November 2025 - Cloud Access Service

Critical Notices

The following urgent notices relate to mandatory upgrades and important changes within the RSA environment. Immediate action is required to prevent potential service disruptions.

Use of Company-Specific URLs Required

As a follow-up to the November 2024 Release Announcement, non-company-specific URLs will soon be removed. Update the affected service URLs immediately. For more information, see the Company-Specific Administrative URLs Update Instructions. Administrators must use their designated company-specific URLs for all access, including API interactions, Authentication Manager (AM) configurations, SCIM configurations, or redirected URLs from identity providers (IdPs). Access through non-company specific URLs is not yet blocked, however, when it is blocked, it can potentially result in loss of functionality (for example, https://access.securid.com or https://na2.access.securid.com ). To ensure uninterrupted access, administrators should promptly verify that all connectivity is routed through the appropriate company-specific URLs and update their configurations as needed. If your Identity Router (IDR) software version is earlier than 12.22.0.0.32, you must upgrade your IDR to 12.22.0.0.32 or later to avoid any disruptions when non-company-specific URLs are deprecated.  

Starting with the June release, a banner warning appears for 24 hours whenever a non-company-specific URL is used for the following:

• Logging in to the Cloud Administration Console via password or third-party IdP.
• Accessing the Cloud Administration REST APIs.

In addition, an audit event is logged once per day whenever a non-company-specific URL is used for third-party IdP login and Cloud Administration REST API. You can view this event from the Cloud Administration Console in Platform > Admin Event Viewer.

Identity Router (IDR) 12.23.0.0.11 Now Available

The IDR 12.23.0.0.11 release is now available. We recommend that all customers upgrade to this version.

This release includes the following updates:

• Fixed an issue affecting the IDR SSH login feature, which is used by RSA Support for troubleshooting purposes.

Note: This issue did not impact the core functionality of the IDR.

• Fixed multiple security vulnerabilities.

Customers can wait for the scheduled upgrade or choose to upgrade at their own discretion.

Identity Router Update Schedule

Identity routers will be updated according to the following schedule. Downloading the new identity router image when you deploy new identity routers ensures that you benefit from the latest security improvements.

Coming Soon - Deprecation of TCP Connection Between Cloud Access Service (CAS) and AM

RSA announces the upcoming deprecation of the TCP Agent connection between CAS and AM. If your environment is configured to connect to AM through Cloud Administration Console > Platform > Authentication Manager > Connection to Authentication Manager, an update will be required after the upcoming IDR release. This integration will transition to the Authentication Manager REST Agent, replacing the existing TCP Agent connection. At this time, no immediate action is required. Detailed instructions and timelines will be shared prior to the deprecation to guide you through the transition and ensure uninterrupted connectivity between CAS and AM.

Cloud Access Service Updates

My Page UI Now Supports Arabic RTL

The My Page user interface has been enhanced to improve usability and accessibility for Arabic-speaking users. Arabic content now displays from right to left (RTL), ensuring a more natural and intuitive reading experience. This enhancement provides a localized interface aligned with Arabic language standards, resulting in a smoother and more consistent user experience.

Export Admin Users Report via Cloud Administration Console or API

You can now export a comprehensive report of all administrative users directly from the Cloud Administration Console or retrieve it programmatically through the REST API. This report includes Admin Names, Admin Emails, Role, Status, Created At, Updated At, and last Login Time. This enhancement enables organizations to prove access, validate least privilege, and maintain continuous compliance evidence without relying on screenshots or manual exports.
To download the CSV report, go to Cloud Administration Console > My Account > Administrators > Admin Users Reports. You can also download this report through Cloud Administration Console > Users > Reports > Admin Users. 

Enhanced All Users Report

The All Users report is now enhanced to include the exact Last Successful Authentication Date and the Last Successful Authentication Method for every user. This update provides greater accuracy and visibility into user activity, helping you identify dormant accounts and maintain audit-ready reporting. To download the CSV report, go to Cloud Administration Console > Users > Reports > All Users. 

Enhanced Visibility with New RADIUS Clients Report

The RADIUS Clients report is introduced in the Cloud Access Service to provide deeper visibility into RADIUS client configurations and authentication activity. This report enables you to audit, optimize, and troubleshoot RADIUS integrations by consolidating detailed client information, including IP Address, Type, Authentication Configuration, Last Modified Date, and additional data fields. This enhancement improves operational efficiency, strengthens compliance reporting, and simplifies authentication management across environments. To download the CSV report, go to Cloud Administration Console > Users > Reports > Radius Clients. 

Enhanced Passkey Support Across Domains

The FIDO authentication is now enhanced by enabling multiple custom FIDO Relying Party (RP) IDs per account. A passkey registered on one approved domain can now be used to sign in across other authorized domains, delivering a seamless and secure multi-domain experience while preserving FIDO’s domain binding and privacy protections (FIDO Related Origins). To add one or more domains, go to Cloud Administration Console > Access > FIDO Authentication > FIDO Relying Party Domain(s).

Default Network Zone Configuration

A default option for network zones is now introduced, allowing you to designate any network zone as the default. The default network zone automatically applies to all APIs, AM, SCIM, and IDR configurations that either do not specify a network zone or rely on the default setting. You can change or select a different default network zone at any time, and updates will only affect configurations that use the default zone. You can now set any network zone as the default in the Cloud Administration Console.

