Release 5.8
SAML Relay State Support
IntelliTrust now supports the ability to configure a list of relay state values for SAML applications. The configured relay states will appear on a user's My Profile page.
Smart Credential Self-Registration
The registration settings now include support for allowing users to self-register a Smart Credential.
Dashboard System Alerts
The dashboard now displays an alert if IntelliTrust is unable to deliver an email using your custom mail server after five attempts.
Directory Attribute Mappings
In previous versions of IntelliTrust, when configuring the directory attribute mappings you had to provide a mapping for all IntelliTrust System attributes regardless of whether they were mandatory attributes. Custom attributes could be optionally mapped regardless of whether the Custom attribute was mandatory.
This has been changed so that you only need to provide directory attribute mappings for attributes (system or custom) that are mandatory. If an attribute is not mandatory, you do not need to provide a directory attribute mapping for it.
As in previous releases, any users in Active Directory that are missing mandatory attributes will not be synced to IntelliTrust.
Advanced Gateway Agent Settings
It is now possible to control some of the advanced settings of your Gateway Instances. This includes:
- Password Agent Worker Threads: Set the number of worker threads the Password Agent uses to handle Active Directory password requests.
- RADIUS Agent Worker Threads: Set the number of worker threads the RADIUS agent uses to handle RADIUS authentication requests. Note: In order to change this setting the Enterprise Service Gateway (ESG) must be at least version 5.8.
- RADIUS Agent Message Queue Max Time: Set the maximum amount of time a RADIUS message is in the queue waiting to be processed by the RADIUS Agent.
Preview - Azure AD Cloud Sync
You can now sync users directly from Azure Active Directory without the Enterprise Service Gateway.
IntelliTrust will sync users directly from Azure into your IntelliTrust account. Users synced from Azure can also change and reset their Azure AD password through the IntelliTrust portal.
Note: This feature is being released as a preview. See the Known Issues and Limitations page for more details.
RADIUS EAP Improvements
IntelliTrust now supports password for first-factor authentication to EAP-enabled applications. When password is configured, the user is prompted for their IntelliTrust or Active Directory password. Note: EAP password authentication requires Enterprise Service Gateway version 5.8 or later. With earlier versions of the Gateway, RADIUS authentication will fail if PASSWORD is configured as the first-factor.
This release also introduces support to allow users to select the second-factor authenticator they want to use to authenticate to an EAP-enabled application. When enabled, the VPN client prompts the user for the second-factor authenticator from the user's list of available authenticators.
RADIUS Agent Password Authentication Affinity
This release includes the ability to enable Password Agent affinity for RADIUS applications.
If enabled, Active Directory password authentication and change requests that are initiated as part of RADIUS authentication will be handled by the Gateway instance that initiated the request.
If disabled, the request will be handled by any Gateway instance in the gateway.
Allow Lowering of Entitlements
Service Providers can now lower the entitlement quantity of a tenant to a value lower than the current number of users in that tenant.
Service Provider Contract Mode
This release includes a new Contract Mode feature that allows the creation of Production and Trial tenant accounts. Trial accounts include predefined entitlements that cannot be changed. Trial accounts that are not converted to Production accounts within 30 days are permanently suspended.
Existing accounts are categorized as Unknown. Service Providers should review their accounts and categorize them accordingly as Production or Trial accounts.
Service Provider Usage Reports
This release includes a Usage Report feature. Usage Reports can be scheduled and downloaded in a CSV file.
API Deprecations
The following API endpoints are deprecated and will be removed in IntelliTrust 5.10:
Name | Operation | Replacement |
---|---|---|
List Unassigned Grids | listUnassignedGridsUsingGET | unassignedGridsPageUsingPOST |
List Assigned Grids | listAssignedGridsUsingGET | assignedGridsPageUsingPOST |
List Audit Events | auditEventReportUsingPOST | auditEventPageUsingPOST |
List all users | usersUsingGET | usersPagedUsingPOST |
List Tenants | getTenantsUsingGET | getTenantsPageUsingPOST |
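
To find code that still uses the deprecated operations before they are removed in 5.10, the following added example (not part of the IntelliTrust documentation or product) scans source text for the operation names in the table and reports each replacement. It assumes client code refers to operations by these names; the sample input and its object names are constructed.

```python
import re

# Deprecated operation -> replacement, copied from the table above.
DEPRECATED = {
    "listUnassignedGridsUsingGET": "unassignedGridsPageUsingPOST",
    "listAssignedGridsUsingGET": "assignedGridsPageUsingPOST",
    "auditEventReportUsingPOST": "auditEventPageUsingPOST",
    "usersUsingGET": "usersPagedUsingPOST",
    "getTenantsUsingGET": "getTenantsPageUsingPOST",
}

# Whole-identifier match so e.g. "myusersUsingGET" is not reported.
_PATTERN = re.compile(r"\b(" + "|".join(map(re.escape, DEPRECATED)) + r")\b")


def find_deprecated_calls(source):
    """Return (line_no, operation, replacement) for each deprecated use."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for match in _PATTERN.finditer(line):
            op = match.group(1)
            findings.append((line_no, op, DEPRECATED[op]))
    return findings


# Constructed sample client code (hypothetical variable and object names).
SAMPLE = """\
users = admin_api.usersUsingGET()
page = admin_api.usersPagedUsingPOST(params)
events = admin_api.auditEventReportUsingPOST(query)
tenants = sp_api.getTenantsUsingGET(); grids = admin_api.listAssignedGridsUsingGET()
legacy = helper.myusersUsingGET()
"""

if __name__ == "__main__":
    for line_no, op, new in find_deprecated_calls(SAMPLE):
        print(f"line {line_no}: {op} is deprecated, use {new}")
```
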
Changes to IntelliTrust APIs
The following have been added to the Administration APIs:
- A new endpoint /v1/directorycommons has been added that returns a list of on-premise and Azure AD directories.
- The following changes to tenant-related methods have been made in this release:
  - a new version of the create tenant method “POST /api/web/v2/tenants” has been added.
    - the entitlement argument of this API is now required for both Authentication and Issuance accounts. Previously it was not required for Issuance accounts.
    - the entitlement argument must specify a contractMode value of either PRODUCTION or TRIAL
    - if the v1 version of this API is called, the new tenant is created with a contractMode of UNKNOWN
  - a new method that lists a page of tenants “POST /api/web/v1/tenantspaged” has been added. It replaces the existing list tenants method that returned all tenants, which has been deprecated and will be removed in a future release.
  - a new method that lists usage information for the tenant and its child tenants “POST /api/web/v1/tenants/entitlements/usage” has been added.
  - all service provider controllers that return a tenant (including create, get and list) include the new contractMode value. For existing tenants that don’t have this value set, the contractMode will have the value UNKNOWN.