October 2022 - Cloud Authentication Service
RSA Authenticate App for Android Version 3.9.1 – Coming Soon!
By the 1st of November, RSA Authenticate app for Android version 3.9.1 will be released. This new updated version is a maintenance release that addresses some minor issues.
Third-Party Integrations from RSA Ready
If you are using an integration that is not listed on RSA Community, contact the RSA Ready Program Manager, Michael.wolff@rsa.com.
Fixed Issues
The following table lists the issues that have been fixed in this release:
| Fixed Issue | Description |
|---|---|
| NGX-98035 | A customer encountered an issue with editing the configuration settings of My Page. This issue happened to customers who had the license to customize portal and email. The following error message was displayed: An error occurred while saving the configuration. This issue has been fixed, and the customer can now edit the configuration settings. |
| NGX-99202 | A customer was unable to edit or delete a SAML application from the Cloud Administration Console. This issue occurred due to marking an application as Cloud although it is deployed to IDR. |
September 2022 - Cloud Authentication Service
DS100 Next Generation Hardware Authenticator Availability
The DS100 is a cloud-managed, multi-functional hardware authenticator that supports SecurID one-time password (OTP) and passwordless FIDO2 authentication. With dynamic seeding and self-registration, administrators can secure users as they transition from SecurID OTP to FIDO2 without changing their authenticator. The DS100 authenticator supports OTP generation when unplugged from a device to support high security environments without USB connectivity.
Cloud Administration Generate and Download Reports APIs
Administrators can now use secure APIs to generate and download the available reports in the Cloud Authentication Service Administration Console.
SecurID Authenticator 4.1.5 for iOS and Android - Coming Soon!
-
SecurID apps and their related software development kits (SDKs) will support iOS 16 and Android 13.
-
In iOS devices, users will be able to approve or deny the sign-in requests before the Face ID authentication is completed.
-
Users will be able to share information logs and binding IDs not only via the default email client, but also via any of the installed apps on their devices.
-
Users will be able to approve the push notifications received from the SecurID Authenticator app on their Android watches.
Third-Party Integrations from RSA Ready
If you are using an integration that is not listed on RSA Community, contact the RSA Ready Program Manager, Michael.wolff@rsa.com.
Fixed Issues
The following table lists the issues that have been fixed in this release:
| Fixed Issue | Description |
|---|---|
| NGX-91477 | Using the SecurID Authenticator app on iOS devices, users could not register their device to the Cloud Authentication Service if their email addresses contain an apostrophe before the @ symbol (e.g., o'neal@example.com). Users can now use an apostrophe and some additional characters in their email addresses. |
| NGX-92339 | Using the SecurID Authenticator app on Android devices, users could not register their device to the Cloud Authentication Service if their email addresses contain an apostrophe before the @ symbol (e.g., o'neal@example.com). Users can now use an apostrophe and some additional characters in their email addresses. |
| NGX-97267 |
In August release, the entity ID was incorrect, and it was replaced with the following instead: https://<customersubdomain>/sso/saml/<guid of specific application> |
| NGX-97488 | A customer was unable to download the SAML request signing certificate for an Identity Provider (IdP)and received the following error message: Error downloading certificate. |
August 2022 - Cloud Authentication Service
App Name and App Version Columns in All Synchronized Users Report
The "All Synchronized Users" report has been enhanced by adding App Name and App Version columns for all the admin roles to track which Software Authenticator application, either "SecurID Authenticator" or "RSA Authenticate App", each user is currently using.
Standardized Product Terminologies
The pages of the Cloud Administration Console and My Page self-service portal Authenticator management have been modified with standardized product terminologies and icons to align with the other SecurID products and the authentication industry.
Note: The login pages of My Page will be updated in a future release.
The following table lists the most important old and new terms:
| Old Term | New Term |
|---|---|
| Company ID | Organization ID |
| Account | Credential |
| Token |
Based on the usage, the term has been replaced by one of the following terms:
|
| Software Token |
Based on the usage, the term has been replaced by one of the following terms:
|
| View Tokencode |
Based on the usage, the term has been replaced by one of the following terms:
|
| Authenticate Tokencode | Authenticate OTP |
| Emergency Tokencode | Emergency Access Code |
| SMS Tokencode | SMS OTP |
| Voice Tokencode | Voice OTP |
Automatic Deletion of Users from Cloud Authentication Service Based on User Changes in the Identity Source
Users who have a registered software or hardware authenticator in the Cloud Authentication Service, but have not synced in the last 30 days, will be automatically Just In Time (JIT) synced from the directory server. JIT will disable the users who are out of the scope of the identity source or disabled in the directory server. Users will be marked for deletion 90 days after being disabled by auto-sync. Then, they will be deleted seven days after being marked for deletion.
Users are checked in the Identity Source to verify that they still meet the following conditions:
-
User is present in the Identity Source
-
User is active
-
User is in scope to be synchronized to the Cloud Authentication Service
If all the three conditions are not true, then the user is marked for automatic deletion in the Cloud Authentication Service.
Metadata Service Version 3 in SecurID FIDO Implementation
Metadata Service (MDS) is a centralized web repository of the Metadata Statement. The service was upgraded by the FIDO Alliance as a replacement to the deprecated MDS2. SecurID FIDO implementation upgraded the MDS2 to MDS3 to better work through the security notifications to ensure effective incident response.
Third-Party Integrations from RSA Ready
If you are using an integration that is not listed on SecurID Community, contact the RSA Ready Program Manager, Michael.wolff@rsa.com.