Note: A System Default Zone is automatically created to allow all IP addresses. Once a network zone is set as the default, it cannot be deleted unless another network zone is designated as the default.

Third-Party Integrations from RSA Ready

The following integrations were recently completed or certified by RSA through the RSA Ready Technology Partner Program. For the complete catalog of Implementation Guides, see RSA Ready Integrations on the RSA Community.

• New Integrations for ID Plus

• Apple iOS Native VPN (RADIUS)
• BeyondTrust Password Safe (SAML)
• Broadcom Symantec PAM (SAML)
• FireMon Policy Manager (SAML)

• Updated Integrations for ID Plus

• AuthenTrend ATKey (FIDO)
• CyberArk PAM plug-in (AM)
• HPe Aruba ClearPass (RADIUS)
• Prove SMS Gateway (AM)

Upcoming End of Primary Support (EOPS) Details

The following table provides details of the RSA products reaching the end of support within the next six months:

Fixed Issues

The following table lists the fixed issues for this release: 

Known Issue

The following table lists the known issue in this release:

October 2025 - Cloud Access Service

Critical Notices

The following urgent notices relate to mandatory upgrades and important changes within the RSA environment. Immediate action is required to prevent potential service disruptions.

Mandatory Upgrade Required by October 6, 2025

Following Google's decision to stop recognizing Entrust as a trusted Certificate Authority (CA), RSA must transition to an alternative CA beginning the week of October 06, 2025. To ensure continued functionality, you must update or upgrade the necessary on-premises RSA components prior to this date. Failure to complete the required updates may result in significant service disruptions.

For more information on upgrading components, please refer to the latest published advisory: REMINDER: 1 WEEK LEFT TO COMPLETE UPGRADE WHEN USING RSA CAS AND AVOID SERVICE DISRUPTION. 

Use of Company-Specific URLs Required

As a follow-up to the November 2024 Release Announcement, non-company-specific URLs will soon be removed. Please update the affected service URLs immediately. For more information, see transition guide here: Company-Specific Administrative URLs Update Instructions. Administrators must use their designated company-specific URLs for all access, including API interactions, AM configurations, SCIM configurations, or redirected URLs from identity providers (IdPs). The access through the non-company specific URL is not yet blocked. It will be blocked potentially resulting in a loss of functionality (for example, https://access.securid.com or https://na2.access.securid.com ). To ensure uninterrupted access, administrators should promptly verify that all connectivity is routed through the appropriate company-specific URLs and update their configurations as needed. If your Identity Router (IDR) software version is earlier than 12.22.0.0.32, you must upgrade your IDR to 12.22.0.0.32 or later to avoid any disruptions when non-company-specific URLs are deprecated.  

Starting with the June release, a banner warning appears for 24 hours whenever a non-company-specific URL is used for the following:

• Logging in to the Cloud Administration Console via password or third-party IdP.
• Accessing the Cloud Administration REST APIs.

In addition, an audit event is logged once per day whenever a non-company-specific URL is used for third-party IdP login and Cloud Administration REST API. You can view this event in the Cloud Administration Console > Platform >  Admin Event Viewer.

Identity Router (IDR) 12.23.0.0.11 Now Available

The IDR 12.23.0.0.11 release is now available. We recommend that all customers upgrade to this version.

This release includes:

• Fixed the issue affecting the IDR SSH login feature, which is used by RSA Support for troubleshooting purposes.

Note: This issue did not impact the core functionality of the Identity Router (IDR).

• Fixed multiple security vulnerabilities.

Customers can wait for the scheduled upgrade or choose to upgrade on their own discretion.

Identity Router Update Schedule and Versions

Identity routers will be updated according to the following schedule. Downloading the new identity router image when you deploy new identity routers ensures that you benefit from the latest security improvements.

Cloud Access Service Updates

Updated Subprocessor List

The list of subprocessors used by RSA has been updated to reflect the latest changes. For more information, see RSA Subprocessor Information. 

New Column in Hardware OTP Credential Information Report: Last Successful Authentication

The Hardware OTP Credential Information report now includes a new column, Last Successful Authentication. This column shows the last time a hardware OTP credential is used for authentication. The update helps you track credential usage, strengthen security by identifying inactive credentials, and simplify audit readiness.
To generate the report, go to Users > Reports > Hardware OTP Credential Information > Generate.

New Controls for Online Emergency Access Code Duration Settings

Super Administrators can now manage Online Emergency Access Code duration settings at the account level. Super Administrators can allow administrators to override these settings or lock them to prevent changes. These controls give Super Administrators greater flexibility, strengthen security, and ensure consistent policy enforcement across your organization.
To configure this feature, go to Cloud Administration Console > My Account > Company Settings > Sessions & Authentication > Emergency Access Codes.
If Lock Online Emergency Access Code settings is disabled, administrators can manage online Emergency Access Code duration in the Cloud Administration Console > Users > Management > Emergency Access Code.

Enhanced Network Zone Configuration for Identity Router (IDR) Clusters

We have enhanced network zone management so you not only have the option to apply restricted networks from the IDR Network Zone across all IDRs, but you can also configure network zones for individual IDR clusters. This enhancement gives you more granular control, improves security, and provides greater flexibility so you can choose the approach that best fits your needs.
To access this feature, navigate to Cloud Administration Console > Platform > Clusters, then edit an existing cluster or add a new one, and go to the Network Zones section.

