Release 5.44
New in this release
IDaaS Authentication JavaScript SDK
A new authentication JavaScript SDK has been released to simplify integrating IDaaS authentication into web applications. It wraps the hosted OIDC flows, risk-based authentication (RBA) challenges, and "convenience" methods (password, OTP, passkey, soft token, etc.) in a single client library.
The SDK can be found at https://github.com/EntrustCorporation/idaas-auth-js.
SMS OTP Message Format
IDaaS now includes a new OTP policy setting OTP SMS Format. Administrators can select between two formats for SMS OTP messages:
- Ends with OTP (existing format): the OTP appears at the end of the message (for example, "Your Entrust Identity as a Service OTP is 01234567").
- Starts with OTP (new format): the OTP appears at the start of the message (for example, "01234567 is your OTP for Entrust Identity as a Service").
Users may find having the OTP at the beginning of the message easier to retrieve.
Dashboard Enhancements
The Dashboard in the IDaaS Administration Portal has been enhanced. Counts in the Authenticators and Authentication statistics panels are now interactive and allow the administrator to navigate to additional information:
- Authenticators: clicking an entry opens the Members > Users list filtered to users who have that authenticator.
- Authentications per Application: clicking an application opens the Audit Logs filtered to authentication events for that application.
- Authentications per Authenticator: clicking an authenticator opens the Audit Logs filtered to authentication events performed with that authenticator.
A new Authenticator filter has also been added to the Audit Logs list, enabling administrators to view only authentication events for a specific authenticator.
Face Biometric Enhancements
The following improvements have been made to the IDaaS Face Biometric authenticator:
- The Onfido applicant created during registration is no longer required for authentication. Permanent Onfido profile data is therefore no longer retained.
- Biometric data collected during registration can now optionally be stored in IDaaS instead of only in the Entrust Identity mobile application. This enables use cases such as account recovery when a user has a new device.
- A new Face Biometric authenticator (including associated biometric data) can be provisioned through the Administration API. This allows results from an external Onfido verification workflow to be used directly to create an IDaaS Face Biometric authenticator.
Directory Synchronization Enhancements
A new option has been added to directory sync configuration allowing a synchronized group to be converted to an "unsynchronized" (local) group instead of being removed from IDaaS. Removing a group also deletes associated policy and resource rules. Converting the group instead preserves those configurations.
When a directory user becomes a local user, all directory groups will be disassociated from the user.
Previously, when a user's ID was changed in the directory, the old IDaaS user ID was stored as an alias of the user. The old user ID is no longer stored as an alias. The following behavior is unchanged: if the new user ID was already defined as an alias, it is removed as an alias.
Identity Provider Enhancements
The following improvements have been made to SAML and OIDC identity providers:
- SAML IDPs now support metadata import and export, simplifying configuration with third-party systems.
- A new system authentication flow "Domain-based IDP or User Login" has been added.
- When configuring IDP authentication in authentication flows, a default IDP can be specified. A single IDP can be defined as the default IDP.
- IDPs now allow external group names/IDs returned from the IDP to be mapped to IDaaS group names. Previously, values returned from the IDP had to exactly match IDaaS group names. This was an issue for Microsoft Entra ID SAML where only the group object ID was returned to IDaaS.
Fixed or changed in this release
- Resource rule Save button is enabled when group filter validation fails. (40485)
- Admin Guide compromised password detection/response missing from documentation. (40482)
- Admin Guide end user timeout should be max 8 hours rather than 6 as documented. (40481)
- Admin Guide verify user option - Grid Card and Token Authentication should allow selecting multiple options. (40472)
- IP list should not allow duplicate IP addresses. (40121)
- Compromised status filter is missing for the User and the Admin portal authenticators page. (40332)
- Default for authentication provisioning settings has been changed so that by default a password and soft token are not created for a new user. (40427)
- Duplicate audits for verify user using Email OTP. Audits created in both Authentication and Management categories. (40720)
- Improved audit message for OIDC error. Replaced message that included JsonSyntaxException. (40552)
- Face Biometric expiry date update audit missing seconds in timestamp format. (37755)
- Field validation error for Entrust Soft Token Settings 'Activation Lifetime' has no upper limit. (25884)
- Remove the application customization tab for OIDC server application types. (40696)
- Helpdesk role should have magic link content view permission. (40091)
- MagicLink authenticator does not set ACR or AMR values. (40398)
- OIDC re-authentication triggers a loop if user becomes disabled. (40329)
- Pass-through authenticator should be present as an option for user login second-factor but not IDP second-factor. (40459)
- Push notification not delivered to iOS devices when Production Mode is enabled in IDaaS Soft Token SDK Credentials. (40403)
- Resource rule risk condition date/time update makes the value and label overlap. (40537)
- Remove all access restrictions on Syria. (40726)
- SCIM Server Endpoint field should be editable on the Configuration page. (40504)
- Communication with a SCIM server now has a timeout of 10 seconds. Previously the timeout was 30 seconds. (40792)
- SCIM provisioning failed for SCIM servers that returned externalId values larger than a 32 character UUID. (40723)
- Verify user missing authenticator dialog. (40531)
- Spelling errors in IDaaS. "On-premise" should be "On-premises", "Dekstop" should be "Desktop", "Strengh" should be "Strength". (40608)
- Update SAML application audit should not show encryptionCertificate attribute if it did not change. (36694)
- User Guide Magic link authentication step missing update for confirmation requirement. (40019)
- Improved error message if Entrust Soft Token activation fails because the user requires a mobile Face Biometric. (40228, 40229)
- Improved text for Verify user audit message. (40521)
- Copy button next to Application ID not properly labeled for screen readers in Edit Administration API screen. (39734)
- Improved descriptions for IDaaS ISAPI, AD FS, and Desktop applications. (40766)
- Verify user using OTP voice audit message incorrectly says SMS. (40569)
- User verify result should be "successfully verified" instead of "successfully authenticated". (40492)
- Several issues with importing SAML metadata have been fixed. (40624)
- Documentation describing how to configure IDaaS SCIM Provisioning for GitHub has been added. (40486)
Changes to Identity as a Service (IDaaS) APIs
Authentication API
The following changes have been made to models in the Authentication API:
- The attribute rpId has been added to UserAuthenticateParameters and UserAuthenticateQueryParameters. This attribute specifies the Relying Party ID of the Passkey/FIDO2 tokens to be considered for authentication. If no value is provided, Passkey/FIDO2 tokens whose Relying Party ID is the IDaaS account hostname are considered. This attribute replaces the existing attribute origin, which has been marked as deprecated. A similar change was made to the model UserChallengeParameters in a previous release.
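The rpId value a caller passes is only useful if it matches the Relying Party ID the passkeys were registered under, and an authenticator will refuse an rpId that is not the page origin's effective domain or a registrable-domain suffix of it. The following added example (not code from the release notes, the idaas-auth-js SDK, or any Entrust product) shows how a client can pick the value: default to the account hostname, as the notes describe, and otherwise validate a supplied rpId against the origin before sending it. The public-suffix set and the example.com hostnames are constructed assumptions; a real check must use the full Public Suffix List.

```python
# Added example: not code from the IDaaS release notes, the idaas-auth-js SDK
# or any Entrust product.  Picks the rpId to send with an authenticate call:
# default to the account hostname, otherwise accept only an rpId that WebAuthn
# allows for the origin (its effective domain or a registrable-domain suffix).
from typing import Optional
from urllib.parse import urlsplit

# Constructed stub of the Public Suffix List, for illustration only; a real
# deployment must consult the full list (publicsuffix.org).
PUBLIC_SUFFIXES = {"com", "net", "org", "io", "co.uk", "github.io"}


def effective_domain(origin: str) -> str:
    """Return the lower-cased host of an https origin (port and path ignored)."""
    parts = urlsplit(origin)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"origin must be an https URL with a host: {origin!r}")
    return parts.hostname.lower().rstrip(".")


def is_public_suffix(domain: str) -> bool:
    return domain in PUBLIC_SUFFIXES


def rp_id_allowed(origin: str, rp_id: str) -> bool:
    """True if rp_id may serve as the WebAuthn Relying Party ID for origin.

    Valid: the origin's effective domain itself, or a parent domain on a label
    boundary that is not a public suffix.  Sibling hosts, partial labels and
    bare public suffixes are rejected; an authenticator would refuse them too.
    """
    host = effective_domain(origin)
    rp_id = rp_id.lower().rstrip(".")
    if not rp_id:
        return False
    if rp_id == host:
        return True
    if not host.endswith("." + rp_id):
        return False          # sibling host, or suffix not on a label boundary
    return not is_public_suffix(rp_id)


def select_rp_id(origin: str, requested: Optional[str] = None) -> str:
    """Pick the rpId for an authenticate call.

    Mirrors the documented default: when nothing is supplied, the account
    hostname (taken here from the origin) is used.  A supplied value is
    validated first so a misconfigured rpId fails loudly instead of silently
    matching none of the user's passkeys.
    """
    rp_id = requested or effective_domain(origin)
    if not rp_id_allowed(origin, rp_id):
        raise ValueError(f"rpId {rp_id!r} is not valid for origin {origin!r}")
    return rp_id


if __name__ == "__main__":
    # Assumed deployment: IDaaS account at auth.example.com, passkeys
    # registered under the parent domain example.com.
    print(select_rp_id("https://auth.example.com"))
    print(select_rp_id("https://auth.example.com", "example.com"))
```

The rejection cases are the ones that matter in practice: "other.example.com" (a sibling host), "ample.com" (a suffix that does not fall on a label boundary) and "com" or "github.io" (public suffixes) are all refused, so a wrong rpId surfaces as a configuration error rather than as an unexplained "no passkeys found" at login.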
Administration API
The following methods have been added to the Administration API:
- POST /api/web/v1/identityproviders/saml/configuration (fetchSamlConfigurationUsingPOST). Fetches configuration from a third-party SAML identity provider so that it can be imported into IDaaS.
- GET /api/web/v1/identityproviders/saml/{id}/configuration (getSamlConfigurationUsingGET). Gets the SAML configuration from IDaaS that can be exported to a third-party SAML identity provider.
The following changes have been made to existing methods in the Administration API:
- POST /api/web/v2/reports/auditeventspaged (auditEventPageUsingPOST): a new search attribute authenticator is supported in the searchByAttributes parameter. This search attribute filters authentication audits by authenticator type (for example, PASSWORD, OTP, TOKEN, FIDO, SMARTCREDENTIALPUSH, TOKENPUSH, IDP, PASSKEY). The only allowed operator is EQUALS.
The following models have been added to the Administration API:
- FaceEncryptedToken: represents an encrypted biometric token that can be specified when creating a Face Biometric authenticator.
- IdentityProviderExternalGroupMapping: represents a mapping between an external group name/ID returned from the IDP and an IDaaS group name. This model can be provided as input when creating or modifying an OIDC or SAML identity provider and is returned when fetching identity provider details.
- SamlConfigurationParms: the parameters passed to fetchSamlConfigurationUsingPOST, specifying the metadata URL of the third-party IDP from which to fetch configuration.
- SamlConfigurationResponse: the response returned from fetchSamlConfigurationUsingPOST, containing the SAML configuration details.
- SamlInfoClaim: represents a SAML claim included in SamlConfigurationResponse.
The following changes have been made to existing models in the Administration API:
- The attribute otpSMSFormat has been added to OTPAuthenticatorSettings. This setting specifies the format used for OTP SMS messages.
- The attribute idpDefault has been added to AuthenticationFlow and AuthenticationFlowParms. This attribute indicates whether the Authentication Flow uses the default IDP for IDP authentication.
- The attribute defaultProvider has been added to IdentityProvider, OidcIdentityProvider, OidcIdentityProviderParms, SamlIdentityProvider and SamlIdentityProviderParms. This attribute indicates whether the Identity Provider is the default provider for IDP authentication.
- The attribute externalGroupMappings has been added to OidcIdentityProvider, OidcIdentityProviderParms, SamlIdentityProvider and SamlIdentityProviderParms. This attribute contains the mappings between external group names/IDs returned from the IDP and IDaaS group names.
- The attribute groupDesyncPolicy has been added to DirectorySync. This setting indicates whether groups are removed or converted to local groups when desynchronized.
- The attribute directoryDesynced has been added to Group. This attribute indicates whether the group was converted from a synchronized group to a local group.
- The attribute encryptedBiometricToken has been added to FaceCreateParms. This attribute allows an encrypted biometric token created externally to be associated with a Face Biometric authenticator.
- The default value for the setting authenticatorActivationType in GeneralSettings has been changed from ENTRUST_SOFT_TOKEN to NONE. This means that, by default, tokens are not created for new users.
- The default value for the setting defaultPassword in GeneralSettings has been changed from true to false. This means that, by default, a password is not created for new users.
- The deprecated attribute registrationPeriod has been removed from GeneralSettings.
Supported TLS Ciphers
IDaaS supports the following TLS Ciphers:
TLSv1.3:
- TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519)
- TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519)
- TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519)
TLSv1.2:
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519)
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519)
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519)
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519)
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519)
The following TLS ciphers (the two CBC-mode suites in the list above) are deprecated. They are still accepted in this release, but clients should stop using them because support will be removed in a future release.
TLSv1.2:
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519)
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519)
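Every suite that remains after the deprecation is an AEAD suite (AES-GCM or ChaCha20-Poly1305 under ECDHE), so the simplest way for a client to be ready is to refuse to negotiate anything else. The following added example (not code from the release notes or any Entrust product) builds such a client context with Python's ssl module, lists any non-AEAD suite a context could still negotiate, and, for a live check, reports the suite actually negotiated with a server. It uses OpenSSL cipher-string syntax, because that is what the ssl module accepts, rather than the IANA names listed above; the mapping assumed is that TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 corresponds to OpenSSL's ECDHE-RSA-AES256-SHA384, and so on.

```python
# Added example: not code from the IDaaS release notes or any Entrust product.
# Builds an outbound TLS client context that can negotiate only ECDHE suites
# with AES-GCM or ChaCha20-Poly1305 (all AEAD), so the CBC suites being
# deprecated can never be selected, and a check that lists any non-AEAD suite
# a context could still negotiate.  OpenSSL cipher-string syntax is used
# because that is what Python's ssl module accepts.
import socket
import ssl

# OpenSSL selector for the TLS 1.2 suites that remain supported: ECDHE key
# exchange with AES-GCM or ChaCha20.  TLS 1.3 suites are configured separately
# by OpenSSL and are all AEAD, so they stay available.
AEAD_ONLY = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL"

# Broader selector that also admits the CBC/HMAC suites, for comparison.
WITH_CBC = "ECDHE+AESGCM:ECDHE+CHACHA20:ECDHE+AES"


def client_context(cipher_string: str = AEAD_ONLY) -> ssl.SSLContext:
    """Client context with certificate and hostname verification on,
    TLS 1.2 or later, and only the suites selected by cipher_string."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(cipher_string)
    return ctx


def non_aead_suites(ctx: ssl.SSLContext) -> list:
    """Names of suites the context could negotiate that are not AEAD, i.e. the
    CBC-mode suites (for example ECDHE-RSA-AES256-SHA384, OpenSSL's name for
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384).  Empty means the context is clean."""
    return sorted(c["name"] for c in ctx.get_ciphers() if not c["aead"])


def negotiated_cipher(host: str, port: int = 443, ctx: ssl.SSLContext = None):
    """Handshake with a server (network required) and return the
    (suite name, protocol version) actually negotiated.  With the AEAD-only
    context this is always a GCM or CHACHA20 suite; a handshake failure means
    the server offers nothing the hardened client accepts."""
    ctx = ctx or client_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            name, version, _bits = tls.cipher()
            return name, version


if __name__ == "__main__":
    print("non-AEAD suites, hardened  :", non_aead_suites(client_context()))
    print("non-AEAD suites, permissive:", non_aead_suites(client_context(WITH_CBC)))
```

Run the script as-is to see the difference between the two selectors; call negotiated_cipher("your-account-hostname") from a host with network access to confirm that the suite IDaaS picks for the hardened context is one of the GCM or CHACHA20 suites listed above. Auditing the context with non_aead_suites is the useful part for a fleet: it catches a library or distribution default that quietly still admits the CBC suites, before the server side stops accepting them.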
Enterprise Service Gateway Deprecation
Entrust will only support the last four releases of the Enterprise Service Gateway (the current version 5.44 and the three previous releases 5.41, 5.42, and 5.43). Entrust recommends that customers always upgrade their Enterprise Service Gateway to the latest release because each release contains security updates to the Enterprise Service Gateway Operating System.
NOTE: In an upcoming release, changes are planned that will break versions of ESG older than 5.33.
In-place upgrade of the ESG is supported only for versions 5.33 or later; versions of the ESG older than 5.33 are no longer supported. To move ESG instances older than 5.33 to the new version, replace them using the following procedure:
- Download the latest Gateway OVA or Hyper-V file from IDaaS and install on a new VM instance.
- Add a new Gateway instance to the existing Gateway in IDaaS.
- Register the new Gateway instance with IDaaS.
- Disable the old Gateway instance.
- Repeat these steps to replace all the Gateway instances that use older versions of the ESG.
Once the upgrade is complete, the Gateway instances corresponding to the old ESGs can be deleted from IDaaS and the VMs for those ESG instances can also be deleted.
Browser Deprecation
Microsoft no longer supports the Internet Explorer 11 and Microsoft Edge Legacy browsers. Identity as a Service no longer supports these browsers.
Feature Deprecation
ActiveSync Device Management
IDaaS provided a feature that allowed users to perform secure multi-factor authentication for, and manage, their Microsoft Office 365 ActiveSync devices. The Office 365 capabilities on which this feature relied are no longer supported by Microsoft. The feature will be removed from IDaaS in the 5.45 release.