Release 5.35

June 2024

New in this release

User Certificate Authentication

A new user certificate authenticator has been added to IDaaS. This authenticator can be used in a passwordless login flow or as a second-factor in User Login flow or IDP login flow.

User certificates can be either certificates issued by third-party CAs or certificates in IDaaS-issued smart credentials. The third-party CAs need to be added to the IDaaS Trusted CA list and marked as a user certificate CA. Additionally, to align with the new user certificate authenticator, issuing CAs will no longer be automatically used in device verification. A new option was added to allow specifying issuing CAs to be used in device verification.

User certificates issued by 3rd party CAs are matched against the user's attributes to locate the user in IDaaS. Supported certificate components for this matching process include subject DN, subject alternative Name, and serial number. For user attributes, user ID, user principal name, security ID, and custom attributes are supported. User certificates from IDaaS-issued smart credentials do not use the certificate matching process.

Device Verification Enhancements

IDaaS device verification has been enhanced to support verification performed using the forthcoming release of the Entrust Device Agent (formerly Identity Bluetooth Reader).

Support Microsoft Entra ID External Authentication Method (EAM)

IDaaS has added support for Microsoft Entra ID EAM where IDaaS can provide second-factor authentication for customers authenticating to Microsoft Entrust ID.

IDaaS Password, KBA and IDP authenticators are classified as knowledge type authenticators by IDaaS and so are not accepted by Microsoft Entra ID EAM as acceptable second-factor authenticators.

Directory Configuration Validation

A new Test action has been added for Directories. The Test action tests the directory configuration against the directory and reports on any errors found in the configuration.

Certificate Expiry Notification

When Notifications are enabled in IDaaS (Configuration > Notification) notifications are sent indicating when SAML and OIDC certificates are nearing expiry or have expired.

OIDC/SAML Enhancements

OIDC and SAML now support external authentication as a first-factor optionally without any second-factor authentication. SAML and OIDC applications can be configured to return to the client without user intervention when an error occurs during authentication. These capabilities allow a customer to configure their Service Provider to only use IDaaS risk capabilities to decide whether a user is allowed or denied access.

Customers should only use external authentication when they know that the client is performing first-factor authentication. Additionally, single sign-on should be disabled for a resource rule using external authentication.

When an OIDC authentication fails due to access denied, more error information can be included in the response returned to the client. This is controlled by the existing General setting "Enabled Enhanced Authentication Details."

IDaaS now supports the OAuth 2.0 Web Message Response Mode.

OIDC Authentication Context Class Reference (ACR) and Authentication Methods References (AMR) claims are now populated based on the authenticators used in IDaaS to authenticate the user.

External Risk Enhancements

Support for Generic External Risk Engines has been added to IDaaS. This allows customers to integrate their own risk engines with IDaaS.

Developer Portal Enhancements

The IDaaS Developer Portal has been enhanced with a new Docs section that includes documents describing how to integrate IDaaS with various services. New in this release is Protecting AWS API Gateway.

The IDaaS administration and authentication SDKs are now available by way of a private registry, facilitating easier integration into customer projects. Initially, Java, CSharp, and Python SDKs are available in the registry. Support for the Php SDK has been discontinued. The Python SDK now requires Python 3.7 or higher. The CSharp SDK has been updated to support .NET 8.0. For instructions on adding the private registry into your project, see the IDaaS Developer Portal.

Bulk Enhancements

The locale of the user can now be specified when creating or updating users.

Configure Allowed Smart Credential Definitions

When configuring smart credentials, an administrator can specify a list of allowed smart credential definitions. This allows an administrator to restrict which smart credential definitions can be selected when activating a smart credential.

Enhanced Configuration for IDaaS Desktop Application

When configuring an IDaaS Desktop Application, the administrator can now configure if the client application can determine whether the client IP address is used for Audits but not Resource Rule Conditions.

New Integrations

The following integrations have been added.

• A new SAML application template for Amazon Business.
• A new SAML application template for Confluent Cloud.
• A new SAML application template for SiteMinder.
• A new RADIUS application template for OpenVPN.