Upcoming End of Primary Support (EOPS) Details

The following table provides details of the RSA products reaching the end of support within the next six months:

Fixed Issue

The following table lists the fixed issue for this release: 

September 2025 - Cloud Access Service

Critical Notices

The following urgent notices relate to mandatory upgrades and important changes within the RSA environment. Immediate action is required to prevent potential service disruptions.

Mandatory Upgrade Required by October 6, 2025

Following Google's decision to stop recognizing Entrust as a trusted Certificate Authority (CA), RSA must transition to an alternative CA beginning the week of October 06, 2025. To ensure continued functionality, you must update or upgrade the necessary on-premises RSA components prior to this date. Failure to complete the required updates may result in significant service disruptions.

For more information on upgrading components, please refer to the latest published advisory: 6 WEEKS LEFT TO COMPLETE UPGRADE WHEN USING RSA CAS AND AVOID SERVICE DISRUPTION. 

Use of Company-Specific URLs Required

As a follow-up to the November 2024 Release Announcement, non-company-specific URLs will soon be removed. Please update the affected service URLs immediately. For more information, see transition guide here: Company-Specific Administrative URLs Update Instructions. Administrators must use their designated company-specific URLs for all access, including API interactions, AM configurations, SCIM configurations, or redirected URLs from identity providers (IdPs). The access through the non-company specific URL is not yet blocked. It will be blocked potentially resulting in a loss of functionality (for example, https://access.securid.com or https://na2.access.securid.com ). To ensure uninterrupted access, administrators should promptly verify that all connectivity is routed through the appropriate company-specific URLs and update their configurations as needed. If your Identity Router (IDR) software version is earlier than 12.22.0.0.32, you must upgrade your IDR to 12.22.0.0.32 or later to avoid any disruptions when non-company-specific URLs are deprecated.  

Starting with the June release, a banner warning appears for 24 hours whenever a non-company-specific URL is used for the following:

• Logging in to the Cloud Administration Console via password or third-party IdP.
• Accessing the Cloud Administration REST APIs.

In addition, an audit event is logged once per day whenever a non-company-specific URL is used for third-party IdP login and Cloud Administration REST API. You can view this event in the Cloud Administration Console > Platform >  Admin Event Viewer.

Cloud Access Service Updates

The following subsections outline the new and enhanced features of the Cloud Access Service (CAS).

New Export Capability for Event Monitors

You can now export event logs directly from the User Event Monitor, System Event Monitor, and Admin Event Monitor in the Cloud Administration Console. This enhancement allows you to generate structured CSV reports with just a few clicks, making it easier to analyze activity, support compliance efforts, and streamline audit reporting. 

• For the Admin and System Event Monitor: navigate to Cloud Administration Console > Platform > Admin Event Monitor / System Event Monitor , then click Generate Report.
• For the User Event Monitor: navigate to Cloud Administration Console > Users >User Event Monitor , then click Generate Report.

Simplify User Deprovisioning with Lifecycle Management

You can now enable, disable, or delete user access to applications provisioned through the Cloud Administration Console, giving managers and application owners greater control over access governance. These actions are available in My Page > My Users Access, providing improved visibility and flexibility when managing user permissions. To activate these capabilities, ensure the "Delete Action" is enabled and that the appropriate access control settings are configured through Cloud Administration Console > Application Catalog > Fulfillment. The availability of enable/disable options may vary depending on the selected Fulfillment Configuration Type, and all access changes will be reflected accordingly on My Page.

Create and Update Local Users Through the Manage Local User API

You can now use the Manage Local User API to create and update users in the local identity store, enabling automation of user lifecycle management. This enhancement supports seamless integration with existing workflows and ensures that actions align with the Cloud Administration Console permissions. The API is secured with modern OAuth protection, ensuring secure and scalable access for administrative operations.

Enforce Managed Browser Access

You can now require users to access Microsoft Edge for Business resources only through managed browsers, ensuring that access is limited to trusted, compliant devices. By leveraging Microsoft Edge device signals, this feature verifies endpoint compliance before granting access to critical applications. This strengthens your Zero Trust security posture by combining identity verification with device trust without complexity. To access this feature, navigate  to Cloud Administration Console > Access > Managed Browser. You can then use the "Managed Browser" attribute within an Access Policy to enforce browser-based access controls. To configure the connector, see 

Configurable Periodic User Refresh for Inactive Accounts

You can now configure how often inactive accounts are refreshed from your on-prem directory (LDAP) in CAS. By default, up to 1,000 accounts unused in the past 30 days are refreshed daily. You can lower this threshold to as few as 7 days to better align with your security policies. To configure this feature go to Cloud Administration Console > Users > Bulk Maintenance.

Upcoming End of Primary Support (EOPS) Details

The following table provides details of the RSA products reaching the end of support within the next six months:

Coming Soon 

The following section outlines the upcoming features planned for the October release.

RSA MFA Agent for macOS 2.0 Expands Passwordless Authentication

RSA MFA Agent for macOS 2.0 introduces expanded support for passwordless primary authentication methods and enhanced resiliency features.

