Release 5.40

April 2025

New in this release

Device Verified Entrust Soft Token Activation

Entrust Soft Token now supports device verification during activation. When enabled, the user's device must have a device certificate issued from a trusted Certificate Authority. This feature ensures token activation occurs only on authorized devices.

Application Verified Entrust Soft Token Activation

Entrust Soft Token now supports application verification during activation. When enabled, an attestation from Apple or Google is provided that validates the mobile application performing the activation. This feature ensures token activation occurs only from trusted mobile applications.

Disallow Previously Compromised Passwords

When setting a new password, IDaaS now blocks previously compromised passwords reported by HaveIBeenPwned. This addresses a NIST recommendation for password security documented in SP 800-63B.

IDaaS provides an option in the password settings to "Allow Compromised Passwords" but Entrust recommends that customers do not use this option unless necessary. As an example, customers who have very short passwords or passwords consisting of just digits may find all possible password values are compromised.

Previously compromised passwords are disallowed by default for existing customers. This means existing end users may encounter this new behavior after IDaaS 5.40 is deployed.

OTP Delivery using WhatsApp and WeChat

IDaaS now supports OTP delivery using WhatsApp and WeChat. Customers that want to use these capabilities must provide their own WhatsApp or WeChat business account.

Token Challenge/Response Authenticator

A new Token Challenge/Response authenticator has been added to IDaaS. In Token Challenge/Response authentication, IDaaS generates a challenge that is provided to the end user. The user enters the challenge into the token, and then the token uses the challenge to generate the OTP.

Only users who have been assigned hardware tokens that support Token Challenge/Response (like Entrust CR300 tokens) will have access to the Token Challenge/Response authenticator.

Token Challenge/Response authentication is supported by all IDaaS authentication applications, including the User portal, SAML applications, OIDC and OAuth applications, RADIUS applications, and Auth API applications. For RADIUS applications, the customer must update to the 5.40 Enterprise Service Gateway. For Auth API applications, the client application must be updated to support TOKENCR.

Override Certificate Lifetime for PKIaaS

When configuring smart credential digital IDs when using a PKIaaS CA, the customer can now configure the certificate lifetime in IDaaS if they want to override the lifetime configured by their CA.

Improvements for Desktop Credential Provider Offline Token

IDaaS provides the ability for the Entrust Desktop Credential Provider to download future token responses that can be used by DCP to allow offline login. This feature has been enhanced to support download of offline token responses when token authentication was not required by the resource rule. For example, if the resource rule requires password-only for low risk and password+token for high risk, offline token responses can now be downloaded in the low risk scenario.

This feature needs the upcoming release of Entrust Desktop Credential Provider before it can be used.

Mobile OIDC Developer Guide

A new document Integrating IDaaS OIDC with a mobile app using AppAuth has been added to the IDaaS Developer Portal. This document describes how OIDC authentication using IDaaS can be added to a customer's mobile application.

Increase size of IP List

An IP List can now include up to 2000 IP addresses. Previously the limit was 500.

New Passkey/FIDO2 Algorithms

IDaaS PassKey/FIDO2 now supports the Ed25519 & RS256 algorithms. These algorithms are used by Windows Hello and some newer hardware.

Certificate Expiry Notification Improvements

The Certificate Expiry Notification email now includes more instructions including a link to the documentation describing how to update the certificates.

RADIUS Unknown User Cache Audit Changes

The audits generated by the RADIUS Unknown User Cache (introduced in 5.39) have been changed. Previously, an audit was generated for each unknown user that tried to authenticate in a given period of time. Now a single audit including a count of the number of unknown users who tried to authenticate in that period of time is generated instead.

Entrust Identity Security Whitepaper Updates

The Entrust Identity Security Whitepaper has been updated. This document can be accessed from the IDaaS Admin Portal Documentation Menu at Whitepapers > Identity as a Service Platform Security.