Fixed Issues
The following table lists the issues that are fixed for this release:
| Fixed Issue | Description |
|---|---|
| NGX-94453 | When the msDS-PrincipalName (domain\username format) attribute was used as the alternate username, Just In Time sync could not onboard new users to the Cloud Authentication Service. |
| NGX-94868 | For My Page, the users received Access Denied error while using the Trusted Location attribute in the access policy to protect the access. |
| NGX-95254 | Applying Custom Domain Name for OIDC for Azure AD configuration did not work due to the limitation of Microsoft Azure requirement of registering allow list for redirect URLs. |
Known Issues
The following table lists the known issue in this release.
| Known Issue | Description |
|---|---|
| NGX-97371 |
For some of the newly provisioned customers who have never opened and saved the My Account > Company Settings > Company Information page, their QR code device enrollment screens display 'company' and the QR code registration for their users fails. Workaround Administrator can open the My Account > Company Settings > Company Information page and click Save Settings. |
July 2022 - Cloud Authentication Service
Periodic User Refresh Process
To keep the user repository of the Cloud Authentication Service in sync with the underlying directory server, a periodic user refresh process has been implemented. This will refresh the users who have not been authenticated or synchronized to the cloud recently.
Distinguished Name Column in All Synchronized Users Report
The All Synchronized Users report has been enhanced with a column for Distinguished Name to enable organizations with a large and distributed userbase to identify their users.
SecurID Authenticator 6.1 for Windows - Coming Soon!
SecurID Authenticator for Windows is a single authentication app on Windows that supports both the SecurID Authentication Manager (AM) One Time Password (OTP) credentials and ID Plus cloud-based OTP credentials and push authentication to manage all your authentication needs. SecurID Authenticator 6.1 for Windows will be released soon with RSA DS100 Hardware Authenticator management, including OTP credential registration and firmware upgrade. It can perform FIDO management on the DS100 and third-party FIDO Security Keys.
Third-Party Integrations from RSA Ready
If you are using an integration that is not listed on SecurID Community, contact the RSA Ready Program Manager, Michael.wolff@rsa.com.
Fixed Issues
The following table lists the issues that are fixed for this release:
| Fixed Issue | Description |
|---|---|
| NGX-89553 | The following error banner was displayed on the Connection Profile page of the IDR SAML application. "There was an error with your application setup. Correct the items in red". However, none of the fields were highlighted in red. This issue occurred when an expired certificate was used in the Encrypt Assertion section and the Encrypt Assertion check box was disabled. |
| NGX-90985 | When users accessed relying party and performed mobile authentication on the same device, authentication failed intermittently. |
| NGX-93473 | Organization ID was not showing any value during the device registration on My Page until Company Settings page was edited. |
June 2022 - Cloud Authentication Service
New Cloud-Based My Page Portal with Single Sign-On Experience is Available
A fully redesigned cloud-based My Page portal with a reliable and highly available single sign-on experience is now available. This allows users to manage the self-service of their authenticators in the My Authenticators tab and single sign-on (SSO) access to their protected applications in the My Applications tab. It provides a unified on-site and off-site user-friendly experience that is rebrandable, customizable , and accessible.
-
Existing customers with the HTTP Federation Proxy, Trusted Headers, NTLM, and Bookmark applications deployed on Identity Router based portal can easily migrate to the cloud-based portal.
-
SAML applications need to be created again in the cloud-based portal if you migrate from Identity Router based portal.
-
WS Federation applications are not supported in the cloud-based portal.
-
Identity Router based portal cannot be enabled going forward. This does not impact the customers who are already using the Identity Router based portal.
-
-
Administrators can now customize and configure domain name (CNAME). This is supported for HTTP Federation Proxy, Trusted Headers, NTLM, SAML, and Bookmark applications.
-
The user interface text and labels have been standardized to align with other SecurID products.
-
Users can sign in to the portal once and access multiple authorized applications, including cloud and on-premise applications, SAML-enabled and non-SAML enabled applications.
-
The My Page portal now supports the Italian language.
Enable or Disable Agent Inventory Report
To allow customers to control the information that is tracked in the Cloud Authentication Service, the agent data collection can now be enabled or disabled. The default for this setting is 'disabled'.
Cleaning Up of Unused User Records
To increase the efficiency of the Cloud Authentication Service, a clean-up process has been implemented to remove the data for users who have never used the Cloud Authentication Service. This includes identifying the users who have not used Cloud Authentication Service for at least 30 days after their user records were initially created in the Cloud Authentication Service, disabling and marking them for deletion, and deleting their data. The Cloud Authentication Service automatically deletes all users who have been Pending Deletion for seven days. The deleted user records can be added back if the users want to use the Cloud Authentication Service.
SecurID Authenticator 6.0 for Windows - Coming Soon!
A single authentication app on Windows that supports both SecurID Software Token and cloud-based multifactor authentication to manage all your authentication needs. Be it on-premises, cloud, or hybrid infrastructure, you will have one single application to manage authentications effectively. By adding support for cloud MFA for Windows users, the new authenticator helps move your authentication to the cloud with continued support for software tokens. Existing software token users can easily migrate to the SecurID Authenticator 6.0 by simply re-importing their tokens.
Authentication Agent 1.0 for Epic Hyperdrive - Coming Soon!
Epic is moving its current primary end user application, 'Hyperspace', to a web-based framework, 'Hyperdrive'. RSA will release a new authentication agent to secure the new Epic Hyperdrive login and workflows.
New and Updated Third-Party Integrations from RSA Ready
The following integrations were recently completed or certified by SecurID through the RSA Ready Technology Partner Program. For Implementation Guides, see SecurID Integrations on the SecurID Community.
