Release 5.36

August 2024

New in this release

Organizations

IDaaS has been enhanced to support organizations. An IDaaS user can belong to one or more organizations. When the user authenticates using a SAML or OIDC application, the authentication response indicates the organizations to which the user belongs. When a user belongs to multiple organizations, they are also asked to select the organization they are accessing.

Customer applications that support multiple tenants can map their tenants to IDaaS organizations and use this information to determine which tenant the authenticating user is accessing.

Domain-based Identity Provider Selection

Third-party Identity Providers can be configured to be associated with domains.

When an IDaaS authentication flow is configured to support external Identity Providers, they can be configured to use the external Identity Providers associated with a user's domain.

This allows a customer to define a single authentication flow that applies to users using different Identity Providers based on the user's domain.

Face Biometric Authenticator using Onfido

A new authenticator "Face Biometric" has been added to IDaaS. This authenticator uses Onfido technology to perform strong biometric authentication of a user. The Face Biometric authenticator is available when authenticating to SAML and OIDC applications, and to the IDaaS portal.

Step-up authentication for User Portal Update Operations

When configuring the resource rules for the User portal, a separate resource rule can now be specified for User portal update operations. This allows the customer to require separate authentication before a user is allowed to modify their user profile or manage their own authenticators.

User Portal Configuration Enhancements

The User portal can now be configured to restrict the actions are available to the end users. Additionally, the User portal configuration has been reorganized so that all the settings are accessed from the new Policies > User Portal menu.

SAML Enhancements

SAML IDP initiated authentication has been enhanced so that the request can specify the Service Provider the user is authenticated to using the Service Provider Entity ID and the Relay State (if required) by Relay State value. The URL would have the following format.

https://<tenant>/api/saml/SAML2/SSO?spentityid=<spentityid>&RelayState=<RelayState>

This feature allows a customer to generate IDP URLs that can be bookmarked.

Bulk Enhancements

A new bulk operation to delete grids has been added to IDaaS. This bulk operation can delete either assigned or unassigned grids.

Upcoming Cross-Origin Requests (CORS) Handling Changes

IDaaS will be making the following changes to how CORS is handled in IDaaS in a future release. In 5.36, IDaaS will track invalid requests and Entrust will notify customers that will be impacted by these changes.

• IDaaS will reject requests that contain an Origin header with a value of null.
• The IDaaS Configuration setting "Enable CORS" will be enabled by default meaning that applications that are making cross-origin requests to IDaaS APIs will need to define the list of allowed origins in IDaaS CORS configuration.

Service Provider Management Removed

The service provider management capabilities supported for Google and Box have been removed. User provisioning is now supported using SCIM.

New Integrations

The following integrations have been added.

• A new SAML application template for Alibaba Cloud.

Fixed or changed in this release

5.36.1 Patch

1. OTP authentication for step-up authentication fails under some conditions. (36822)
2. Default value of IDaaS Face Biometric Authentication Input Name policy does not match new Onfido value for default workflows. (36770)
3. IDaaS does not accept some valid values for Onfido API key when configuring Onfido. (36883)
4. When changing Onfido API key or Web Hook token configuration in IDaaS the wrong value is saved unless both values are changed. (36721)
5. Access to the User Portal Entrust Soft Token activate/reactivate operation now requires the Entrust Soft Token Edit permission instead of the Add permission. This means the user portal can be configured to allow end users to activate or reactivate existing tokens without allowing them to create new tokens. (36908)

5.36

1. When configuring the network proxy for ESG the Save button should be disabled when the proxy test fails. (36143)
2. Enterprise Service Gateway heartbeats might not be tracked correctly due to clock skew between ESG and IDaaS. (36066)
3. Mobile SmartCredential activation dialog updated to reference the Entrust Identity mobile app and not the old Entrust SmartCredential app. (35607)
4. User report fails for users that have not completed activation. (36626)
5. User verification fails with error service_authentication.email_template_not_found. (35956)
6. Authentication flow not displayed correctly in user portal when using Safari. (36058)
7. The attributes SecurityID and User Principal Name are no longer shown in the User Portal > User Profile. (35321)
8. Offline token download not working for Desktop Credential Provider. (36049)
9. Improved audits when a SAML or OIDC application is modified. (35662)
10. Rename Microsoft Azure AD to Microsoft Entra ID in the IDaaS documentation. (35518)
11. Administrator should be blocked from upgrading Managed Service Provider from Trial to Production if there are not entitlements available. (34708)
12. Fix log rotation configuration for Enterprise Service Gateway. (35661)
13. Directory Test action is now disabled for Gateways with versions prior to 5.35. (35900)
14. Authentication Flow graphics should not have connection dots for IDPs without second factor. (34972)
15. Fix sorting in User Certificate Settings page. (36630)
16. When password is changed from Entrust Identity mobile app, the IDaaS audit is missing the resource name. (34178)
17. IDaaS Developer Portal includes an extra newline in the section linking to the license. (35960)

Changes to Identity as a Service APIs

Authentication API

The following models have been added to support Face Biometric authentication.

• FaceChallenge specifies the attributes needed to launch a Face Biometric authentication.

The following attributes have been added to existing models to support Face Biometric authentication.