Fixed or changed in this release

1. Bulk import of unassigned grids failed. (35516, 37401)
2. Gateway status in Dashboard shows warning instead of error icon when the SSL certificate has expired. (37669)
3. User portal session timeout dialog shows negative timeout after session has expired. (34100, 38392)
4. RADIUS Push authentication fallback to grid not working. (37233)
5. Audit for change to FIDO Settings fidoRelyingPartyAllowlist showing wrong value when subdomainsAllowed is not checked. (37101)
6. User Portal Authenticators List Filter for Types should not include authenticators not allowed in User Portal policy. (37561)
7. User created by Azure synchronization is not getting provisioned by SCIM. (37769)
8. Clicking on the QR Code in the Google Authenticator activation email will now launch the Google Authenticator app on mobile. (37386)
9. Email value format is not validated in the UI if the email attribute is optional. (29804)
10. For SAML IDP authentication, the redirect message is not translated. (39359)
11. The Passkey/FIDO2 category in the Group Policy categories list is not sorted correctly. (34800)
12. Certificate validation added to the Directory SSL Certificate import rejects certificates with RSA-1024 and EC2 keys. These keys are now allowed. (38755)
13. During SAML authentication, if a user gets locked they are redirected to the IDaaS login page instead of back to the SAML service provider. (38285)
14. User certificate authentication failing on Mac Safari. (38761)
15. Test for external risk engine now returns error http_connector_execution_failed if it is unable to connect to the external risk service. Previously a general error was returned. (37965, 38495)
16. Password reset performed from Entrust Identity mobile app fails for passwords synchronized by AD Connector. (38081)

Changes to Identity as a Service APIs

Authentication API

The following changes have been made to support TOKENCR authentication.

• The value TOKENCR has been added to the list of available authenticators. This value can be passed as an argument to userChallengeUsingPOST and userAuthenticateUsingPOST indicating which authentication type to use. It can be returned in the attributes authenticationTypes and availableSecondFactor in UserAuthenticateQueryResponse returned from userAuthenticatorQueryUsingPOST indicating which authentication types are available. The resource rules of authentication API applications that don't support TOKENCR authentication should not be configured to include TOKENCR.
• The attribute challenge has been added to the model TokenChallenge. For TOKENCR authentication, this attribute includes the challenge to be entered into the token.

The following changes have been made to support OTP delivery using WeChat or WhatsApp.

• The values WECHAT and WHATSAPP have been added to the attribute otpdeliveryType in the model AuthenticatedResponse.
• The values WECHAT and WHATSAPP have been added to the attribute type in the model OTPContactValue.
• The values WECHAT and WHATSAPP have been added to the attributes otpDefaultDelivery and availableOTPDelivery in the model OTPDetails.
• The values WECHAT and WHATSAPP have been added to the attribute otpDefaultDelivery in the model UserAuthenticateQueryResponse.

These attributes specify when WeChat/WhatsApp are available to be used to deliver OTPs and to request that they be used to delivery OTPs.

The following changes have been made to support download of offline token responses.

• New method POST /api/web/v1/self/tokens/offline (getOfflineTokenResponsesUsingPOST) - Given the auth token returned from a previous authentication request for an application that allows offline token download, download offline token responses for the specified token.
• New model GetOfflineTokenAuthenticateParms - contains the parameters passed to the method getOfflineTokenResponsesUsingPOST.

Administration API

The following changes have been made to support managing FIDO Settings.

• The method GET /api/web/v1/settings/fido (getFIDOSettingsUsingGET) has been added. This method gets the requested FIDO Settings.
• The method PUT /api/web/v1/settings/fido (updateFIDOSettingsUsingPUT) has been added. This method updates the specified FIDO Settings.
• New model FIDOAuthenticatorSettings. This model contains the values returned from the method getFIDOSettingsUsingGET.
• New model FIDOAuthenticatorSettingsParms. This model contains the parameters passed to the method updateFIDOSettingsUsingPUT.
• New model FIDOAllowedRpid. This model defines one of the attributes included in FIDOAuthenticatorSettings and FIDOAuthenticatorSettingsParms.

The following changes have been made related to Device Verification.

• The attribute requireDeviceVerificationOnActivation has been added to EntrustSTAuthenticatorSettings. This setting indicates whether device verification must be performed when an Entrust Soft Token is activated.
• The attribute deviceVerified has been added to Token. This setting indicates if the token was device verified during activation.

The following changes have been made related to Application Verification.

• The attribute appVerificationRequired has been added to EntrustSTAuthenticatorSettings. This setting indicates whether application verification must be performed when an Entrust Soft Token is activated.
• The attribute appVerificationIOSBundleId and appVerificationIOSTeamId have been added to EntrustSTAuthenticatorSettings. These settings identify the trusted Apple mobile application.
• The attribute appVerificationAndroidPackageName has been added to EntrustSTAuthenticatorSettings. This setting identifies the trusted Android mobile application.
• The attribute appVerified has been added to Token. This setting indicates if the token was application verified during activation.

The following changes have been made related to the Smart credential certificate lifetime feature.