Fixed or changed in this release

1. Return a specific error grid_max_num_per_user when assigning a grid to a user who already has the maximum number of grids allowed. (33750)
2. Improvements to OIDC and IDP audits. (26886, 34533, 34538, 34907, 35123, 35180, 35353)
3. RADIUS push authentication does not properly handle repeated requests from VPN causing the authentication to be rejected. (35811)
4. Changes to the user authenticator page in 5.34 added a requirement for the SETTINGS:VIEW permission causing the page to fail to load for administrators without that permission. This permission is no longer required. (35424)
5. When a user selects a different locale during login they are given an option to set that locale as their default locale. If the user chose not to save that value in some scenarios, it would be saved regardless. (32335)
6. User list operation filtering for disabled users failed with error that the requested operation could not be performed. (34302)
7. Custom mail server error still present in UI after OAuth re-authentication. (35139)
8. URLs in message of the day may be truncated. (34523)
9. Updates to OTP default delivery settings not displayed in UI after save. (35179)
10. Alternate OTP delivery options ignored when authenticating for password. (35609)

Changes to Identity as a Service APIs

Authentication API

The following changes have been made to support user certificate authentication:

• The model UserCertificateChallenge has been added.
• The attribute userCertificateChallenge of type UserCertificateChallenge has been added to AuthenticatedResponse.
• The model UserCertificateResponse has been added.
• The attribute userCertificateResponse of type UserCertificateResponse has been added to UserAuthenticateParameters.
• The type USER_CERTIFICATE has been added as an allowed value where ever authentication types are specified.

Administration API

The type USER_CERTIFICATE has been added as an allowed value where ever authentication types are specified.

The type USER_CERTIFICATE_LOGIN has been added to the list of allowed Login Flow types.

New v2 versions of the following authentication APIs have been created to support the new USER_CERTIFICATE authentication type and the USER_CERTIFICATE_LOGIN login flow.

• GET /api/web/v2/authenticationflows (getAuthenticationFlowsUsingGET) - List authentication flows.
• POST /api/web/v2/authenticationflows (createAuthenticationFlowUsingPOST) - Create an authentication flow.
• DELETE /api/web/v2/authenticationflows/{id} (removeAuthenticationFlowUsingDELETE) - Delete an authentication flow.
• GET /api/web/v2/authenticationflows/{id} (getAuthenticationFlowUsingGET) - Get an authentication flow.
• PUT /api/web/v2/authenticationflows/{id} (updateAuthenticationFlowUsingPUT) - Modify an authentication flow.

The attribute allowIgnoreIpAddressForRba has been added to AuthApiApplication and AuthApiApplicationParms. This value specifies whether the client can specify that the client IP address is used for audits but not for resource rule conditions. This attribute only applies to IDaaS Desktop applications.

The following APIs have been added:

• GET /api/web/v1/scdefns/users/{userId} (listAllowedSCDefnsUsingGET) - List smart credential definitions that are allowed for the specified user.

Supported TLS Ciphers

IDaaS supports the following TLS Ciphers.

TLSv1.3:

• TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519)
• TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519)
• TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519)

TSv1.2:

• TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519)
• TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519)
• TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519)
• TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519)
• TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519)

Support for the following TLS Ciphers were removed in IDaaS 5.32.

TLSv1.2:

• TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048)
• TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048)
• TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048)

Clients should stop using the following TLS Ciphers. Support for them will be removed in a future release.

TLSv1.2:

• TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519)
• TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519)

Enterprise Service Gateway Deprecation

Entrust will only support the last four releases of the Enterprise Service Gateway (the current version 5.35 and the three previous releases 5.32, 5.33 and 5.34). Entrust recommends that customers always upgrade their Enterprise Service Gateway to the latest release because each release contains security updates to the Enterprise Service Gateway Operating System.

ESG was updated to use a new OS in 5.33. In place upgrade of ESG is only supported for versions 5.33 or later. To upgrade versions ESGs older than 5.33 to the new version use the following procedure:

1. Download the latest Gateway OVA or Hyper-V file from IDaaS and install on a new VM instance.
2. Add a new Gateway instance to the existing Gateway in IDaaS.
3. Register the new Gateway instance with IDaaS.
4. Disable the old Gateway instance.
5. Repeat these steps to replace all the Gateway instances using older versions of the ESG.

Once the upgrade is complete, the Gateway instances corresponding to the old ESGs can be deleted from IDaaS and the VMs for those ESG instances can be deleted.

Browser Deprecation

Microsoft no longer supports Internet Explorer 11. Identity as a Service ceased support for Internet Explorer 11 after May 2023.