New passwordless authentication methods include:

• Mobile Passkey, using the RSA Authenticator app v4.6+ for iOS or Android (no Bluetooth required)
• QR Code Authentication
• Biometric Authentication

• Passwordless authentication methods are included with ID Plus E2 and E3 subscriptions and are available as an add-on for ID Plus E1 subscriptions.

Third-Party Integrations from RSA Ready

The following integrations were recently completed or certified by RSA through the RSA Ready Technology Partner Program. For the complete catalog of Implementation Guides, see RSA Ready Integrations on the RSA Community.

• New Integrations for ID Plus

• • Articulate Reach (SCIM)
  • HP Aruba ClearPass (SAML)
  • Microsoft Edge for Business Browser (RSA Device Trust Connector)
  • Rapid7 (SAML)

• Updated Integrations for ID Plus

• • CyberArk PAM Vault (Radius)
  • CyberArk PAM PVWA (Radius)

Fixed Issues

The following table lists the fixed issues for this release: 

August 2025 - Cloud Access Service

Critical Notices

The following urgent notices relate to mandatory upgrades and important changes within the RSA environment. Immediate action is required to prevent potential service disruptions.

Mandatory Upgrade Required by October 6, 2025

Following Google's decision to stop recognizing Entrust as a trusted Certificate Authority (CA), RSA must transition to an alternative CA beginning the week of October 06, 2025. To ensure continued functionality, you must update or upgrade the necessary on-premises RSA components prior to this date. Failure to complete the required updates may result in significant service disruptions.

Refer to the following advisories for details on upgrading the components:

• RSA Authentication Manager (AM) and RSA Authenticator for iOS and Android
• RSA Prime
• RSA Agents

Infinispan Upgrade in Identity Router (IDR) 12.23.0.0.X Requires Cluster-Wide Version Consistency

Note: This upgrade affects proxied applications on the IDR SSO Portal that store your credentials. 

The upcoming Identity Router (IDR) 12.23.0.0.X release, as outlined in the Identity Router Update Schedule and Versions table, includes a critical Infinispan upgrade. During the upgrade process, if IDRs within a cluster are running different versions, they will continue to serve requests; however, keychain synchronization may be temporarily impacted. These functions will automatically resume once all IDRs in the cluster have been upgraded to the same version. Before performing an in-place upgrade, RSA strongly recommends creating a snapshot of the virtual machine for VMware and Hyper-V-based routers, or of the storage volume for AWS-based routers to ensure recovery options are available if needed. 

Notes: 

• All IDRs in a cluster must run the same version to prevent replication disruptions.

• If you plan to add a new IDR using the 12.23.0.0.X template while other IDRs in the cluster are still on 12.22.0.0.X, you must first upgrade all existing IDRs to version 12.23.0.0.X before introducing the new node.

• Backup files created with earlier versions will not be restorable after upgrading to 12.23.0.0.X.

• RSA strongly recommends creating new backups immediately after completing the upgrade.

• Keychain replication does not apply to Embedded IDRs, as they do not support the IDR SSO Portal. Therefore, this update does not apply to AM Embedded IDRs.

• Backups apply specifically to the HTTP Federation (Fed) application in the IDR SSO Portal.

This action is essential to maintain cluster stability, ensure successful replication, and avoid potential service issues.

Identity Router Update Schedule and Versions

Use of Company-Specific URLs Required

As a follow-up to the November 2024 Release Announcement, non-company-specific URLs will soon be removed. Please update the affected service URLs immediately. For more information, see transition guide here: Company-Specific Administrative URLs Update Instructions. Administrators must use their designated company-specific URLs for all access, including API interactions, AM configurations, SCIM configurations, or redirected URLs from identity providers (IdPs).The access through the non-company specific URL is not yet blocked. It will be blocked potentially resulting in a loss of functionality (for example, https://access.securid.com or https://na2.access.securid.com ). To ensure uninterrupted access, administrators should promptly verify that all connectivity is routed through the appropriate company-specific URLs and update their configurations as needed. If your Identity Router (IDR) software version is earlier than 12.22.0.0.32, you must upgrade your IDR to 12.22.0.0.32 or later to avoid any disruptions when non-company-specific URLs are deprecated.  

Starting with the June release, a banner warning appears for 24 hours whenever a non-company-specific URL is used for the following:

• Log in to the Admin Console via password or third-party IDP.
• Access the Admin REST APIs.

In addition, an audit event is logged once per day whenever a non-company-specific URL is used for third-party IDP login and Admin API access. You can view this event in the Admin Event Viewer.

Cloud Access Service Updates

The following subsections outline the new and enhanced features of the Cloud Access Service (CAS).

Improved Support for SAML Certificate Rotation

You can now load up to two SAML signing certificates per application in CAS, ensuring seamless transitions when certificates expire. CAS automatically switches to the other certificate, maintaining secure and uninterrupted access for your applications. Managing certificates is now easier through the Cloud Administration Console, where you can view, import, and update them. This feature is available for both My Page SSO and Relying Party applications. 

• To use this feature for an SSO application, navigate to Cloud Administration Console > Applications > Application Catalog / My Applications, select a SAML application, and on the Connection Profile page, upload certificate from the  Message Protection section.
• To use this feature for a Relying Party application, navigate to Cloud Administration Console > Authentication Clients > Relying Parties, select an application, and on the Connection Profile page, upload certificate from the  Message Protection section.