• the attribute faceChallenge has been added to AuthenticatedResponse.
• the attribute faceResponse has been added to UserAuthenticateParameters.

Administration API

The following methods have been added to support management of Face Biometric authenticators.

• DELETE /api/web/v1/face/{faceid} (deleteFaceUsingDELETE) - Delete the specified Face Biometric authenticator.
• POST /api/web/v1/users/{userid}/face (createFaceUsingPOST) - Create a Face Biometric for the given user.
• PUT /api/web/v1/users/{userid}/face (updateFaceUsingPUT) - Update the Face Biometric for the given user.
• GET /api/web/v1/users/{userid}/faces (getFacesUsingGET) - Get the Face Biometrics for the given user.
• GET /api/web/v1/users/{userid}/settings/face (getUserFaceSettingsUsingGET) - Get the Face Biometric settings for the given user.

The following models have been added for Face Biometric Authenticators.

• FaceAuthenticator specifies the attributes for a Face Biometric.
• FaceCreateParms specifies the attributes passed when creating a Face Biometric.
• FaceUpdateParms specifies the attributes passed when modifying an existing Face Biometric.
• UserFaceSettings specifies the settings for the Face Biometric authenticator.

The following methods have been added to support management of Organizations.

• POST /api/web/v1/organizations (createOrganizationUsingPOST) - Create an organization.
• GET /api/web/v1/organizations/{id} (getOrganizationUsingGET) - Get the specified organization.
• PUT /api/web/v1/organizations/{id} (putOrganizationUsingPUT) - Update the specified organization.
• DELETE /api/web/v1/organizations/{id} (deleteOrganizationUsingDELETE) - Delete the specified organization.
• POST /api/web/v1/organizations/{orgid}/users/{userid} (createUserOrganizationAssociationUsingPOST) - Add the specified user to the specified organization.
• DELETE /api/web/v1/organizations/{orgid}/users/{userid} (deleteUserOrganizationAssociationUsingDELETE) - Remove the specified user from the specified organization.
• POST /api/web/v1/organizationspaged (organizationsPagedUsingPOST) - List organizations matching the given search criteria.
• PUT /api/web/v1/users/{userid}/organizations (modifyUserAOrganizationAssociationsUsingPUT) - Modify the organizations for the specified user.

The following models have been added for Organizations.

• Organization specifies the attributes of an organization.
• OrganizationPage specifies a page of organizations returned from the list operation.
• OrganizationParms specifies the parameters passed when creating or modifying an organization.
• UserOrganizationParms specifies the parameters passed when modifying the organizations to which a user belongs.

The following changes to existing models have been made to support Organizations.

• the attribute organizationIdshas been added to OidcIdentityProvider and OidcIdentityProviderParms. This attribute specifies a list of organizations to which a user created after authenticating to an external IDP will be assigned.
• the attribute organizations has been added to User and UserParms. This attribute specifies a list of organizations to which the user belongs.

The following changes to existing models have been made to support Domain-based IDPs.

• the boolean attribute idpDomainBased has been added to AuthenticationFlow and AuthenticationFlowParms. This attribute indicates if the AuthenticationFlow will only use domain-based IDPs.
• the attribute domains has been added to OidcIdentityProvider and OidcIdentityProviderParms. This attribute specifies a space separated list of domains associated with the IDP.

When specifying a password value for a user the provided value can now be passed as cleartext (the existing behavior) or provided as a bcrypt protected value (new behavior). This allows a customer to import existing bcrypt protected passwords into IDaaS using the IDaaS administration API. To support this functionality the following changes have been made existing models.

• the attribute passwordFormat has been added to UserPasswordParms.

Supported TLS Ciphers

IDaaS supports the following TLS Ciphers.

TLSv1.3:

• TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519)
• TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519)
• TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519)

TSv1.2:

• TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519)
• TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519)
• TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519)
• TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519)
• TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519)

Clients should stop using the following TLS Ciphers. Support for them will be removed in a future release.

TLSv1.2:

• TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519)
• TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519)

Enterprise Service Gateway Deprecation

Entrust will only support the last four releases of the Enterprise Service Gateway (the current version 5.36 and the three previous releases 5.33, 5.34 and 5.35). Entrust recommends that customers always upgrade their Enterprise Service Gateway to the latest release because each release contains security updates to the Enterprise Service Gateway Operating System.

ESG was updated to use a new OS in 5.33. In place upgrade of ESG is only supported for versions 5.33 or later. Versions of ESG older than 5.33 are no longer supported. To upgrade versions ESGs older than 5.33 to the new version use the following procedure:

1. Download the latest Gateway OVA or Hyper-V file from IDaaS and install on a new VM instance.
2. Add a new Gateway instance to the existing Gateway in IDaaS.
3. Register the new Gateway instance with IDaaS.
4. Disable the old Gateway instance.
5. Repeat these steps to replace all the Gateway instances using older versions of the ESG.

Once the upgrade is complete, the Gateway instances corresponding to the old ESGs can be deleted from IDaaS and the VMs for those ESG instances can be deleted.

Browser Deprecation

Microsoft no longer supports Internet Explorer 11. Identity as a Service ceased support for Internet Explorer 11 after May 2023.