Release Notes Archive - Cloud Authentication Service and Authenticators (April 2025 - September 2024)

April 2025 - Cloud Authentication Service

Cloud Authentication Service Updates

The following subsections outline the new and enhanced features of the Cloud Authentication Service (CAS).

 

Deprecated the User Recording Connection Method in HTTP Federation Proxy Application

The User Recording connection method has been deprecated and is unavailable by default for HTTP Federation (HFED) Proxy applications. Customers who previously configured an HFED Proxy application using this connection method will experience no disruption, and existing workflows will continue to function as expected. However, the User Recording connection method will no longer be available for new applications added using HFED Proxy (Cloud Administration Console > Applications > Application Catalog > Create From Template > HTTP Federation Proxy > Connection Method tab).

 

Refined Design for Application Download on My Page

The "Installing Authenticator App" page on My Page has been revamped for better visual clarity and a more intuitive user experience.

 

 

Important Notice: Use of Company-Specific URLs Required

As a follow-up to the November 2024 Release Announcement, non-company-specific URLs will soon be removed. Please update the affected service URLs immediately. For more information, see the transition guide: Company-Specific Administrative URLs Update Instructions. Administrators must use their designated company-specific URLs for all access, including API interactions, Authentication Manager (AM) configurations, SCIM configurations, or redirected URLs from identity providers (IdPs). Access via any other URLs, or those without a company subdomain (for example, https://access.securid.com or https://na2.access.securid.com), will be blocked, potentially resulting in a loss of functionality. To ensure uninterrupted access, administrators should promptly verify that all connectivity is routed through the appropriate company-specific URLs and update their configurations as needed.

 

Coming Soon: Upgrade Seamlessly to the Latest RSA Authenticator App (May 2025 Release)

Users still relying on the legacy RSA Authenticate App (no longer supported) for web-based authentication will be presented with an on-screen notice guiding them to upgrade to the current RSA Authenticator App. This always-on notice provides users with clear instructions on how to transition to the supported app, improving security and providing them with access to more authentication methods.

 

Upcoming End of Primary Support (EOPS) Details

The following table provides details of the RSA products reaching the end of support within the next six months:
 

Product | Version | EOPS Date | Extended Support Level 1/Level 2
RSA Authentication Manager | 8.7 | May 2025 | May 2026 / May 2027
MFA Agent for Microsoft Windows | 2.2.1 | June 2025 | No
Authentication Agent for Epic Hyperdrive | 1.x | June 2025 | No
RSA Authenticator for iOS and Android | 4.3 | June 2025 | No

 

Fixed Issues

The following table lists the issues that are fixed for this release:
 

Fixed Issue | Description
NGX-183758 | Email notifications for identity routers (IDRs) upgrade were sent incorrectly and prematurely due to flawed logic in determining when alerts should be triggered.
NGX-180148 | File extension validation was not enforced during SID token file uploads, causing an unclear error message.
NGX-180082 | Connecting Authentication Manager to the Cloud Authentication Service wrongly triggered a publish Changes Pending status.

 

March 2025 - Cloud Authentication Service

Cloud Authentication Service Updates

The following subsections outline the new and enhanced features of the Cloud Authentication Service (CAS).

 

Enhanced Security for SCIM Clients and Authentication Manager (AM) Communication with CAS

We have expanded administrator capabilities for configuring communication between SCIM clients and CAS, as well as AM and CAS. This update enhances security by allowing administrators to control IP filtering for SCIM identity sources and all versions of AM. Administrators can now allow or deny specific IP addresses under Network Zones, improving access control and reducing security risks.

 

Secure RSA Authentication APIs Using OAuth 2.0

We have extended OAuth 2.0 support to the Authentication APIs, providing secure, token-based access to the Cloud Authentication APIs. It also allows fine-grained permission controls and configurable token validity, providing a more secure and flexible approach to managing API access. This integration enhances both security and flexibility, allowing administrators to manage access with detailed permissions. Administrators can now configure OAuth clients for accessing Authentication APIs in the Cloud Administration Console, under Platform > API Access Management.

 

Unified API Access Management for Improved Visibility

Administrators now have enhanced visibility into Administration and Authentication Legacy API Keys, along with OAuth clients, in a single, streamlined view. These can now be accessed under Platform > API Access Management (formerly API Key Management), simplifying management and control.

 

Custom Disclaimer Text for My Page Authentication Screens

Administrators can now tailor authentication experiences by adding custom disclaimer text for end users. This text will be displayed underneath the authentication screens. This update provides greater flexibility and customization, allowing organizations to display important legal or informational disclaimers directly within the authentication flow. Administrators can configure this setting in the Cloud Administration Console by navigating to Access > My Page > Customization tab.

 

Identity Routers (IDRs) Now Supported on Microsoft Azure

RSA Identity Router (IDR) can now be deployed in the Microsoft Azure environment. This new capability extends our existing support for Amazon Web Services (AWS), VMware, Hyper-V and Authentication Manager embedded deployments, offering even greater flexibility and choice with seamless integration of IDRs into your Azure environment. Deploying IDR within your Azure environment helps drive efficiency and security in your digital transformation journey. In the Cloud Administration Console, administrators can download the virtual hardware disk (VHD) image for Azure by navigating to Platform > Identity Routers.

 

Secure User Verification for Help Desk Calls

Administrators can now verify user identities during live help desk calls using any registered multi-factor authentication (MFA) authenticator. This ensures a secure and seamless verification process without exposing sensitive credentials and prevents unauthorized access while maintaining a smooth user experience.  The feature is managed through the Live Verification Policy, which is available in the Cloud Administration Console under Policies.

 

Improved Access Policy Visibility

On the Cloud Administration Console > Applications screen, administrators can now view the Access Policy Type, enabling more proactive management of cloud application policies. Additionally, we have expanded capabilities to enhance the user experience. When a policy is assigned, the Primary Authentication option under Policies is now grayed out. However, administrators can view a link showing where the policy is applied, making it easier to enable or disable as needed.

 

RSA Authentication Manager Releases Documentation Update

Currently, AM patches for AM and WebTier have separate Read-Me documents for each patch. To enhance accessibility and convenience for customers, a unified approach will be introduced, consolidating all patch-related information into a single Read-Me document. Starting with AM 8.8, patch releases will feature a comprehensive, updated Read-Me document covering all patches, WebTier updates, and hotfixes. This consolidated document will provide details on both new and previous updates, installation instructions, new features, and resolved issues, ensuring that all relevant information is available in one place.

 

Important Notice: Use of Company-Specific URLs Required

As a follow-up to the November announcement (RSA-Release-Notes-Cloud-Authentication-Service-and-RSA-Authenticators), non-company-specific URLs will soon be removed. Please update the affected service URLs immediately. For more information, see the transition guide: Company-Specific Administrative URLs Update Instructions. Administrators must use their designated company-specific URLs for all access, including API interactions, Authentication Manager (AM) configurations, SCIM configurations, or redirected URLs from identity providers (IdPs). Access via any other URLs, or those without a company subdomain (for example, https://access.securid.com or https://na2.access.securid.com), will be blocked, potentially resulting in a loss of functionality. To ensure uninterrupted access, administrators should promptly verify that all connectivity is routed through the appropriate company-specific URLs and update their configurations as needed.

 

Coming Soon: Upgrade Seamlessly to the Latest RSA Authenticator App (April 2025 Release)

Users still relying on the legacy RSA Authenticate App (no longer supported) for web-based authentication will be presented with an on-screen notice guiding them to upgrade to the current RSA Authenticator App. This always-on notice provides users with clear instructions on how to transition to the supported app, improving security and providing them with access to more authentication methods.

 

Upcoming End of Primary Support (EOPS) Details

The following table provides details of the RSA products reaching the end of support within the next six months:
 

Product | Version | EOPS Date | Extended Support Level 1/Level 2
RSA Authentication Manager | 8.7 | May 2025 | May 2026 / May 2027
MFA Agent for Microsoft Windows | 2.2.1 | June 2025 | No
Authentication Agent for Epic Hyperdrive | 1.x | June 2025 | No
RSA Authenticator for iOS and Android | 4.3 | June 2025 | No

 

Third-Party Integrations from RSA Ready

The following integrations were recently completed or certified by RSA through the RSA Ready Technology Partner Program. For the complete catalog of Implementation Guides, see RSA Ready Integrations on the RSA Community.

New Integrations for ID Plus

  • 15Five (SCIM)
  • Okta Agent (RADIUS)

Updated Integrations for ID Plus

  • F5 Big-IP APM (SAML)

 

Fixed Issues

The following table lists the issues that are fixed for this release:
 

Fixed Issue | Description
NGX-180395 | When manually synchronizing an identity source, the status remained stuck on Sync in Progress indefinitely.
NGX-180630 | Users with an apostrophe in their last name did not synchronize from AM to CAS.
NGX-178547 | When a customer enabled the Message-Authenticator attribute under RADIUS, the button appeared blue (indicating it was enabled), but the label incorrectly displayed Disabled.
NGX-182075 | SP-initiated requests with multiple authentication contexts failed when migrating a SAML 2.0 app from an on-prem IDR to CAS.
NGX-175387 | Audit logs did not clearly capture instances where users attempted to authenticate with QR Code without a registered mobile device.
NGX-177010 | The RADIUS authentication threshold was not strictly enforced in some cases.

 

February 2025 - Cloud Authentication Service

Cloud Authentication Service Updates

The following subsections outline the new and enhanced features of the Cloud Authentication Service (CAS).

 

Enable/Disable Resynchronization of OTP Hardware Authenticators

In the Cloud Administration Console (Access > My Page), administrators can now enable or disable resync of OTP authenticators. This feature allows users with out-of-sync OTP authenticators to resync their device with the Cloud Authentication Service, particularly in cases where authentication fails due to clock drift (for example, from extreme temperatures) or when multiple consecutive OTPs are generated without use. Unauthenticated users who cannot sign into My Page can access a sync URL, enter the authenticator's serial number, and provide two consecutive OTPs to synchronize their device and regain access to their application.
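The two-consecutive-OTP resynchronization described above, sketched as an added example (not RSA code, and not part of the original release notes). The token algorithm is not given on this page, so standard HOTP/TOTP (RFC 4226 / RFC 6238) stands in for it; the 60-second step, the window sizes, the sample seed and all function names are assumptions.

```python
"""Server-side OTP resynchronization using two consecutive codes.

Added illustration only. Standard HOTP/TOTP (RFC 4226 / RFC 6238) stands in
for the vendor's token algorithm, which the release notes do not describe.
"""
import hashlib
import hmac
import struct

STEP_SECONDS = 60    # assumed token time step
DIGITS = 6           # assumed code length
VERIFY_WINDOW = 1    # steps tolerated either side during normal sign-in
RESYNC_WINDOW = 50   # steps searched either side during resync (assumed)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP value for one counter (here: one time step)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def _well_formed(otp: str) -> bool:
    """Reject anything that is not exactly DIGITS ASCII digits."""
    return len(otp) == DIGITS and otp.isascii() and otp.isdigit()


def verify(secret: bytes, otp: str, server_time: int,
           drift: int = 0, window: int = VERIFY_WINDOW) -> bool:
    """Normal sign-in check: narrow window around the drift-corrected step."""
    if not _well_formed(otp):
        return False
    step = server_time // STEP_SECONDS + drift
    return any(
        hmac.compare_digest(hotp(secret, step + d), otp)
        for d in range(-window, window + 1)
        if step + d >= 0
    )


def resync(secret: bytes, otp1: str, otp2: str, server_time: int,
           window: int = RESYNC_WINDOW):
    """Return the token's drift in steps, or None if resync must be refused.

    The search window is much wider than at sign-in, so one 6-digit code
    would match by chance with probability about (2*window+1)/10**6.
    Requiring the code for step c AND the code for step c+1 lowers that to
    about (2*window+1)/10**12, which is why two consecutive OTPs are asked for.
    """
    if not (_well_formed(otp1) and _well_formed(otp2)):
        return None
    now_step = server_time // STEP_SECONDS
    matches = []
    for drift in range(-window, window + 1):
        counter = now_step + drift
        if counter < 0:
            continue
        first_ok = hmac.compare_digest(hotp(secret, counter), otp1)
        second_ok = hmac.compare_digest(hotp(secret, counter + 1), otp2)
        if first_ok and second_ok:
            matches.append(drift)
    # Accept only an unambiguous result. A real service would also mark both
    # codes as consumed and rate-limit attempts per serial number.
    return matches[0] if len(matches) == 1 else None


def demo():
    """Constructed scenario: a token whose clock runs 20 minutes slow."""
    secret = b"constructed-demo-seed"          # constructed sample seed
    server_time = 1_700_000_000                # constructed server clock
    token_step = server_time // STEP_SECONDS - 20
    otp1, otp2 = hotp(secret, token_step), hotp(secret, token_step + 1)

    before = verify(secret, otp1, server_time)           # outside +/-1 step
    drift = resync(secret, otp1, otp2, server_time)      # finds the offset
    next_code = hotp(secret, token_step + 2)
    after = verify(secret, next_code, server_time + 120, drift=drift)
    return before, drift, after


if __name__ == "__main__":
    print(demo())
```

Storing the returned drift per authenticator lets normal sign-in keep its narrow window instead of widening it for every user.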


Administration Event Monitor for Role Management

In the Cloud Administration Console, administrators can now track the creation, editing, and deletion of roles for the Fulfillment service through the Admin Event Monitor. The event description provides detailed information on the creation, editing, or deletion of roles.

 

Disable Anomaly Detection Email Notifications

Email notifications about suspicious authentication attempts, which help customers mitigate password spray attacks, were previously sent automatically to Super Administrators. Now, administrators can disable these notifications by clearing the new Anomaly Detection checkbox under Company Settings > Email Notifications in the Cloud Administration Console. This gives administrators the option to enable or disable these notifications as needed. 


New MFA Authentication Logs in the Cloud Administration Console

When multifactor authentication (MFA) occurs between the Authentication Manager and the Cloud Authentication Service, the Cloud Administration Console now provides new verbose logs in the User Event Monitor. These events track the initiation, success, and failure of MFA authentications through this hybrid deployment, offering administrators more detailed insights into the authentication process, including when MFA is initiated, successfully completed, or fails.

 

Local Groups Public API 

The Local Groups Public API seamlessly integrates users from various identity sources (internal identity source, AD/LDAP, or SCIM), allowing them to be grouped together in a single group. Additionally, administrators can search for users and add them to groups either individually or in bulk.

 

Important Notice: Use of Company-Specific URLs Required

Effective March 2025, access through non-company-specific URLs will be discontinued. Administrators need to utilize their designated company-specific URLs for all access, including API interactions, Authentication Manager (AM) configurations, SCIM configurations, or redirected URLs from identity providers (IdPs). Access via any other URLs or those lacking a company subdomain (for example, https://access.securid.com or https://na2.access.securid.com) will be blocked, resulting in potential loss of functionality. To ensure uninterrupted access, administrators need to promptly verify that all connectivity is routed through the appropriate company-specific URLs and update their configurations as necessary.
If a SAML third-party Identity Provider (IdP) is set up for logging into the Cloud Administration Console, it is essential to ensure that both the Sign-In URL and the Assertion Consumer Service (ACS) URL are configured to use the company-specific URLs on the IdP side. If they are not currently configured this way, please make the necessary updates. To find your company-specific Sign-In URL and ACS URL, go to My Account > Company Settings > Sessions and Authentications in the Cloud Administration Console.

 

Coming Soon: Migration Prompt for RSA Authenticate App Users (March 2025 Release)

As communicated in previous advisories, the RSA Authenticate app on iOS, Android, Windows, and macOS is no longer supported. Users of this app must upgrade to the RSA Authenticator app, which provides a migration path for existing credentials.
While many initial users of the RSA Authenticate app have seamlessly completed this upgrade, a significant number of users are still relying on the RSA Authenticate app for authentication. To drive migration, a new feature will be introduced in the March 2025 release, where users attempting to authenticate with the RSA Authenticate app will receive a prompt notifying them that the app is no longer supported and providing clear instructions for upgrading to the RSA Authenticator app.


 

Identity Router Update Schedule and Versions

Identity routers will be updated according to the following schedule. Downloading the new identity router image when you deploy new identity routers ensures that you benefit from the latest security improvements.
 

Date | Description
ANZ: 01/06/2025; EU/IN/JP: 01/06/2025; NA/GOV: 01/06/2025; CA/SG: 01/06/2025 | Updated identity router software is available to all customers.
Default: Saturday 02/15/2025 | Default date when identity routers are scheduled to automatically update to the new version unless you modify the update schedule or update manually.
Last: Saturday 03/08/2025 | If you postponed the default date, this is the last day when updates can be performed.


The new identity router software versions are:
 

Identity Router Deployment Type | Version
On-premises | 12.22.0.0
Amazon Cloud | RSA_Identity_Router 12.22.0.0

 

 

Upcoming End of Primary Support (EOPS) Details

The following table provides details of the RSA products reaching the end of support within the next six months:
 

Product | Version | EOPS Date | Extended Support Level 1/Level 2
RSA Authentication Manager | 8.7 | May 2025 | May 2026 / May 2027
MFA Agent for Microsoft Windows | 2.2.1 | June 2025 | No
Authentication Agent for Epic Hyperdrive | 1.x | June 2025 | No
Authenticator for iOS & Android | 4.3 | June 2025 | No

 

Third-Party Integrations from RSA Ready

The following integrations were recently completed or certified by RSA through the RSA Ready Technology Partner Program. For the complete catalog of Implementation Guides, see RSA Ready Integrations on the RSA Community.

New Integrations for ID Plus

  • Nutanix Prism Central
  • OpenText EnCase
  • Salesforce CRM as SCIM Server
  • SkyHigh Security (End User)

Updated Integrations for ID Plus

  • AWS including session tags
  • Citrix Cloud
  • Citrix Netscaler
  • Fortinet FortiClient
  • Microsoft SharePoint (Online)
  • PingFederate
  • RSA G&L

 

Fixed Issues

The following table lists the issues that are fixed for this release:
 

Fixed Issue | Description
NGX-178316 | On Android devices, some users with RSA Authenticator app versions 4.2, 4.3, and 4.4 encountered error code 4013 when attempting to approve push notifications.
NGX-177668 | In the Cloud Administration Console, the Users Management page displayed the following message for users with US phone numbers using the '557' area code for SMS and Voice Tokencode methods: "The phone number cannot be confirmed as valid. Try to obtain the correct information from the user. If the number was synchronized, have it corrected in the directory server."
NGX-176584 | Inconsistent Access Policy details were sometimes displayed on the Authentication tab of Relying Party configurations.

 

January 2025 - Cloud Authentication Service 

Cloud Authentication Service Updates

The following subsections outline the new and enhanced features of the Cloud Authentication Service (CAS).

 

Cloud Administration Console Notifications for Password Spray Attack Detection

In the Cloud Administration Console, on-screen notifications have been added to help administrators detect and respond more quickly to potential password spray attacks. These enhancements enable faster identification of suspicious authentication attempts, especially when the user ID does not match any known users, signaling possible malicious activity. Administrators can now more effectively assess and mitigate threats.

 

Secure My Page SSO Applications with Access Policy 2.0

Administrators are now required to assign only Access Policy 2.0 to My Page SSO applications, both when adding new applications and when editing existing ones. When adding a new My Page SSO application, the User Access tab will only display Access Policy 2.0 options. Additionally, when editing existing applications, administrators need to select 2.0 Access Policy for authentication, as 1.0 policies can no longer be edited.

When accessing an SSO application secured by a 2.0 access policy, users will no longer be prompted to authenticate with the My Page policy, only the 2.0 policy for that application. However, they will still need to complete the My Page policy when accessing the My Page Application Portal, launching Identity Router (IDR) SSO Portal applications, or visiting preexisting SSO applications protected by 1.0 policies.

These updates streamline access management by ensuring that all My Page SSO applications are protected by Access Policy 2.0, enhancing application security.


Note: Bookmark applications still use 1.0 policies.


Manage User Groups in the Cloud Administration Console

In the Cloud Administration Console (under Users > Groups), administrators can now create and manage Local Groups. Local Groups seamlessly integrate users from various identity sources (internal identity source, AD/LDAP, or SCIM), allowing them to be grouped together in a single group. Additionally, administrators can search for users individually and add them to groups for bulk user additions.

 

Enhanced My Page Applications Access Management

In the Cloud Administration Console, administrators can now assign specific access levels based on individual user attributes for application provisioning. This feature offers enhanced flexibility, customization, and more granular access management. Within the Fulfillment tab, administrators can now assign role/group permissions based on the available user attributes. The Fulfillment service provisions the application with the assigned roles/groups, ensuring that users are granted the appropriate privileges based on their needs.


Secure RSA Cloud Administration APIs Using OAuth 2.0

The RSA Cloud Administration APIs now support the OAuth 2.0 authorization framework, providing secure, token-based access to the Administration APIs. This integration enhances both security and flexibility, allowing administrators to manage access with detailed permissions. In the Cloud Administration Console, under Platform > API Key Management, administrators can now configure Administration API clients. OAuth 2.0 supports client authentication before issuing access tokens. It also allows fine-grained permission controls and configurable token validity, providing a more secure and flexible approach to managing API access.


Secure Access to Audit Logs for All Customers

With the support of OAuth 2.0 and granular permissions, all customers can now securely access all system-level audit logs, regardless of their ID Plus plan. This update enhances control for administrators, ensuring compliance requirements are met while offering secure and flexible access to audit logs.

 

Look and Feel Updates for the Cloud Administration Console

RSA is gradually updating the design of the Cloud Administration Console (for example, the header) as part of its ongoing effort to enhance the user experience.


Arabic Now Supported on My Page and Authentication Workflows

Users can now access RSA-protected resources with Arabic language support, including My Page, authentication workflows, email templates, and My Page Help.


Roles History Link Now Available on My Page

In the Request details pane, the Roles History link is now available on My Page, allowing requestors and approvers to track all changes made to a role during the request process.

 

Upgrade Seamlessly to the Latest RSA Authenticator App

Users still relying on the legacy RSA Authenticate app (no longer supported) for web-based authentication will now be presented with an on-screen notice guiding them to upgrade to the current RSA Authenticator app. This always-on notice provides users with clear instructions on how to transition to the supported app, improving security and providing them with access to more authentication methods.

 

RSA Authenticator 4.5.2 for iOS and Android – Coming Soon 

Here’s an overview of the key updates in the upcoming RSA Authenticator 4.5.2 release:

  • Threat Detection for Android Rooted Devices: The RSA Authenticator app for Android now strengthens security by blocking usage on rooted devices, aligning with the protection available on the iOS version. With enhancements that extend beyond Google’s standard APIs, RSA is delivering a robust solution that ensures compliance, provides administrators with actionable insights, and minimizes the risk of false positives.
  • RSA Authenticator App Now Supports Arabic: The RSA Authenticator app for iOS and Android is now available in Arabic, featuring full content translation and a right-to-left design for an intuitive user experience. This update ensures seamless accessibility for Arabic-speaking users, reflecting RSA’s commitment to global usability. 

 

Important Notice: Use of Company-Specific URLs Required

Effective March 2025, access through non-company-specific URLs will be discontinued. Administrators need to utilize their designated company-specific URLs for all access, including API interactions, Authentication Manager (AM) configurations, SCIM configurations, and redirected URLs from identity providers (IdPs). Access via any other URLs or those lacking a company subdomain (for example, https://access.securid.com or https://na2.access.securid.com) will be blocked, resulting in potential loss of functionality. To ensure uninterrupted access, administrators need to promptly verify that all connectivity is routed through the appropriate company-specific URLs and update their configurations as necessary.
If a SAML third-party Identity Provider (IdP) is set up for logging into the Cloud Administration Console, it is essential to ensure that both the Sign-In URL and the Assertion Consumer Service (ACS) URL are configured to use the company-specific URLs on the IdP side. If they are not currently configured this way, please make the necessary updates. To find your company-specific Sign-In URL and ACS URL, go to My Account > Company Settings > Sessions and Authentications in the Cloud Administration Console.

 

 

RSA MFA Agent Support for macOS Sequoia 15.2

We are pleased to announce that RSA has officially qualified RSA MFA Agent 1.4.2 support for macOS Sequoia 15.2. Customers can now safely upgrade their macOS machines to Sequoia 15.2 and continue to use RSA MFA Agent 1.4.2 for secure user authentication and login.

 

Upcoming End of Primary Support (EOPS) Details

The following table provides details of the RSA products reaching the end of support within the next six months:
 

Product | Version | EOPS Date | Extended Support Level 1/Level 2
Authenticator for Windows | 6.1.3 | February 2025 | No
RSA Authentication Manager | 8.7 | May 2025 | May 2026 / May 2027
MFA Agent for Microsoft Windows | 2.2.1 | June 2025 | No
Authentication Agent for Epic Hyperdrive | 1.x | June 2025 | No
Authenticator for iOS & Android | 4.3 | June 2025 | No

 

Third-Party Integrations from RSA Ready

The following integrations were recently completed or certified by RSA through the RSA Ready Technology Partner Program. For the complete catalog of Implementation Guides, see RSA Ready Integrations on the RSA Community.
  

New Integrations for ID Plus

  • Skyhigh Security
  • Skyhigh Security SWG
  • Zimperium zConsole

Updated Integrations for ID Plus

  • Check Point Gateway
  • Fortigate VPN
  • Microsoft NPS
  • OneLogin
  • SonicOS
  • Zoho ME ADSelfService Plus

 

Fixed Issues

The following table lists the issues that are fixed for this release:
 

Fixed Issue | Description
NGX-175733 | A customer encountered an error message when attempting to run the 'All Users' report.
NGX-174744 | After saving and editing a SAML application, the Include Certificate in Outgoing Assertion option remained unselected, even though it had been previously checked.
NGX-174547 | The Cloud Administration User Search API Version 1 returned an empty response when the search results were limited to a single page.
NGX-172870 | The admin-assisted enrollment email notification displayed the expiration date in UTC instead of showing the remaining time left. The email notification has now been updated to display the remaining time left, aligning with the self-service email notification format.

 

Known Issues

The following table lists the known issues in this release:
 

Known Issue | Description
NGX-176667 | Problem: The Cloud Administration User Event Log API was implemented without the necessary validation for the maximum number of days a customer could retrieve in a single request. Resolution: A maximum duration of 7 days for data retrieval will be enforced in an upcoming release. Affected customers may need to adjust their API usage now to avoid errors once the validation is implemented.
NGX-177761 | Problem: For a few customers, in the Cloud Administration Console (under Access Networks), "Access Policy Network Zones" and "IDR Network Zones" are incorrectly labeled as "Default Network Zone" and "IDR Network Zone," respectively. Additionally, the descriptions for both zones are missing. Resolution: This issue will be resolved for these customers in the upcoming February release.

 

 

RSA Authenticator 4.5.2 for iOS and Android – Coming Soon 

Here’s an overview of the key updates in the upcoming RSA Authenticator 4.5.2 release:

  • Threat Detection for Android Rooted Devices: The RSA Authenticator app for Android now strengthens security by blocking usage on rooted devices, aligning with the protection available on the iOS version. With enhancements that extend beyond Google’s standard APIs, RSA is delivering a robust solution that ensures compliance, provides administrators with actionable insights, and minimizes the risk of false positives.
  • RSA Authenticator App Now Supports Arabic: The RSA Authenticator app for iOS and Android is now available in Arabic, featuring full content translation and a right-to-left design for an intuitive user experience. This update ensures seamless accessibility for Arabic-speaking users, reflecting RSA’s commitment to global usability. 

 

Important Notice: Use of Company-Specific URLs Required

Effective March 2025, access through non-company-specific URLs will be discontinued. Administrators need to utilize their designated company-specific URLs for all access, including API interactions, Authentication Manager (AM) configurations, SCIM configurations, and redirected URLs from identity providers (IdPs). Access via any other URLs or those lacking a company subdomain will be blocked, resulting in potential loss of functionality (for example, https://access.securid.com or https://na2.access.securid.com). To ensure uninterrupted access, administrators need to promptly verify that all connectivity is routed through the appropriate company-specific URLs and update their configurations as necessary.
If a SAML third-party Identity Provider (IdP) is set up for logging into the Cloud Administration Console, it is essential to ensure that both the Sign-In URL and the Assertion Consumer Service (ACS) URL are configured to use the company-specific URLs on the IdP side. If they are not currently configured this way, please make the necessary updates. To find your company-specific Sign-In URL and ACS URL, go to My Account > Company Settings > Sessions and Authentications in the Cloud Administration Console.

 

 

RSA MFA Agent Support for macOS Sequoia 15.2

We are pleased to announce that RSA has officially qualified RSA MFA Agent 1.4.2 support for macOS Sequoia 15.2. Customers can now safely upgrade their macOS machines to Sequoia 15.2 and continue to use RSA MFA Agent 1.4.2 for secure user authentication and login.

 

Upcoming End of Primary Support (EOPS) Details

The following table provides details of the RSA products reaching the end of support within the next six months:
 

Product | Version | EOPS Date | Extended Support Level 1/Level 2
Authenticator for Windows | 6.1.3 | February 2025 | No
RSA Authentication Manager | 8.7 | May 2025 | May 2026 / May 2027
MFA Agent for Microsoft Windows | 2.2.1 | June 2025 | No
Authentication Agent for Epic Hyperdrive | 1.x | June 2025 | No
Authenticator for iOS & Android | 4.3 | June 2025 | No

 

Third-Party Integrations from RSA Ready

The following integrations were recently completed or certified by RSA through the RSA Ready Technology Partner Program. For the complete catalog of Implementation Guides, see RSA Ready Integrations on the RSA Community.
  

New Integrations for ID Plus

  • Skyhigh Security
  • Skyhigh Security SWG
  • Zimperium zConsole

Updated Integrations for ID Plus

  • Check Point Gateway
  • Fortigate VPN
  • Microsoft NPS
  • OneLogin
  • SonicOS
  • Zoho ME ADSelfService Plus

 

Fixed Issues

The following table lists the issues that are fixed for this release:
 

Fixed Issue | Description
NGX-175733 | A customer encountered an error message when attempting to run the 'All Users' report.
NGX-174744 | After saving and editing a SAML application, the Include Certificate in Outgoing Assertion option remained unselected, even though it had been previously checked.
NGX-174547 | The Cloud Administration User Search API Version 1 returned an empty response when the search results were limited to a single page.
NGX-172870 | The admin-assisted enrollment email notification displayed the expiration date in UTC instead of showing the remaining time left. The email notification has now been updated to display the remaining time left, aligning with the self-service email notification format.

 

Known Issues

The following table lists the known issues in this release:
 

Known Issue | Description
NGX-176667 | Problem: The Cloud Administration User Event Log API was implemented without the necessary validation for the maximum number of days a customer could retrieve in a single request. Resolution: A maximum duration of 7 days for data retrieval will be enforced in an upcoming release. Affected customers may need to adjust their API usage now to avoid errors once the validation is implemented.
NGX-177761 | Problem: For a few customers, in the Cloud Administration Console (under Access Networks), "Access Policy Network Zones" and "IDR Network Zones" are incorrectly labeled as "Default Network Zone" and "IDR Network Zone," respectively. Additionally, the descriptions for both zones are missing. Resolution: This issue will be resolved for these customers in the upcoming February release.

 

November 2024 - Cloud Authentication Service 

Cloud Authentication Service Updates

The following subsections outline the new and enhanced features of the Cloud Authentication Service (CAS).

 

Streamlined IP Address Management with Network Zones

Administrators can now create their own trusted and restricted IP lists. A network zone contains a range of IP addresses for trusted and restricted networks, strengthening security by controlling network traffic across CAS APIs, CAS Access Policies, and the Identity Router (IDR). These configurations are located on the page previously known as Trusted Networks, which has been renamed to Networks. This feature effectively helps protect against malicious activities, including password spraying.

 In the Cloud Administration Console, two pre-configured Network Zones are now available. The Access Policy Network Zones are used in access policies that define authentication conditions based on trusted networks. The IDR Network Zones consist of restricted networks that block unauthorized traffic directed to the IDR and are specifically utilized by the IDR. Additionally, administrators can now manage custom network zones for Authentication and Administration API Keys, ensuring that only trusted clients can access critical services.

 

RADIUS Client Code Matching Configuration

For RADIUS clients that do not support challenge-response (required for code matching), administrators can now disable the Allow code matching option for specific customers. By default, the Allow code matching option is enabled, ensuring compatibility with clients that support push notification methods. However, for RADIUS clients that do not support challenge-response, disabling this option ensures they are limited to non-push authentication methods when Strict Code Matching is enforced.

 

iShield Key 2 OATH HOTP OTP Support Now Available

RSA is introducing the new RSA iShield Key Series, powered by Swissbit. Administrators can now upload RSA/Swissbit OATH OTP seeds through the Cloud Administration Console and select "RSA/Swissbit" as the manufacturer. Additionally, when a Swissbit iShield Key 2 is registered as an OATH HOTP OTP hardware authenticator in the Cloud Authentication Service, users can easily register the device via the My Page > My Authenticators section.

 

Strict Code Matching Enforcement in the Cloud Administration Console

Authentications may use an Authentication Agent or Authentication application that does not support Code Matching. In these cases, users could still use push notification methods even if code matching was enabled. A new setting, Strict Code Matching Enforcement, is now available to administrators. This option is disabled by default to avoid disrupting the current user authentication flow.

When the Strict Code Matching Enforcement option is enabled, users will only be able to use push notification methods if both the Authentication Agent and Authentication application used support the configured Code Matching method. If not, users will be prompted to use one of the other available authentication methods based on the configured policy.

 

Request Access to Applications and View Your Requests on My Page

Users can now request access to applications directly from My Page, either from the Application Catalog or from applications displayed on My Page that have not yet been provisioned. Application requests can go through an approval process with options for no approval, manager approval, application owner approval, or both. Once access is approved, users will be granted the necessary permissions. Additionally, users can view, track, and cancel their access requests as needed. Approvers can also view and manage pending action items directly from My Page. To enable users to request access, administrators can now activate the Fulfillment service in the Cloud Administration Console. Administrators can configure the approval process and set the fulfillment type (LDAP, SCIM, or Entra ID).

 

User Event Monitor Enhancements and Rate Limiting

To improve the efficiency of user event logging, rate limiting has been implemented to summarize certain user events when the activity exceeds a defined threshold. Rate limiting applies to "user not found" attempts. When the Cloud Authentication Service detects patterns where rate limiting is applied, administrators will receive an email notification alerting them to relevant events.

 

Important Notice: Use of Company-Specific URLs Required

Effective March 2025, access through non-company-specific URLs will be discontinued. Administrators need to utilize their designated company-specific URLs for all access, including API interactions, Authentication Manager (AM) configurations, SCIM configurations, and redirected URLs from identity providers (IdPs). Access via any other URLs or those lacking a company subdomain will be blocked, resulting in potential loss of functionality. For example, URLs such as https://access.securid.com or https://na2.access.securid.com will no longer be valid. To ensure uninterrupted access, administrators need to promptly verify that all connectivity is routed through the appropriate company-specific URLs and update their configurations as necessary.
If a SAML third-party Identity Provider (IdP) is set up for logging into the Cloud Administration Console, it is essential to ensure that both the Sign-In URL and the Assertion Consumer Service (ACS) URL are configured to use the company-specific URLs on the IdP side. If they are not currently configured this way, please make the necessary updates. To find your company-specific Sign-In URL and ACS URL, go to My Account > Company Settings > Sessions and Authentications in the Cloud Administration Console.

 

IDR SLES Upgrade (12.22.0)

New IDR templates will use the SLES 15 operating system. Furthermore, the existing Identity Router (IDR) OS will seamlessly upgrade to SLES 15 SP6 without requiring customer intervention, ensuring that the IDR operates on the latest supported OS version.
For Federal customers, the following ciphers will not be supported for incoming or outgoing connections to the IDR SSO Portal:
  • AES128-SHA
  • AES128-SHA256
  • AES256-SHA
  • AES256-SHA256

 

RADIUS Authentication Rate Limiting for Failed Login Attempts

Rate limiting has been implemented for RADIUS authentication to address consecutive authentication failures. This feature helps detect and prevent certain types of potential attacks by temporarily blocking further attempts once a failure threshold is exceeded.

 

Identity Router Update Schedule and Versions

Identity routers will be updated according to the following schedule. Downloading the new identity router image when you deploy new identity routers ensures that you benefit from the latest security improvements.
 

Date | Description
ANZ: 01/06/2025; EU/IN/JP: 01/06/2025; NA/GOV: 01/06/2025; CA/SG: 01/06/2025 | Updated identity router software is available to all customers.
Default: Saturday 02/15/2025 | Default date when identity routers are scheduled to automatically update to the new version unless you modify the update schedule or update manually.
Last: Saturday 03/08/2025 | If you postponed the default date, this is the last day when updates can be performed.


The new identity router software versions are:
 

Identity Router Deployment Type | Version
On-premises | 12.22.0.0
Amazon Cloud | RSA_Identity_Router 12.22.0.0

 

RSA MFA Agent 9.0 for Microsoft IIS and RSA MFA Agent 9.0 for Apache Web Server – Coming Soon

The new RSA MFA Agent 9.0 for Microsoft IIS and RSA MFA Agent 9.0 for Apache Web Server now deliver all the benefits of RSA MFA Agents. New features include seamless CAS support, REST API integration, and support for a variety of MFA authentication methods, such as:

  • Approve
  • Biometrics
  • Authenticate OTP
  • QR Code
  • SecurID OTP
  • SMS & Voice OTP
  • Emergency Access Code

In addition, the new agents support load balancing, extended failover mechanisms, enhanced reporting capabilities, and multiple language support.
UI updates and third-party library upgrades are also included.
The RSA MFA Agent 9.0 for Microsoft IIS and RSA MFA Agent 9.0 for Apache Web Server will be available for download through the RSA ID Plus Downloads page.
Note: Primary support for RSA Authentication Agent 8.0.x for Web for IIS and Apache will end in March 2026.

 

Upcoming End of Primary Support (EOPS) Details

The following table provides details of the RSA products reaching the end of support within the next six months:
 

Product | Version | EOPS Date | Extended Support Level 1/Level 2
Authenticator for Windows | 6.1.3 | February 2025 | No
Authentication Agent for Citrix StoreFront | 2.0x | December 2024 | No

 

Fixed Issues

The following table lists the issues that are fixed for this release:
 

Fixed Issue | Description
NGX-171237 | Authentication attempts proxied from the Cloud Authentication Service to the Authentication Manager through the IDR were incorrectly attempted multiple times in certain circumstances.
NGX-170021 | The FIDO feature was enabled on the RSA Authenticator app, allowing users to attempt using the Passkey feature, even when it was disabled in the Cloud Administration Console.
NGX-166614 | If any of the Cloud or IDR Portal Applications was missing a Portal URL, authentication to the IDR Web Portal failed.
NGX-165116 | In some cases, it was not possible to delete an unused Active Directory (AD) or LDAP identity source from the Cloud Administration Console.
NGX-161601 | A customer integrating OWA with Exchange 2016 via HFED for authentication encountered an issue while accessing Distribution Groups: OWA displayed a "Content Blocked" page.
NGX-156353 | The Alternate Region was reported as down for the Adapter Update Service and Software Update Service in a customer's IDR.
NGX-151798 | The AWS IDR autoconfiguration setup caused deployment failures during startup. This issue has been resolved.
NGX-134063 | IDR Web Portal and IDR Setup Console were using commonly used prime numbers.
NGX-166603 | Identity Router scheduled upgrades were being launched twice. This issue has been fixed, and the scheduled upgrade for the Identity Router is now launched only once.

 

October 2024 - Cloud Authentication Service

Cloud Authentication Service Updates

The following subsections outline the new and enhanced features of the Cloud Authentication Service (CAS).
 

My Page Recovery Policy Is Now Available in the Cloud Administration Console

Users can now report issues with their registered authenticators, such as damage, loss, theft, or other issues. To facilitate this, the My Page Recovery Policy is now available, allowing administrators to control who can recover access to My Page in these circumstances. Administrators can go to Access > My Page and enable the Recovery Settings under the Enrollment and Recovery tab to activate a URL that allows users to recover their accounts if their authenticator is lost, stolen, damaged, or in other circumstances.

Note: The recovery feature is available only for users with one registered Cloud Authentication Service authenticator, providing an additional layer of security for account management.
 

Important Notice: Use of Company-Specific URLs Required

Administrators need to use their designated company-specific URLs for all access, including API access and SCIM configurations. Access through URLs that are not company-specific or do not include a company subdomain will soon be blocked without redirection, leading to functionality loss. Administrators need to promptly ensure that all connectivity is through company-specific URLs and update their configurations as needed to maintain access.
If a SAML third-party Identity Provider (IdP) is configured for logging into the Cloud Administration Console, administrators need to ensure that the Sign-In URL and the Assertion Consumer Service (ACS) URL are configured with the company-specific URLs on the IdP side. If they are not, please update them as needed. To locate the company-specific Sign-In URL and ACS URL, navigate to My Account > Company Settings > Sessions and Authentications in the Cloud Administration Console.
 

RSA Authenticator 4.5 for iOS and Android – Coming Soon

RSA Authenticator 4.5 for iOS and Android is scheduled to be released this month. RSA Authenticator 4.5 for iOS and Android is now a FIDO2 certified authenticator, allowing users to register passkeys within the app and use them with any FIDO2 certified services. Like any credentials managed in the RSA Authenticator app, these passkeys cannot be backed up or restored.

Important Notes:

  • For this new feature to be available to users, administrators need to enable the use of the RSA Authenticator app as a FIDO Authenticator (from Access > My Page > My Authenticators, under Configuration).
  • This new feature requires devices running at least iOS 17 and Android 14. Furthermore, certain device manufacturers may not have enabled the necessary Android modules to support the passkey feature.

 

RSA MFA Agent for Microsoft Windows Updates

Microsoft Entra ID Support for the RSA MFA Agent

The RSA MFA Agent 2.3.4 now supports both Entra ID and Hybrid Joined machines. Version 2.3.4 also includes all of the enhancements and issue fixes from all prior versions.
 

Secondary Groups

From RSA MFA Agent 2.3.4, you can specify an optional secondary group for the “Challenge Users” group policy. You can use this policy to include groups from a separate Active Directory forest. For more information, see the RSA MFA Agent 2.3.4 for Microsoft Windows Release Notes.

 

Upcoming End of Primary Support (EOPS) Details

The following table provides details of the RSA products reaching the end of support within the next six months:
 

Product | Version | EOPS Date | Extended Support Level 1/Level 2
Authenticator for Windows | 6.1.3 | February 2025 | No
Authenticator for Windows | 6.1.2 | November 2024 | No
Authentication Agent for PAM | 8.1.x | November 2024 | No
Authentication Agent for Citrix StoreFront | 2.0x | December 2024 | No

 

Third-Party Integrations from RSA Ready

The following integrations were recently completed or certified by RSA through the RSA Ready Technology Partner Program. For the complete catalog of Implementation Guides, see RSA Ready Integrations on the RSA Community.

New Integrations for the Cloud Authentication Service

  • Atlassian Confluence
  • Automox
  • AWS IAM
  • Cloudflare
  • Gremlin
  • Idera Team Server
  • IronWiFi
  • OPSWAT MetaDefender IT Access
  • Qualys Enterprise TruRisk
  • Vasion
  • Watchguard

New Integrations for Authentication Manager

  • Canon
  • Dell PowerStore

Updated Integrations for the Cloud Authentication Service

  • Coralogix
  • PingOne
  • Salesforce Experience Cloud
  • Silverfort

 

Fixed Issue

The following table lists the issue that is fixed for this release:
 

Fixed Issue | Description
NGX-162985 | A customer who had a SAML application name that included special characters, specifically brackets [ ], encountered an HTTP Status 400 – Bad Request error when trying to generate metadata. This issue has been fixed.

September 2024 - Cloud Authentication Service

Cloud Authentication Service Updates

The following sections provide information on the new and enhanced features of the Cloud Authentication Service (CAS).
 

Risk AI Licensing and Identity Confidence Updates

For customers who do not have a Risk AI and Identity Confidence license, access to the Risk AI dashboard and its configuration settings will be disabled. For information about Risk AI dashboards and Identity Confidence, please contact your RSA Sales Representative.
 

Conditional Attributes for My Page Enrollment Policy

To secure self-service enrollment, administrators can now set conditions to manage user access based on predefined criteria. This feature enables the application of different identity and verification methods according to user-specific conditions. Administrators can select attributes such as the user's country or browser and define actions based on whether the user's context meets the specified criteria. RSA will compare each user request’s context against the specified conditions. Additionally, administrators can either deny access or require identity verification for specific user groups.
 

New Identity Verification Method for My Page Enrollment Policy

A new identity verification method is now available for the My Page Enrollment Policy. In the Cloud Administration Console, administrators can select the "Password + SMS/Voice Code" method, enabling users to receive codes via SMS or voice call to their registered phone number. Administrators can also configure the validity period for these codes. Subsequently, users will use their password and the received code to complete self-enrollment on RSA My Page and register their first authenticator.
 

My Page Customization Updates

In the Cloud Administration Console, under Access > My Page, in the Customization tab, the Color field has been renamed to Accent Color. Additionally, a new field titled Authentication Screen Background Color has been introduced, allowing administrators to set the background color of the login authentication screen. 
 

Code Matching Feature Update

When the Code Matching feature is enabled, administrators can now configure the code length for all confirmation methods, including input, selection, and visual confirmation. They can specify whether the codes include numbers, alphabetical characters, or both.

Note: RSA Authenticator App for iOS and Android versions earlier than V4.4 only support 4-character codes. If an administrator configures a code length other than 4 characters and an older app version is detected, CAS will automatically default to a 4-character code.
 

Email Notification Options Enabled for New Customers

In the Cloud Administration Console, all email notification events (My Account > Company Settings) are now enabled by default for new customers.
 

Important Notice: Use of Company-Specific URLs Required

Administrators need to use their designated company-specific URLs for all access, including API access, Authentication Manager (AM) configurations, or SCIM configurations. Access through URLs that are not company-specific or do not include a company subdomain will soon be blocked without redirection, leading to functionality loss. Administrators need to promptly ensure that all connectivity is through company-specific URLs and update their configurations as needed to maintain access. Please note that a warning about this requirement has been displayed for the past two years in the Cloud Administration Console when accessed via non-designated URLs.
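The verification this notice asks for (and that the same notice repeats in the newer release sections above) can be scripted. The following is an added example, not RSA code: it classifies configured URLs by parsed host rather than by substring. Only the two generic hosts come from this page; the `<company>.access.securid.com` host shape, the region label set, the setting names and the sample URLs are assumptions or constructed values.

```python
"""Audit configured RSA Cloud URLs for generic (non-company-specific) hosts.

Added example, not RSA code. Only the two generic hosts named in the notice
come from the release notes; everything else is an assumption, labelled below.
"""
from urllib.parse import urlsplit

# Base domain taken from the two example URLs in the notice.
BASE_DOMAIN = "access.securid.com"

# Regional labels that are NOT company subdomains. "na2" is the only one the
# notice shows; extend this set with the label for your own deployment region.
REGION_LABELS = {"na2"}

GENERIC = "generic"            # will be blocked according to the notice
COMPANY = "company-specific"   # assumed shape: <company>.access.securid.com
OTHER = "other"                # not under BASE_DOMAIN; review separately
INVALID = "invalid"            # not an absolute http(s) URL


def classify_url(url):
    """Return (verdict, host) for one configured URL."""
    try:
        parts = urlsplit(url.strip())
        host = parts.hostname  # drops userinfo and port, lowercases the host
    except ValueError:
        return INVALID, None
    if parts.scheme not in ("http", "https") or not host:
        return INVALID, host
    host = host.rstrip(".")  # tolerate a fully qualified trailing dot
    if host == BASE_DOMAIN:
        return GENERIC, host
    suffix = "." + BASE_DOMAIN
    if not host.endswith(suffix):
        # Covers hosts that merely contain the base domain as a substring.
        return OTHER, host
    labels = host[: -len(suffix)].split(".")
    if not all(labels):
        return INVALID, host
    # A single label in front of the base domain that is only a region name.
    if len(labels) == 1 and labels[0] in REGION_LABELS:
        return GENERIC, host
    return COMPANY, host


def audit(config):
    """Classify every setting; return (findings, names that must be fixed)."""
    findings = {name: classify_url(url)[0] for name, url in config.items()}
    must_fix = sorted(
        name for name, verdict in findings.items()
        if verdict in (GENERIC, INVALID)
    )
    return findings, must_fix


# Constructed sample configuration: setting names, paths and the
# "example-corp" subdomain are placeholders, not real RSA values.
SAMPLE_CONFIG = {
    "admin_api_base": "https://access.securid.com/api/placeholder",
    "scim_endpoint": "https://na2.access.securid.com:443/scim/placeholder",
    "saml_acs_url": "https://example-corp.access.securid.com/saml/placeholder",
    "lookalike": "https://access.securid.com.example.net/placeholder",
    "am_connection": "na2.access.securid.com",  # scheme missing
}

if __name__ == "__main__":
    findings, must_fix = audit(SAMPLE_CONFIG)
    for name, verdict in findings.items():
        print(f"{name:16} {verdict}")
    print("update before the cutoff:", ", ".join(must_fix))
```

Settings reported as "other" point outside the RSA base domain and need a manual look; they are neither generic nor confirmed company-specific.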
 

Upcoming End of Primary Support (EOPS) Details

The following table provides details of the RSA products reaching the end of support within the next six months:
 

Product | Version | EOPS Date | Extended Support Level 1/Level 2
Authenticator for Windows | 6.1.3 | February 2025 | No
Authenticator for Windows | 6.1.2 | November 2024 | No
Authentication Agent for PAM | 8.1.x | November 2024 | No


Identity Router Update Schedule and Versions

Identity routers will be updated according to the following schedule. Downloading the new identity router image when you deploy new identity routers ensures that you benefit from the latest security improvements.
 

Date | Description
AU: 6/25/2024; EU/IN/JP: 6/27/2024; NA: 6/28/2024; GOV: 6/28/2024; CA/SG: 6/28/2024 | Updated identity router software is available to all customers.
Default: Saturday 10/05/2024 | Default date when identity routers are scheduled to automatically update to the new version unless you modify the update schedule or update manually.
Last: Sunday 10/27/2024 | If you postponed the default date, this is the last day when updates can be performed.


The new identity router software versions are:
 

Identity Router Deployment Type | Version
On-premises | 12.21.0.0
Amazon Cloud | RSA_Identity_Router 12.21.0.0


Third-Party Integrations from RSA Ready

The following integrations were recently completed or certified by RSA through the RSA Ready Technology Partner Program. For the complete catalog of Implementation Guides, see RSA Ready Integrations on the RSA Community.
 

New Integrations for the Cloud Authentication Service

  • Allgress
  • Delinea
  • EZRentOut
  • Heap
  • Huntress
  • IBM QRadar
  • Kentik
  • Miro
  • MongoDB
  • Netrix
  • OPSWAT MetaDefender Core
  • Orca Security
  • Quest Foglight Evolve
  • Quest Foglight for Databases
  • Scalr.io
  • SnowHR
  • Splunk Enterprise
  • Team Password Manager
  • TeamViewer
  • Trend Micro Cloud One
  • Way We Do
  • Zenduty

 

Updated Integrations for the Cloud Authentication Service

  • AlertOps
  • Clever
  • Freshworks Freshservice
  • getAbstract
  • Helpjuice
  • Hosted Graphite
  • Image Relay
  • JitBit
  • Litmos
  • Lucidchart
  • OnlyOffice
  • PagerDuty
  • Panorama9
  • ProdPad
  • Small Improvements
  • Trumba
  • UserVoice
  • Weekdone  

 

Fixed Issue

The following table lists the issue that is fixed for this release:
 

Fixed Issue | Description
NGX-159878 | In the Cloud Administration Console Dashboard, the count of users with registered credentials in Authentication Manager (AM) was displayed as an encoded value instead of a number.

 

Known Issue

The following table lists the known issue in this release:
 

Known Issue | Description
NGX-130112 | Authentication fails on some browsers when handling FIDO authentication in an inactive tab/window due to the security features of those clients to prevent non-active FIDO authentications.