Copy SAML Metadata URL

You can now copy the SAML metadata URL directly from your configured applications, making it faster to share metadata with services that require a direct URL instead of uploading files. This enhancement simplifies your SAML setup process and saves time. This feature is available for both My Page SSO and Relying Party applications. 

• To access this feature for an SSO application, go to Cloud Administration Console > Applications > My Applications, select a configured SAML SSO application, and from the dropdown, select Copy Metadata URL.
• To access this feature for a Relying Party application, navigate to Cloud Administration Console > Authentication Clients > Relying Parties, select a configured SAML Relying Party application, and from the dropdown, select Copy Metadata URL.

RSA SecurID Access Admin REST API 2.8.0 Now Available

RSA SecurID Access Admin REST API version 2.8.0 is now available with the updates on OAuth API access support. You can download the updated API package from the ID Plus Admin REST API Download page.

Upcoming End of Primary Support (EOPS) Details

The following table provides details of the RSA products reaching the end of support within the next six months:

Fixed Issue

The following table lists the fixed issue for this release: 

July 2025 - Cloud Access Service

Cloud Access Service Updates

The following subsections outline the new and enhanced features of the Cloud Access Service (CAS).

Terminology Update: Cloud Authentication Service Renamed to Cloud Access Service

The "Cloud Authentication Service" has been renamed to "Cloud Access Service". This terminology change reflects the platform's expanded capabilities and aligns with upcoming improvements. You may still see both names in the product interface and documentation as we gradually roll out this update.

Improved TransactionID with Timeout MFA Event for Step-Up Authentication

The TransactionID feature has been updated to include a Timeout MFA event for step-up authentication scenarios. If a user completes primary authentication but then closes the browser or abandons the process before finishing step-up authentication, a Timeout MFA event is triggered. This event is logged after the configured timeout period (15 minutes by default), helping to reduce open-ended authentication threads in the logs and enhancing visibility into incomplete authentication attempts. You can find the new Timeout MFA event in the Cloud Administration Console under Users > User Event Monitor.

Controlling Certificate-Based Authentication in Windows Agent

The Certificate Authority (CA) service now supports certificate-based authentication (CBA) for Windows MFA Agents integrated with Microsoft Entra ID, giving you greater control and visibility over certificate lifecycle management. With this enhancement, you can view and revoke certificates issued by the the CA service from the Cloud Administration Console. In Users > Management, search for a user, and then you will find the Agent Passwordless Login Certificates section to revoke certificates associated with that user.

Activity ID for Improved Traceability

The audit logging capability has been enhanced with the Activity ID, allowing you to group user actions within a session for improved traceability and streamlined log analysis. This update supports more effective security auditing, faster troubleshooting, and better visibility into user activity patterns. You can view the Activity ID column in the Cloud Administration Console under Users > User Event Monitor, and it is also available via the public API.

Client Type Support for OAuth Configuration

The Cloud Administration Console now supports specifying client types when configuring OAuth clients. This enhancement helps administrators tailor OAuth configurations to meet specific application needs and security requirements. You can access this feature by navigating to Platform > API Access Management, making it easier to create and manage OAuth clients with precision.

User Recording Connection Method Toggle in HTTP Federation Proxy Application

The Use Recording connection method is no longer available for HTTP Federation (HFED) Proxy application configuration. Customers who previously configured the HFED Proxy application using this connection method will experience no disruption and existing workflows will continue to function as expected. However, the Use Recording connection method will no longer be available for the new application added using HFED Proxy in the Cloud Administration Console under Applications > Application Catalog > Create From Template > HTTP Federation Proxy > Connection Method tab.

Coming Soon (July Release) 

The following section outlines the upcoming features planned for the July release.

RSA Authentication Manager 8.8 Support for Nutanix AHV

We are excited to announce that RSA Authentication Manager 8.8 will soon offer compatibility with the Nutanix AHV. This enhancement underscores our ongoing commitment to providing seamless, scalable solutions for hybrid and cloud-based environments.

RSA MFA Agent for Windows 2.4 Adds Expanded Passwordless Authentication Support

RSA MFA Agent for Windows 2.4 introduces expanded support for passwordless primary authentication methods across both Local Active Directory and Microsoft Entra ID deployments.

• Passwordless authentication methods now include:

• • FIDO Authentication, in two forms:
    • FIDO Security Key (already supported in previous version of MFA Agent for Windows, but only with Local AD Deployment)
    • Mobile Passkey (Requires RSA Authenticator V4.6 for iOS and Android, released in July 2025)
  • QR Code Authentication
  • Biometric Authentication.

To enable passwordless authentication on machines protected by the RSA MFA Agent for Windows and integrated with Microsoft Entra ID, a certificate must be deployed to the endpoint. To streamline this process, RSA introduces an automated certificate provisioning mechanism that simplifies setup and ensures secure deployment. Additionally, to provide more granular control, two new authentication methods are available for configuration within Assurance Levels, enabling the use of the following passwordless authentication methods:

• • Agent QR Code
  • Agent Device Biometric

• Passwordless authentication methods are included with ID Plus E2 and E3 subscriptions and are available as an add-on for ID Plus E1 subscriptions.
• Passwordless authentication will be added in future releases to other RSA MFA Agents.