-
Microsoft OWA 2013 (update, Cloud Authentication Service) – updated support for the HTTP Federation method type.
-
Prove (update, AuthMgr) – updated support for OTP via SMS.
-
Radiant Logic RadiantOne (update, AuthMgr) – updated support for REST method.
Contact SecurID Partner Engineering for questions and integration support, rsapesupport@securid.com.
Fixed Issues
The following table lists the issues that have been fixed in this release.
| Fixed Issue | Description |
|---|---|
| NGX-90059 | Customer was unable to edit access policies when the MFA license flag was turned off. |
| NGX-90040 | Errors occurred during post tenant moveall ALA monitoring. |
| NGX-88921 | Customer could not save identity source attributes. |
May 2022 - Cloud Authentication Service
Authenticator 4.1 App for iOS and Android - Coming Soon!
SecurID app for iOS and Android has been renamed as Authenticator and its 4.1 version will be released soon with enhanced usability and accessibility. The user interface text and labels are standardized to align with other SecurID products.
Agent Inventory Report
A new report for exporting the list of cloud-connected Authentication Agents for compliance and reporting purposes is available now. From the June release, customers will be able to control the availability of the report. By default, the report will be disabled.
New and Updated Third-Party Integrations from RSA Ready
The following integrations were recently completed or certified by SecurID through the RSA Ready Technology Partner Program. For Implementation Guides, see SecurID Integrations on the SecurID Community.
-
VMware Horizon (update, AuthMgr & Cloud Authentication Service) – updated support for SecurID Authentication (REST) API and Radius method types.
-
VMware UAG (update, AuthMgr & Cloud Authentication Service) – updated support for SecurID Authentication (REST) API and Radius method types.
End Of Support – Reminder
We would like to remind all Technology Partners with an integration that used SecurID Authentication API for C and Java (v8.7 or earlier to build UDP/TCP clients) to move to SecurID Authentication (REST) API v1.x to connect to Authentication Manager. The Documentation and a YAML file (logon required) are available on SecurID Community. The integrations that were built using SecurID Authentication API for C and Java (8.7 or earlier) will be reaching their end of support soon. We request all the technology partners to start supporting integrations with REST API to avoid disruption of services.
Contact SecurID Partner Engineering for questions and integration support, rsapesupport@securid.com.
Fixed Issues
The following table lists the issues that have been fixed in this release.
| Fixed Issue | Description |
|---|---|
| NGX-89939 | A customer had reported that all the users in the tenant were receiving delayed MFA push notification. |
| NGX-86858 | Error occurred while assigning a FIDO token to a user. |
| NGX-86779 | Customer had reported flooding of MFA notifications. |
| NGX-85970 | SecurID app could not scan QR codes on older iPhone with smaller screen. |
| NGX-82341 | A customer was unable to publish the changes after editing NGX Auth ID. |
Known Issues
The following table lists the known issues in this release.
| Known Issue | Description |
|---|---|
| NGX-82988 |
This release contains changes that will prevent Identity Router SSO Agent intra-cluster session replication from working until all Identity Routers in the cluster are running on this release. This affects customers who have:
When an Identity Router becomes unavailable, the session will end for the users who logged into that Identity Router, and they will be asked to re-authenticate. Workaround Once all Identity Routers in the cluster are upgraded to the May release, this will work again as expected. This will not cause auth failures or prevent other Identity Router functionality from working correctly. |
| NGX-90704 |
Customers may notice a new report titled ALL_TRACKED_MFA_CLIENTS for a short duration. This report is not ready for use until they are upgraded to the May 2022 release. Attempting to run this report before the upgrade completes will display an error message. |
April 2022 - Cloud Authentication Service
SecurID 700 Hardware Tokens Available for All Customers
After a successful pilot with a limited set of customers, management of SecurID 700 Tokens in the Cloud Authentication Services is now available by default for all customers.
Cloud Migration for SecurID 700 Hardware Tokens – Coming Soon!
Using RSA Authentication Manager 8.7, SecurID 700 Hardware Tokens managed in Authentication Manager can be easily migrated to the Cloud Authentication Service. Administrators can decide which tokens to migrate and which tokens to retain within Authentication Manager, based on multiple factors.
For the migrated tokens:
-
Administrators can then manage them using the Cloud Administration Console without impacting their on-premises infrastructure.
-
Authentication Manager 8.7 will still be able to manage authentication if the cloud authentication service is unreachable.
New and Updated Third-Party Integrations from RSA Ready
The following integrations were recently completed or certified by SecurID through the RSA Ready Technology Partner Program. For Implementation Guides, see 8 on the SecurID Community.
-
Archer (update, Cloud Authentication Service) – ESG and Integrated Risk Management, updated support for authentication method types SAML via Cloud SSO and Relying Party.
-
SecurID G&L (update, Cloud Authentication Service) – Identity Governance and Administration, updated support for authentication method types SAML via Cloud SSO and Relying Party.
-
IBM MFA for z/OS (update, Authentication Manager) – alternate authentication mechanisms for z/OS networks, added support for REST API.
End Of Support – Reminder
We would like to remind all Technology Partners with an integration that used SecurID Authentication API for C and Java (v8.7 or earlier to build UDP/TCP clients) to move to SecurID Authentication (REST) API v1.x to connect to Authentication Manager. The Documentation and a YAML file (logon required) are available on SecurID Community. The integrations that were built using SecurID Authentication API for C and Java (8.7 or earlier) will be reaching their end of support soon. We request all the technology partners to start supporting integrations with REST API to avoid disruption of services.
Contact SecurID Partner Engineering for questions and integration support, rsapesupport@securid.com.
