Release 5.41
New in this release
Verifiable Credentials
This release of IDaaS includes preliminary support for the issuance and presentation (or verification) of verifiable credentials. IDaaS supports verifiable credentials using the W3C VC format. IDaaS also supports OpenID for Verifiable Credential Issuance (OID4VCI) and OpenID for Verifiable Presentations (OID4VP) for integrating VC issuance and presentation with wallets. IDaaS supports the following standards:
- W3C Verifiable Credential Data Model v1.1 - https://www.w3.org/TR/vc-data-model/
- OpenID for Verifiable Credential Issuance - draft 15 - https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0-15.html
- OpenID for Verifiable Presentations - draft 28 - https://openid.net/specs/openid-4-verifiable-presentations-1_0-28.html
Face Biometric Registration Improvements
When registering a Face Biometric authenticator, the IDaaS user's first and last name are provided to the Onfido registration workflow to compare the user's name in IDaaS to the user's name as it appears on their government ID. Previously, the user's default firstName and lastName attributes were used. The IDaaS user attributes used to provide first name and last name values can now be configured in the Face Biometric policy. This feature allows IDaaS to store both a user's legal name and their preferred name. When configured, the user's preferred name is used in most cases and the user's legal name is used for Face Biometric registration.
Certificate Expiry Notification Email Improvements
The certificate expiry notification email now includes the hostname of the IDaaS account. This provides useful information for administrators who are managing multiple IDaaS accounts.
Portal UI Error Reporting
Errors that cause the IDaaS Portal and Authentication UI to crash are now logged to the IDaaS service to facilitate debugging.
Fixed or changed in this release
- Audits for failed device verification are missing. (39166)
- Allow Enterprise Service Gateway and Microsoft CA proxy to be downloaded from accounts with a vanity URL. (37855)
- Token activation with Identity Verification option should include the Face Biometric serial number in its audit. (38779)
- The Identity as a Service Integration ForgeRock application has been removed from the list of applications that can be created. The integration was no longer supported by ForgeRock. The ForgeRock OIDC application template is still available. (38633)
- For Service Provider accounts, the default Customer Support Agent role now includes the Edit Tenants permission. This allows support agents to unlock tenants. (38472)
- Editing the Message of the Day in the Administration portal generates a stack trace in the browser console. (38903)
- Editing the User Verification Message in the Administration portal generates a stack trace in the browser console. (38757)
- On the Group List page of the Administration portal, selecting the checkbox for all groups no longer selects the "All Users" group. The "All Users" group is a virtual group to which actions such as deleting groups do not apply. (38804)
- When activating an Entrust Soft Token, do not display the Identity Verified option if it is not available. (38777)
- Authenticate API user query can fail if the user password last changed time is not set. (39181)
- Updating a user from any page other than the first page of the list results in a page not found error. (38454)
- For OTP voice delivery, English was used for the Thai and Turkish locales. (38874)
- Push notifications not sent for an Entrust Soft Token activated offline. (39218)
- Activation of a Face Biometric on the Entrust Identity application is not working if registration started from the mobile web browser. An activation QR code was displayed instead of an activation link. (37756)
- The error message displayed when a compromised password is used has been changed to "This password has been found in a compromised password list from a 3rd-party website. To ensure security, its use is restricted." (39147)
- A password cannot be assigned to a user if they do not have an email address. Now the option to send the new password by email is disabled. (38483)
- Broken hyperlinks in the documentation have been fixed. (38482)
- Fix errors in the Administration Guide "Integrate Microsoft Entra ID with Identity as a Service" section. (38913)
- For accounts that do not have WeChat/WhatsApp OTP delivery enabled, some WeChat/WhatsApp options are visible, including in the Administration portal menu search. (38810)
- Improve audits when WhatsApp credentials are updated. (38837)
- User certificate authentication was only shown for users that had smart credentials supporting push authentication. This did not include users who have YubiKey smart credentials. (38750)
Changes to Identity as a Service APIs
Authentication API
There are no changes in the Authentication API in this release.
Administration API
There are no changes in the Administration API in this release.
Supported TLS Ciphers
IDaaS supports the following TLS Ciphers:
TLSv1.3:
- TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519)
- TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519)
- TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519)
TLSv1.2:
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519)
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519)
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519)
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519)
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519)
Clients should stop using the following TLS Ciphers. Support for them will be removed in a future release.
TLSv1.2:
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519)
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519)
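As an added example (not from the release notes or from Entrust), the following Python shows how a client team might pin its TLSv1.2 cipher list to the non-deprecated suites listed above and audit connection logs for the CBC suites scheduled for removal. The OpenSSL cipher-string names used for the TLSv1.2 suites and the log line format are assumptions; the sample log lines are constructed.

```python
"""Audit TLS cipher suite use against the IDaaS 5.41 support list.

Added example, not part of the Entrust release notes. The suite names come
from the notes; the OpenSSL aliases, the log format and the log lines are
assumptions constructed for illustration.
"""
import re
import ssl

# TLSv1.3 suites as printed in the release notes ("TLS_AKE_WITH_" notation).
_TLS13_NOTES = [
    "TLS_AKE_WITH_AES_128_GCM_SHA256",
    "TLS_AKE_WITH_AES_256_GCM_SHA384",
    "TLS_AKE_WITH_CHACHA20_POLY1305_SHA256",
]
# TLSv1.2 suites the notes list as supported in 5.41.
SUPPORTED_TLS12 = {
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
}
# TLSv1.2 suites the notes say will be removed in a future release.
DEPRECATED_TLS12 = {
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
}


def iana_name(suite: str) -> str:
    """Map the notes' TLSv1.3 notation to the IANA registry name.

    The IANA registry (and OpenSSL) call the TLSv1.3 suites
    TLS_AES_128_GCM_SHA256 etc., without an "AKE_WITH" infix.
    """
    return suite.replace("TLS_AKE_WITH_", "TLS_")


SUPPORTED_TLS13 = {iana_name(s) for s in _TLS13_NOTES}

# OpenSSL cipher-string names for the TLSv1.2 suites. Assumed mapping:
# confirm with `openssl ciphers -V` on the client host before relying on it.
OPENSSL_NAME = {
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": "ECDHE-RSA-AES128-GCM-SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": "ECDHE-RSA-AES256-GCM-SHA384",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256": "ECDHE-RSA-CHACHA20-POLY1305",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384": "ECDHE-RSA-AES256-SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256": "ECDHE-RSA-AES128-SHA256",
}
_IANA_FROM_OPENSSL = {v: k for k, v in OPENSSL_NAME.items()}


def classify(suite: str) -> str:
    """Return 'deprecated', 'supported' or 'unsupported' for a suite name."""
    suite = iana_name(suite)
    if suite in DEPRECATED_TLS12:
        return "deprecated"
    if suite in SUPPORTED_TLS12 or suite in SUPPORTED_TLS13:
        return "supported"
    return "unsupported"


def client_context() -> ssl.SSLContext:
    """Client context offering only the non-deprecated TLSv1.2 suites.

    TLSv1.3 suites are negotiated separately by OpenSSL and are unaffected
    by set_ciphers(); all three listed TLSv1.3 suites remain available.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    keep = sorted(SUPPORTED_TLS12 - DEPRECATED_TLS12)
    ctx.set_ciphers(":".join(OPENSSL_NAME[s] for s in keep))
    return ctx


def deprecated_in_context(ctx: ssl.SSLContext) -> list:
    """List deprecated suites (IANA names) that a context still offers."""
    offered = (_IANA_FROM_OPENSSL.get(c["name"]) for c in ctx.get_ciphers())
    return sorted(s for s in offered if s in DEPRECATED_TLS12)


# Constructed connection-log lines (assumed key=value format).
SAMPLE_LOG = [
    "2024-05-01T10:00:00Z client=esg-01 tls=TLSv1.2 cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "2024-05-01T10:00:05Z client=esg-02 tls=TLSv1.2 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "2024-05-01T10:00:09Z client=ca-proxy tls=TLSv1.3 cipher=TLS_AES_128_GCM_SHA256",
    "2024-05-01T10:00:12Z client=legacy-app tls=TLSv1.2 cipher=TLS_RSA_WITH_AES_128_CBC_SHA",
]
_KV = re.compile(r"(\w+)=(\S+)")


def audit_log(lines) -> list:
    """Return (client, cipher, status) for every connection not on a supported suite."""
    findings = []
    for line in lines:
        fields = dict(_KV.findall(line))
        status = classify(fields.get("cipher", ""))
        if status != "supported":
            findings.append((fields.get("client", "?"), fields["cipher"], status))
    return findings


if __name__ == "__main__":
    for finding in audit_log(SAMPLE_LOG):
        print("%s: %s (%s)" % finding)
    print("deprecated suites still offered:", deprecated_in_context(client_context()))
```

Running `deprecated_in_context` against `ssl.create_default_context()` on the client host shows whether the platform default still offers the two CBC suites; pinning the list as in `client_context()` is the simplest way to be unaffected when they are removed.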
Enterprise Service Gateway Deprecation
Entrust will only support the last four releases of the Enterprise Service Gateway (the current version 5.41 and the three previous releases 5.38, 5.39, and 5.40). Entrust recommends that customers always upgrade their Enterprise Service Gateway to the latest release because each release contains security updates to the Enterprise Service Gateway Operating System.
In-place upgrade of the ESG is only supported for versions 5.33 or later. Versions of ESG older than 5.33 are no longer supported. To upgrade versions of ESGs older than 5.33 to the new version, use the following procedure:
- Download the latest Gateway OVA or Hyper-V file from IDaaS and install on a new VM instance.
- Add a new Gateway instance to the existing Gateway in IDaaS.
- Register the new Gateway instance with IDaaS.
- Disable the old Gateway instance.
- Repeat these steps to replace all the Gateway instances that use older versions of the ESG.
Once the upgrade is complete, the Gateway instances corresponding to the old ESGs can be deleted from IDaaS and the VMs for those ESG instances can also be deleted.
Browser Deprecation
Microsoft no longer supports Internet Explorer 11. Identity as a Service ceased support for Internet Explorer 11 after May 2023.