Entrust

Release 5.39

New in this release

Locking and Removal of Production Accounts with Expired Entitlements

Starting in this release, production accounts will be locked when their entitlements expire and removed after 6 months if the entitlement has not been renewed. IDaaS will send notification emails to account owners when entitlements approach the expiry date and then when they expire.

Customers can view the status of their account entitlements by clicking on the Entitlements icon on the Administration Portal Dashboard.

The default Customer Support Agent service provider administrator role has been modified to include permission to modify entitlements. This allows a support agent to address customer entitlement issues if their entitlement has expired.

SMS/Voice Entitlements Are Required

Starting in this release, entitlements are required to use SMS/Voice delivery for OTPs. Previously, accounts without an entitlement were allowed to use SMS/Voice delivery. Email delivery of OTPs does not require an entitlement.

Customers can view the status of their account entitlements by clicking on the Entitlements icon on the Administration Portal Dashboard.

SAML Identity Providers

IDaaS can be configured to support SAML Identity Providers in addition to the currently supported OIDC Identity Providers. The following are included as part of this new feature:

Flexible External Risk Engines

A new external risk engine type has been added to IDaaS. It allows the customer to integrate third-party external risk engines into IDaaS with a no-code solution. IDaaS supports third-party risk engines that accept HTTPS requests and return the risk results as a JSON-formatted response.

Pass-through Authenticator

A new pass-through authenticator type has been added to IDaaS allowing the customer to integrate third-party authenticators into IDaaS with a no-code solution. The pass-through authenticator forwards the authentication requests from IDaaS to a customer-operated authentication service. This feature allows a customer to integrate an application using the IDaaS authentication API with existing authentication services.

Group Attribute Support

An attribute can be defined for IDaaS groups. This attribute can be mapped into SAML assertion attributes and OIDC claims depending on the group membership of the authenticating user.

These new capabilities include support for the Danish OIOSAML Web SSO Profile 3.0 for interoperation with Kombit Context Handler 2. Privilege and constraint information can be defined in the IDaaS group attribute, encoded as defined in OIOSAML, and returned in a SAML assertion to Kombit Context Handler 2.

When defining a SAML attribute, the NameFormat can now be specified. Previously it was left undefined. This is required for OIOSAML but is applicable to any SAML attribute.
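The following is an added example, not code from Entrust or IDaaS. It builds a SAML 2.0 AttributeStatement with and without NameFormat (omitting it is the pre-5.39 behaviour and, per SAML 2.0, means "unspecified") and includes a check a service-provider operator can run on a received assertion to confirm every attribute carries the NameFormat OIOSAML 3.0 calls for (urn:oasis:names:tc:SAML:2.0:attrname-format:uri). The attribute names follow OIOSAML 3.0 naming; the base64-encoded privilege fragment standing in for the group attribute content is a constructed placeholder, not a conforming OIOSAML privilege document.

```python
import base64
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("saml", SAML_NS)

# SAML 2.0 attribute name formats. When NameFormat is absent the
# specification treats it as "unspecified"; OIOSAML 3.0 calls for "uri".
NAMEFORMAT_URI = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
NAMEFORMAT_BASIC = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"


def build_attribute_statement(attributes, name_format=None):
    """Serialise a <saml:AttributeStatement>.

    attributes: list of (name, [values]).
    name_format: NameFormat set on every <saml:Attribute>; None omits it,
    which is the pre-5.39 behaviour described in the release notes.
    """
    stmt = ET.Element(f"{{{SAML_NS}}}AttributeStatement")
    for name, values in attributes:
        attr = ET.SubElement(stmt, f"{{{SAML_NS}}}Attribute", Name=name)
        if name_format is not None:
            attr.set("NameFormat", name_format)
        for value in values:
            ET.SubElement(attr, f"{{{SAML_NS}}}AttributeValue").text = value
    return ET.tostring(stmt, encoding="unicode")


def encode_group_attribute(xml_fragment: str) -> str:
    """Base64-encode an XML fragment, the way OIOSAML carries privilege data
    inside an attribute value (the fragment itself is a constructed example)."""
    return base64.b64encode(xml_fragment.encode("utf-8")).decode("ascii")


def check_name_formats(statement_xml, required=NAMEFORMAT_URI):
    """Return a list of problems, one per <saml:Attribute> whose NameFormat is
    missing or differs from `required`. An empty list means the check passed."""
    root = ET.fromstring(statement_xml)
    problems = []
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        name = attr.get("Name")
        fmt = attr.get("NameFormat")
        if fmt is None:
            problems.append(f"{name}: NameFormat missing (defaults to unspecified)")
        elif fmt != required:
            problems.append(f"{name}: NameFormat is {fmt}, expected {required}")
    return problems


# Constructed sample data: the OIOSAML specVersion attribute plus a group
# attribute carrying a placeholder privilege fragment.
SAMPLE_PRIVILEGES = encode_group_attribute(
    "<Privileges><Privilege>urn:example:privilege:read</Privilege></Privileges>"
)
SAMPLE_ATTRIBUTES = [
    ("https://data.gov.dk/model/core/specVersion", ["OIO-SAML-3.0"]),
    ("https://data.gov.dk/model/core/eid/privilegesIntermediate", [SAMPLE_PRIVILEGES]),
]


if __name__ == "__main__":
    for fmt in (None, NAMEFORMAT_BASIC, NAMEFORMAT_URI):
        xml = build_attribute_statement(SAMPLE_ATTRIBUTES, fmt)
        print(fmt, "->", check_name_formats(xml) or "OK")
```

Running the block prints two failing statements (no NameFormat, and basic) and one passing one (uri). The same check_name_formats call can be pointed at the AttributeStatement of a real assertion captured at the service provider to confirm the 5.39 configuration took effect.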

Maximum Password Length Policy

A new maximum password length policy has been added to Password settings. When set, this policy enforces the maximum length of the user's password when a new password is set. By default, IDaaS does not enforce a maximum password length.

A customer may want to enforce a maximum password length if they have clients that cannot accept longer passwords. Set the limit no lower than those clients require, since a low maximum reduces the strength of the passphrases users can choose.

Outbound SCIM Provisioning Enhancements

Previously, IDaaS outbound SCIM provisioning only supported OAuth to authenticate to the service to which users were provisioned. Now, IDaaS also supports authentication using API keys.

Improved User/Audit Searching for Large Customers

For large customers, the list/search operations in the Administration portal have been redesigned to avoid the timeouts that could occur, particularly when complicated search criteria are specified. The user experience of the administrator using the Administrator portal is unchanged.

Webhooks for User Creation

IDaaS now supports webhooks: IDaaS sends an HTTP notification to an external service when an event happens. In this release, webhooks are supported for user create events.
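The following is an added example of the receiving side of a user-create webhook; it is not Entrust code and the release notes do not describe the payload IDaaS sends or how it is authenticated. The header names (X-Webhook-Signature, X-Webhook-Timestamp), the HMAC-SHA256 scheme, the 300-second replay window and the event JSON are all assumptions made for illustration. What it shows is the order a receiver should follow regardless of the vendor: authenticate the raw body with a constant-time comparison and reject stale timestamps before parsing any JSON or acting on it.

```python
import hashlib
import hmac
import json
import time

# Hypothetical header names and signing scheme for illustration only; the
# format IDaaS actually sends is not described in these release notes.
SIG_HEADER = "X-Webhook-Signature"
TS_HEADER = "X-Webhook-Timestamp"
MAX_SKEW_SECONDS = 300


def compute_signature(secret: bytes, timestamp: str, body: bytes) -> str:
    """HMAC-SHA256 over "<timestamp>.<raw body>". Binding the timestamp into
    the MAC means a captured request cannot be replayed later with a fresh one."""
    msg = timestamp.encode("ascii") + b"." + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, headers: dict, body: bytes, now=None):
    """Return (ok, reason). Runs before the body is parsed at all."""
    now = time.time() if now is None else now
    ts = headers.get(TS_HEADER)
    sig = headers.get(SIG_HEADER)
    if ts is None or sig is None:
        return False, "missing signature headers"
    if not ts.isdigit():
        return False, "malformed timestamp"
    if abs(now - int(ts)) > MAX_SKEW_SECONDS:
        return False, "timestamp outside replay window"
    if not hmac.compare_digest(compute_signature(secret, ts, body), sig):
        return False, "signature mismatch"
    return True, "ok"


def handle_user_created(secret: bytes, headers: dict, body: bytes, now=None) -> dict:
    """Minimal receiver: authenticate first, then act only on user-create events.
    The returned dict stands in for the HTTP response."""
    ok, reason = verify_webhook(secret, headers, body, now)
    if not ok:
        return {"status": 401, "reason": reason}
    event = json.loads(body)   # untrusted JSON is parsed only after the MAC checks out
    if event.get("event") != "user.create":
        return {"status": 204, "reason": "event type not handled"}
    user = event.get("user") or {}
    # Downstream work would go here (ticket, provisioning queue, SIEM record).
    return {"status": 200, "userId": user.get("id"), "userName": user.get("userName")}


def sign_request(secret: bytes, body: bytes, now: float) -> dict:
    """Build the headers a sender using this hypothetical scheme would attach."""
    ts = str(int(now))
    return {TS_HEADER: ts, SIG_HEADER: compute_signature(secret, ts, body)}


# Constructed sample event; the field names are illustrative, not IDaaS's schema.
SAMPLE_SECRET = b"rotate-me-32-bytes-of-shared-secret"
SAMPLE_BODY = json.dumps(
    {"event": "user.create",
     "user": {"id": "8f1c2e4a-0000-4000-8000-000000000001", "userName": "jdoe"}},
    separators=(",", ":"),
).encode("utf-8")

if __name__ == "__main__":
    now = 1_700_000_000
    headers = sign_request(SAMPLE_SECRET, SAMPLE_BODY, now)
    print(handle_user_created(SAMPLE_SECRET, headers, SAMPLE_BODY, now))
    print(handle_user_created(SAMPLE_SECRET, headers, SAMPLE_BODY.replace(b"jdoe", b"evil"), now))
```

Whatever mechanism IDaaS actually provides, the receiver should still be reachable only over TLS, treat the shared secret as a rotatable credential, and verify over the exact bytes received rather than a re-serialised copy of the JSON, since re-serialisation changes whitespace and key order and breaks the MAC.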

IDaaS JWT OIDC Grant Type

A new IDaaS JWT grant type has been added to OIDC and OAuth applications. This grant type allows a customer application to use the IDaaS authentication API to authenticate a user. When using this grant type, the client application does the following:

This new grant type provides the following capabilities not available with standard OIDC:

RADIUS Agent Caching

Recently some IDaaS customers have experienced attacks on their VPN servers in which bad actors perform large numbers of authentication attempts with the same userid and different passwords, trying to find a valid userid and password combination. The error returned from IDaaS does not indicate whether the user does not exist or the password was invalid, so these attacks generate large numbers of IDaaS requests that all fail with unknown-user errors.

For customers whose VPN server or network infrastructure does not provide capabilities to filter out these kinds of requests before they reach the IDaaS RADIUS agent and then IDaaS, the IDaaS RADIUS agent now provides the following caches to block this traffic before it reaches IDaaS:

For customers that allow this traffic to reach IDaaS, Entrust may be forced to rate limit the authentication traffic for that account. This rate limiting would block both valid and invalid authentication requests.

Customers will need to upgrade to the 5.39 version of the Enterprise Service Gateway to have these features available.
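The following is an added example illustrating the kind of front-end caching described above; it is not the Enterprise Service Gateway's implementation, and the cache names, sizes and timeouts are assumptions. It assumes the agent-side component can see the backend's distinct result (unknown user versus bad password) while the RADIUS client still receives only accept or reject, so caching does not change what an attacker can learn. Two caches are modelled: a negative cache that rejects a userid the backend has already reported as non-existent until a TTL expires, and a sliding-window failure cache that rejects a userid after too many bad passwords. The user store and the password spray are constructed.

```python
import time
from collections import deque

# Backend result codes; the RADIUS client itself only ever sees Access-Accept
# or Access-Reject, so the caches do not change what an attacker can learn.
OK = "ok"
UNKNOWN_USER = "unknown_user"
BAD_PASSWORD = "bad_password"


class RadiusFrontCache:
    """Two caches in front of the authentication backend (illustrative; not the
    Enterprise Service Gateway's own implementation):

    * unknown-user cache: a userid the backend reported as non-existent is
      rejected locally until the entry expires (unknown_user_ttl seconds);
    * failure cache: a userid with max_failures bad passwords inside
      failure_window seconds is rejected locally until the window slides on.
    """

    def __init__(self, unknown_user_ttl=600, max_failures=5, failure_window=60,
                 clock=time.monotonic):
        self.unknown_user_ttl = unknown_user_ttl
        self.max_failures = max_failures
        self.failure_window = failure_window
        self.clock = clock                 # injectable for deterministic tests
        self._unknown = {}                 # userid -> expiry timestamp
        self._failures = {}                # userid -> deque of failure timestamps
        self.backend_calls = 0             # requests that reached the backend
        self.blocked = 0                   # requests answered from the caches

    def _recent_failures(self, userid):
        """Drop failure timestamps outside the sliding window, return the rest."""
        q = self._failures.setdefault(userid, deque())
        cutoff = self.clock() - self.failure_window
        while q and q[0] < cutoff:
            q.popleft()
        return q

    def _is_blocked(self, userid):
        now = self.clock()
        expiry = self._unknown.get(userid)
        if expiry is not None:
            if expiry > now:
                return True
            del self._unknown[userid]      # TTL passed: let the next request through
        return len(self._recent_failures(userid)) >= self.max_failures

    def authenticate(self, userid, password, backend):
        """Return True only when the backend accepts the credentials.

        backend(userid, password) must return OK, UNKNOWN_USER or BAD_PASSWORD.
        """
        if self._is_blocked(userid):
            self.blocked += 1
            return False
        self.backend_calls += 1
        result = backend(userid, password)
        now = self.clock()
        if result == OK:
            self._failures.pop(userid, None)   # success clears the failure history
            return True
        if result == UNKNOWN_USER:
            self._unknown[userid] = now + self.unknown_user_ttl
        else:
            self._recent_failures(userid).append(now)
        return False


def demo_backend(userid, password):
    """Constructed user store standing in for IDaaS."""
    users = {"alice": "correct horse battery staple"}
    if userid not in users:
        return UNKNOWN_USER
    return OK if users[userid] == password else BAD_PASSWORD


if __name__ == "__main__":
    cache = RadiusFrontCache()
    for i in range(1000):                  # password spray against a userid that does not exist
        cache.authenticate("vpnadmin", f"guess{i}", demo_backend)
    print("backend calls:", cache.backend_calls, "blocked locally:", cache.blocked)
    print("alice:", cache.authenticate("alice", "correct horse battery staple", demo_backend))
```

Of the thousand spray attempts only the first reaches the backend; the rest are rejected locally and a legitimate user is unaffected. Two caveats apply to any cache of this kind: the failure cache lets an attacker who knows a valid userid lock that user out locally for the length of the window, so keep the window short, and the caches are per agent instance, so several agents behind a load balancer each let the first probe through.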

Token Delete Bulk Operation

A new bulk operation to delete tokens has been added.

Administrator Portal Menu Search Improvements

The menu search capability now supports all levels of the Administrator portal menu instead of just the top level menus. The menu search field has been moved to the menu.

IDaaS Logo Change

The IDaaS logo displayed by default on the login page has changed.

Service Provider Tenant Management Improvements

When a service provider configures a tenant for tenant management, there is now an option to select the OIDC key/certificate to be used.

Improved OIDC Error Information

OIDC requests that fail due to configuration issues or due to unsupported requests now return additional information to the client in the error description indicating the cause of the error.

New Integrations

The following integrations have been added.

Fixed or changed in this release

  1. The Save button should be disabled in the password change UI if the New Password matches the Current Password. Submitting such a request results in a server error, as expected. (10826, 36622)
  2. User search criteria in the Administrator portal should not display the Organization filter for administrators who do not have permission to view Organizations. (37314)
  3. Changes to the Geolocation allow list in resource rules were not saved. (37856)
  4. User Certificate was missing from the User Authenticator Notifications settings. (37159)
  5. Allow the default OIDC certificate to be deleted if it is not used, and it is not the only OIDC key. (37728)
  6. Edit the Tenant Management configuration for a tenant from a service provider fails. (37982)
  7. The User Attributes VIEW permission has been added to the default SCIM Provisioning role. (37596)
  8. Remove sample values of API keys from IDaaS OpenAPI files. These sample values trigger customer vulnerability scanners. (38107)
  9. If Face Biometric registration is cancelled during User Registration, it is marked complete. (37747)
  10. OIDC Server Application should not have the Show Login Redirect URL in My Profile option. (37646)
  11. Administrator in Helpdesk role was not allowed to remove groups from a user. (37459)
  12. Japanese version of Reset Password email is missing text. (10566)
  13. Localized versions of the User State Change email contain English text. (33749)
  14. User created in IDaaS after authentication from an Identity Provider is ignored by SCIM outbound provisioning. (37635, 38082)
  15. If creation of a user in IDaaS after authentication from an Identity Provider fails, authenticators created for that user are left behind. (37636)
  16. Delete users bulk operation fails with "Bulk operation already started" error. (37353)
  17. When entering the name of an Organization, the UI does not validate whether the name is a duplicate. This results in an error being returned from the server. (36439)
  18. Encoding smart credentials on YubiKey tokens with firmware version 5.7.1 or greater fails. (37412)
  19. In the Administrator Portal, the list of groups to add to a user was not sorted. (37408)
  20. When the Directory configuration has a list of SSL certificates, it now indicates which SSL certificate is being used. (37619)
  21. Unlocking a user fails if the user was locked out due to User Certificate authentication failure. (37153)
  22. Audits without an Error Description display a value of undefined. (37315)
  23. Smart credential encoding fails for PKIaaS CAs when the smart credential definition only specifies one digitalId Config. (38121)
  24. Magic link authentication fails when the case of the provided email address differs from the case of the user's email address. (38391)

Changes to Identity as a Service APIs

The CSharp SDK dropped support for .NET 6.0 in this release.

Authentication API

The following changes have been made to support the Pass-through Authenticator.

The following models have been added:

The following models have been updated:

The following changes have been made to support the IDaaS JWT OIDC Grant Type.

The following models have been updated:

Administration API

The following models related to authentication flows have been updated:

The following APIs have been added to manage identity providers:

The following models related to identity providers have been added:

The following APIs have been added to manage SAML identity providers:

The following models related to SAML identity providers have been added:

The following models related to webhooks have been added:

The following APIs have been added to manage Webhooks:

The following change has been made to other models:

Supported TLS Ciphers

IDaaS supports the following TLS Ciphers.

TLSv1.3:

TLSv1.2:

Clients should stop using the following TLS Ciphers. Support for them will be removed in a future release.

TLSv1.2:

Enterprise Service Gateway Deprecation

Entrust will only support the last four releases of the Enterprise Service Gateway (the current version 5.39 and the three previous releases 5.36, 5.37, and 5.38). Entrust recommends that customers always upgrade their Enterprise Service Gateway to the latest release because each release contains security updates to the Enterprise Service Gateway Operating System.

In-place upgrade of the ESG is only supported for versions 5.33 or later. Versions of ESG older than 5.33 are no longer supported. To upgrade versions of ESGs older than 5.33 to the new version, use the following procedure:

  1. Download the latest Gateway OVA or Hyper-V file from IDaaS and install on a new VM instance.
  2. Add a new Gateway instance to the existing Gateway in IDaaS.
  3. Register the new Gateway instance with IDaaS.
  4. Disable the old Gateway instance.
  5. Repeat these steps to replace all the Gateway instances that use older versions of the ESG.

Once the upgrade is complete, the Gateway instances corresponding to the old ESGs can be deleted from IDaaS and the VMs for those ESG instances can also be deleted.

Browser Deprecation

Microsoft no longer supports Internet Explorer 11. Identity as a Service ceased support for Internet Explorer 11 after May 2023.