Release Notes Archive - Cloud Authentication Service and Authenticators (August 2024 - January 2024)
7 months ago

August 2024 - Cloud Authentication Service

Cloud Authentication Service Updates

The following sections provide information on the new and enhanced features of the Cloud Authentication Service (CAS).
   

New APIs for Password Reset and Void Password Reset Code Now Available

The Password Reset API is now available for generating reset codes for users when signing into My Page. This API generates reset codes for specified users and allows administrators to configure the validity duration. Additionally, this API can send the generated reset codes directly to the users' default email addresses.
  

Enhancements to Microsoft Entra ID Authentication Using External Authentication Method (EAM)

In the Cloud Administration Console, administrators can now configure Microsoft Entra ID Relying Party settings and manage Authentication Options and Factor Classes through the Authentication tab. Furthermore, in the Connection Profile tab, the Relying Party Issuer URL and the Entra ID Application ID fields are now automatically populated with EAM values. For instructions on how to replace these default EAM values with Custom Control values, refer to the Microsoft Entra ID Custom Controls - Relying Party Configuration Using OIDC - RSA Ready Implementation Guide.
This integration ensures users have access to the appropriate authentication methods for accessing protected resources. For more information, refer to the Microsoft Entra ID Authentication Methods (EAM) Implementation Guide .
In response to this integration, the RSA Authentication API now includes optional parameters for specifying Authentication Context Class Reference (ACR) and Authentication Methods Reference (AMR) values. These parameters can be used to filter authentication methods available to users.
Additionally, RSA now integrates with O365 Government Community Cloud (GCC) High through EAM, providing enhanced security and seamless integration for users within specialized government cloud environments.


Access Policy 2.0 Support for OpenID Connect (OIDC) Relying Parties

In this release, administrators can configure OIDC Relying Party applications to use Access Policy 2.0 through the Cloud Administration Console. For OIDC Relying Party applications where CAS manages both primary and additional authentication, administrators can now select from the available Access Policies 2.0.
  

Updated FIDO Web Authentication and Terminology

The web authentication pages are updated to align with the latest FIDO Alliance terminology and icons.
  

Important Notice: Required Use of Tenant-Specific URLs

Administrators must use their assigned URLs. Access through URLs specifying specific regions or sites will be blocked and not redirected. If an administrator has accessed the Cloud Administration Console using a non-assigned URL, a warning has been displayed in the console for the past two years.
 

Upcoming End of Primary Support (EOPS) Details

The following table provides details of the RSA products reaching the end of support within the next six months:

ProductVersionEOPS DateExtended Support Level 1/Level 2
Authenticator for Windows6.1.2November 2024No
6.1.1August 2024No
RSA Authentication Manager8.6August 2024August 2025/August 2026
Authentication Agent for PAM8.1.xNovember 2024No

   

Identity Router Update Schedule and Versions

Identity routers will be updated according to the following schedule. Downloading the new identity router image when you deploy new identity routers ensures that you benefit from the latest security improvements.

DateDescription

AU: 6/25/2024

EU/IN/JP: 6/27/2024

NA: 6/28/2024

GOV: 6/28/2024

CA/SG: 6/28/2024

Updated identity router software is available to all customers.
Default: Saturday 10/05/2024Default date when identity routers are scheduled to automatically update to the new version unless you modify the update schedule or update manually.
Last: Sunday 10/27/2024

If you postponed the default date, this is the last day when updates can be performed.


The new identity router software versions are:
 

Identity Router Deployment Type  

Version
On-premises                                     12.21.0.0
Amazon Cloud   RSA_Identity_Router 12.21.0.0

    

Third-Party Integrations from RSA Ready

The following integrations were recently completed or certified by RSA through the RSA Ready Technology Partner Program. For the complete catalog of Implementation Guides, see RSA Ready Integrations on the RSA Community.
  

New Integrations for the Cloud Authentication Service

  • Avaya
  • AWS Identity Center CloudWatch
  • AWS Workspaces
  • Microsoft Entra ID
  • PingDirectory as an Identity Source (Cloud & AuthMgr)
  • PingFederate (OIDC)
  • Splunk Cloud
  • Trellix
  • Yodeck

    

Updated Integrations for the Cloud Authentication Service

  •  Atlassian Confluence
  • Blogin
  • DocuSign
  • Flatter Files
  • Freshworks Freshdesk
  • HappyFox
  • Kintone
  • Microsoft M365
  • Trello

   

Fixed Issues

The following table lists the issues that are fixed for this release:
 

Fixed IssueDescription
NGX-158176      When a customer configured Microsoft Entra ID Custom Controls for OIDC Relying Party applications, authentication failure occurred, and an OIDC error response was sent.
NGX-158147Some customers reported encountering issues when using ID Plus with VPN integrations
that use embedded browsers.
NGX-157813The Description field for an IDR-based application failed to save during create or edit
operations.

 

July 2024 - Cloud Authentication Service

Cloud Authentication Service Updates

The following sections provide information on the new and enhanced features of the Cloud Authentication Service (CAS).
  

