Release 5.9

July 2020

SAML Metadata Import

IntelliTrust now supports importing SAML metadata files when configuring SAML applications. Some SAML Service Providers provide metadata XML files that contain the details on how to configure the application. Supported fields include:

• Assertion Consumer Service URL
• Service Provider Entity ID (Issuer)
• Single Logout Service URL
• SAML Signing Certificate
• SAML NameID Encoding Format

User Last Authentication Time

An administrator now has the ability to see the last authentication time of a user. When an administrator lists users in the admin portal, the last authentication time displays in a column in the Users list.

Push Authentication Support for RADIUS EAP Applications

IntelliTrust now supports push authentication for EAP-enabled RADIUS applications. This can be used with the Entrust Soft Token and Mobile Smart Credential authenticators.

Preview - IntelliTrust AD Connector

You can now incrementally sync users from an on-premises Active Directory using the lightweight AD Connector native Windows application.

AD Connector will detect any changes for users and groups inside your Active Directory and send only the required updates to your IntelliTrust tenant.

Note: This feature is being released as a preview. See the Known Issues and Limitations page for more details.

Smart Credential Revocation Enhancement

When a smart credential (or the user who owns the smart credential) is deleted or disabled, the associated certificates are revoked in the CA.
If the CA is not available, the smart credential cannot be deleted or disabled in IntelliTrust. A new setting "Skip Revocation" has been added to the CA configuration. When selected, if revocation fails, IntelliTrust continues to delete or disable the smart credential. If not selected, the delete or disable operation fails. If IntelliTrust does not revoke the certificates, administrators should revoke the certificates directly in the CA.

New Apache Authentication Integration

A new integration has been added that allows you to configure your Apache HTTP server to use IntelliTrust for multi-factor authentication.

See the Apache Filter technical integration guide for details on how to configure your Apache server.

Issuance Accounts

The following capabilities have been added to Issuance accounts:

• Support for defining credential designs
• Enrolling applicants for credentials including support for bulk enrollment and enrollment from mobile devices
• Printing credentials
• Issuing mobile flashpass credentials to Apple iOS and Google Android devices
• Improvements for printer management including enhanced printer onboarding and print queue support
• Support for Sigma and DTC printers

Miscellaneous Improvements

• When authenticating, clicking on the "Resend OTP" button will now display a visual confirmation that a new OTP was sent. In addition, the "Resend OTP" button will be disabled for 5 seconds in order to prevent multiple OTPs from being delivered in a short period of time.
• The Password Settings have been updated to use more inclusive language. "Password Blacklist" has been renamed to the "Password Blocklist".
• The Scheduled Reports page now includes an option to enable and disable reports.
• It is now possible to schedule a usage report using the filters applied on the Tenants list page.

Changes to IntelliTrust APIs

The following have been added to the Administration APIs:

• The following changes to roles and permissions have been made in this release:
  • a new Directory Password permission has been added, which gives a right to read AD Connector directory password.
  • new permissions Credential Designs, Enrollments and Bulk Enrollments have been added. These permissions apply to Issuance accounts and controll access to the corresponding capabilities.
  • a new default role AD Connector has been added with the minimum required permissions for the AD Connector application to function.
  • new default roles Issuance Designer and Issuance Supervisor have been added to Issuance accounts.
• A new user attribute lastAuthTime has been added - which gives a right to display users last authentication time on the Users List page.
• New SearchByAttribute operators EXISTS and NOT_EXISTS have been added, NOT_EXISTS is mapped to Never for user's last authentication time.

The following changes have been made to the Issuance APIs:

• new methods to access and manage Print Queues have been added
• the following APIs have had non-backwards compatible changes:
  • the controller getPrintStatus no longer takes the printer Id as an argument. It is now GET /api/web/v1/printers/print/{printStatusId}
  • the controller updatePrint no longer takes the printer Id as an argument. It is now PATCH /api/web/v1/printers/print/{printStatusId}
• new options tactileFront and tactileBack have been added to PrinterPreferences related to tactile impression support. These preferences can be set for a printer or specified when submitting a print job.