Release 5.39
New in this release
Locking and Removal of Production Accounts with Expired Entitlements
Starting in this release, production accounts will be locked when their entitlements expire and removed after 6 months if the entitlement has not been renewed. IDaaS will send notification emails to account owners when entitlements approach the expiry date and then when they expire.
Customers can view the status of their account entitlements by clicking on the Entitlements icon on the Administration Portal Dashboard.
The default Customer Support Agent service provider administrator role has been modified to include permission to modify entitlements. This allows a support agent to address customer entitlement issues if their entitlement has expired.
SMS/Voice Entitlements Are Required
Starting in this release, entitlements are required to use SMS/Voice delivery for OTPs. Previously, accounts without an entitlement were allowed to use SMS/Voice delivery. Email delivery of OTPs does not require an entitlement.
Customers can view the status of their account entitlements by clicking on the Entitlements icon on the Administration Portal Dashboard.
SAML Identity Providers
IDaaS can be configured to support SAML Identity Providers in addition to the currently supported OIDC Identity Providers. The following are included as part of this new feature:
- An Authentication Flow setting that lets administrators select OIDC identity providers, SAML identity providers, or both.
- Global and Group-Based User Verification Policies that configure identity providers can likewise select OIDC identity providers, SAML identity providers, or both.
Flexible External Risk Engines
A new external risk engine type has been added to IDaaS. The new risk engine type allows the customer to integrate third-party external risk engines into IDaaS with a no-code solution. IDaaS supports third-party risk engines that accept HTTPS requests and return the risk result as a JSON-formatted response.
Pass-through Authenticator
A new pass-through authenticator type has been added to IDaaS allowing the customer to integrate third-party authenticators into IDaaS with a no-code solution. The pass-through authenticator forwards the authentication requests from IDaaS to a customer-operated authentication service. This feature allows a customer to integrate an application using the IDaaS authentication API with existing authentication services.
Group Attribute Support
An attribute can be defined for IDaaS groups. This attribute can be mapped into SAML assertion attributes and OIDC claims depending on the group membership of the authenticating user.
These new capabilities include support for the Danish OIOSAML Web SSO Profile 3.0 for interoperation with Kombit Context Handler 2. Privilege and constraint information can be defined in the IDaaS group attribute, encoded as defined in OIOSAML, and returned in the SAML assertion to Kombit Context Handler 2.
When defining a SAML attribute, the NameFormat can now be specified. Previously it was left undefined. This is required for OIOSAML but is applicable to any SAML attribute.
Maximum Password Length Policy
A new maximum password length policy has been added to Password settings. When set, this policy enforces the maximum length of the user's password when a new password is set. By default, IDaaS does not enforce a maximum password length.
A customer may want to enforce a maximum password length if they have clients that cannot accept longer passwords. Set the limit no lower than the longest password those clients accept; NIST SP 800-63B recommends that verifiers accept passwords of at least 64 characters, so a cap well below that weakens the password policy for every user.
Outbound SCIM Provisioning Enhancements
Previously, IDaaS outbound SCIM provisioning only supported OAuth to authenticate to the service to which users were provisioned. Now, IDaaS also supports authentication using API keys.
Improved User/Audit Searching for Large Customers
For large customers, the list/search operations in the Administration portal have been redesigned to avoid the timeouts that could occur, most often when complicated search criteria are specified. The administrator's experience in the portal is unchanged.
Webhooks for User Creation
IDaaS now supports webhooks, where IDaaS sends a notification to an external service when an event happens. In this release, webhooks are supported for user create events.
IDaaS JWT OIDC Grant Type
A new IDaaS JWT grant type has been added to OIDC and OAuth applications. This grant type allows a customer application to use the IDaaS authentication API to authenticate a user. When using this grant type, the client application does the following:
- Calls the OIDC/OAuth authorize endpoint to begin authentication specifying the new grant type. This will return an authRequestKey value.
- Calls the IDaaS authentication APIs to authenticate the user. The authRequestKey is passed as an argument. The authentication API will return an IDaaS JWT when the user is authenticated.
- Calls the OIDC/OAuth token endpoint to get an OAuth access token. The IDaaS JWT and authRequestKey are passed as arguments. This call returns an OAuth access token that can be used to interact with the customer's backend service.
This new grant type provides the following capabilities not available with standard OIDC:
- The customer can implement their own authentication UI allowing them to customize the UI to meet their requirements.
- The customer can access IDaaS risk authentication capabilities, such as transaction verification that require customer transaction values to be provided. When transaction values are provided, the returned OAuth access token can be configured to include these transaction values as a claim.
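The three round trips above, written out as a client, are an added example and not Entrust code. Only authRequestKey comes from the release notes; the endpoint URLs, the grant_type string and the other request/response field names are hypothetical placeholders, and the real ones come from the product documentation. A constructed stand-in for the three endpoints is included so the flow runs offline; it models the binding a client should expect, namely that the IDaaS JWT is only redeemable at the token endpoint together with the authRequestKey it was issued under, and that the key is single-use.

```python
"""Client side of the IDaaS JWT grant type: authorize -> authenticate -> token.

Added illustration, not Entrust code. Endpoint URLs, the grant_type string and
the request/response field names other than authRequestKey are hypothetical
placeholders (assumptions); take the real ones from the product documentation.
"""
from typing import Callable, Dict, Optional

# Hypothetical identifiers (assumptions, not from the release notes).
GRANT_TYPE = "urn:example:idaas-jwt"
AUTHORIZE_URL = "https://idaas.example/oidc/authorize"
AUTHENTICATE_URL = "https://idaas.example/api/web/v1/authenticate"
TOKEN_URL = "https://idaas.example/oidc/token"

# (url, request fields) -> response fields; raises ValueError on an error response.
Transport = Callable[[str, Dict[str, str]], Dict[str, str]]


def run_jwt_grant(transport: Transport, client_id: str, user_id: str, response: str) -> str:
    """Perform the three documented round trips and return the OAuth access token."""
    # Step 1: start the OIDC/OAuth request with the IDaaS JWT grant type;
    # the authorize endpoint returns an authRequestKey for this request.
    started = transport(AUTHORIZE_URL, {"client_id": client_id, "grant_type": GRANT_TYPE})
    auth_request_key = started["authRequestKey"]

    # Step 2: authenticate the user through the IDaaS authentication API,
    # passing authRequestKey; on success IDaaS returns an IDaaS JWT.
    authenticated = transport(AUTHENTICATE_URL, {
        "userId": user_id,
        "response": response,               # the user's authenticator response (placeholder field)
        "authRequestKey": auth_request_key,
    })
    idaas_jwt = authenticated["token"]

    # Step 3: redeem the JWT together with the same authRequestKey at the token endpoint.
    issued = transport(TOKEN_URL, {
        "grant_type": GRANT_TYPE,
        "client_id": client_id,
        "assertion": idaas_jwt,
        "authRequestKey": auth_request_key,
    })
    return issued["access_token"]


class FakeIdaas:
    """Constructed offline stand-in for the three endpoints. It is not the
    documented IDaaS behaviour; it models the checks a client should expect:
    a JWT is redeemable only with the authRequestKey it was issued under,
    and that key is consumed on use."""

    def __init__(self, valid_response: str = "correct-otp") -> None:
        self._valid_response = valid_response
        self._pending: Dict[str, Optional[str]] = {}   # authRequestKey -> JWT once authenticated
        self._counter = 0

    def __call__(self, url: str, fields: Dict[str, str]) -> Dict[str, str]:
        if url == AUTHORIZE_URL:
            if fields.get("grant_type") != GRANT_TYPE:
                raise ValueError("unsupported_grant_type")
            self._counter += 1
            key = f"ark-{self._counter}"
            self._pending[key] = None
            return {"authRequestKey": key}
        if url == AUTHENTICATE_URL:
            key = fields["authRequestKey"]
            if key not in self._pending:
                raise ValueError("unknown authRequestKey")
            if fields.get("response") != self._valid_response:
                raise ValueError("authentication failed")
            jwt = f"jwt.{fields['userId']}.{key}"          # constructed marker, not a real JWT
            self._pending[key] = jwt
            return {"token": jwt}
        if url == TOKEN_URL:
            key = fields["authRequestKey"]
            jwt = self._pending.pop(key, None)              # consume the key: single use
            if jwt is None or jwt != fields.get("assertion"):
                raise ValueError("invalid_grant")
            return {"access_token": f"at.{key}"}
        raise ValueError(f"unknown endpoint {url}")
```

Because the client never sees the user's credentials in the token request, the only secret it handles end to end is the short-lived IDaaS JWT; a real client should treat that JWT like a code in the authorization-code flow and never log or persist it.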
RADIUS Agent Caching
Recently some IDaaS customers have experienced attacks on their VPN servers where bad actors perform large numbers of authentication attempts using the same userid and different passwords in an attempt to find a valid userid and password. The error returned from IDaaS does not indicate if the error is because the user does not exist or if the password was invalid. This means that these attacks generate large numbers of IDaaS requests resulting in unknown user errors.
For customers whose VPN server or network infrastructure does not provide capabilities to filter out these kinds of requests before they reach the IDaaS RADIUS agent and then IDaaS, the IDaaS RADIUS agent now provides the following caches to block this traffic before it reaches IDaaS:
- An unknown user cache that blocks RADIUS authentication requests with a userid that previously generated a user not found error.
- A client IP rate limiter that restricts the number of RADIUS authentication requests that will be accepted from a client IP address.
For customers that allow this traffic to reach IDaaS, Entrust may be forced to rate limit the authentication traffic for that account. This rate limiting would block both valid and invalid authentication requests.
Customers will need to upgrade to the 5.39 version of the Enterprise Service Gateway to have these features available.
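The two caches described above, as an added example that is not the RADIUS agent's own code: an unknown-user cache with a TTL and a sliding-window per-client-IP rate limiter placed in front of a constructed IDaaS backend. The limits, TTL and the replayed request records are constructed for the run. The stand-in backend returns the same result to the client for an unknown user and a wrong password, so the agent's Access-Reject still does not reveal which one it was.

```python
"""Unknown-user cache and per-client-IP rate limiter in front of IDaaS.

Added illustration of the two caches the 5.39 RADIUS agent provides; not the
agent's code. Limits, TTL, the user store and the traffic are constructed."""
import time
from collections import Counter, deque
from dataclasses import dataclass
from typing import Deque, Dict


@dataclass(frozen=True)
class AccessRequest:
    client_ip: str
    user_id: str
    password: str
    ts: float


class UnknownUserCache:
    """Remembers user ids that IDaaS reported as not found, for ttl seconds."""

    def __init__(self, ttl: float) -> None:
        self.ttl = ttl
        self._expires: Dict[str, float] = {}

    def is_blocked(self, user_id: str, now: float) -> bool:
        return self._expires.get(user_id, 0.0) > now

    def record_unknown(self, user_id: str, now: float) -> None:
        self._expires[user_id] = now + self.ttl


class ClientRateLimiter:
    """Sliding window: at most `limit` accepted requests per `window` seconds per IP."""

    def __init__(self, limit: int, window: float) -> None:
        self.limit, self.window = limit, window
        self._hits: Dict[str, Deque[float]] = {}

    def allow(self, client_ip: str, now: float) -> bool:
        hits = self._hits.setdefault(client_ip, deque())
        while hits and now - hits[0] >= self.window:
            hits.popleft()
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True


class RadiusAgent:
    """Minimal stand-in for the agent: both filters run first, IDaaS is called only if they pass."""

    def __init__(self, known: Dict[str, str], limit: int = 20, window: float = 60.0, ttl: float = 600.0) -> None:
        self._known = known                       # constructed IDaaS user store: userid -> password
        self.cache = UnknownUserCache(ttl)
        self.limiter = ClientRateLimiter(limit, window)
        self.outcomes: Counter = Counter()

    def _idaas_authenticate(self, user_id: str, password: str) -> str:
        # Constructed backend. The agent learns "unknown_user" so it can populate
        # its cache; the RADIUS client only ever sees Access-Reject for either failure.
        if user_id not in self._known:
            return "unknown_user"
        return "ok" if self._known[user_id] == password else "bad_password"

    def handle(self, req: AccessRequest) -> str:
        if not self.limiter.allow(req.client_ip, req.ts):
            outcome = "rate_limited"
        elif self.cache.is_blocked(req.user_id, req.ts):
            outcome = "cached_unknown"
        else:
            result = self._idaas_authenticate(req.user_id, req.password)
            if result == "unknown_user":
                self.cache.record_unknown(req.user_id, req.ts)
            outcome = f"forwarded:{result}"
        self.outcomes[outcome] += 1
        return "Access-Accept" if outcome == "forwarded:ok" else "Access-Reject"


def simulate() -> Dict[str, int]:
    """Replay constructed traffic: one IP brute-forcing a single nonexistent userid,
    one IP spraying many nonexistent userids, and one legitimate login."""
    agent = RadiusAgent(known={"alice": "hunter2"})
    t0 = time.time()
    requests = [AccessRequest("198.51.100.7", "jsmith", f"Pass{i}!", t0 + i * 0.2) for i in range(50)]
    requests += [AccessRequest("198.51.100.9", f"user{i}", "Winter2024!", t0 + i * 0.2) for i in range(30)]
    requests.append(AccessRequest("203.0.113.5", "alice", "hunter2", t0 + 5.0))
    for req in requests:
        agent.handle(req)
    forwarded = sum(n for k, n in agent.outcomes.items() if k.startswith("forwarded:"))
    return {
        "forwarded_to_idaas": forwarded,
        "forwarded_unknown_user": agent.outcomes["forwarded:unknown_user"],
        "blocked_by_unknown_cache": agent.outcomes["cached_unknown"],
        "blocked_by_rate_limit": agent.outcomes["rate_limited"],
        "accepted": agent.outcomes["forwarded:ok"],
    }
```

Of the 81 constructed requests only 22 reach the backend: the single-userid brute force is cut to one IDaaS call by the unknown-user cache, and the spray across many userids, which the cache cannot help with, is capped by the per-IP limiter. The legitimate login from a different IP is unaffected, which is the property that account-level rate limiting on the IDaaS side would not give you.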
Token Delete Bulk Operation
A new bulk operation to delete tokens has been added.
Administrator Portal Menu Search Improvements
The menu search capability now supports all levels of the Administrator portal menu instead of just the top level menus. The menu search field has been moved to the menu.
IDaaS Logo Change
The IDaaS logo displayed by default on the login page has changed.
Service Provider Tenant Management Improvements
When a service provider configures a tenant for tenant management, there is now an option to select the OIDC key/certificate to be used.
Improved OIDC Error Information
OIDC requests that fail due to configuration issues or due to unsupported requests now return additional information to the client in the error description indicating the cause of the error.
New Integrations
The following integrations have been added.
Fixed or changed in this release
- The Save button in the password change UI should be disabled if the New Password matches the Current Password; submitting such a request resulted in a server error. (10826, 36622)
- User search criteria in the Administrator portal should not display the Organization filter for administrators who do not have permission to view Organizations. (37314)
- Changes to the Geolocation allow list in resource rules were not saved. (37856)
- User Certificate was missing from the User Authenticator Notifications settings. (37159)
- Allow the default OIDC certificate to be deleted if it is not used, and it is not the only OIDC key. (37728)
- Edit the Tenant Management configuration for a tenant from a service provider fails. (37982)
- The User Attributes VIEW permission has been added to the default SCIM Provisioning role. (37596)
- Remove sample values of API keys from IDaaS OpenAPI files. These sample values trigger customer vulnerability scanners. (38107)
- If Face Biometric registration is cancelled during User Registration, it is marked complete. (37747)
- OIDC Server Application should not have the Show Login Redirect URL in My Profile option. (37646)
- Administrator in Helpdesk role was not allowed to remove groups from a user. (37459)
- Japanese version of Reset Password email is missing text. (10566)
- Localized versions of User State Change email contains English text. (33749)
- User created in IDaaS after authentication from an Identity Provider is ignored by SCIM outbound provisioning. (37635, 38082)
- If creation of a user in IDaaS after authentication from an Identity Provider fails, authenticators created for that user are left behind. (37636)
- Delete users bulk operation fails with "Bulk operation already started" error. (37353)
- When entering the name of an Organization, the UI does not validate whether the name is a duplicate. This results in an error being returned from the server. (36439)
- Encoding smart credentials on YubiKey tokens with firmware version 5.7.1 or greater fails. (37412)
- In the Administrator Portal, the list of groups to add to a user were not sorted. (37408)
- When the Directory configuration has a list of SSL certificates, it now indicates which SSL certificate is being used. (37619)
- Unlocking a user fails if the user was locked out due to User Certificate authentication failure. (37153)
- Audits without an Error Description display a value of undefined. (37315)
- Smart credential encoding fails for PKIaaS CAs when the smart credential definition only specifies one digitalId Config. (38121)
- Magiclink fails when case of provided email address differs from user's email address. (38391)
Changes to Identity as a Service APIs
The C# SDK no longer supports .NET 6.0 as of this release.
Authentication API
The following changes have been made to support the Pass-through Authenticator.
The following models have been added:
- PassthroughAuthenticationResponse. This model defines the information returned to the client application from a pass-through authenticator. It consists of a list of PassthroughAuthenticationResultItems; the list of items returned is defined in the Pass-through Authenticator configuration in IDaaS.
- PassthroughAuthenticatorParms. This model defines the information passed from the client application to the pass-through authenticator. It consists of a list of PassthroughAuthenticatorPlaceholder values; the Pass-through Authenticator configuration in IDaaS specifies how these values are mapped into the requests sent to the pass-through authenticator.
The following models have been updated:
- The attribute passthroughAuthenticationResponse has been added to AuthenticatedResponse. This attribute contains the information returned to the client application from a pass-through authenticator.
- The attribute passthroughAuthenticatorParms has been added to UserChallengeParameters and UserAuthenticateParameters. This attribute contains the information passed from the client application for a pass-through authenticator.
The following changes have been made to support the IDaaS JWT OIDC Grant Type.
The following models have been updated:
- The attribute authRequestKey has been added to UserAuthenticateQueryParameters. This attribute is provided by the OIDC/OAuth authorize endpoint when using the IDaaS JWT grant type and is required to use the IDaaS authentication APIs for that grant type.
- The attribute maxAge has been added to UserAuthenticateQueryParameters. If an existing authToken is provided, maxAge indicates whether re-authentication is required: if the specified requestTime (or the current system time if requestTime is not specified) is more than maxAge seconds after the time at which the authToken was issued, re-authentication is required.
- The attribute requestTime has been added to UserAuthenticateQueryParameters. It is compared with the authToken issue time, together with maxAge, to determine whether re-authentication is required. If not specified, the current system time is used.
- The attribute authRequestKey has been added to UserAuthenticateParameters. This attribute is provided by the OIDC/OAuth authorize endpoint when using the IDaaS JWT grant type and is required to use the IDaaS authentication APIs for that grant type.
Administration API
The following models related to authentication flows have been updated:
- An attribute identityProviderIds has been added to AuthenticationFlowParms. This value specifies the identity providers associated with the authentication flow. The attribute oidcIdentityProviderIds has been deprecated.
- An attribute identityProviders has been added to AuthenticationFlow. This value specifies the identity providers associated with the authentication flow. The attribute oidcIdentityProviders has been deprecated.
The following API has been added to manage identity providers:
- GET /api/web/v1/identityproviders (listIdentityProvidersUsingGET): List identity providers.
The following model related to identity providers has been added:
- IdentityProvider: The results returned from the list API.
The following APIs have been added to manage SAML identity providers:
- GET /api/web/v1/identityproviders/saml (listSamlIdentityProvidersUsingGET): List SAML identity providers.
- POST /api/web/v1/identityproviders/saml (createSamlIdentityProviderUsingPOST): Create a SAML identity provider.
- DELETE /api/web/v1/identityproviders/saml/{id} (deleteSamlIdentityProviderUsingDELETE): Delete a SAML identity provider.
- GET /api/web/v1/identityproviders/saml/{id} (getSamlIdentityProviderUsingGET): Get a SAML identity provider.
- PUT /api/web/v1/identityproviders/saml/{id} (updateSamlIdentityProviderUsingPUT): Modify a SAML identity provider.
The following models related to SAML identity providers have been added:
- SamlIdentityProviderParms: The parameters passed to the create and update APIs.
- SamlIdentityProvider: The results returned from the create, get, list, and update APIs.
The following models related to webhooks have been added:
- WebhookParms: The parameters passed when creating or updating a webhook.
- Webhook: The values returned when listing or getting a webhook.
- WebhookEvent: Specifies the event types supported by the webhook. Currently for IDaaS, this will always be user.create.
The following APIs have been added to manage webhooks:
- GET /api/web/v1/webhooks (getWebhooksUsingGET): List all webhooks.
- POST /api/web/v1/webhooks (createWebhookUsingPOST): Create a webhook.
- POST /api/web/v1/webhooks/test/{id} (testWebhookUsingPOST): Test a webhook by trying to deliver a dummy payload.
- GET /api/web/v1/webhooks/{id} (readWebhookUsingGET): Get the specified webhook.
- PUT /api/web/v1/webhooks/{id} (updateWebhookUsingPUT): Update the specified webhook.
- DELETE /api/web/v1/webhooks/{id} (deleteWebhookUsingDELETE): Delete the specified webhook.
The following changes have been made to other models:
- The attribute maximumLength has been added to UserPasswordSettings. It defines the maximum length of the password.
- The attribute attribute has been added to Group and GroupParms. It provides access to the attribute value associated with a group.
Supported TLS Ciphers
IDaaS supports the following TLS ciphers. All of them use X25519 for key agreement. The TLS 1.3 suites are shown in testssl.sh notation; their IANA names are TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, and TLS_CHACHA20_POLY1305_SHA256.
TLSv1.3:
- TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519)
- TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519)
- TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519)
TLSv1.2:
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519)
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519)
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519)
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519)
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519)
Clients should stop using the following TLS 1.2 ciphers. They remain in the supported list above for now, but support for them will be removed in a future release; a client that offers only these two CBC suites will then fail to connect.
TLSv1.2:
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519)
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519)
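A client-side configuration that offers only the suites that stay supported, as an added example using Python's standard library ssl module rather than any product code. The mapping from the IANA names above to OpenSSL's cipher names is standard; the two deprecated CBC suites are listed so the context can be checked against them.

```python
"""Client TLS settings matching the IDaaS cipher list: the GCM and ChaCha20 suites
kept, the two CBC suites that are slated for removal left out.

Added illustration using the standard library ssl module, not product code."""
import ssl
from typing import List

# IANA name (as listed above) -> OpenSSL name, for the TLS 1.2 suites.
SUPPORTED = {
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": "ECDHE-RSA-AES128-GCM-SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": "ECDHE-RSA-AES256-GCM-SHA384",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256": "ECDHE-RSA-CHACHA20-POLY1305",
}
DEPRECATED = {
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256": "ECDHE-RSA-AES128-SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384": "ECDHE-RSA-AES256-SHA384",
}


def idaas_client_context() -> ssl.SSLContext:
    """Default context (certificate and hostname verification on), restricted to
    TLS 1.2 and later and, for TLS 1.2, to the three suites that stay supported.
    TLS 1.3 suites are not governed by set_ciphers and keep OpenSSL's defaults,
    which already match the three TLS 1.3 suites IDaaS lists."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(":".join(SUPPORTED.values()))
    return ctx


def offered_tls12_ciphers(ctx: ssl.SSLContext) -> List[str]:
    """OpenSSL names of the TLS 1.2 suites this context would offer in its ClientHello."""
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.2"]


def offers_deprecated(ctx: ssl.SSLContext) -> bool:
    """True if the context would still offer either CBC suite slated for removal."""
    return any(name in DEPRECATED.values() for name in offered_tls12_ciphers(ctx))
```

Run offers_deprecated against the contexts your integrations actually build (including any created with ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT) and a custom cipher string) before the CBC suites are withdrawn; a context that still offers them will keep working today, so nothing else will flag it.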
Enterprise Service Gateway Deprecation
Entrust will only support the last four releases of the Enterprise Service Gateway (the current version 5.39 and the three previous releases 5.36, 5.37, and 5.38). Entrust recommends that customers always upgrade their Enterprise Service Gateway to the latest release because each release contains security updates to the Enterprise Service Gateway Operating System.
In-place upgrade of the ESG is only supported for versions 5.33 or later. Versions of ESG older than 5.33 are no longer supported. To upgrade versions of ESGs older than 5.33 to the new version, use the following procedure:
- Download the latest Gateway OVA or Hyper-V file from IDaaS and install on a new VM instance.
- Add a new Gateway instance to the existing Gateway in IDaaS.
- Register the new Gateway instance with IDaaS.
- Disable the old Gateway instance.
- Repeat these steps to replace all the Gateway instances that use older versions of the ESG.
Once the upgrade is complete, the Gateway instances corresponding to the old ESGs can be deleted from IDaaS and the VMs for those ESG instances can also be deleted.
Browser Deprecation
Microsoft no longer supports Internet Explorer 11. Identity as a Service ceased support for Internet Explorer 11 after May 2023.