Fixed Issues
The following table lists the issues that have been fixed in this release.
| Fixed Issue | Description |
|---|---|
| NGX-85886 | A customer was unable to change the SAML NameID value. The issue was that change in the NameID identifier type was not getting retained even after saving and publishing the updates. This issue has been fixed now. |
| NGX-86023 |
Customers reported an authentication outage after tenants were moved to the March Cloud release. The issue is fixed now. |
March 2022 - Cloud Authentication Service
SecurID Authenticator 5.0 for macOS is Available!
SecurID Authenticator 5.0 for macOS is a new app that supports both SecurID Software Token and cloud-based multifactor authentication to manage all your authentication needs. Be it on-prem, cloud, or hybrid infrastructure, you will now have one single app to manage effectively.
The app is distributed through platform-specific public Apple's App Store and a SecurID Link for a side-loading, customers can download the app package from the link.
Please see the SecurID Authenticator 5.0 for macOS Release Notes and Advisories for additional information about the contents of this release.
New and Updated Third-Party Integrations from RSA Ready
The following integrations were recently completed or certified by SecurID through the RSA Ready Technology Partner Program. For Implementation Guides, see SecurID Integrations on the SecurID Community.
-
Cisco ASA (update, Authentication Manager, and Cloud Authentication Service) – updated support for authentication method types SAML and Radius.
-
PingFederate (update, Authentication Manager, and Cloud Authentication Service) – updated support for authentication method types SecurID Authentication API and SAML.
-
Prove (update, Authentication Manager) – update to configuration for SMS Gateway provider Prove; originally listed as Authentify.
-
Stormshield (new, Authentication Manager and Cloud Authentication Service) – new support for SSL VPN provider via authentication method types Radius and SAML.
End Of Support – Reminder
We would like to remind all Technology Partners with an integration that used SecurID Authentication API for C and Java (v8.7 or earlier to build UDP/TCP clients) to move to SecurID Authentication (REST) API v1.x to connect to Authentication Manager. The Documentation and a YAML file (logon required) are available on SecurID Community. The integrations that were built using SecurID Authentication API for C and Java (8.7 or earlier) will be reaching their end of support soon. We request all the technology partners to start supporting integrations with REST API to avoid disruption of services.
Contact SecurID Partner Engineering for questions and integration support, rsapesupport@securid.com.
Fixed Issues
The following table lists the issues that have been fixed in this release.
| Fixed Issue | Description |
|---|---|
| NGX-85005 | The customer was unable to publish changes and the page was loading for a long time. This problem has been fixed. |
| NGX-85007 |
The customer was unable to edit or sync identity sources in the Production Environment. This problem has been fixed. |
February 2022 - Cloud Authentication Service
SecurID Authenticator 5.0 for macOS is Coming!
SecurID Authenticator 5.0 for macOS is a new app that supports both SecurID Software Token and cloud-based multifactor authentication to manage all your authentication needs. Be it on-prem, cloud or hybrid infrastructure, you will now have one single app to manage effectively. By adding support for cloud MFA for macOS users, the new authenticator helps move your authentication to the cloud with continued support for software tokens. Existing software token users can easily move to the SecurID Authenticator 5.0 by simply re-importing their tokens. Migration of software tokens from the RSA Software Token 4.2.3 desktop is not currently supported.
New and Updated Third-Party Integrations from RSA Ready
The following integrations were recently completed by RSA or certified by RSA through the RSA Ready Technology Partner Program. For Implementation Guides, see SecurID Integrations on the SecurID Community.
-
Fortanix Data Security Manager (DSM) SaaS (new, Cloud Authentication Service) – provides integrated data security with encryption, multi-cloud key management, tokenization, and other capabilities from one platform, delivered-as-a-service. Now supports SecurID MFA via SAML including SSO and Relying Party.
-
Microsoft Azure AD (new, Cloud Authentication Service) – can be used as a 3rd party IDP for MFA access to SecurID Cloud Admin Console via SAML.
-
VMware Cloud Director (new, Cloud Authentication Service) – a leading cloud service-delivery platform used by cloud providers to operate & manage successful cloud-service businesses. Now supports SecurID MFA via SAML including SSO and Relying Party.
-
VMware vSphere (new, Authentication Manager) – VMware’s cloud computing virtualization platform. Supports 2FA with Authentication Manager via SecurID Authentication API for C and Java.
We would like to remind all Technology Partners with an integration that used SecurID Authentication API for C and Java, by the end of 2022, to plan to support Authentication Manager – and the Cloud Authentication Service – using the SecurID Authentication API v1.x. Documentation and a YAML file (logon required) are available on SecurID Community. Contact SecurID Partner Engineering for questions and technical support, rsapesupport@securid.com.
Fixed Issues
The following table lists the issues that have been fixed in this release.
| Fixed Issue | Description |
|---|---|
| NGX-81437 |
Improved the performance of the Policies page. A customer had reported that the page could take several minutes to load a large number of access policies when an assurance level was empty. |
January 2022 - Cloud Authentication Service
Cloud Administration Console URLs Are Changing in January 2022
The Cloud Administration Console URLs for your company are changing to include your company subdomain. For example, if you previously accessed the Console with https://na2.access.securid.com/ and your company subdomain is example, you will now access the Console with https://example.access.securid.com . The Cloud Authentication Service can dynamically redirect your administrative requests to a suitable environment if a problem is detected that affects service availability.
The shared URLs in use prior to January 2022 are available for sign-in and administrators will receive a message in the Console reminding them to update bookmarks to use the new URLs. The shared URLs will continue to be supported for at least a year but might not offer all capabilities or perform as well as the new company-specific URLs.