New Authentication Dashboard in the Cloud Administration Console

A new Authentication dashboard has been introduced in the Cloud Administration Console. It offers a daily summary contrasting successful versus failed authentications, providing security administrators with clear insights into potential issues. Administrators can view authentication counts for the past 7, 14, and 21 days, as well as the past month, with totals displayed for each period. The Authentication dashboard helps security administrators quickly identify unusual authentication activities, improving overall monitoring and management of authentication processes.
  

OAuth 2.0 Client Credentials Grant Support

The OAuth 2.0 client credentials grant flow allows applications to securely authenticate and acquire access tokens from the authorization server without user involvement. In the Cloud Administration Console, administrators can now configure OIDC/OAuth-based applications using this flow. This feature is available in limited release upon request.
  

Dutch Language Support for My Page

My Page, authentication workflows, and email templates are now localized in Dutch, improving the user experience for Dutch-speaking users.
  

Filter Identity Source Statement Attributes

In the Cloud Administration Console, administrators can now filter identity source statement attribute values for both Single Sign-on (SSO) applications and Relying Parties. They can manage Statement Attributes by adding, editing, and deleting them as necessary. Administrators can define attribute names, select identity source properties, apply operators to selected properties, and set filter values and conditions. 
  

Usage Information Dashboard Notification

In the Cloud Administration Console, on the Usage Information dashboard, if Authentication Manager is connected to the Cloud Authentication Service and is below version 8.7 SP2, the following notification will be displayed: "Upgrade to AM 8.7 SP2 or higher to display the full count of On-prem, Hybrid, and Total users."
  

Enrollment and Emergency Access Codes Guidelines

When an administrator generates an Emergency Access Code for a user, they cannot issue an Enrollment Code. Moreover, generating an Emergency Access Code will invalidate any previously issued Enrollment Code for that user.
  

Important Notice: Required Use of Tenant-Specific URLs

Administrators must use their assigned URLs. URLs identifying specific regions or sites will no longer work, and access through these URLs will be blocked, not redirected, in the future.
  

Upcoming End of Primary Support (EOPS) Details

The following table provides details of the RSA products reaching the end of support within the next six months:

ProductVersionEOPS DateExtended Support Level 1/Level 2
Authenticator for Windows6.1.2November 2024No
6.1.1August 2024No
RSA Authentication Manager8.6August 2024August 2025/August 2026
Authentication Agent for PAM8.1.xNovember 2024No

  

RSA Identity Router Version 12.21 Security Update

RSA Identity Router version 12.21 release includes security updates to address a vulnerability in RADIUS protocol and miscellaneous improvements. RSA recommends applying this critical update as soon as possible if it has not already been applied.

For RADIUS clients, you can enable the Message authenticator attribute field in this version. In the Cloud Administration Console, you can enable this attribute if you have already upgraded your identity router (IDR) to the latest version. For further information, see Update Identity Router Software.

Ensure that your RADIUS client software supports sending the message authenticator attribute in each RADIUS authentication request.
Note: If your IDRs have already been upgraded to version 12.21, no further updates are necessary.
 

Identity Router Update Schedule and Versions

Identity routers will be updated according to the following schedule. Downloading the new identity router image when you deploy new identity routers ensures that you benefit from the latest security improvements.

DateDescription

AU: 6/25/2024

EU/IN/JP: 6/27/2024

NA: 6/28/2024

GOV: 6/28/2024

CA/SG: 6/28/2024

Updated identity router software is available to all customers.
Default: Saturday 10/05/2024Default date when identity routers are scheduled to automatically update to the new version unless you modify the update schedule or update manually.
Last: Sunday 10/27/2024

If you postponed the default date, this is the last day when updates can be performed.


The new identity router software versions are:
 

Identity Router Deployment Type  

Version
On-premises12.21.0.0
Amazon CloudRSA_Identity_Router 12.21.0.0
 

Strong Key Exchange Option Added in Encryption Settings

In the Cloud Administration Console, on the Platform > Certificates and Encryption > Encryption Settings page, a new option, "Enable Strong Elliptic Curve Key Exchange," has been added. When enabled, the identity router (IDR) will use elliptic curves with 224 bits or higher for Transport Layer Security (TLS) key exchange in all incoming and outgoing connections. Enabling this option is strongly recommended to enhance security.
          

Third-Party Integrations from RSA Ready

The following integrations were recently completed or certified by RSA through the RSA Ready Technology Partner Program. Implementation Guides will be coming soon. For the complete catalog of Implementation Guides, see RSA Ready Integrations on the RSA Community.
  

New SAML Integrations for the Cloud Authentication Service

  • AWS Identity Center

  • AWS Identity Center S3

  • Box

  • CloudBees Feature Management

  • Dropbox Sign

  • HashiCorp Terraform Cloud

  • IBM Resilient

  • Microsoft Entra ID

  • Monday.com

  • Oracle Cloud Infrastructure

  • SentinelOne

  • Sprout Social

  • Tenable Vulnerability Management

  • Zoho Mail
      

Updated SAML Integrations for the Cloud Authentication Service

  • Asana

  • Awardco

  • Boomi

  • ClearSlide

  • Help Scout

  • iMeet Central

  • Insightly

  • Jamf Pro

  • Jobscore

  • LiveChat

  • LogMeIn GoToMeeting

  • LogMeIn GoToTraining

  • LogMeIn GoToWebinar

  • New Relic

  • OneLogin

  • OpenVoice

  • Robin

  • ThousandEyes
     

Fixed Issues

The following table lists the issues that are fixed for this release:

Fixed IssueDescription
NGX-154568After updating customer information, an administration event log was generated unintentionally to document assurance level changes.
NGX-154582On My Page, in the My Authenticators tab, the registered RSA Authenticator app (V4.3) appeared with the old icon and name instead of the updated ones.
NGX-152224When accessing a SAML application on a Pixel phone, an authentication dialog box appeared trimmed, requiring scrolling left and right to view the text or click a button.