RSA Authenticator 4.6 for iOS and Android

The following sections highlight the new features planned for the July release of RSA Authenticator 4.6: 

Streamlined Credential Registration in RSA Authenticator App 

Users can now register both CAS credentials and passkeys (FIDO credentials) through a single, simplified action, reducing the number of steps required. This improves usability and accelerates secure onboarding.

Enhanced Mobile Lock Notifications in RSA Authenticator App 

When a critical threat is detected, users will now receive notifications containing detailed information about the threat. This empowers users to resolve certain issues independently and enables them to provide clearer, more actionable information when engaging with their IT Help Desk, improving response time and support efficiency. 

In-App Upgrade Notification in RSA Authenticator App 

Users will now receive an in-app notification when a newer version is available for download. This helps ensure users stay up to date with the latest features, performance improvements, and security updates.

Expanded Credential Support in RSA Authenticator App 

Users can now manage up to 30 RSA credentials, including both Authentication Manager (AM) and CAS credentials. This enhancement is designed for powered users who need access to multiple services, providing greater flexibility and convenience. The user interface has also been updated to simplify navigation and improve the management experience for a larger number of credentials, including passkeys. 

Important Notice: Use of Company-Specific URLs Required

As a follow-up to the November 2024 Release Announcement, non-company-specific URLs will soon be removed. Please update the affected service URLs immediately. For more information, see transition guide here: Company-Specific Administrative URLs Update Instructions. Administrators must use their designated company-specific URLs for all access, including API interactions, AM configurations, SCIM configurations, or redirected URLs from identity providers (IdPs).The access through the non-company specific URL is not yet blocked. It will be blocked potentially resulting in a loss of functionality (for example, https://access.securid.com or https://na2.access.securid.com )". To ensure uninterrupted access, administrators should promptly verify that all connectivity is routed through the appropriate company-specific URLs and update their configurations as needed. If your Identity Router (IDR) software version is earlier than 12.22.0.0.32, you must upgrade your IDR to 12.22.0.0.32 or later to avoid any disruptions when non-company-specific URLs are deprecated.  

Operating System (OS) Update for Embedded Identity Router

RSA released an updated Identity Router (IDR) version 12.22.x with the SLES 15 SP6 operating system (OS) image in November 2024, available for both standalone and embedded deployments. However, embedded Identity Routers used with Authentication Manager are not eligible for an in-place upgrade to SLES 15 SP6.

Deployments of IDR version 12.21.x or earlier, which are based on SLES 12 SP5, will continue to receive software package updates. However, be aware that support for SLES 12 SP5-based IDRs will be phased out in the soon. New deployments of embedded IDR version 12.22.x or later will use the latest SLES 15 SP6-based image.

If you are using IDR on SLES 12 SP5, or if your IDR version is v12.21.x or earlier, you must update the IDR to the latest version as soon as possible. Use the new image available from the Cloud Administration Console to perform the update.

To view IDR version and operating system information, see View Identity Router Status in the Cloud Administration Console.

RSA strongly recommends that customers using Embedded IDRs migrate to SLES 15 SP6 based images. To do so, perform the following steps:

1. Remove the Embedded IDR from the Authentication Manager appliance. Refer to Remove the Embedded Identity Router from RSA Authentication Manager. 
2. Download and install the new IDR. Refer to step 3: Deploy the Embedded Identity Router section in the Quick Setup - Connect RSA Authentication Manager to the Cloud Access Service with an Embedded Identity Router article.

Note: In step 1, regenerate the Registration Code from the existing IDR record. You do not need to create a new identity router record.

3. Register the new IDR with the existing record in the Cloud Administration Console. Refer to steps 3 to 9 of Step 3: Deploy the Embedded Identity Router section in the Quick Setup - Connect RSA Authentication Manager to the Cloud Access Service with an Embedded Identity Router article.
4. In the Cloud Administration Console, click Publish Changes.

After the migration, verify that the new IDR is working as expected by checking the status in the Cloud Administration Console. Refer to View Identity Router Status.

Upcoming End of Primary Support (EOPS) Details

The following table provides details of the RSA products reaching the end of support within the next six months:

Third-Party Integrations from RSA Ready

The following integrations were recently completed or certified by RSA through the RSA Ready Technology Partner Program. For the complete catalog of Implementation Guides, see RSA Ready Integrations on the RSA Community.

• New Integrations for ID Plus

• • Articulate Reach 360 (SAML)
  • Jamf Connect (OIDC)

• Updated Integrations for ID Plus

• • ADP Federated SSO (SAML)
  • Microsoft GitHub (SAML)
  • Okta SSO (SAML)
  • SAP NetWeaver (SAML)

Fixed Issues

The following table lists the issues that are fixed for this release: 
 

June 2025 - Cloud Authentication Service

Cloud Authentication Service Updates

The following subsections outline the new and enhanced features of the Cloud Authentication Service (CAS).

Emergency Access Codes Now Support One-Time Use

Emergency Access Code (EAC) functionality is now enhanced with support for single-use expiration. This improvement reduces exposure and helps minimize the risk of unauthorized access during critical support scenarios. With the new setting, EACs expire immediately after a single use, an upgrade from the previous minimum expiration period of one day. Help Desk Administrators can configure one-time use EACs in the Cloud Administration Console under Users > Management, while Super Administrators can define the default tenant wide behavior via Company Settings > Sessions & Authentication > Emergency Access Codes.

