplied then at least one of specified ones must be returned from the IDP to be successful. (34620)
41. If an OIDC request specifies a claims request for acr or amr as essential with specified values, then if at least one of the specified values cannot be achieved, the request wil fail. (34673)
42. Fixed an issue where the name and description of a resource rule containing groups synchronized from AD could not be updated. (34594)
43. Fixed an issue where the FIDOTOKEN add permission could not be set when creating or editing a role in the admin portal. (35259)
44. Updated phone number validation that was rejected phone numbers with new area codes for some countries. (35223)

Changes to Identity as a Service APIs

Authentication API

The attribute ignoreIPAddressForRBA has been added to UserAuthenticateQueryParameters, UserChallengeParameters, and UserAuthenticateParameters. When this attribute is set to true, the IP address provided to an authentication request is included in authentication audits but is not used for risk-based authentication. By default, the IP address is used for both audits and risk-based authentication.

The attribute expires has been added to UserAuthenticateQueryResponse. It specifies the expiry time of the authentication token.

Administration API

The following changes have been made to support selecting which email attribute is used when delivering a grid to a user.

• The model EmailParms has been added.
• The API deliverAssignedGridByEmailUsingPOST now takes EmailParms as a parameter.
• The attribute emailParms of type EmailParms has been added to the model GridAssignParms. This attribute is used when calling the API assignGridByIdUsingPUT and assignGridBySerialNumberUsingPUT.
• The attribute emailParms of type EmailParms has been added to the model GridCreateParms. This attribute is used when calling the API createGridUsingPOST.

The following changes have been made to define the OTP Settings policy used to define which delivery types can be used to deliver OTPs.

• The model OTPDeliveryMethod has been added. It defines an OTP delivery method and indicates if that method can be used for delivering OTPs.
• The attribute deliveryMethodshas been added to the model OTPAuthenticatorSettings. It defines an ordered list of OTP delivery methods that can be used for delivery OTPs. The first entry in the list is the default delivery method.
• The attribute otpDefaultDelivery in the model OTPAuthenticatorSettings has been deprecated and is replaced by deliveryMethods.

The following changes have been made to support defining IDP plus second-factor authentication and other improvements to Identity Providers.

• The attribute idpLoginSecondStep has been added to AuthenticationFlow and AuthenticationFlowParms. This attribute defines the list of authenticators that are required for IDP second-factor authentication.
• The attribute acrValues has been added to OidcIdentityProvider and OidcIdentityProviderParms. This attribute defines a list of authentication context request values to include in the authentication request to the 3rd-party IDP.
• The attribute descriptions for OidcIdentityProvider and OidcIdentityProviderParms have been improved.

Other changes made to the Administration API:

• The attribute companyCountry in the model TenantParms is no longer required when creating a new tenant.
• The attribute mobile in the model UserParms used to create the first administrator of the tenant is no longer required when creating a new tenant.
• The version of the method createTenantAsyncUsingPOST has been updated from v4 to v5. The non-compatible changes requiring this change are not related to authentication clients and will not impact IDaaS customers.

Supported TLS Ciphers

IDaaS supports the following TLS Ciphers.

TLSv1.3:

• TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519)
• TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519)
• TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519)

TSv1.2:

• TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519)
• TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519)
• TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519)
• TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519)
• TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519)

Support for the following TLS Ciphers were removed in IDaaS 5.32.

TLSv1.2:

• TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048)
• TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048)
• TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048)

Clients should stop using the following TLS Ciphers. Support for them will be removed in a future release.

TLSv1.2:

• TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519)
• TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519)

Enterprise Service Gateway Deprecation

Entrust will only support the last four releases of the Enterprise Service Gateway (the current version 5.34 and the three previous releases 5.31, 5.32 and 5.33). Entrust recommends that customers always upgrade their Enterprise Service Gateway to the latest release because each release contains security updates to the Enterprise Service Gateway Operating System.

ESG was updated to use a new OS in 5.33. In place upgrade of ESG is only supported for versions 5.33 or later. To upgrade versions ESGs older than 5.33 to the new version use the following procedure:

1. Download the latest Gateway OVA or Hyper-V file from IDaaS and install on a new VM instance.
2. Add a new Gateway instance to the existing Gateway in IDaaS.
3. Register the new Gateway instance with IDaaS.
4. Disable the old Gateway instance.
5. Repeat these steps to replace all the Gateway instances using older versions of the ESG.

Once the upgrade is complete, the Gateway instances corresponding to the old ESGs can be deleted from IDaaS and the VMs for those ESG instances can be deleted.

Browser Deprecation

Microsoft no longer supports Internet Explorer 11. Identity as a Service ceased support for Internet Explorer 11 after May 2023.