Known Issue

The following table lists the known issue in this release:

Known IssueDescription
NGX-150869After registering a new identity router (IDR), the Software Update Service and the Adapter Update Service indicated a warning message or displayed a red connection error regarding the identity router's connectivity status. This issue is temporary and will resolve itself. Please check back later to confirm.

 

June 2024 - Cloud Authentication Service

Cloud Authentication Service Updates

The following sections provide information on the new and enhanced features of the Cloud Authentication Service (CAS).
  

Authenticate OTP Method Now Available in Access Policy 2.0

Authenticate OTP is now available as a primary authentication method in Access Policy 2.0, enhancing security and flexibility for accessing protected resources.
  

Yubico Format Support for Imported YubiKey OATH HOTP Seeds

In the Cloud Administration Console, administrators can now select either the default "Yubico Format" or "OATH Standard" in the Yubico CSV File Format field when importing OATH OTP seeds for any YubiKey. This update supports Yubico's specific CSV format, making it easier to use both pre-seeded or self-seeded YubiKeys.
  

Mark Favorites and Sort Applications on My Page

Users can now mark applications as favorites within the My Page > My Applications tab, creating a personalized list for quicker access to their most frequently used applications. Additionally, users can sort applications alphabetically or by recent/frequent launches.
  

New "Transaction ID" Column in the User Event Monitor

The User Event Monitor now includes a new column for "Transaction ID", enhancing the tracking and visibility of multi-factor authentication (MFA) events. Administrators can now filter MFA events using the "Transaction ID" to view all events from initiation to successful or failed authentication. Furthermore, future plans involve using the "Transaction ID" to filter and group additional authentication events.
  

User Event Monitor Updates

The User Event Monitor has been updated to remove Error 411, "Just-in-time synchronization failed to synchronize user with the Cloud Authentication Service - User not found." For attempts involving an unrecognized user ID, only the following two events will now be logged:

  • Error 20300: "Multifactor authentication failed to initiate."
  • Error 20615: "RADIUS - Authentication failed."

  

Upcoming End of Primary Support (EOPS) Details

The following table provides details of the RSA products reaching the end of support within the next six months:

ProductVersionEOPS DateExtended Support Level 1/Level 2
Authenticator for Windows6.1.2November 2024No
6.1.1August 2024No
RSA Authentication Manager8.6August 2024August 2025/August 2026
SDK for iOS and Android3.1June 2024No
2.5 (iOS)
2.8 (Android)
Authentication Agent for Microsoft Windows7.4.xJune 2024No
MFA Agent for Microsoft Windows2.1.xJune 2024No
Authentication Agent for PAM8.1.xNovember 2024No
Authenticator App for iOS and Android4.2June 2024No

    

Third-Party Integrations from RSA Ready

The following integrations are recently completed or certified by RSA through the RSA Ready Technology Partner Program. Implementation Guides will be coming soon. For the complete catalog of Implementation Guides, see RSA Ready Integrations on the RSA Community.
  

New SAML Integrations for the Cloud Authentication Service

  • BigID

  • EZO AssetSonar

  • IBM Security Verify

  • Microsoft Entra ID

  • Microsoft GitHub

  • SolarWinds AppOptics

  • Zoho Directory

  • Zoho One
      

Updated SAML Integrations for the Cloud Authentication Service

  • 15Five

  • Atlassian Jira

  • BambooHR

  • Cisco AppDynamics

  • Envoy

  • Keeper Security Password Manager

  • LiquidPlanner

  • LogMeIn Pro

  • Okta

  • ServiceNow ITSM

  • SolarWinds Service Desk

  • UseResponse

  • Wordpress

  • Wrike

  • Zendesk for Service

May 2024 - Cloud Authentication Service

Cloud Authentication Service Updates

The following sections provide information on the new and enhanced features of the Cloud Authentication Service (CAS).
  

Access Policy 2.0 Support for SAML Relying Parties

Access Policy 2.0 offers a comprehensive solution for authentication configuration, allowing administrators to define both primary and additional authentication methods within a single policy. In alignment with the process available for Single-Sign On (SSO) applications and RSA My Page, administrators now have the capability to utilize Access Policy 2.0 for SAML Relying Party apps with primary and additional authentication options managed by the Cloud Authentication Service (CAS).

In addition, when configuring or editing existing SAML Relying Party apps that are currently utilizing Access Policy 1.0, administrators can click the Generate a new 2.0 policy for me button on the Access > My Page > My Authenticators page to automatically generate a new 2.0 access policy for primary authentication.
  