To find the region and service where your Cloud Authentication Service is deployed, sign into the Cloud Administration Console and find the blue hyperlink next to Hello< administrator's name > near the top left of the Dashboard page. You need to know the region and service when checking the Cloud Authentication Service status page, uptime page, and notifications for maintenance and service incidents.
Action Required if You Have a Third-Party Identity Provider Protecting Access to the Cloud Administration Console
If your deployment configured a third-party identity provider (IdP) to protect access to the Cloud Administration Console, the shared console URLs are saved as the SAML Sign-In URL and the Assertion Consumer Service URL. SecurID recommends that you update these URLs to point to the new company-specific URLs for best performance. To view the company-specific URLs, open the Cloud Administration Console and click My Account > Company Settings > Sessions & Authentication tab. The new URLs are automatically provided in the SAML Sign-In URL and Assertion Consumer Service URL fields. Copy these URLs to your IdP configuration.
Whitelisting URLs Accessed by the Identity Router
The repository URLs accessed by the identity router will change to become company-specific. Therefore, make sure any whitelisting you have in place reflects these new URLs. For best practices, we recommend that you whitelist *.securid.com and *.securidgov.com instead.
New and Updated Third-Party Integrations from RSA Ready
The following integrations were recently completed by RSA or certified by RSA through the RSA Ready Technology Partner Program. For Implementation Guides, see SecurID Integrations.
-
Firehydrant.io (new, Cloud Authentication Service)– incident management platform supports SecurID MFA via SAML including SSO and Relying Party.
-
goCanvas (new, Cloud Authentication Service)- provides mobile apps and forms for data collection and sharing. Supports SSO or relying party.
-
Juniper Networks JunOS vSRX (new, Authentication Manager) – virtual NGFW supports SecurID authentication via Radius with Authentication Manager.
-
McAfee MVISION (new, Cloud Authentication Service)- protects data and stops threats in the Cloud across SaaS, PaaS, and IaaS from a single, cloud-native enforcement point. Supports SSO.
-
Microsoft Office 365 (update, Cloud Authentication Service)– updated CAS support for MFA into Microsoft 365 including SSO and Relying Party.
-
Microsoft Sharepoint 2019 (new, Cloud Authentication Service) – SSO Agent for SecurID authentication via SAML.
-
Specops uReset (new, Authentication Manager/Cloud Authentication Service) – self-service password reset supports SecurID authentication via REST API.
-
SUSE Rancher (new, Cloud Authentication Service) – unifies Kubernetes clusters to ensure consistent operations, workload management, and enterprise grade security. Supports SSO or relying party.
We would like to remind Technology Partners about the SecurID Authentication API, a REST-based programming interface that allows you to develop clients that process multifactor, multistep authentications through RSA Authentication Manager and the Cloud Authentication Service.
The SecurID Authentication API was released in 2019 and is one of the supported methods to integrate your client applications with the Cloud Authentication Service, in addition to SAML2 and RADIUS. It replaces SecurID Authentication API 8.7 for C and Java to communicate with Authentication Manager. As of June 2021, version 8.7 is now End of Primary Support Level 2, which means there are no hot fixes available and only best effort support is provided.
To remain RSA Ready, all Technology Partners should plan to support the Cloud Authentication Service in your applications by the end of 2022. If you use version 8.7 or older, you may update to the SecurID Authentication API. Documentation and a YAML file (Logon required) are available on RSA Link. Contact SecurID Partner Engineering for questions and technical support, rsapesupport@securid.com.
Removed the Ability to Request a Cloud Authentication Service Account Through the RSA Authentication Manager Security Console
SecurID no longer supports requesting a Cloud Authentication Service account through the Security Console. If you try to request an account, your patch level determines the error message that you receive.
You can continue to use your existing Cloud Authentication Service accounts. If you need a new Cloud Authentication Service account, call SecurID Sales at 1 800 995 5095.
SecurID 4.0 App is Available!
SecurID 4.0 app for iOS and Android adds cloud-based multifactor authentication to the software token functionality already present in the SecurID 3.0 app. Users have one convenient authenticator to safely sign into their company accounts. This enhancement helps your company move authentication to the cloud and effectively manage a hybrid deployment. See Announcing the Release of SecurID 4.0 app for iOS and Android.
Fixed Issues
The following table lists the issues that have been fixed in this release.
| Fixed Issue | Description |
|---|---|
| NGX-75573 | Documentation was updated to include hostnames and IP addresses (primary and failover), and the identity router download URL for the SecurID Federal region. |
| NGX-74407 |
The date encoding issue that occurred when using the Administration Rest API Client command line tool has been resolved in version 2.7.2 of the Cloud Administration SDK. |
| NGX-72907 |
A customer was unable to use the Cloud Administration Console to share the Amazon Machine Image (AMI) with multiple Amazon account IDs. This problem has been fixed. |
October 2021 - Cloud Authentication Service
Automatic Unlock for Tokencodes
End users no longer have to call their IT Help Desk to unlock their tokencodes. You can configure the Cloud Authentication Service to automatically unlock tokencodes after a specified period of time has elapsed. Each tokencode is locked and unlocked separately. For more information, see Configure Tokencodes.
Multiple SecurID 700 Tokens per User
You can assign to each user up to five active SecurID 700 hardware tokens that are managed in the Cloud Administration Console. Users can register and activate their tokens on My Page. With this feature, the Cloud Authentication Service is closer to providing the same capabilities as Authentication Manager. For more information, see SecurID Hardware Tokens.
Identity Router Update Schedule and Versions
This release includes miscellaneous identity router improvements. Identity routers will be updated according to the following schedule.
| Date | Description |
|---|---|
|
EU: 11/11/2021 ANZ, US, Gov: 11/16/2021 | Updated identity router software is available to all customers. |
| 1/08/2022 | Default date when identity routers are scheduled to automatically update to the new version unless you modify the update schedule or update manually. |
| 1/29/22 | If you postponed the default date, this is the last day when updates can be performed. |
Note: Downloading the new identity router image when you deploy new identity routers ensures that you benefit from the latest security improvements.
The new identity router software versions are:
|
Identity Router | Version |
|---|---|
| On-premises | 12.13.0.0 |
| Amazon Cloud | RSA_Identity_Router 12.13.0.0 |
Fixed Issues
| Fixed Issue | Description |
|---|---|
| NGX-74406 | A customer reported that the hardware token authentications failed on Azure Active Directory. This problem has been fixed. |
| NGX-74375 | Identity router went down after a software update. This problem has been fixed. |
| NGX-73521 | A customer observed the identity router status changed to Distressed status. This problem has been fixed. |
| NGX-72070 | Identity router memory usage is no longer going high. |
| NGX-71933 | A customer reported that the sign-in through Integrated Windows Authentication (IWA) failed when a domain controller was down. This problem has been fixed. |
| NGX-71773 | IWA authentication no longer fails for the Application Portal sign-in. |
| NGX-70822 | A customer reported that the Identity Router showed unhealthy Cloud Authentication Service connections for both the primary and backup IP of the Cloud Authentication Service. This problem has been fixed. |
| NGX-68830 | A customer observed few vulnerabilities being reported after running penetration testing on the SSO portal. This problem has been fixed. |
| NGX-68042 | Cloud Authentication Service and identity router no longer requires anonymous bind to connect and search rootDSE (root of the directory data tree on a directory server). LDAP synchronization will no longer fail in a customer environment that blocks anonymous bind to rootDSE. |
| NGX-67189 | In the Cloud Administration Console, a customer was unable to successfully publish the generated wildcard certificate to the identity router. This problem has been fixed. |
September 2021 - Cloud Authentication Service
Required Identity Router Updates Must be Completed by October 31, 2021
To strengthen overall security, SecurID has rolled out significant improvements that harden identity routers to meet Security Technical Implementation Guide (STIG) standards. You must update your identity router software version to 12.12.x and the operating system from SLES 11 SP4 to SLES 12 SP5. To view identity router version and operating system information, see View Identity Router Status in the Cloud Administration Console.
Replace These Identity Routers by October 31, 2021
If your identity routers meet both of the following criteria, you must replace them by October 31, 2021 using the replace procedure described in the Identity Router 12.12.x Migration Guide:
-
10 GB disk space or the identity router is embedded in Authentication Manager
-
SLES 11 operating system
-
Identity router version 12.12 or earlier
No additional updates are available for these identity routers.
Identity Routers Already Updated
If your identity routers meet all three of the following criteria, automatic updates or in-place upgrade should already have occurred on the default rollout date.
-
54 GB disk space or the identity router embedded in Authentication Manager
-
SLES 11 or 12 operating system
-
Identity router version prior to 12.12
You do not need to replace these identity routers. For more information, see Update Identity Router Software.
Note: To view notification for identity routers that are not eligible for in-place upgrade, click Platform > Identity Routers in the Cloud Administration Console.
Before an in-place upgrade occurs, we recommend that you take a snapshot for VMware and Hyper-V identity routers and take a storage volume snapshot for AWS identity routers. These snapshots can be discarded after a successful upgrade. The in-place upgrade procedure updates your identity router software version to 12.12.x and the operating system from SLES 11 SP4 to SLES 12 SP5.
After the in-place upgrade is complete, verify the identity router operating system in the Cloud Administration Console. Click Platform > Identity Routers, then click the arrow next to the identity router name. If the operating system is not SLES 12 SP5, contact Customer Support.
Note: An in-place upgrade takes longer than the standard identity router software update. It may take more than an hour for a single identity router update and more than two hours for a cluster of three identity routers.
Additional Information for Identity Routers with SLES 12
The following information applies to identity routers with the SLES 12 operating system:
-
Any certificate and keys you upload to the Cloud Administration Console for SSO SAML applications, SecurID Access Application Portal (domain certificate), identity source, identity provider and so on must each have a minimum key length of 2048 bits.
-
Signature algorithms RSA\SHA1 (rsa-sha1) and DSA\SHA1 (dsa-sha1) are no longer supported for signing SAML assertions for SAML applications in the SecurID Access Application Portal. The following algorithms are supported.
Supported Algorithm Signature Algorithm rsa-sha256
rsa-sha384
rsa-sha512
dsa-sha256
Digest Algorithm sha1
sha256
sha384
sha512
Unify Your Authenticators, Your Way - SecurID SDK 3.1 for iOS and Android
Build a custom authenticator app for your SecurID, MFA and now Transaction Signing needs, with the new SecurID SDK 3.1 for iOS and Android. Make it easy for your users to access any authenticator conveniently within the same familiar app for a better overall user experience. For more information, see this advisory and SecurID SDK Documentation.
Authenticators Unite – SecurID App 4.0 is Coming!
The SecurID app for iOS and Android will soon add MFA functions from the RSA SecurID Authenticate app to the existing SecurID Token capabilities. This merger simplifies the management complexities of your hybrid deployment and minimizes user disruption as you move to the cloud with the same authenticator app.
RSA SecurID Authenticate app users can easily replace their existing app with the SecurID app using QR Codes from a self-service portal like My Page and experience improved usability and greater accessibility enjoyed by millions of SecurID app users today. To learn more, see this advisory.
Just-in-Time Synchronization Always On for Immediate User On-Boarding and Updates
SecurID’s just-in-time synchronization instantaneously allows new users to authenticate with SecurID and prevents disabled users from doing so. In this release, just-in-time synchronization replaces scheduled synchronization to prevent artificial delays from scheduled synchronization intervals. Scheduled bulk synchronization has been removed and just-in-time synchronization is always active. You can still manually synchronize identity sources on-demand. Automatic removal of users from SecurID that were deleted in a user identity store is coming in a future release. For more information, see the "Synchronizing Identity Sources with the LDAP Directory Server" section on the Identity Sources for the Cloud Authentication Service page.
On-board, off-board and update on-demand!
Fixed Issues
| Fixed Issue | Description |
|---|---|
| NGX-72108 | Users were prevented from using My Page to activate their cloud-managed hardware tokens if permission to use Authenticate Tokencode, Device Biomtrics, and Approve was not enabled for the company. This problem has been fixed. |
| NGX-70788 | The documentation has been updated to clarify why some users receive an 8-digit emergency tokencode while others receive a 12-digit emergency tokencode. For more information, see Emergency Tokencode. |
| NGX-71761 | A customer was unable to publish due to system constraints. This problem has been fixed. |
August 2021 - Cloud Authentication Service
The August release of the Cloud Authentication Service includes the following features and bug fixes.
New Look for the Cloud Administration Console User Interface
The Cloud Administration Console has an updated, modern look that works more efficiently, improving usability and accessibility. Changes include redesigned main menu navigation bar and Publish bar. The new console has also been updated with the new SecurID branding, colors, and logo. This example shows the updated Cloud Administration Console dashboard.
Improved Status Messages for the Identity Router
The identity router has improved status messages for update availability and starting status.
Update Availability Messages
In the Cloud Administration Console, improved status messages now clearly indicate when identity router updates are available, so that you do not have to upgrade any earlier than necessary.
Starting Status Messages
A new identity router status indicates that a registered identity router is starting. When the identity router is connected to the Cloud Administration Console, the status reads Starting until the identity router is Active.
Reminder: Update Identity Routers to Software Version 12.12.x and SLES 12 SP5
The June 2021 - Cloud Authentication Service (Identity Router) Release Notes provided important information on Identity Router Updates Available for the SUSE Linux Enterprise Server (SLES) Operating System. Be aware of the following:
-
If your identity routers have a 10 GB hard disk drive (HDD), you must replace them as soon as possible with new image downloaded from the Cloud Administration Console. Replace these identity routers no later than October 31, 2021.
-
Identity routers with 54 GB HDD will be automatically upgraded either on the default rollout date or on the forced upgrade date. You do not need to replace these identity routers.
Changes to Identity Source Synchronization
In July 2021, just-in-time synchronization was enabled for all users, eliminating the need to schedule synchronization tasks. Just-in-time synchronization is now the primary method for keeping your identity sources up-to-date. Additional changes are continuing according to the following timetable.
| Event | Date |
|---|---|
| Scheduled synchronization was disabled for all customers. If this causes any problems for your deployment, you can choose to temporarily enable it. | Week of August 9, 2021 |
|
The settings for enabling just-in-time synchronization and for scheduling synchronization will be permanently removed from the Cloud Administration Console. You will no longer have the ability to disable just-in-time synchronization or to schedule synchronization. | September 2021 |
After these changes are rolled out, you will still be able to do a bulk synchronization on-demand as needed. Work with your SecurID customer representative to resolve any issues that may occur as a result of these changes.
For more information, see Identity Sources for the Cloud Authentication Service.
How Connection Speed Affects Just-in-Time Synchronization
Just-in-time synchronization is affected by the speed of your identity source directories. Your identity routers' connections to directory servers and to the Cloud Authentication Service must be fast enough to respond within the expected window before connections time out. For users who already have records in the Cloud Authentication Service, just-in-time synchronization waits up to 5 seconds for the directory server to respond before attempting to update a user's record during authentication. After 5 seconds, cached data is used to proceed with authentication. If the Cloud Authentication Service receives a response within a few seconds after the 5-second time limit has passed, it does process that response and the updated information will be available in the Cloud Authentication Service the next time the user attempts to authenticate. Just-in-time synchronization waits up to 22 seconds for the directory server to respond before creating a user's record during authentication. If no response is received in that time, the authentication attempt fails.
Cloud Administration Console URLs Expected to Change in November 2021 Release
Beginning November 2021, the Cloud Administration Console URLs for your company will change to include your company subdomain. For example, if you currently access the Console with https://na2.access.securid.com/ and your company subdomain is example, you will access the Console with https://example.access.securid.com. The Cloud Authentication Service will be able to dynamically redirect your administrative requests to a suitable environment if a problem is detected that affects service availability.
The existing shared URLs will remain available for sign-in and administrators will receive a message in the Console reminding them to update bookmarks to use the new URLs. The shared URLs will continue to work for the foreseeable future but might not offer all capabilities or perform as well as the new company-specific URLs.
Fixed Issues
| Fixed Issue | Description |
|---|---|
| NGX-70781 |
The Cloud Authentication Service now accepts incoming SAML assertions from external identity providers that include the optional SPNameQualifier attribute of NameID element. |
| NGX-69964 |
Previously, users were being disabled during identity source synchronization if the user's DN and email address (mail attribute) changed simultaneously. This problem no longer occurs. |
| NGX-69615 | Users saw misleading messages when they reset their PINs for SecurID hardware token using My Page. This problem has been fixed. |
July 2021 - Cloud Authentication Service
The July 2021 release of the Cloud Authentication Service includes the following features.
New Cloud Administration APIs for Managing SID700 Hardware Tokens
You will be able to integrate Help Desk operations for SID700 tokens into your own provisioning or management tools. These APIs apply to hardware token records that are uploaded to the Cloud Authentication Service. The APIs perform the functions described below. For details on each API, see Using the Cloud Administration APIs.
| Function | Cloud Administration API |
|---|---|
| Retrieve details about all authenticators assigned to a user. | Cloud Administration Authenticator Details API |
| Retrieve details about a user's hardware token by providing the serial number. | Cloud Administration Retrieve Hardware Token Serial Number API |
|
Clear a user's PIN for a hardware token. | Cloud Administration Clear PIN for Hardware Token API |
|
Assign or unassign a hardware token from a user. |
Cloud Administration Assign Hardware Token API Cloud Administration Unassign Hardware Token API |
| Delete a user's hardware token by providing the serial number. | Cloud Administration Delete Hardware Token API |
|
Enable or disable a user's hardware token. |
Cloud Administration Enable Hardware Token API Cloud Administration Disable Hardware Token API |
|
Update the name of a user's hardware token. |
Cloud Administration Update Hardware Token Name API |
Note: The ability to manage SID700 hardware tokens in the Cloud Authentication Service is a limited release that is specifically targeted for Cloud-only deployments. This feature is not supported for hybrid deployments where SecurID Authentication Manager is connected to the Cloud Authentication Service. If you have a Cloud-only deployment and you want to enable native hardware token support, contact your RSA Sales representative or Channel Partner.
Identity Source Synchronization Changes Begin July 12, 2021
Significant changes to identity source synchronization are coming in future releases. Beginning in July, users are automatically be synchronized to the Cloud Authentication Service in real-time, eliminating the need to schedule synchronization tasks. These changes ensure that just-in-time synchronization will become the primary method for keeping your identity sources up-to-date. Your identity routers' connections to directory servers and to the Cloud Authentication Service must be fast enough to respond within the expected window before connections time out. The changes will occur according to the following timetable.
| Event | Date |
|---|---|
|
Just-in-time synchronization will be enabled for all customers. If this causes any problems for your deployment, you can choose to temporarily disable it. | week of July 12, 2021 |
| Scheduled synchronization will be disabled for all customers. If this causes any problems for your deployment, you can choose to temporarily enable it. | week of August 9, 2021 |
|
The settings for enabling just-in-time synchronization and for scheduling synchronization will be permanently removed from the Cloud Administration Console. You will no longer have the ability to disable just-in-time synchronization or to schedule synchronization. | September 2021 |
After these changes are rolled out, you will still be able to do a bulk synchronization on-demand as needed. Work with your SecurID customer representative to resolve any issues that may occur as a result of these changes.
Note: Just-in-time synchronization is affected by the speed of your identity source directories. Just-in-time synchronization waits up to 5 seconds to update a user's record during authentication and up to 22 seconds to create a user's record during authentication.
Cloud Administration Console URLs Expected to Change in November 2021 Release
Beginning November 2021, the Cloud Administration Console URLs for your company will change to include your company subdomain. For example, if you currently access the Console with https://na2.access.securid.com/ and your company subdomain is example, you will access the Console with https://example.access.securid.com. The Cloud Authentication Service will be able to dynamically redirect your administrative requests to a suitable environment if a problem is detected that affects service availability.
The existing shared URLs will remain available for sign-in and administrators will receive a message in the Console reminding them to update bookmarks to use the new URLs. The shared URLs will continue to work for the foreseeable future but might not offer all capabilities or perform as well as the new company-specific URLs.
In addition, make sure your calls to the Cloud Administration Console APIs use the company-specific URLs when they become available. These APIs will continue to work with the existing shared URLs for the foreseeable future, but it is recommended to update these too once the company-specific URLs are available.
Improved Security for Approve Notifications in SecurID Access Federal Edition
Approve notifications in the RSA SecurID Authenticate app are more secure for SecurID Access Federal Edition customers. Each notification includes a confirmation code to ensure that the same user initiates the authentication attempt and taps Approve on a registered device. You must prepare your users for this change.
When users attempt to access an application with Approve, a confirmation code is displayed on the application screen and on the users’ phone. If the app is already open, the code appears in the app. If the app is closed, the code appears on the Lock screen. The user must tap Approve only if both codes match. If the codes do not match, the user’s account may have been compromised. In this case, the user should not tap Approve and must notify your IT Help Desk immediately.
Fixed Issues
| Fixed Issued | Description |
|---|---|
| NGX-67039 | After registering device with the Cloud Authentication Service, the user received a confirmation message with his name misspelled. This problem has been fixed and device names now support Unicode. |
| NGX-66355 | The updated certificate and 2048 key requirements for the latest identity router version are documented in the June 2021 Release Notes for the Cloud Authentication Service. See Identity Router Updates Available for the SUSE Linux Enterprise Server (SLES) Operating System. |
| NGX-64526 | The Cloud Administration Console now displays a message if the return list or check list attributes are not present in the RADIUS dictionary file. |
July 2021 - SecurID SDK 3.0 for iOS and Android – Coming Soon
Build your own custom authenticator app using the new SecurID SDK 3.0 for iOS and Android. Offer your users a way to authenticate with convenient MFA options while seamlessly maintaining a similar look and feel across your existing applications for a better overall user experience.
Return to Release Notes Archive - Cloud Authentication Service and Authenticators.
