Release 5.38

November 2024

New in this release

Identity Verified Activation of Entrust Soft Tokens

IDaaS can be configured to require users to perform Face Biometric authentication when activating an Entrust Soft Token. Identity verification ensures that the expected user is activating the soft token.

Passkey/FIDO2 Enhancement to Block Synced Passkeys

Passkey/FIDO2 policy can now be configured to block synced passkeys from being registered. Customers may want to only allow their users to use passkeys, such as physical FIDO2 tokens, whose keys are not backed up to the cloud.

Locking and Removal of Production Accounts With Expired Entitlements

Starting in 5.39 release, production accounts will be locked when their entitlements expire and removed after 6 months. Accounts with entitlements that have already expired will be immediately locked and then removed after 6 months. IDaaS will send notification emails to account owners when entitlements approach the expiry date and then when they expire.

In 5.38, the expiry notifications will be sent to account owners, but the accounts will not be locked.

Identity Proofing Management Removed

The identity proofing management capabilities have been removed.

Directory and Gateway SSL Certificate Enhancements

The following enhancements related to SSL Certificate configuration have been made for Directories and Gateways that have SSL configured:

• The Directories and Gateways tiles on the dashboard indicate if any SSL certificates are expired.
• The status of the SSL certificate is shown in the Directory list.
• A new View SSL Certificates action is available that shows a list of all SSL certificates configured for the directory.
• A new View SSL Certificate action is available for each Gateway instance.
• Certificate expiry notification emails sent by IDaaS now include notifications for Directory and Gateway SSL Certificates.

New Integrations

The following integrations have been added.

• A new SAML application template for Keeper Security.
• A new SAML application template for LeaveWizard.
• A new SAML application template for ShareFile.

Fixed or changed in this release

1. ESG log not rolling over causing disk to fill. (37181, 37320)
2. ESG disks partition for /opt too small. Customers will need to reinstall ESG for this fix to apply. (37239)
3. When OTP Voice delivery is used, the wrong type displays on the user's login page. (37330, 37406)
4. The X-Xss-Protection header is no longer included in IDaaS API responses. (37455)
5. The sample value for the machine fingerprint value in the API was incorrect. (37329)
6. Validation of device certificate fails if it contains a ExtendedKeyUsage value marked critical. (36968)
7. Address issues with SCIM user provisioning. Some errors were not properly handled resulting in the operation not completing and preventing future operations from starting. (37187, 37228, 37240, 37262, 37305)
8. Enhance the User Authenticator Update email notification so that it can distinguish between an authenticator being locked and a user being locked. (37481)
9. Customized name for Google Authenticator is HTML encoded. (37531)
10. Face Biometric activation audit is missing mobile platform. (37261)
11. Group policy category list in Admin portal not sorted. (37238)
12. Face Biometric push transaction details are not translated. (37236)
13. Microsoft Azure AD has been renamed to Microsoft Entra ID. (37529)
14. Missing error message if Face Biometric authentication times out. (36456)
15. Save user profile with alias generates blank error message. (37302)
16. Password reset dialog has two scrollbars for some locales. (37223)
17. Pressing User Certificate login button twice generates an error. (37100)
18. Group names not sorted in Group Policies list. (36963)
19. Add extra contact info entry in Admin portal is too short. (36679)
20. When editing an application, the Next button should not be enabled if all authentication flows are disabled. (35322)

Changes to Identity as a Service APIs

Administration API

ID Proofing capabilities have been removed from IDaaS. The following methods have been removed from the Administration API.

• idProofingInitUsingPOST (POST /api/web/v1/idproofing/init).
• idProofingImageUsingPUT (PUT /api/web/v1/idproofing/{requestId}/image/{side}).
• idProofingCompleteSelfieUsingPUT (PUT /api/web/v1/idproofing/{requestId}/completeselfie).
• idProofingCompleteUsingPUT (PUT /api/web/v1/idproofing/{requestId}/complete).
• idProofingRequestUsingGET (GET /api/web/v1/idproofing/{requestId}).
• idProofingRequestsPagedUsingPOST (POST /api/web/v1/idproofing).

Token activation for Google Authenticator has been enhanced to support activation of a token with a specified token secret. This allows a customer to import existing Google Authenticator tokens into IDaaS. The following model has been changed.

• The attribute secret has been added to ActivateParms. If specified when activating a token, this attribute specifies the seed of a token.

Methods used to configure the Onfido account used for Face Biometric authenticator have been added to the Administration API. The following changes have been made.

• The method getFaceAccountSettingsUsingGET (GET /api/web/v1/settings/face/account) has been added. This method fetches the current Onfido account settings.
• The method setFaceAccountSettingsUsingPUT (PUT /api/web/v1/settings/face/account) has been added. This method updates the Onfido account settings.
• The model FaceAccountSettings has been added. This model contains the Onfido account settings.

Supported TLS Ciphers

IDaaS supports the following TLS Ciphers.

TLSv1.3:

• TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519)
• TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519)
• TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519)

TSv1.2:

• TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519)
• TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519)
• TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519)
• TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519)
• TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519)

Clients should stop using the following TLS Ciphers. Support for them will be removed in a future release.

TLSv1.2:

• TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519)
• TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519)

Enterprise Service Gateway Deprecation

Entrust will only support the last four releases of the Enterprise Service Gateway (the current version 5.38 and the three previous releases 5.35, 5.36, and 5.37). Entrust recommends that customers always upgrade their Enterprise Service Gateway to the latest release because each release contains security updates to the Enterprise Service Gateway Operating System.

In-place upgrade of the ESG is only supported for versions 5.33 or later. Versions of ESG older than 5.33 are no longer supported. To upgrade versions of ESGs older than 5.33 to the new version, use the following procedure:

1. Download the latest Gateway OVA or Hyper-V file from IDaaS and install on a new VM instance.
2. Add a new Gateway instance to the existing Gateway in IDaaS.
3. Register the new Gateway instance with IDaaS.
4. Disable the old Gateway instance.
5. Repeat these steps to replace all the Gateway instances that use older versions of the ESG.

Once the upgrade is complete, the Gateway instances corresponding to the old ESGs can be deleted from IDaaS and the VMs for those ESG instances can also be deleted.

Browser Deprecation

Microsoft no longer supports Internet Explorer 11. Identity as a Service ceased support for Internet Explorer 11 after May 2023.