Release 5.43
New in this release
Compromised Password Detection Enhancements
In a previous release, IDaaS added the ability to block new passwords found in a list of known compromised passwords during password change and reset. In this release, IDaaS has been enhanced to support checking existing passwords when they are used to authenticate. If a compromised password is detected during authentication, an audit event is generated, and the password is flagged as compromised. Options exist to force the user to change their password or to deny them access. IDaaS administrators can query users that have a compromised password. Checking existing passwords during authentication reduces the time newly compromised passwords can be attacked.
New User Verify Action in Administration Portal
A new User Verify action has been added to Users in the User List in the Administration Portal. This action allows a help desk administrator to verify users calling a help desk by challenging them to provide a response to TOKEN PUSH, TOKEN, GRID, or OTP challenges. This feature assists help desk administrators to prevent a common account takeover attack where the attacker tries to get the help desk to give them access to an account.
Push Notification Actionable Notifications
The upcoming 5.25.0 release of the Entrust Identity Mobile Application will support completing push authentication transactions from the notification without needing to open the application.
This release of IDaaS includes the changes to support this feature, including a new Soft Token policy setting to enable the feature. This feature is only available when Soft Tokens are configured to not require a PIN.
When this feature is enabled, end users using an older version of the Entrust Identity Mobile Application will continue to have to open the application to complete the transaction. There is a known issue with older versions of the iOS application where the application will not launch in this situation. To resolve this issue, either have end users upgrade to the new version of the mobile application or disable the actionable notifications feature.
Resource Server Enhancements
In IDaaS, a Resource Server defines how access and refresh tokens are issued by IDaaS for authorization purposes after authenticating to specified OIDC applications. The Resource Server also defines the contents and processing of these tokens.
A new Resource Server tab has been added to OIDC Applications in the Administration Portal. This tab allows administrators to manage the Resource Servers associated with the application in the same place the application is defined.
System for Cross-Domain Identity Management (SCIM) Enhancements
IDaaS supports using SCIM to allow clients to provision groups and users to IDaaS (inbound provisioning) and to provision users from IDaaS to other services (outbound provisioning). The following changes have been made to enhance existing SCIM capabilities provided by IDaaS:
- Improved how the outbound provisioning configuration is tested, for better interoperability with 3rd-party SCIM services.
- Added support for the SCIM endpoints /Schemas and /ResourceTypes for inbound provisioning requests received from clients.
- Improved logging for SCIM outbound provisioning for better traceability and debugging.
- Added additional SCIM attributes to support a wider range of SCIM services.
- Outbound provisioning from IDaaS has been tested with GitHub and AWS.
Login Session Enhancements
When a user logs in to authenticate to the portal, SAML or OIDC applications, a login session is maintained to track when the user authenticated and what authenticators they used. The user will not need to re-authenticate when accessing an application if the following conditions are true:
- The login session has not expired.
- The reauthentication time specified for the application has not been exceeded.
- The application has single sign-on (SSO) enabled.
- The user has previously authenticated with the authenticators required by the application's resource rule.
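The four conditions above, modelled as a single decision function. This is an added example and not IDaaS's implementation: the data classes, field names and sample scenarios are constructed here, and session expiry is modelled as an idle timeout because the governing General Policy settings are named "... Session Idle Timeout".

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class LoginSession:
    authenticated_at: datetime            # when the user last authenticated
    last_activity_at: datetime            # drives the idle timeout (assumed expiry model)
    idle_timeout: timedelta               # 8 h for standard users, 1 h max for admins
    authenticators_used: set = field(default_factory=set)


@dataclass
class Application:
    sso_enabled: bool
    reauthentication_time: timedelta      # "Reauthentication Time (Max Authentication Age)"
    required_authenticators: set          # authenticators demanded by the resource rule


def needs_reauthentication(session: LoginSession, app: Application, now: datetime) -> bool:
    """True if any of the four SSO conditions fails and the user must authenticate again."""
    if now - session.last_activity_at > session.idle_timeout:
        return True                       # 1. login session has expired
    if now - session.authenticated_at > app.reauthentication_time:
        return True                       # 2. application's reauthentication time exceeded
    if not app.sso_enabled:
        return True                       # 3. application does not allow SSO
    if not app.required_authenticators <= session.authenticators_used:
        return True                       # 4. resource rule needs an authenticator not yet used
    return False


def demo_decisions() -> dict:
    """Constructed scenarios, one per condition; returns scenario name -> needs reauth."""
    now = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
    session = LoginSession(
        authenticated_at=now - timedelta(minutes=30),
        last_activity_at=now - timedelta(minutes=5),
        idle_timeout=timedelta(hours=8),
        authenticators_used={"PASSWORD", "OTP"},
    )
    stale = LoginSession(now - timedelta(hours=9), now - timedelta(hours=9),
                         timedelta(hours=8), {"PASSWORD", "OTP"})
    apps = {
        "sso_app": Application(True, timedelta(hours=1), {"PASSWORD"}),
        "strict_age": Application(True, timedelta(minutes=15), {"PASSWORD"}),
        "no_sso": Application(False, timedelta(hours=1), {"PASSWORD"}),
        "needs_push": Application(True, timedelta(hours=1), {"PASSWORD", "TOKEN_PUSH"}),
    }
    out = {name: needs_reauthentication(session, app, now) for name, app in apps.items()}
    out["sso_app_idle_expired"] = needs_reauthentication(stale, apps["sso_app"], now)
    return out


if __name__ == "__main__":
    for name, decision in demo_decisions().items():
        print(f"{name}: reauthenticate={decision}")
```

Note that condition 2 is evaluated against the time of the last authentication, not the last activity: a long-lived session still forces a fresh login for an application with a short reauthentication time, which is the behaviour the relabelled "Max Authentication Age" setting exists to guarantee.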
The following enhancements have been made to login sessions:
- The maximum login session lifetime defined by the General Policy "Standard User Authentication Session Idle Timeout" has been increased from 1 hour to 8 hours. This setting was previously named "Authentication Session Lifetime".
- A separate maximum login session lifetime for Administrators defined by the General Policy "Admin User Authentication Session Idle Timeout" has been added. It allows a customer to define a different login session lifetime for IDaaS administrators. It has a maximum lifetime of 1 hour.
- The maximum age setting for SAML and OIDC applications has been relabeled to "Reauthentication Time (Max Authentication Age)".
Resource Rule Enhancements
The following changes have been made to the Resource Rule UI in the Administration Portal:
- The Cancel and Save buttons for the resource rule have been moved to the top of the page and are always visible.
- The option to revert to the old UI has been removed.
- Leaving the page with unsaved changes requires confirmation.
- The Access and Deny tasks now have descriptions describing their purpose.
- Improvements to connecting nodes by clicking on the connection points.
- When selecting the Add button on a link, multiple access filters are added in parallel instead of sequentially.
- The Date/Time risk context is created with a default value of the next day.
Allow IDaaS Groups to be Assigned to Users Synchronized from a Directory
Previously, users synchronized from a directory could only be assigned to groups synchronized from a directory. Now, users synchronized from a directory can also be assigned to groups defined in IDaaS. This gives IDaaS administrators the flexibility to assign all users to IDaaS groups without needing to change group membership in the directory. In IDaaS, group membership can be used to allow access to applications and to specify the policy that is used for users.
Passkey Developer Documentation
The Passkey Developer Documentation available in the IDaaS Developer Portal has been enhanced.
- A new document describing how to add IDaaS Passkey authentication to web applications has been added.
- The existing document describing how to add IDaaS Passkey authentication to mobile applications has been updated.
Enterprise Service Gateway IdentityGuard Agent Enhancements
The IdentityGuard Agent has been enhanced to support the V12 version of Identity Enterprise Authentication API. This means clients using the latest version of the Identity Enterprise API can now migrate to IDaaS using the IdentityGuard agent.
Fixed or changed in this release
- Operations in the IDaaS Administration Portal may fail due to rate limiting for accounts (including trial accounts) that have small rate limits. The portal will now delay and retry the requests when it is rate limited. (40223)
- Certificate expiry dates for SAML Identity Providers were not formatted consistently. (38095)
- In the Administration Portal, an administrator with only the view group permission should be able to view the details of a group. (38827)
- Resetting a user's AD password from the Administration Portal was audited as an unlock operation. (39769)
- A successful password reset performed from the User Portal did not display a success message. Additionally, error messages are now displayed consistently under the New Password entry field. (38778)
- Improved error message "The mutual challenge size is greater than the number of possible challenge strings" when Entrust Soft Token mutual challenge policy is invalid. (38402)
- Some documentation links in the Administration Portal were referencing the Entrust Soft Token documentation instead of general token documentation that includes Google Authenticator and other tokens. (38856)
- The state attribute configuration for LDAP directories was not being processed correctly resulting in all users being synchronized as ACTIVE. (40072)
- The Magic Link entry in a user's authenticator list shown in the Administration Portal is no longer shown if the user does not have the MAGICLINK view permission. (40283)
- The entry "Entrust Legacy Token" appearing in the policy, token and user profile pages, has been renamed to "Legacy Token". (40119)
- The resource rule page no longer shows the Device Verification risk context for accounts with the Plus bundle, which does not support Device Verification. (40068)
Changes to Identity as a Service (IDaaS) APIs
Authentication API
The following changes have been made to models in the Authentication API:
- The attribute serialNumber has been removed from GridChallenge. The same information is available in the attribute gridInfo.
- The attribute timeoutMillis has been added to FIDOChallenge and FIDORegisterChallenge. This setting specifies the FIDO timeout in milliseconds. It replaces the attribute timeout, which has been deprecated.
- The attribute userIdStored in FIDORegisterResponse has been deprecated.
- The attribute rpId has been added to UserChallengeParameters. This setting specifies the Relying Party ID of FIDO tokens that should be considered when requesting a FIDO challenge. It replaces the attribute origin, which has been deprecated.
Administration API
The following changes have been made to models in the Administration API:
- The attribute allowActionableNotifications has been added to EntrustSTAuthenticatorSettings. This setting indicates whether the new push authentication actionable notifications feature is enabled.
- The attribute timeoutMillis has been added to FIDORegisterChallenge. This setting specifies the FIDO registration timeout in milliseconds. It replaces the attribute timeout, which has been deprecated.
- The attribute userIdStored in FIDORegisterResponse has been deprecated.
- The attribute adminUserAuthenticationSessionLifetime has been added to GeneralSettings. This setting specifies the login session lifetime when an IDaaS administrator authenticates.
- The attribute compromised has been added to UserPassword. This setting indicates whether the user's password has been detected as compromised.
- The attribute lastCompromisedCheckTime has been added to UserPassword. This setting indicates the last time the user's password was checked against a list of known compromised passwords.
Supported TLS Ciphers
IDaaS supports the following TLS Ciphers:
TLSv1.3:
- TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519)
- TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519)
- TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519)
TLSv1.2:
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519)
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519)
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519)
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519)
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519)
Clients should stop using the following TLS Ciphers. Support for them will be removed in a future release.
TLSv1.2:
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519)
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519)
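An added example, not from the release notes or Entrust, of how a Python client can verify that it no longer offers the two CBC suites slated for removal while still offering the supported AEAD suites. The mapping from the IANA-style names above to OpenSSL names is an assumption made here (the TLS 1.3 suites are always enabled in OpenSSL and are not governed by `set_ciphers()`).

```python
import ssl

# Assumed mapping from the names in the release notes to the OpenSSL names that
# Python's ssl module reports. Only the TLS 1.2 suites are affected by set_ciphers().
SUPPORTED_TLS12 = {
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": "ECDHE-RSA-AES128-GCM-SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": "ECDHE-RSA-AES256-GCM-SHA384",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256": "ECDHE-RSA-CHACHA20-POLY1305",
}
# Still accepted today but scheduled for removal: the CBC suites.
DEPRECATED_TLS12 = {
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256": "ECDHE-RSA-AES128-SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384": "ECDHE-RSA-AES256-SHA384",
}


def build_client_context() -> ssl.SSLContext:
    """Client context that offers only the supported AEAD suites for TLS 1.2 and up."""
    ctx = ssl.create_default_context()          # keeps CA verification and hostname checks
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Restrict the TLS 1.2 offer to the supported suites; the CBC suites drop out.
    ctx.set_ciphers(":".join(SUPPORTED_TLS12.values()))
    return ctx


def enabled_cipher_names(ctx: ssl.SSLContext) -> list:
    """Every suite this context would offer in its ClientHello, by OpenSSL name."""
    return [c["name"] for c in ctx.get_ciphers()]


def deprecated_ciphers_enabled(names: list) -> list:
    """Subset of the given suite names that IDaaS has marked for removal."""
    return sorted(set(names) & set(DEPRECATED_TLS12.values()))


if __name__ == "__main__":
    # Compare a library-default context with the hardened one.
    default_names = enabled_cipher_names(ssl.create_default_context())
    print("default context still offers:", deprecated_ciphers_enabled(default_names))
    hardened = enabled_cipher_names(build_client_context())
    print("hardened context offers:", deprecated_ciphers_enabled(hardened) or "none of the deprecated suites")
```

Run the module against your own client's context construction rather than the library default: whatever list `enabled_cipher_names()` returns is what the peer sees, so an empty result from `deprecated_ciphers_enabled()` is the check to keep in a unit test ahead of the removal.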
Enterprise Service Gateway Deprecation
Entrust will only support the last four releases of the Enterprise Service Gateway (the current version 5.43 and the three previous releases 5.40, 5.41, and 5.42). Entrust recommends that customers always upgrade their Enterprise Service Gateway to the latest release because each release contains security updates to the Enterprise Service Gateway Operating System.
NOTE: In an upcoming release, changes are planned that will break versions of ESG older than 5.33.
In-place upgrade of the ESG is only supported for versions 5.33 or later. Versions of ESG older than 5.33 are no longer supported. To upgrade versions of ESGs older than 5.33 to the new version, use the following procedure:
- Download the latest Gateway OVA or Hyper-V file from IDaaS and install on a new VM instance.
- Add a new Gateway instance to the existing Gateway in IDaaS.
- Register the new Gateway instance with IDaaS.
- Disable the old Gateway instance.
- Repeat these steps to replace all the Gateway instances that use older versions of the ESG.
Once the upgrade is complete, the Gateway instances corresponding to the old ESGs can be deleted from IDaaS and the VMs for those ESG instances can also be deleted.
Entrust Identity and Entrust Windows Desktop Soft Token Deprecation
In the IDaaS 5.43 release, changes have been made that break the following operations:
- Password reset in versions of Entrust Identity prior to 25.1.1. Customers using the SDKs are not impacted.
- Soft Token online activation in versions of Entrust Windows Desktop Soft Token prior to 3.1.
Browser Deprecation
Microsoft no longer supports Internet Explorer 11. Identity as a Service ceased support for Internet Explorer 11 after May 2023.