• The attribute lifetime has been added to DigitalIdConfigCertTemplate. This setting indicates the lifetime (in months) to use when requesting certificates from the CA if the default lifetime is not used.
• The attribute useCaDefaultCertLifetime has been added to DigitalIdConfigCertTemplate. This setting indicates if the CA default certificate lifetime should be used.

The following changes have been made related to Face Biometric authenticators.

• The method POST /api/web/v1/users/{userid}/face (createFaceUsingPOST) has been deprecated.
• The method POST /api/web/v2/users/{userid}/face (createFaceAuthenticatorUsingPOST) has been added. This method is used to create a new Face Biometric authenticator and replaces createFaceUsingPOST.
• New model FaceCreateResponse. This model contains the response from createFaceAuthenticatorUsingPOST.
• The attribute returnQRCode has been added to FaceCreateParms. This setting indicates if a QR code used to launch Face Biometric authenticator registration should be returned.

The following changes have been made related to TOKENCR authentications.

• The value TOKENCR has been added to the attributes idpLoginSecondStep and userLoginSecondStep in the models AuthenticationFlow and AuthenticationFlowParms. These attributes specify when the authenticator TOKENCR is allowed in an authentication flow.
• The value TOKENCR has been added to the attributes highRiskSecondStep, mediumRiskSecondStep, and lowRiskSecondStep in the models ResourceRule and ResourceRuleParms.
• The value TOKENCR has been added to the attribute authenticators in the model PasswordResetSettings. This model lists authenticators that can be used for password reset.
• The value TOKENCR has been added to the attribute lockedAuthenticatorTypes in the model User. This attribute lists locked out authenticators for a User.
• The value TOKENCR has been added to the attribute type in the model UserAuthenticatorLockoutStatus. This model provides details about authenticator lockout status for a User.

The following changes have been made related to supporting WeChat/WhatsApp for OTP delivery.

• The values WECHAT and WHATSAPP have been added to the attribute otpDefaultDelivery in the model OTPAuthenticatorSettings. This attribute specifies the default OTP delivery type.
• The attributes otpWechatDefaultDeliveryAttribute and otpWhatsappDefaultDeliveryAttribute have been added to the model OTPAuthenticatorSettings. These attributes specify the user attribute to use by default for OTP delivery using WeChat or WhatsApp.
• The values WECHAT and WHATSAPP have been added to the attribute otpDeliveryType in the model OTPCreateParms. This attribute specifies how an OTP is delivered when an OTP is created if delivery is enabled.
• The values WECHAT and WHATSAPP have been added to the attribute name in the model OTPDeliveryMethod. This model is used to define the allowed delivery methods in OTPAuthenticatorSettings.
• The values OTP_WECHAT and OTP_WHATSAPP have been added to the attribute type in the model OTPVerificationChallengeValue. This model is passed as an argument to the method contactVerificationChallengeUsingPOST to validate the value for a user contact attribute.
• The values OTP_WECHAT and OTP_WHATSAPP have been added to the attribute type in the models UserAttribute, UserAttributeParms, and UserExtraAttribute. These values specify the type of user attribute used to store a WeChat or WhatsApp contact value.

Supported TLS Ciphers

IDaaS supports the following TLS Ciphers.

TLSv1.3:

• TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519)
• TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519)
• TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519)

TSv1.2:

• TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519)
• TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519)
• TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519)
• TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519)
• TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519)

Clients should stop using the following TLS Ciphers. Support for them will be removed in a future release.

TLSv1.2:

• TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519)
• TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519)

Enterprise Service Gateway Deprecation

Entrust will only support the last four releases of the Enterprise Service Gateway (the current version 5.40 and the three previous releases 5.37, 5.38, and 5.39). Entrust recommends that customers always upgrade their Enterprise Service Gateway to the latest release because each release contains security updates to the Enterprise Service Gateway Operating System.

In-place upgrade of the ESG is only supported for versions 5.33 or later. Versions of ESG older than 5.33 are no longer supported. To upgrade versions of ESGs older than 5.33 to the new version, use the following procedure:

1. Download the latest Gateway OVA or Hyper-V file from IDaaS and install on a new VM instance.
2. Add a new Gateway instance to the existing Gateway in IDaaS.
3. Register the new Gateway instance with IDaaS.
4. Disable the old Gateway instance.
5. Repeat these steps to replace all the Gateway instances that use older versions of the ESG.

Once the upgrade is complete, the Gateway instances corresponding to the old ESGs can be deleted from IDaaS and the VMs for those ESG instances can also be deleted.

Browser Deprecation

Microsoft no longer supports Internet Explorer 11. Identity as a Service ceased support for Internet Explorer 11 after May 2023.