Enhanced Control: Restrict RSA Authenticator App Usage According to Operating System 

Administrators can now restrict the use of the RSA Authenticator app according to operating system, to help organization enforce internal compliance policies. This feature is available in the Cloud Administration Console under Access > My Page > My Authenticators > Configuration.

Improved Access Visibility for Managers and Application Owners

Managers and Application Owners can now easily view their team members and the applications they have access to via the new My Users Access tab, located under My Page > My Users Access. This enhancement improves transparency and simplifies access oversight, helping organizations ensure users have appropriate access levels while supporting stronger governance and compliance practices.

Improved Password Spray Attack Detection and Notification Visibility

Password Spray Attack detection now includes the tenant name and URL in email notifications sent to Client Administrators. Additionally, filtering has been enhanced to event code search in Cloud Administration Console > Users > User Event Monitor, making it easier to identify and investigate suspicious activity. These updates enhance visibility into potential threats, streamline incident response, and strengthen your organization’s ability to detect and mitigate password based attacks. Super Administrators can configure notification settings by navigating to Cloud Administration Console > My Account > Company Settings > Email Notifications > Anomaly Detection (Password Spraying).

Important Notice: Use of Company-Specific URLs Required

As a follow-up to the November 2024 Release Announcement, non-company-specific URLs will soon be removed. Please update the affected service URLs immediately. For more information, see transition guide here: Company-Specific Administrative URLs Update Instructions. Administrators must use their designated company-specific URLs for all access, including API interactions, AM configurations, SCIM configurations, or redirected URLs from identity providers (IdPs).The access through the non-company specific URL is not yet blocked. It will be blocked potentially resulting in a loss of functionality (for example, https://access.securid.com or https://na2.access.securid.com )". To ensure uninterrupted access, administrators should promptly verify that all connectivity is routed through the appropriate company-specific URLs and update their configurations as needed. If your Identity Router (IDR) software version is earlier than 12.22.0.0.32, you must upgrade your IDR to 12.22.0.0.32 or later to avoid any disruptions when non-company-specific URLs are deprecated.  

RSA Authentication Agents 8.0.x for IIS and Apache No Longer Available for Download

Coming Soon (July Release) 

The following section outlines the upcoming features planned for the July release. 

Upcoming Identity Router Update Requirement

• IDRs running versions 12.21.x or 12.22.x (earlier than 12.22.0.0.32) are automatically upgraded. However, IDRs on versions prior to 12.21.x are excluded from this automatic upgrade, as they are no longer supported and require manual intervention.
• For customers currently on version 12.21.x, this upgrade also includes an operating system update. Please refer to the Upgrade Guide for detailed steps and prerequisites.
• The upcoming automatic upgrade for IDR follows a different process from standard upgrades. You will not have the option to reschedule or select an alternate upgrade date. To apply the update earlier than the scheduled rollout, you can manually upgrade the IDR at any time. Ensure upgrading the IDR at any time before July 12, 2025.

RSA Authenticator V4.6 for iOS and Android

Streamlined Credential Registration in RSA Authenticator App 

Users can now register both CAS credentials and passkeys (FIDO credentials) through a single, simplified action, reducing the number of steps required. This improves usability and accelerates secure onboarding.

Enhanced Mobile Lock Notifications in RSA Authenticator App 

When a critical threat is detected, users will now receive notifications containing detailed information about the threat. This empowers users to resolve certain issues independently and enables them to provide clearer, more actionable information when engaging with their IT Help Desk, improving response time and support efficiency. 

In-App Upgrade Notification in RSA Authenticator App 

Users will now receive an in-app notification when a newer version is available for download. This helps ensure users stay up to date with the latest features, performance improvements, and security updates.

Expanded Credential Support in RSA Authenticator App 

Users can now manage up to 30 RSA credentials, including both Authentication Manager (AM) and CAS credentials. This enhancement is designed for powered users who need access to multiple services, providing greater flexibility and convenience. The user interface has also been updated to simplify navigation and improve the management experience for a larger number of credentials, including passkeys. 

Expanded Passwordless Authentication Methods in RSA MFA Agent for Windows

The upcoming RSA MFA Agent for Windows v2.4, targeted for release in the July/August 2025 timeframe, introduces expanded support for passwordless authentication across both Local Active Directory and Microsoft Entra ID deployments. This includes: 

• FIDO Security Key (now extended to Entra ID; previously supported only with Local AD)

• Mobile Passkey, used with RSA Authenticator app v4.6 for iOS and Android (scheduled for July 2025 release)

• QR Code Authentication

• Biometric Notification

To enable these capabilities:

• The CAS June release introduces three new authentications methods for administrators to configure:

  • QR Code (RSA Agent)

  • Device Biometrics (RSA Agent)

  • Mobile Passkey (RSA Agent)

• The CAS July release will include Certificate Authority (CA) services to enable certificate-based passwordless authentication for Entra ID deployments.

Note: The two CAS features mentioned above will be seamlessly enabled before the CAS July release for ID Plus E2 and E3 subscriptions. Customers with ID Plus E1 subscriptions will require an add-on to enable these.

