Release 5.37
New in this release
Face Biometric Authentication with Entrust Identity Mobile
The IDaaS Face Biometric Authenticator has been enhanced to support Face Biometrics registered and authenticated from the Entrust Identity Mobile application. Face Biometric authenticators managed on the Entrust Identity Mobile application can be configured so that the user's biometric information is stored on the mobile device rather than in the Onfido cloud.
Face Biometric authentication using the Entrust Identity Mobile app has a user experience similar to token push authentication.
- The user gets a notification on the mobile device.
- The mobile app is launched.
- From the mobile app, the user performs a workflow that does a motion capture of the user's face.
- The user is authenticated if the motion capture matches their previously registered biometric.
Face Biometric authentication has the option to include a mutual authentication challenge to prevent the user from accidentally responding to an attacker's authentication request.
User Certificate Authentication Matching Policy Update
IDaaS has enhanced its User Certificate Authentication matching policy, enabling fine-grained control for user matching.
The new settings allow the configuration of one-to-one mappings between certificate components and user attributes.
The list of supported certificate components has been expanded to include both strong and weak components:
- Strong components: securityId, sha256PublicKey, subjectKeyIdentifier, serialNumber
- Weak components: commonName, rfc822Name, userPrincipalName, directoryName, subjectDN
Entrust highly recommends using strong components for user matching. When only weak components are configured, all matching rules must be satisfied to successfully authenticate a user.
In addition, the settings support specifying mandatory and prohibited certificate policy OIDs, ensuring that only certificates with the appropriate policies can be used. This applies to both certificates issued by trusted Certificate Authorities and IDaaS-issued smart credentials.
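To make the matching policy concrete, here is an added example (not Entrust's code) that evaluates a policy of the kind described above: one-to-one component-to-attribute rules restricted to the listed strong and weak components, mandatory and prohibited policy OIDs, and a requirement that every configured rule holds. The certificate components, user records and the policy OID are constructed sample data.

```python
from dataclasses import dataclass, field

STRONG = {"securityId", "sha256PublicKey", "subjectKeyIdentifier", "serialNumber"}
WEAK = {"commonName", "rfc822Name", "userPrincipalName", "directoryName", "subjectDN"}


@dataclass
class MatchingPolicy:
    rules: dict                      # certificate component -> user attribute (one-to-one)
    mandatory_oids: set = field(default_factory=set)
    prohibited_oids: set = field(default_factory=set)

    def __post_init__(self):
        bad = set(self.rules) - STRONG - WEAK
        if bad:
            raise ValueError(f"unsupported certificate components: {sorted(bad)}")

    def strength(self):
        """'strong' if at least one strong component is mapped, else 'weak-only'."""
        return "strong" if set(self.rules) & STRONG else "weak-only"


def policy_oids_ok(cert, policy):
    """Every mandatory policy OID must be asserted and no prohibited OID may be."""
    oids = set(cert.get("policyOids", ()))
    return policy.mandatory_oids <= oids and not (policy.prohibited_oids & oids)


def match_user(cert, policy, users):
    """Return the single user satisfying every configured rule, else None.
    Requiring all rules is what the notes state for weak-only policies; this
    example applies it to every policy as the conservative choice, and treats
    an ambiguous result (no user or more than one) as a failed match."""
    if not policy_oids_ok(cert, policy):
        return None
    candidates = [u for u in users
                  if all(comp in cert and u.get(attr) == cert[comp]
                         for comp, attr in policy.rules.items())]
    return candidates[0] if len(candidates) == 1 else None


# Constructed sample data; the OID is a placeholder, not a real Entrust policy OID.
USERS = [{"userId": "alice", "securityId": "SID-0001", "email": "alice@example.com"},
         {"userId": "bob", "securityId": "SID-0002", "email": "bob@example.com"}]
CERT = {"securityId": "SID-0001", "rfc822Name": "alice@example.com",
        "policyOids": {"1.3.6.1.4.1.99999.1"}}
STRONG_POLICY = MatchingPolicy({"securityId": "securityId"},
                               mandatory_oids={"1.3.6.1.4.1.99999.1"})
WEAK_POLICY = MatchingPolicy({"rfc822Name": "email", "commonName": "displayName"})
```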
Support for Entrust Identity Mobile Features
The following changes have been made to IDaaS to support new functionality in Entrust Identity.
- The latitude and longitude of push notification transactions are included in the information sent to the mobile app so that it can display the location from which the transaction was launched.
- A new policy "Allow Device Biometric Authentication" has been added for Entrust Soft Tokens. This allows an administrator to disable the use of the device biometric for unlocking the mobile app.
User Portal / Admin Portal Enhancements
An end user can select favorite applications in the user portal. Favorite applications are displayed first on the Applications page.
The admin portal has been enhanced to support searching the menu.
Microsoft Entra ID Read-Only Authorization
When adding a Microsoft Entra ID directory to IDaaS for user synchronization, the option to select Read-Only Authorization is provided.
Authentication Notification Enhancements
When enabling User Authenticator Notifications, the administrator can now select which authenticators cause notifications.
FIDO/Passkey Enhancements
FIDO/Passkey authenticators now support subdomains for Relying Party IDs. For example, IDaaS can be configured so that an authenticator registered from register.mydomain.com can be used to authenticate from authenticate.mydomain.com. The Allowed Relying Party ID hostnames policy allows subdomains to be specified.
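The subdomain rule above is the WebAuthn one: an RP ID is usable from an origin whose host equals it or ends in it as a whole label suffix. The following added example (not Entrust's code) checks that rule for the register/authenticate scenario described; it assumes the hostname policy is represented as a plain list of allowed RP IDs and does not consult a public-suffix list.

```python
from urllib.parse import urlsplit


def origin_host(origin):
    """Effective domain of a WebAuthn origin; only https origins (or localhost) count."""
    parts = urlsplit(origin)
    if not parts.hostname:
        raise ValueError(f"not an origin: {origin!r}")
    host = parts.hostname.lower().rstrip(".")
    if parts.scheme != "https" and host != "localhost":
        raise ValueError("WebAuthn requires a secure context")
    return host


def rp_id_covers(rp_id, host):
    """True if rp_id equals host or is a dot-separated suffix of it.
    Label-boundary matching rejects look-alikes such as evil-mydomain.com
    and mydomain.com.evil.net. A deployment must additionally refuse public
    suffixes (e.g. 'com') as RP IDs, which this string rule does not check."""
    rp_id = rp_id.lower().rstrip(".")
    return host == rp_id or host.endswith("." + rp_id)


def rp_id_for_origin(origin, allowed_rp_ids):
    """Pick the most specific allowed RP ID covering the origin, or None."""
    host = origin_host(origin)
    covering = [r for r in allowed_rp_ids if rp_id_covers(r, host)]
    return max(covering, key=len) if covering else None


def can_authenticate(registered_rp_id, auth_origin, allowed_rp_ids):
    """A credential registered under registered_rp_id is usable from auth_origin
    only if that RP ID is still permitted by policy and covers the new origin."""
    return (registered_rp_id in allowed_rp_ids
            and rp_id_covers(registered_rp_id, origin_host(auth_origin)))
```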
SAML/OIDC Enhancements
The following enhancements have been made for SAML and OIDC applications.
- When configuring a SAML application, a new setting, SAML Max Authentication Age, can be specified. If configured, this setting specifies the maximum time before a user needs to reauthenticate.
- The ForceAuthn parameter in SAML authentication requests is now supported. If set to true, reauthentication by the user will be required.
- A SAML ForceAuthn or OIDC max_age request that forces a re-authentication will now preserve the existing IDaaS session.
- Resource rules that disable SSO no longer apply to reauthenticating the same SAML or OIDC application. Setting the application max authentication age to 0 will disable SSO for the application.
- If the IDP max authentication age is configured, then a SAML ForceAuthn or OIDC max_age request is propagated to third-party IDPs. The smaller value is used.
- A new option "Include Authentication Claims" has been added to the OAuth Resource Server configuration. If enabled, the acr, amr, and auth_time claims are included in the OAuth access token.
- A new option "Show Login Redirect URL in My Profile" has been added to OIDC applications. This setting controls whether the OIDC application with the redirect URL displays in the User portal.
- OIDC applications with an expired or expiring certificate are now flagged with an icon in the Application List page.
- When SAML attribute encryption is enabled for a SAML application, the default algorithm is now RSA-OAEP instead of RSA version 1.5.
Token Report Enhancements
The token report now includes additional fields, including the platform for Entrust Soft Tokens and an indication of whether the token supports push notification.
Service Provider Role Updates
Permission to delete tenants has been added to the Service Provider On-boarding Administrator role.
New Integrations
The following integrations have been added.
- A new SAML application template for Air.
- A new SAML application template for Druva.
- A new SAML application template for Freshworks.
- A new OIDC application template for Freshworks.
Fixed or changed in this release
- The FIDO/Passkey authenticator can now be chosen when configuring resource rules for IDaaS ADFS, IDaaS Apache Filter and IDaaS ISAPI applications. (35988)
- Add missing descriptions for various Email Template variables. (34070, 34069)
- Generate audits for Onfido configuration errors detected when performing Face Biometric operations. (37017)
- Improve wording of user/authenticator unlock notification email. (36506)
- Audit for user portal settings change should not include settings that have not changed. (36654)
- User provisioning using SCIM is now supported for accounts with the PLUS bundle. (36658)
- Fix broken links and misleading steps in the Microsoft Entra ID EAM integration guide. (36805)
- Password expiry notification option to mobile should only be available when the user has a token supporting push notification. (34479)
- When an optional attribute is modified for a user synchronized from AD, the Security ID attribute gets modified to null. (34634)
- In the User portal, step-up authentication should not be required to view the details of a Face Biometric authenticator. (36292)
- The Dashboard shows the wrong count for expired applications if both OIDC and SAML applications have an expired certificate. (36445)
- The SecurityID attribute can be modified using the Admin API when it is mapped from the directory. (34403, 33806)
- The option to add an Entrust Soft Token from the User portal was erroneously disabled when the user was locked but the lockout had expired. (36692)
- IDaaS ESG package registry now includes net-snmp and net-snmp-utils for customers who want to install and configure these packages. (36882)
- Offline tokens with Entrust Identity Desktop Credential Provider did not work for the Google Authenticator. (35917)
- IDaaS Administration Guide now includes a description of the attributes that can be included in an audit. (36808)
- Entrust Soft Token activation audit now includes the platform of the mobile device. (36302)
- Add Face Biometric authenticator audit now includes state attribute. (36478)
- Option to set Face Biometric authenticator expiry date to Never should not display a date. (36716)
- Creating a domain-based Identity Provider is missing the option to select other Identity Providers. (36739)
- Identity Provider initiated login not showing organizations. (36665)
- When configuring a Microsoft EAM OIDC application, the JSON configuration is missing the default application ID. (37164)
Changes to Identity as a Service APIs
Authentication API
The following changes have been made to the authentication API to support the enhancements made to Face Biometric authentication.
The following changes have been made to existing models:
- The attribute pushMutualChallenge has been added to the models AuthenticatedResponse and UserAuthenticateQueryResponse. This value contains the mutual authentication challenge that should be displayed to the user. This attribute applies to both token and face biometric authentication. This attribute replaces the existing attribute tokenPushMutualChallenge, which still exists in both models but has been deprecated.
- The attribute pushMutualChallengeEnabled has been added to the models UserAuthenticateQueryParameters and UserChallengeParameters. This value indicates if the client supports mutual authentication challenges. This attribute applies to both token and face biometric authentication. This attribute replaces the existing attribute tokenPushMutualChallengeEnabled, which still exists in both models but has been deprecated.
- The following changes have been made to FaceChallenge:
  - The attribute applicantId has been removed. It was not used in previous releases.
  - The attribute device has been added. This attribute indicates if the Face Biometric was registered on WEB or MOBILE.
  - The attributes id and qrCode have been added. These attributes are not used for authentication.
  - The attributes sdkToken and workflowRunId remain. When authenticating for a mobile Face Biometric authenticator, the sdkToken will be null and the workflowRunId will be the transactionId used to call the authenticate complete method to get the authentication response.
  - the attribute
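A client consuming these models has to cope with the deprecated attribute still being present and with the two FaceChallenge shapes. The following added example (not Entrust's code or SDK) shows that handling: preferring pushMutualChallenge over the deprecated tokenPushMutualChallenge, advertising support via pushMutualChallengeEnabled, and dispatching a FaceChallenge by its device value, where a MOBILE challenge must carry a null sdkToken and a workflowRunId that doubles as the transactionId. The sample responses are constructed.

```python
def mutual_challenge(response):
    """Challenge text to show the user, from AuthenticatedResponse or
    UserAuthenticateQueryResponse. Prefer the new attribute; fall back to the
    deprecated one so the client still works against a server that only sets it."""
    value = response.get("pushMutualChallenge")
    if value is None:
        value = response.get("tokenPushMutualChallenge")   # deprecated, still sent
    return value


def query_params(client_supports_mutual):
    """Parameters (UserAuthenticateQueryParameters / UserChallengeParameters)
    telling the service whether this client can display a mutual challenge."""
    return {"pushMutualChallengeEnabled": bool(client_supports_mutual)}


def face_challenge_plan(face_challenge):
    """Decide the client flow for a FaceChallenge.
    WEB: start the Onfido SDK with sdkToken and workflowRunId.
    MOBILE: sdkToken is null; workflowRunId is the transactionId passed to the
    authenticate complete call once the user has answered on the device.
    id and qrCode are ignored here: the notes say they are not used for authentication."""
    device = face_challenge.get("device")
    sdk_token = face_challenge.get("sdkToken")
    run_id = face_challenge.get("workflowRunId")
    if device == "MOBILE":
        if sdk_token is not None or not run_id:
            raise ValueError("mobile face challenge: expected null sdkToken and a workflowRunId")
        return {"flow": "mobile-push", "transactionId": run_id}
    if device == "WEB":
        if not sdk_token or not run_id:
            raise ValueError("web face challenge: sdkToken and workflowRunId are required")
        return {"flow": "web-sdk", "sdkToken": sdk_token, "workflowRunId": run_id}
    raise ValueError(f"unknown FaceChallenge device {device!r}")


# Constructed sample responses: attribute names follow the release notes, values are invented.
MOBILE_RESPONSE = {
    "pushMutualChallenge": "47", "tokenPushMutualChallenge": "47",
    "faceChallenge": {"device": "MOBILE", "sdkToken": None,
                      "workflowRunId": "txn-0001", "id": "face-1"},
}
WEB_CHALLENGE = {"device": "WEB", "sdkToken": "sdk-abc", "workflowRunId": "run-0002"}
```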
In addition to the changes made to support the enhancements to Face Biometric authentication, the following changes have also been made to the authentication API.
The following method deprecated in an earlier release has been removed: requestPasskeyChallengeUsingPOST (POST /api/web/v1/authentication/passkey)
The following model deprecated in an earlier release has been removed: PasskeyChallengeParameters
The following changes to existing models have been made:
- The attribute registeredCredentialsNames has been added to FIDORegisterChallenge. This attribute specifies the names of FIDO tokens already registered to the user.
Administration API
The following changes have been made to the administration API to support the enhancements made to Face Biometric authentication.
The following method has been added: sendFaceActivationEmailUsingPUT (PUT /api/web/v1/face/{faceid}/activation). This method sends an email containing a QR code or link used to launch Face Biometric authenticator activation in the mobile app.
The following changes have been made to existing models:
- The following attributes have been added to FaceAuthenticator:
  - created: the date the authenticator was created.
  - lastUsed: the date the authenticator was last used for authentication.
  - mobile: a flag indicating if the authenticator was registered in the mobile app.
  - serialNumber: an external identifier for the Face Authenticator.
- The attribute deliverActivationEmail has been added to FaceCreateParms. This flag indicates if an activation email will be sent when a Face Authenticator is created.
- The attribute id has been added to FaceUpdateParms. This attribute specifies which Face Biometric authenticator is to be updated. If not specified and the user has a single Face Biometric, that authenticator will be updated. If the user has multiple authenticators, an error will be returned.
- The attribute maxFacesPerUser has been added to GeneralSettings. This policy specifies the maximum number of Face Biometric authenticators a user can have.
In addition to the changes made to support the enhancements to Face Biometric authentication, the following changes have also been made to the administration API.
The following method has been added: deleteTenantEntitlementUsingDELETE (DELETE /api/web/v4/tenants/{tenantid}/entitlements/{type}). This method deletes the specified entitlement from the specified tenant of a service provider.
The following changes to existing models have been made:
- The attribute subscriptionLineId has been added to Entitlement. This setting is used internally for configuring entitlements of an account.
- The attribute allowDeviceBiometric has been added to EntrustSTAuthenticatorSettings. This setting specifies if an end user is allowed to use the device biometric to unlock the Entrust Soft Token in the Entrust Identity mobile app.
- The attribute registeredCredentialsNames has been added to FIDORegisterChallenge. This attribute specifies the names of Passkey/FIDO2 tokens already registered to the user.
- The attribute overageType has been added to SmsVoice. This setting is used internally for configuring SMS/Voice entitlements of an account.
- The attribute deleteEntitlement has been added to SmsVoiceParms. This setting is used internally for configuring SMS/Voice entitlements of an account.
Supported TLS Ciphers
IDaaS supports the following TLS Ciphers.
TLSv1.3:
- TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519)
- TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519)
- TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519)
TLSv1.2:
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519)
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519)
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519)
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519)
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519)
Clients should stop using the following TLS Ciphers. Support for them will be removed in a future release.
TLSv1.2:
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519)
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519)
Enterprise Service Gateway Deprecation
Entrust will only support the last four releases of the Enterprise Service Gateway (the current version 5.37 and the three previous releases 5.34, 5.35 and 5.36). Entrust recommends that customers always upgrade their Enterprise Service Gateway to the latest release because each release contains security updates to the Enterprise Service Gateway Operating System.
ESG was updated to use a new OS in 5.33. In-place upgrade of ESG is only supported for versions 5.33 or later. Versions of ESG older than 5.33 are no longer supported. To upgrade ESGs older than 5.33 to the new version, use the following procedure:
- Download the latest Gateway OVA or Hyper-V file from IDaaS and install on a new VM instance.
- Add a new Gateway instance to the existing Gateway in IDaaS.
- Register the new Gateway instance with IDaaS.
- Disable the old Gateway instance.
- Repeat these steps to replace all the Gateway instances using older versions of the ESG.
Once the upgrade is complete, the Gateway instances corresponding to the old ESGs can be deleted from IDaaS and the VMs for those ESG instances can be deleted.
Browser Deprecation
Microsoft no longer supports Internet Explorer 11. Identity as a Service ceased support for Internet Explorer 11 after May 2023.