New User Verification Method for My Page Enrollment

In the Cloud Administration Console, a new user verification method is now available. Administrators can use the “Password + Email Enrollment Code” method for the My Page Enrollment Policy. Administrators can configure the Enrollment Settings, specifying the attribute for the source of the email address and the validity duration of the code. Then, administrators need to update the My Page Enrollment Policy with the new verification method. Subsequently, users can initiate the self-enrollment process through RSA My Page, using their password along with the provided validation code.

Additionally, administrators can unlock Enrollment Codes for users from the Users > Management page if their codes were locked.
  

Introducing FIDO's Latest Terminology and Icons

RSA application screens now incorporate the latest terms and icons from the FIDO Alliance, streamlining the identification of FIDO credentials. These enhancements include using the term "FIDO Passkey" to identify all types of FIDO credentials and introducing new FIDO icons to represent a FIDO Passkey.
  

Mobile Lock Enhancements

When the Mobile Lock feature is enabled for the first time, it now uses a threat policy called "Default Monitoring", where enabled threats are not classified as "Critical". As a result, detected threats are then only reported in the Mobile Lock Console without blocking authentication for end-users. This allows organizations to enable Mobile Lock with the primary objective of assessing threats present within the users' mobile devices while not impacting users. Subsequently, organizations can make informed decisions about which threats should be considered critical enough to warrant blocking authentication.

Another threat policy named "Default Active" is also available as part of the initial Mobile Lock configuration. Enabling this threat policy instead of the current "Default Monitoring" will result in blocking authentication for a predefined set of critical threats.

Additionally, administrators now have the capability to configure Single Sign-On (SSO) for their Mobile Lock Console. For detailed instructions and further information, please refer to How to enable the SSO Configuration menu in the RSA Mobile Lock Console.
  

Enhanced Access and Configuration for Identity Verification Providers

In the Cloud Administration Console, administrators can now directly access the new Identity Verification Providers page from the Users menu, provided that they have the Identity Verification Provider license enabled. Administrators no longer need to navigate through Users > Identity Providers to add a User Verification Identity Provider. Instead, on the Identity Verification Providers page, administrators can add new connectors, making the management of Identity Verification Providers more efficient and much smoother.

Furthermore, the Attribute Mappings tab has been moved from the OIDC Settings page to the Identity Verification Providers page. The relocated Attribute Mappings tab retains its original functionality, allowing administrators to create, edit, and delete mappings as required. This relocation enhances efficiency in configuration management, providing a more intuitive experience for administrators.
  

Integrations with Microsoft Entra ID External Authentication Methods

Microsoft announced its plan to transition the External Authentication Methods (EAM) framework to Public Preview in May 2024. With the EAM framework entering Public Preview, administrators can anticipate greater flexibility and security when integrating external authentication methods with Microsoft services. Therefore, RSA now offers support for integrations with external authentication methods. Furthermore, in the Cloud Administration Console, "Microsoft Azure Active Directory" within the Relying Party Catalog has been renamed to "Microsoft Entra ID" in alignment with Microsoft terminology.
  

Enhanced Visibility and Navigation in the Cloud Administration Console

In the Cloud Administration Console, vertical scrolling previously caused administrators to lose sight of the page context and action buttons. To enhance user experience, an update has been made to keep the main header and side navigation tabs fixed, ensuring continuous visibility of the context. This enhancement enables administrators to access action buttons and view side navigation tabs without losing sight of the page content, resulting in a smoother user experience and improved accessibility to essential functions within the Cloud Administration Console.
  

Introducing "Need Help" Link for Failed OTP Step-Up Authentication

During web authentication, if a user encounters a failed one-time password (OTP) step-up authentication attempt, a "Need Help" link will appear on the authentication screen. This link guides users to use the appropriate method based on their registered OTP authenticators and configured assurance levels.

In the Cloud Administration Console, administrators can enable this hint text option from My Account > Company Settings > Sessions & Authentication.
  

Coming Next Month: RSA Authenticator V4.4 for iOS and Android

RSA Authenticator app V4.4 for iOS and Android is set for release next month with the following main new features:

  • Enhanced security: Biometric Pushed Notification now supports Code Matching.
  • Passkey support: The app can now be registered and used as a FIDO device-bound passkey.
       

Upcoming End of Primary Support (EOPS) Details

The following table provides details of the RSA products reaching the end of support within the next six months:

Product

Version

EOPS Date

Extended Support Level 1/Level 2

Authenticator for Windows

6.1.2

November 2024

No

6.1.1

August 2024

No

RSA Authentication Manager

8.6

August 2024

August 2025/August 2026

SDK for iOS and Android

3.1

June 2024

No

2.5 (iOS)
2.8 (Android)

Authentication Agent for Microsoft Windows

7.4.x

June 2024

No

MFA Agent for Microsoft Windows

2.1.x

June 2024

No

Authentication Agent for PAM

8.1.x

November 2024

No

Authenticator App for iOS and Android

4.2

June 2024

No

   

Identity Router Update Schedule and Versions

This release includes miscellaneous identity router improvements. Identity routers will be updated according to the following schedule. Downloading the new identity router image when you deploy new identity routers ensures that you benefit from the latest security improvements.

Date

Description

AU: 6/25/2024

EU/IN/JP: 6/27/2024

NA: 6/28/2024

GOV: 6/28/2024

CA/SG: 6/28/2024

Updated identity router software is available to all customers.

Default: Saturday 10/05/2024

Default date when identity routers are scheduled to automatically update to the new version unless you modify the update schedule or update manually.

Last: Saturday 10/27/2024

If you postponed the default date, this is the last day when updates can be performed.


The new identity router software versions are:
 

Identity Router Deployment Type  

Version

On-premises

12.21.0.0

Amazon Cloud

RSA_Identity_Router 12.21.0.0

  

Third-Party Integrations from RSA Ready

The following integrations are recently completed or certified by RSA through the RSA Ready Technology Partner Program. Implementation Guides will be coming soon. For the complete catalog of Implementation Guides, see RSA Ready Integrations on the RSA Community.

  • BeyondTrust Privilege Remote Access (new) – new SAML support for the Cloud Authentication Service.
  • GitLab (update) – updated SAML support for the Cloud Authentication Service.
  • Microsoft Entra ID (update) – updated SAML support for the Cloud Authentication Service.
  • Mulesoft Anypoint Platform (update) – updated SAML support for the Cloud Authentication Service.
  • Netskope Security Cloud (new) – new SAML support for the Cloud Authentication Service.
  • PingFederate (update) – new OIDC support for the Cloud Authentication Service.
  • SAP Concur (update) – updated SAML support for the Cloud Authentication Service.
  • Salesforce Tableau (update) – updated SAML support for the Cloud Authentication Service.
  • SolarWinds Observability (new) – new SAML support for the Cloud Authentication Service.
  • Zendesk for Sales (new) – new SAML support for the Cloud Authentication Service.
     

Fixed Issues

The following table lists the issues that are fixed for this release:

Fixed Issue

Description

NGX-147197

During an attempt to send Enrollment Codes to employees' email addresses containing special characters, such as an apostrophe ('), a customer encountered an error. The system displays an error message stating: "Invalid email address."

NGX-144336

In certain applications, when specific users authenticate to them, the User Event Monitor shows blank results for the authentication attempts instead of displaying the Event ID and Identity Confidence Level as expected.

NGX-149039

Updates of user information from the Authentication Manager internal database to the Cloud Authentication Service were failing after the initial synchronization.

 

April 2024 - Cloud Authentication Service

Cloud Authentication Service Updates

The following sections provide information on the new and enhanced features of the Cloud Authentication Service (CAS).

New Cloud Administration Void Enrollment Code API

Administrators can set the validity time of Enrollment Codes up to 24 hours when generating them. To cancel or void a code, a new API is introduced to void Enrollment Codes shared with users. Administrators can use the Cloud Administration Void Enrollment Code API to invalidate Enrollment Codes as needed, programmatically voiding codes generated for specific users. Additionally, this API returns a list of users for whom the voiding process succeeded or failed.

 

Enhanced Audit Logs for User Actions on My Page

Audit logging now includes monitoring of application clicks within My Page. This enhancement provides comprehensive event logs in the User Event Monitor, covering user actions ranging from clicking an app to completing the authentication process.

 

RSA Authenticate App No Longer Supported

The RSA Authenticate app for iOS and Android has reached its End of Primary Support (EOPS) date. As a result, new user registrations are discontinued. Existing users can continue using the RSA Authenticate app, but they will need to install the RSA Authenticator app and migrate their credentials to access the latest RSA features. For more information, see SECOND REMINDER: Support for RSA Authenticate App Ends on March 31, 2024.

 

Upcoming End of Primary Support (EOPS) Details

The following table provides details of the RSA products reaching the end of support within the next six months:

ProductVersionEOPS DateExtended Support Level 1/Level 2
Authenticator for Windows6.1.1August 2024No
RSA Authentication Manager8.6August 2024August 2025/August 2026
SDK for iOS and Android3.1June 2024No
2.5 (iOS)
2.8 (Android)
Authentication Agent for Microsoft Windows7.4.xJune 2024No
MFA Agent for Microsoft Windows2.1.xJune 2024No
Authenticator App for iOS and Android4.2June 2024No

 

Third-Party Integrations from RSA Ready

The following integrations are recently completed or certified by RSA through the RSA Ready Technology Partner Program. Implementation Guides will be coming soon. For the complete catalog of Implementation Guides, see RSA Ready Integrations on the RSA Community.

• Datadog (update) – updated SAML support for RSA Cloud Authentication Service.

• Dropbox (update) – updated SAML support for RSA Cloud Authentication Service.

• Evernote (update) – updated SAML support for RSA Cloud Authentication Service.

• Zendesk (update) – updated SAML support for RSA Cloud Authentication Service.

• Zoho (update) – updated SAML support for RSA Cloud Authentication Service.

 

Fixed Issues

The following table lists the issues that are fixed for this release:

Fixed IssueDescription
NGX-144211           A customer encountered issues with their BIG-IP Edge Client. As a result, users were unable to authenticate due to the absence of biometric authentication prompts from their Authenticator apps.
NGX-143930The integration between AWS Workspaces and My Page using SAML failed. The issue was that the RelayState provided by AWS in the GET request for the Cloud Authentication Service was not included in the POST request back to AWS.
NGX-139749A customer reported that their My Page URL was indexed by Google's search engine.

 

March 2024 - Cloud Authentication Service

Cloud Authentication Service Updates

The following sections provide information on the new and enhanced features of the Cloud Authentication Service (CAS).

CAS Now Supports OATH HOTP Hardware Authenticators

The Cloud Administration Console now allows administrators to view and manage OATH HOTP hardware authenticators. They can upload OATH HOTP OTP seed files to the Cloud Administration Console and assign authenticators to users. Consequently, users can self-register, activate, and manage their tokens in My Page.

Supported models are listed in the Cloud Administration Console when seeds are imported. For requesting support for additional HOTP models, administrators can contact RSA Technical Support.

 

New Identity Source Attribute – Manager

A new user identifier attribute, Manager, is now available in LDAP and Active Directory identity sources. In the Cloud Administration Console, administrators can configure and synchronize the Manager attribute for user accounts within LDAP and Active Directory identity sources. This attribute enables administrators to specify users' managers and identify to whom they report. In addition, the All Users report now includes a new column for the Manager attribute.

 

Enhanced Verbose Logging in the Cloud Administration Console

For more comprehensive logging, verbose logging now includes the Cloud portal Single Sign-On (SSO) related events, for example, user login events. Administrators can monitor user authentication events for applications and relying parties by selecting the Include Verbose Logs option on the User Event Monitor page.

Automatically Prefilled User ID Field on Login Authentication Page

When a user authenticates to a protected resource using FIDO, Emergency Access Code, or SecurID OTP authentication methods, their User ID is now stored on the login screen via a browser cookie. This enhancement ensures that the User ID input field is automatically pre-filled when a user attempts to log in again.

 

Upcoming End of Primary Support (EOPS) Details

The following table provides details of the RSA products reaching the end of support within the next six months:

ProductVersionEOPS DateExtended Support Level 1/Level 2
Authenticator for Windows6.1.1August 2024No
RSA Authentication Manager8.6August 2024August 2025/August 2026
SDK for iOS and Android3.1June 2024No
2.5 (iOS)
2.8 (Android)
Authentication Agent for Microsoft Windows7.4.xJune 2024No
MFA Agent for Microsoft Windows2.1.xJune 2024No
Authenticator App for iOS and Android4.2June 2024No
4.1.xJanuary 2024No
Authenticator App for macOS5.0March 2024No
Authentication Agent for Citrix StoreFront2.0.xMarch 2024No
Authenticate App for iOS and Android3.9.xMarch 2024No

 

Third-Party Integrations from RSA Ready

The following integrations are recently completed or certified by RSA through the RSA Ready Technology Partner Program. Implementation Guides will be coming soon. For the complete catalog of Implementation Guides, see RSA Ready Integrations on the RSA Community.

• 1Password (new) – supports RSA Cloud Authentication Service using OIDC.

• Barracuda (update) – added support for the Authentication Manager using REST.

• ForgeRock Identity Cloud (new) – now supports RSA Cloud Authentication Service using SAML.

• Google Workspace (update) – added support for My Page SSO using SAML.

• Salesforce Slack (update) – added support for My Page SSO using SAML.

 

Fixed Issue

The following table lists the issue that is fixed for this release:

Fixed IssueDescription
NGX-141056                

On an Identity Router (IDR) status page, both the Notification service and Authentication Manager displayed incorrect statuses after the deployment of Authentication Manager (AM) 8.7 SP2. The Notification service was labeled as "Unhealthy" and the Authentication Manager as "Partially Healthy."

Support for the Notification service will be added in IDR version 12.20.0.0. Until then, the status for the Notification service will be "N/A," with no impact on the overall status of AM.

 

Known Issues

The following table lists the known issues in this release:

ixed IssueDescription
NGX-142597                           In the Cloud Administration Console, enabling the Use Single OTP Web Authentication Page option under My Account > Company Settings > Sessions & Authentication displays the new OTP Web Authentication pages only in English. Currently, these OTP Authentication pages are not available in all supported languages. However, they will be localized for all supported languages in the April release.
NGX-144061On the Assurance Levels page, the new authentication method 'OATH HOTP' for OATH HOTP Hardware Authenticators is currently visible but is not yet available for use until the March release is rolled out.
The OATH HOTP method will become available for use in the March release.

 

February 2024 - Cloud Authentication Service

Cloud Authentication Service Updates

The following sections provide information on the new and enhanced features of the Cloud Authentication Service (CAS).

Disabled Use of FIDO Synced Passkeys

In the Cloud Administration Console, the use of FIDO synced passkeys for authentication is now disabled by default. If you want to enable users to use FIDO synced passkeys, select the Allow the use of FIDO syncable passkeys option on the Access > FIDO Authentication page. However, RSA recommends that you leave this option cleared. For more information, see the "Configure FIDO Synced Passkey Settings" section on the FIDO Authentication and Custom App Authentication page.

 

Configure My Page Enrollment Policy

In the Cloud Administration Console, administrators can now enable the My Page Enrollment Policy setting to verify users and manage how they register an authenticator using secure enrollment. For the My Page enrollment policy, administrators can create and define rule sets targeted at specific user populations for different user verification methods.

Note:  This feature is currently available in limited release. If you are interested in securely enrolling users to their RSA authenticators with an ID proofing method, please contact your RSA Sales Representative.

 

Reminder: Maintain Custom Domain Certificates

Administrators need to replace or update a custom domain certificate before it expires to avoid any disruption. Expired certificates will cause traffic to a custom domain to stop working. For more information, see Customize and Configure Domain Name.

 

New Builds for RSA SDK 4.0 for iOS and Android

New builds were released for RSA SDK V4.0 for iOS and Android. In the RSA SDK 4.0 for iOS build 4.0.6, the 'PrivacyManifest' was introduced in Xcode 15. In the RSA SDK 4.0 for Android build 4.0.2, the SDK was split into parts. For more information, see RSA SDK Documentation.

 

Upcoming End of Primary Support (EOPS) Details

The following table provides details of the RSA products reaching the end of support within the next six months:

ProductVersionEOPS DateExtended Support Level 1/Level 2
Authenticator for Windows6.1.1August 2024No
RSA Authentication Manager8.6August 2024August 2025/August 2026
SDK for iOS and Android3.1June 2024No
2.5 (iOS)
2.8 (Android)
Authentication Agent for Microsoft Windows7.4.xJune 2024No
MFA Agent for Microsoft Windows2.1.xJune 2024No
Authenticator App for iOS and Android4.2June 2024No
4.1.xJanuary 2024No
Authenticator App for macOS5.0March 2024No
Authentication Agent for Citrix StoreFront2.0.xMarch 2024No
Authenticate App for iOS and Android3.9.xMarch 2024No

 

Third-Party Integrations from RSA Ready

The following integrations are recently completed or certified by RSA through the RSA Ready Technology Partner Program. Implementation Guides will be coming soon. For the complete catalog of Implementation Guides, see RSA Ready Integrations on the RSA Community.

  • Absolute Secure Access (update) – added support for the Cloud Authentication Service using SAML.

  • AWS (update) – added support for My Page SSO using SAML.

  • Dell Unisphere for PowerMax (new) – support for Authentication Manager using RSA MFA API (REST).

  • Microsoft Azure AD (update) – added support for the Cloud Authentication Service using SCIM.

  • Shibboleth IDP (update) – added support for My Page SSO using SAML.

 

Fixed Issues

The following table lists the issues that are fixed for this release:

Fixed IssueDescription
NGX-139101
NGX-138226                

A script error occurred when logging into Citrix Secure Access. Certain JavaScript code was not supported by the Internet Explorer browser. This issue has been fixed.

NGX-133737When Code Matching was used for Approve notification, user authentications sometimes failed.
NGX-137901When accessing the My Page Self-Service portal via mobile devices, some dialogs were not completely visible.

 

January 2024 - Cloud Authentication Service

Cloud Authentication Service Updates

The following sections provide information on the new and enhanced features of the Cloud Authentication Service (CAS).

Publish Changes to the Cloud Authentication Service Faster

In the Cloud Administration Console, the Publish Changes button will no longer publish changes to an identity router (IDR) if the changes do not affect that IDR, thereby reducing publish time. For example, when you edit RSA My Page customizations, the changes will be published only to the Cloud Authentication Service.

The new "Force Publish to all IDRs" option is now available on the Publishing Status page so that administrators can publish changes to the Cloud Authentication Service and all registered Identity Routers to resend the current configuration settings to each IDR or to resolve an IDR's issue (if any).

 

Publish Changes in Authentication Sources

When administrators make changes to authentication sources, they need to publish these changes using the Publish Changes (Force publish to IDRs) button on the Publishing Status page in the Cloud Administration Console.

 

Register Multiple FIDO Authenticators

Users can now register a maximum of five FIDO authenticators using the RSA My Page so they can still log in if their primary authenticator is unavailable. On the My Page > My Authenticators page, users can view all their registered FIDO authenticators.

In the Cloud Administration Console, administrators can view a user's registered FIDO authenticators on the Users > Management > a user's details page. In the All Users report, a new column, titled "Number of FIDO Authenticators", has been added to help administrators view the number of registered FIDO authenticators per user. Moreover, administrators can enable the option to automatically send an email notification when users register a FIDO credential on the My Account > Company Settings > Email Notifications page.

 

A New Unified View of Usage Information in the Cloud Administration Console Dashboard

In the Cloud Administration Console, the Usage Information dashboard has been enhanced with a unified view of total users and credentials of both Cloud Authentication Service (CAS) and on-premises Authentication Manager (AM) for your hybrid deployments. To display the unified view, the connection between the Cloud Authentication Service and Authentication Manager needs to be established. A new, refreshed look and feel has been developed to visually present the Cloud-only data when there is no AM and CAS connection.

Note:  To view the unified usage dashboard with on-premises information, you need to upgrade your Authentication Manager to 8.7 SP2, scheduled for release by end of January 2024.

ngx_rn_unified_usage_info_dasboard

Enable Approve and Biometrics Code Matching Feature

Administrators can now enable Code Matching with different modes, even if the various components in their environment (Authenticators or Agents) do not support it for Approve and Biometric notifications. Once this feature is enabled, Code Matching is then used for a given authentication event only if both the Agent and the Authenticator app involved support the configured mode.

 

Enable Saving Primary Authentication Method Preference

In the Cloud Administration Console, administrators can now enable the option to save a user’s last successfully used primary authentication method and its associated policy as their preferred one in a browser cookie. Therefore, when a user attempts to authenticate again, they will be prompted to use the same saved primary authentication method.

 

Customize Cloud IdP User Instructions

Administrators can now add Cloud IdP instructions or text displayed during authentication. Users can easily perform Primary Authentication via Cloud IdP by following the displayed on-screen instructions during authentication.

 

Access Policies Terminology Changes in the Cloud Administration Console

In the Cloud Administration Console, terminology changes have been made to the UI labels of access policies. These changes aim to create a more unified and standardized experience while managing your access policies for authentication. For example, when you add a Microsoft Azure Directory Relying party, in the Authentication tab, the “Access Policy for Additional Authentication” label has been changed to “1.0 Access Policy for Additional Authentication”. In addition, when you add an application, in the User Access tab, the “Select a policy” label has been modified to “Select a 1.0 policy”.

 

MFA Agent Citrix StoreFront V3.0 Now Released!

MFA Agent Citrix StoreFront V3.0 is now released with the following features:

  • New and intuitive user interface for an enhanced user experience, with new terminology adapted.

  • Support for Emergency Access Code as a new method and enhanced Approve and Biometrics methods to support Code Matching.

  • Enhanced Agent settings interface allows easy configurations relevant to the Cloud Authentication Service (CAS) and Authentication Manager (AM) using the Server and Advanced tabs.

  • Support for Authentication Manager failover (The Agent can switch to AM replicas in case of AM failure when using AM as a secure proxy to connect to CAS).

  • Ability to enable WPI either during installation or by using configuration settings after installation.

  • Enhanced Agent reporting.

  • Support for silent mode installation and upgrade.

  • Deprecated UDP connection to Authentication Manager and risk-based authentication (RBA) support. For more information, see Deprecated Features for RSA MFA Agents.

 

Upcoming End of Primary Support (EOPS) Details

The following table provides details of the RSA products reaching the end of support within the next six months:

ProductVersionEOPS DateExtended Support Level 1/Level 2
Authentication Agent for Microsoft Windows7.4.xJune 2024No
MFA Agent for Microsoft Windows2.1.xJune 2024No
Authenticator App for macOS5.0March 2024No
Authentication Agent for Citrix StoreFront2.0.xMarch 2024No
Authenticate App for iOS and Android3.9.xMarch 2024No
 Authenticator App for iOS4.2June 2024  No
4.1.5January 2024
4.1.0
Authenticator App for Android4.2June 2024  No
4.1.6January 2024
4.1.0

Identity Router Update Schedule and Versions

This release includes miscellaneous identity router improvements. Identity routers will be updated according to the following schedule. Downloading the new identity router image when you deploy new identity routers ensures that you benefit from the latest security improvements.

DateDescription


AU: 3/11/2024

EU / IN: 3/13/2024

NA: 3/14/2024

Gov: 3/14/2024

Updated identity router software is available to all customers.
Saturday 4/20/2024Default date when identity routers are scheduled to automatically update to the new version unless you modify the update schedule or update manually.
Saturday 5/18/2024

If you postponed the default date, this is the last day when updates can be performed.

Note:  Please update all your IDRs to v12.19 before the updated identity router software is available in your region and ensure that the IDRs have no reachability issues with the region-specific domain names before May 2024. For more information, see View Identity Router Status in the Cloud Administration Console.

The new identity router software versions are:

Identity Router
Deployment Type

Version
On-premises12.20.0.0
Amazon CloudRSA_Identity_Router 12.20.0.0

Fixed Issues

The following table lists the issues that are fixed for this release:

Fixed IssueDescription
NGX-138067An identity router failed to connect to the Cloud Authentication Service in the USEAST region. The hostname was not resolving and had a different format than the expected one.
NGX-132415A customer could not reset their LDAP password. The following error message was displayed:
Unable to change the password. Please contact your administrator for assistance.

NGX-131144

NGX-129486

Some security vulnerabilities were fixed in identity routers portals.
NGX-130202A customer's identity router stopped responding, although its status was Active in the Cloud Administration Console.
NGX-122833A customer reported that they could not connect their embedded identity router to the Cloud Authentication Service. There was a DNS error.
NGX-118058A customer reported that their identity routers’ status changed to distressed and encountered “too many open files” errors when they tried to restart their IDRs.

Known Issue

The following table lists the known issue in this release.

Known IssueDescription
NGX-143918

Issue: After upgrading the IDRs, the Test Connection of an identity source failed. The error message displayed states: "Error occurred while connecting to the directory server. Unable to connect to Active Directory server. Review the configuration details." This issue impacts the Test Connection functionality but not authentication or other IDR services.
Resolution: Restarting the IDR resolves this issue.

 

 

 

 

Related Articles

Trending Articles

Don't see what you're looking for?