Upcoming End of Primary Support (EOPS) Details

The following table provides details of the RSA products reaching the end of support within the next six months:
 

Third-Party Integrations from RSA Ready

The following integrations were recently completed or certified by RSA through the RSA Ready Technology Partner Program. For the complete catalog of Implementation Guides, see RSA Ready Integrations on the RSA Community.

• New Integrations for ID Plus
• CrowdStrike Falcon Identity Protection (REST)
• Microsoft GitHub (SCIM)
• WSO2 (SAML)

• Updated Integrations for ID Plus
  • Omnissa Horizon Connection Server (RADIUS)
  • Omnissa UAG (RADIUS)

May 2025 - Cloud Authentication Service

Cloud Authentication Service Updates

The following subsections outline the new and enhanced features of the Cloud Authentication Service (CAS).

Improved Security for IDR and CAS Communication

Security has been enhanced for connections between Identity Routers (IDRs) and the Cloud Authentication Service (CAS). Through the Cloud Administration Console, a network zone can be assigned to a cluster, ensuring that only IDRs within a trusted configured network zone are allowed to pull configurations from CAS. This feature is accessible via the Cloud Administration Console > Platform > Clusters. To monitor communication status, administrators can view the connection state (Active or Blocked) under Platform > Identity Router.

Live Verification Enhancements

Help Desk Live Verification can now be accessed through an API, enabling seamless integration into your existing systems and workflows. This update allows administrators to trigger bi-directional authentication using any registered MFA authenticator directly through API calls without exposing any credentials during the verification process.

Note: The user interface now supports localization in 10 languages, offering a more flexible and accessible experience for end users.

Streamlined Passwordless Identity Verification

You can now confidently verify user identities without requiring passwords. The user enrollment and credential recovery experience has been simplified and enhanced with new passwordless verification options on RSA My Page. This update delivers stronger security, reduced user friction, and a smoother overall experience. The new workflow supports both environments with or without an identity verification system. To access this feature, navigate to Access > Policies > My Page Enrollment / Recovery > Rule Sets > Identity Verification in the Cloud Administration Console.

Improved FIDO Authenticator Support for Custom Domains in CAS

Authentication requests from Microsoft Entra to CAS via external authentication method now fully support all types of FIDO authenticators registered to custom domains. This enhancement ensures a smoother, more secure login experience for your users. 

Note: This functionality is not currently supported in Firefox, as the browser does not support FIDO's Related Origin Request (ROR) feature.

Coming Soon: Support for Agent Passwordless Authentication Methods in Policy Configuration (July) 

We’ve introduced new authentication method options within the Primary Authentication policy configuration to support upcoming agent-based passwordless authentication methods and help organizations proactively align with modern authentication strategies. Administrators can now preconfigure these methods by navigating to Cloud Administration Console > Access > Policies > Add a Policy > Primary Authentication. While these options are now visible in the policy setup, they will only take effect once the corresponding agents are updated to support them and the required licensing is in place.

RSA Authenticator App Updates

Stay Secure: Mandatory RSA Authenticator App Upgrade by October 2025

To ensure users continue enjoying a secure and seamless login experience, all RSA mobile application users must upgrade to the latest version of the RSA Authenticator app for iOS and Android by October 2025. Starting with the CAS October 2025 release, all versions of the RSA Authenticate app for iOS and Android and versions of RSA Authenticator apps for iOS and Android  prior to V4.5 will no longer support modern multi-factor authentication (MFA) methods, such as push notifications. To make this transition easier, users of these apps will begin receiving  clear upgrade notifications via the web interface following a successful authentication through CAS. For more details, see Time is Running Out – Users Must Migrate from the Legacy RSA Authenticate App. Check the following screenshots of the upgrade notices for both app types. 

Important Notice: Use of Company-Specific URLs Required

As a follow-up to the November 2024 Release Announcement, non-company-specific URLs will soon be removed. Please update the affected service URLs immediately. For more information, see transition guide here: Company-Specific Administrative URLs Update Instructions. Administrators must use their designated company-specific URLs for all access, including API interactions, Authentication Manager (AM) configurations, SCIM configurations, or redirected URLs from identity providers (IdPs). Access via any other URLs, or those without a company subdomain, will be blocked, potentially resulting in a loss of functionality (for example, https://access.securid.com or https://na2.access.securid.com). To ensure uninterrupted access, administrators should promptly verify that all connectivity is routed through the appropriate company-specific URLs and update their configurations as needed. If your Identity Router (IDR) software version is earlier than 12.22.0.0.32, you must upgrade your IDR to 12.22.0.0.32 or later to avoid any disruptions when non-company-specific URLs are deprecated. 

Upcoming End of Primary Support (EOPS) Details

The following table provides details of the RSA products reaching the end of support within the next six months:
 

Third-Party Integrations from RSA Ready

The following integrations were recently completed or certified by RSA through the RSA Ready Technology Partner Program. For the complete catalog of Implementation Guides, see RSA Ready Integrations on the RSA Community.

New Integrations for ID Plus

• Cerby (SAML & SCIM)
• Sophos XGS4500 Firewall (Radius)

Updated Integrations for ID Plus

• CyberArk PVWA (SAML)
• Fortra GoAnywhere MFT (SAML)
• ID Dataweb (OIDC)
• Microsoft ADFS (SAML)
• Microsoft Sharepoint On-prem (SAML)

Fixed Issues

The following table lists the issue that is fixed for this release: