SecurID® Release Notes - Cloud Authentication Service and Authenticators

These release notes include product updates and bug fixes.

For additional information, see:

  • SecurID Product Release Notes, a portal to all release notes for the Cloud Authentication Service, RSA Authentication Manager, authentication agents, and token authenticators.

  • RSA Link, to access all SecurID product documentation.

April 2022 - Cloud Authentication Service

SecurID 700 Hardware Tokens Available for All Customers

After a successful pilot with a limited set of customers, management of SecurID 700 Tokens in the Cloud Authentication Services is now available by default for all customers.

Cloud Migration for SecurID 700 Hardware Tokens – Coming Soon!

Using RSA Authentication Manager 8.7, SecurID 700 Hardware Tokens managed in Authentication Manager can be easily migrated to the Cloud Authentication Service. Administrators can decide which tokens to migrate and which tokens to retain within Authentication Manager, based on multiple factors.

For the migrated tokens:

  • Administrators can then manage them using the Cloud Administration Console without impacting their on-premises infrastructure.

  • Authentication Manager 8.7 will still be able to manage authentication if the cloud authentication service is unreachable.

New and Updated Third-Party Integrations from RSA Ready

The following integrations were recently completed or certified by SecurID through the RSA Ready Technology Partner Program. For Implementation Guides, see SecurID Integrations on the SecurID Community.

  • Archer (update, Cloud Authentication Service) – ESG and Integrated Risk Management, updated support for authentication method types SAML via Cloud SSO and Relying Party.

  • SecurID G&L (update, Cloud Authentication Service) – Identity Governance and Administration, updated support for authentication method types SAML via Cloud SSO and Relying Party.

  • IBM MFA for z/OS (update, Authentication Manager) – alternate authentication mechanisms for z/OS networks, added support for REST API.

End Of Support – Reminder

We would like to remind all Technology Partners with an integration that used SecurID Authentication API for C and Java (v8.7 or earlier to build UDP/TCP clients) to move to SecurID Authentication (REST) API v1.x to connect to Authentication Manager. The Documentation and a YAML file (logon required) are available on SecurID Community. The integrations that were built using SecurID Authentication API for C and Java (8.7 or earlier) will be reaching their end of support soon. We request all the technology partners to start supporting integrations with REST API to avoid disruption of services.

Contact SecurID Partner Engineering for questions and integration support, rsapesupport@securid.com.

Fixed Issues

Fixed Issue Description
NGX-85886 A customer was unable to change the SAML NameID value. The issue was that change in the NameID identifier type was not getting retained even after saving and publishing the updates. This issue has been fixed now.
NGX-86023 Customers reported an authentication outage after tenants were moved to the March Cloud release. The issue is fixed now.

March 2022 - Cloud Authentication Service

SecurID Authenticator 5.0 for macOS is Available!

SecurID Authenticator 5.0 for macOS is a new app that supports both SecurID Software Token and cloud-based multifactor authentication to manage all your authentication needs. Be it on-prem, cloud, or hybrid infrastructure, you will now have one single app to manage effectively.

The app is distributed through platform-specific public Apple's App Store and a SecurID Link for a side-loading, customers can download the app package from the link.

Please see the SecurID Authenticator 5.0 for macOS Release Notes and Advisories for additional information about the contents of this release.

New and Updated Third-Party Integrations from RSA Ready

The following integrations were recently completed or certified by SecurID through the RSA Ready Technology Partner Program. For Implementation Guides, see SecurID Integrations on the SecurID Community.

  • Cisco ASA (update, Authentication Manager, and Cloud Authentication Service) – updated support for authentication method types SAML and Radius.

  • PingFederate (update, Authentication Manager, and Cloud Authentication Service) – updated support for authentication method types SecurID Authentication API and SAML.

  • Prove (update, Authentication Manager) – update to configuration for SMS Gateway provider Prove; originally listed as Authentify.

  • Stormshield (new, Authentication Manager and Cloud Authentication Service) – new support for SSL VPN provider via authentication method types Radius and SAML.

End Of Support – Reminder

We would like to remind all Technology Partners with an integration that used SecurID Authentication API for C and Java (v8.7 or earlier to build UDP/TCP clients) to move to SecurID Authentication (REST) API v1.x to connect to Authentication Manager. The Documentation and a YAML file (logon required) are available on SecurID Community. The integrations that were built using SecurID Authentication API for C and Java (8.7 or earlier) will be reaching their end of support soon. We request all the technology partners to start supporting integrations with REST API to avoid disruption of services.

Contact SecurID Partner Engineering for questions and integration support, rsapesupport@securid.com.

Fixed Issues

Fixed Issue Description
NGX-85005 The customer was unable to publish changes and the page was loading for a long time. This problem has been fixed.
NGX-85007 The customer was unable to edit or sync identity sources in the Production Environment. This problem has been fixed.

February 2022 - Cloud Authentication Service

SecurID Authenticator 5.0 for macOS is Coming!

SecurID Authenticator 5.0 for macOS is a new app that supports both SecurID Software Token and cloud-based multifactor authentication to manage all your authentication needs. Be it on-prem, cloud or hybrid infrastructure, you will now have one single app to manage effectively. By adding support for cloud MFA for macOS users, the new authenticator helps move your authentication to the cloud with continued support for software tokens. Existing software token users can easily move to the SecurID Authenticator 5.0 by simply re-importing their tokens. Migration of software tokens from the RSA Software Token 4.2.3 desktop is not currently supported.

New and Updated Third-Party Integrations from RSA Ready

The following integrations were recently completed by RSA or certified by RSA through the RSA Ready Technology Partner Program. For Implementation Guides, see SecurID Integrations on the SecurID Community.

  • Fortanix Data Security Manager (DSM) SaaS (new, Cloud Authentication Service) – provides integrated data security with encryption, multi-cloud key management, tokenization, and other capabilities from one platform, delivered-as-a-service. Now supports SecurID MFA via SAML including SSO and Relying Party.

  • Microsoft Azure AD (new, Cloud Authentication Service) – can be used as a 3rd party IDP for MFA access to SecurID Cloud Admin Console via SAML.

  • VMware Cloud Director (new, Cloud Authentication Service) – a leading cloud service-delivery platform used by cloud providers to operate & manage successful cloud-service businesses. Now supports SecurID MFA via SAML including SSO and Relying Party.

  • VMware vSphere (new, Authentication Manager) – VMware’s cloud computing virtualization platform. Supports 2FA with Authentication Manager via SecurID Authentication API for C and Java.

We would like to remind all Technology Partners with an integration that used SecurID Authentication API for C and Java, by the end of 2022, to plan to support Authentication Manager – and the Cloud Authentication Service – using the SecurID Authentication API v1.x. Documentation and a YAML file (logon required) are available on SecurID Community. Contact SecurID Partner Engineering for questions and technical support, rsapesupport@securid.com.

Fixed Issues

Fixed Issue Description
NGX-81437

Improved the performance of the Policies page. A customer had reported that the page could take several minutes to load a large number of access policies when an assurance level was empty.

January 2022 - Cloud Authentication Service

Cloud Administration Console URLs Are Changing in January 2022

The Cloud Administration Console URLs for your company are changing to include your company subdomain. For example, if you previously accessed the Console with https://na2.access.securid.com/and your company subdomain is example, you will now access the Console with https://example.access.securid.com. The Cloud Authentication Service can dynamically redirect your administrative requests to a suitable environment if a problem is detected that affects service availability.

The shared URLs in use prior to January 2022 are available for sign-in and administrators will receive a message in the Console reminding them to update bookmarks to use the new URLs. The shared URLs will continue to be supported for at least a year but might not offer all capabilities or perform as well as the new company-specific URLs.

To find the region and service where your Cloud Authentication Service is deployed, sign into the Cloud Administration Console and find the blue hyperlink next to Hello <administrator's name> near the top left of the Dashboard page. You need to know the region and service when checking the Cloud Authentication Service status page, uptime page, and notifications for maintenance and service incidents.

Action Required if You Have a Third-Party Identity Provider Protecting Access to the Cloud Administration Console

If your deployment configured a third-party identity provider (IdP) to protect access to the Cloud Administration Console, the shared console URLs are saved as the SAML Sign-In URL and the Assertion Consumer Service URL. SecurID recommends that you update these URLs to point to the new company-specific URLs for best performance. To view the company-specific URLs, open the Cloud Administration Console and click My Account > Company Settings > Sessions & Authentication tab. The new URLs are automatically provided in the SAML Sign-In URL and Assertion Consumer Service URL fields. Copy these URLs to your IdP configuration.

Whitelisting URLs Accessed by the Identity Router

The repository URLs accessed by the identity router will change to become company-specific. Therefore, make sure any whitelisting you have in place reflects these new URLs. For best practices, we recommend that you whitelist *.securid.com and *.securidgov.com instead.

New and Updated Third-Party Integrations from RSA Ready

The following integrations were recently completed by RSA or certified by RSA through the RSA Ready Technology Partner Program. For Implementation Guides, see SecurID Integrations.

  • Firehydrant.io (new, Cloud Authentication Service) – incident management platform supports SecurID MFA via SAML including SSO and Relying Party.

  • goCanvas (new, Cloud Authentication Service) - provides mobile apps and forms for data collection and sharing. Supports SSO or relying party.

  • Juniper Networks JunOS vSRX (new, Authentication Manager) – virtual NGFW supports SecurID authentication via Radius with Authentication Manager.

  • McAfee MVISION (new, Cloud Authentication Service) - protects data and stops threats in the Cloud across SaaS, PaaS, and IaaS from a single, cloud-native enforcement point. Supports SSO.

  • Microsoft Office 365 (update, Cloud Authentication Service) – updated CAS support for MFA into Microsoft 365 including SSO and Relying Party.

  • Microsoft Sharepoint 2019 (new, Cloud Authentication Service) – SSO Agent for SecurID authentication via SAML.

  • Specops uReset (new, Authentication Manager/Cloud Authentication Service) – self-service password reset supports SecurID authentication via REST API.

  • SUSE Rancher (new, Cloud Authentication Service) – unifies Kubernetes clusters to ensure consistent operations, workload management, and enterprise grade security. Supports SSO or relying party.

We would like to remind Technology Partners about the SecurID Authentication API, a REST-based programming interface that allows you to develop clients that process multifactor, multistep authentications through RSA Authentication Manager and the Cloud Authentication Service.

The SecurID Authentication API was released in 2019 and is one of the supported methods to integrate your client applications with the Cloud Authentication Service, in addition to SAML2 and RADIUS. It replaces SecurID Authentication API 8.7 for C and Java to communicate with Authentication Manager. As of June 2021, version 8.7 is now End of Primary Support Level 2, which means there are no hot fixes available and only best effort support is provided.

To remain RSA Ready, all Technology Partners should plan to support the Cloud Authentication Service in your applications by the end of 2022. If you use version 8.7 or older, you may update to the SecurID Authentication API. Documentation and a YAML file (Logon required) are available on RSA Link. Contact SecurID Partner Engineering for questions and technical support, rsapesupport@securid.com.

Removed the Ability to Request a Cloud Authentication Service Account Through the RSA Authentication Manager Security Console

SecurID no longer supports requesting a Cloud Authentication Service account through the Security Console. If you try to request an account, your patch level determines the error message that you receive.

You can continue to use your existing Cloud Authentication Service accounts. If you need a new Cloud Authentication Service account, call SecurID Sales at 1 800 995 5095.

SecurID 4.0 App is Available!

SecurID 4.0 app for iOS and Android adds cloud-based multifactor authentication to the software token functionality already present in the SecurID 3.0 app. Users have one convenient authenticator to safely sign into their company accounts. This enhancement helps your company move authentication to the cloud and effectively manage a hybrid deployment. See Announcing the Release of SecurID 4.0 app for iOS and Android.

Fixed Issues

Fixed Issue Description
NGX-75573 Documentation was updated to include hostnames and IP addresses (primary and failover), and the identity router download URL for the SecurID Federal region.
NGX-74407 The date encoding issue that occurred when using the Administration Rest API Client command line tool has been resolved in version 2.7.2 of the Cloud Administration SDK.
NGX-72907

A customer was unable to use the Cloud Administration Console to share the Amazon Machine Image (AMI) with multiple Amazon account IDs. This problem has been fixed.

October 2021 - Cloud Authentication Service

Automatic Unlock for Tokencodes

End users no longer have to call their IT Help Desk to unlock their tokencodes. You can configure the Cloud Authentication Service to automatically unlock tokencodes after a specified period of time has elapsed. Each tokencode is locked and unlocked separately. For more information, see Configure Tokencodes.

Multiple SecurID 700 Tokens per User

You can assign to each user up to five active SecurID 700 hardware tokens that are managed in the Cloud Administration Console. Users can register and activate their tokens on My Page. With this feature, the Cloud Authentication Service is closer to providing the same capabilities as Authentication Manager. For more information, see SecurID Hardware Tokens.

Identity Router Update Schedule and Versions

This release includes miscellaneous identity router improvements. Identity routers will be updated according to the following schedule.

Date Description

EU: 11/11/2021

ANZ, US, Gov: 11/16/2021

Updated identity router software is available to all customers.
1/08/2022 Default date when identity routers are scheduled to automatically update to the new version unless you modify the update schedule or update manually.
1/29/22 If you postponed the default date, this is the last day when updates can be performed.

Note: Downloading the new identity router image when you deploy new identity routers ensures that you benefit from the latest security improvements.

The new identity router software versions are:

Identity Router
Deployment Type

Version
On-premises 12.13.0.0
Amazon Cloud RSA_Identity_Router 12.13.0.0

Fixed Issues

Fixed Issue Description
NGX-74406 A customer reported that the hardware token authentications failed on Azure Active Directory. This problem has been fixed.
NGX-74375 Identity router went down after a software update. This problem has been fixed.
NGX-73521 A customer observed the identity router status changed to Distressed status. This problem has been fixed.
NGX-72070 Identity router memory usage is no longer going high.
NGX-71933 A customer reported that the sign-in through Integrated Windows Authentication (IWA) failed when a domain controller was down. This problem has been fixed.
NGX-71773 IWA authentication no longer fails for the Application Portal sign-in.
NGX-70822 A customer reported that the Identity Router showed unhealthy Cloud Authentication Service connections for both the primary and backup IP of the Cloud Authentication Service. This problem has been fixed.
NGX-68830 A customer observed few vulnerabilities being reported after running penetration testing on the SSO portal. This problem has been fixed.
NGX-68042 Cloud Authentication Service and identity router no longer requires anonymous bind to connect and search rootDSE (root of the directory data tree on a directory server). LDAP synchronization will no longer fail in a customer environment that blocks anonymous bind to rootDSE.
NGX-67189 In the Cloud Administration Console, a customer was unable to successfully publish the generated wildcard certificate to the identity router. This problem has been fixed.

September 2021 - Cloud Authentication Service

Required Identity Router Updates Must be Completed by October 31, 2021

To strengthen overall security, SecurID has rolled out significant improvements that harden identity routers to meet Security Technical Implementation Guide (STIG) standards. You must update your identity router software version to 12.12.x and the operating system from SLES 11 SP4 to SLES 12 SP5. To view identity router version and operating system information, see View Identity Router Status in the Cloud Administration Console.

Replace These Identity Routers by October 31, 2021

If your identity routers meet both of the following criteria, you must replace them by October 31, 2021 using the replace procedure described in the Identity Router 12.12.x Migration Guide:

  • 10 GB disk space or the identity router is embedded in Authentication Manager

  • SLES 11 operating system

  • Identity router version 12.12 or earlier

No additional updates are available for these identity routers.

Identity Routers Already Updated

If your identity routers meet all three of the following criteria, automatic updates or in-place upgrade should already have occurred on the default rollout date.

  • 54 GB disk space or the identity router embedded in Authentication Manager

  • SLES 11 or 12 operating system

  • Identity router version prior to 12.12

You do not need to replace these identity routers. For more information, see Update Identity Router Software.

Note: To view notification for identity routers that are not eligible for in-place upgrade, click Platform > Identity Routers in the Cloud Administration Console.

Before an in-place upgrade occurs, we recommend that you take a snapshot for VMware and Hyper-V identity routers and take a storage volume snapshot for AWS identity routers. These snapshots can be discarded after a successful upgrade. The in-place upgrade procedure updates your identity router software version to 12.12.x and the operating system from SLES 11 SP4 to SLES 12 SP5.

After the in-place upgrade is complete, verify the identity router operating system in the Cloud Administration Console. Click Platform > Identity Routers, then click the arrow next to the identity router name. If the operating system is not SLES 12 SP5, contact Customer Support.

Note: An in-place upgrade takes longer than the standard identity router software update. It may take more than an hour for a single identity router update and more than two hours for a cluster of three identity routers.

Additional Information for Identity Routers with SLES 12

The following information applies to identity routers with the SLES 12 operating system:

  • Any certificate and keys you upload to the Cloud Administration Console for SSO SAML applications, SecurID Application Portal (domain certificate), identity source, identity provider and so on must each have a minimum key length of 2048 bits.

  • Signature algorithms RSA\SHA1 (rsa-sha1) and DSA\SHA1 (dsa-sha1) are no longer supported for signing SAML assertions for SAML applications in the SecurID Application Portal. The following algorithms are supported.

    Supported Algorithm
    Signature Algorithm

    rsa-sha256

    rsa-sha384

    rsa-sha512

    dsa-sha256

    Digest Algorithm

    sha1

    sha256

    sha384

    sha512

Unify Your Authenticators, Your Way - SecurID SDK 3.1 for iOS and Android

Build a custom authenticator app for your SecurID, MFA and now Transaction Signing needs, with the new SecurID SDK 3.1 for iOS and Android. Make it easy for your users to access any authenticator conveniently within the same familiar app for a better overall user experience. For more information, see this advisory and SecurID SDK Documentation.

Authenticators Unite – SecurID App 4.0 is Coming!

The SecurID app for iOS and Android will soon add MFA functions from the SecurID Authenticate app to the existing SecurID Token capabilities. This merger simplifies the management complexities of your hybrid deployment and minimizes user disruption as you move to the cloud with the same authenticator app.

SecurID Authenticate app users can easily replace their existing app with the SecurID app using QR Codes from a self-service portal like My Page and experience improved usability and greater accessibility enjoyed by millions of SecurID app users today. To learn more, see this advisory.

Just-in-Time Synchronization Always On for Immediate User On-Boarding and Updates

SecurID’s just-in-time synchronization instantaneously allows new users to authenticate with SecurID and prevents disabled users from doing so. In this release, just-in-time synchronization replaces scheduled synchronization to prevent artificial delays from scheduled synchronization intervals. Scheduled bulk synchronization has been removed and just-in-time synchronization is always active. You can still manually synchronize identity sources on-demand. Automatic removal of users from SecurID that were deleted in a user identity store is coming in a future release. For more information, see Synchronizing Identity Sources with the LDAP Directory Server.

On-board, off-board and update on-demand!

Fixed Issues

Fixed Issue Description
NGX-72108 Users were prevented from using My Page to activate their cloud-managed hardware tokens if permission to use Authenticate Tokencode, Device Biomtrics, and Approve was not enabled for the company. This problem has been fixed.
NGX-70788 The documentation has been updated to clarify why some users receive an 8-digit emergency tokencode while others receive a 12-digit emergency tokencode. For more information, see Emergency Tokencode.
NGX-71761 A customer was unable to publish due to system constraints. This problem has been fixed.

August 2021 - Cloud Authentication Service

The August release of the Cloud Authentication Service includes the following features and bug fixes.

New Look for the Cloud Administration Console User Interface

The Cloud Administration Console has an updated, modern look that works more efficiently, improving usability and accessibility. Changes include redesigned main menu navigation bar and Publish bar. The new console has also been updated with the new SecurID branding, colors, and logo. This example shows the updated Cloud Administration Console dashboard.

securid_ngx_g_dashboard_newui.png

Improved Status Messages for the Identity Router

The identity router has improved status messages for update availability and starting status.

Update Availability Messages

In the Cloud Administration Console, improved status messages now clearly indicate when identity router updates are available, so that you do not have to upgrade any earlier than necessary.

securid_ngx_g_idr_update_available_message.png

Starting Status Messages

A new identity router status indicates that a registered identity router is starting. When the identity router is connected to the Cloud Administration Console, the status reads Starting until the identity router is Active.

securid_ngx_g_idr_starting_status_message.png

Reminder: Update Identity Routers to Software Version 12.12.x and SLES 12 SP5

The June 2021 - Cloud Authentication Service (Identity Router) Release Notes provided important information on Identity Router Updates Available for the SUSE Linux Enterprise Server (SLES) Operating System. Be aware of the following:

  • If your identity routers have a 10 GB hard disk drive (HDD), you must replace them as soon as possible with new image downloaded from the Cloud Administration Console. Replace these identity routers no later than October 31, 2021.

  • Identity routers with 54 GB HDD will be automatically upgraded either on the default rollout date or on the forced upgrade date. You do not need to replace these identity routers.

Changes to Identity Source Synchronization

In July 2021, just-in-time synchronization was enabled for all users, eliminating the need to schedule synchronization tasks. Just-in-time synchronization is now the primary method for keeping your identity sources up-to-date. Additional changes are continuing according to the following timetable.

Event Date
Scheduled synchronization was disabled for all customers. If this causes any problems for your deployment, you can choose to temporarily enable it. Week of August 9, 2021

The settings for enabling just-in-time synchronization and for scheduling synchronization will be permanently removed from the Cloud Administration Console. You will no longer have the ability to disable just-in-time synchronization or to schedule synchronization.

September 2021

After these changes are rolled out, you will still be able to do a bulk synchronization on-demand as needed. Work with your SecurID customer representative to resolve any issues that may occur as a result of these changes.

For more information, see Identity Sources for the Cloud Authentication Service.

How Connection Speed Affects Just-in-Time Synchronization

Just-in-time synchronization is affected by the speed of your identity source directories. Your identity routers' connections to directory servers and to the Cloud Authentication Service must be fast enough to respond within the expected window before connections time out. For users who already have records in the Cloud Authentication Service, just-in-time synchronization waits up to 5 seconds for the directory server to respond before attempting to update a user's record during authentication. After 5 seconds, cached data is used to proceed with authentication. If the Cloud Authentication Service receives a response within a few seconds after the 5-second time limit has passed, it does process that response and the updated information will be available in the Cloud Authentication Service the next time the user attempts to authenticate. Just-in-time synchronization waits up to 22 seconds for the directory server to respond before creating a user's record during authentication. If no response is received in that time, the authentication attempt fails.

Cloud Administration Console URLs Expected to Change in November 2021 Release

Beginning November 2021, the Cloud Administration Console URLs for your company will change to include your company subdomain. For example, if you currently access the Console with https://na2.access.securid.com/ and your company subdomain is example, you will access the Console with https://example.access.securid.com. The Cloud Authentication Service will be able to dynamically redirect your administrative requests to a suitable environment if a problem is detected that affects service availability.

The existing shared URLs will remain available for sign-in and administrators will receive a message in the Console reminding them to update bookmarks to use the new URLs. The shared URLs will continue to work for the foreseeable future but might not offer all capabilities or perform as well as the new company-specific URLs.

Fixed Issues

Fixed Issue Description
NGX-70781

The Cloud Authentication Service now accepts incoming SAML assertions from external identity providers that include the optional SPNameQualifier attribute of NameID element.

NGX-69964

Previously, users were being disabled during identity source synchronization if the user's DN and email address (mail attribute) changed simultaneously. This problem no longer occurs.

NGX-69615 Users saw misleading messages when they reset their PINs for SecurID hardware token using My Page. This problem has been fixed.

July 2021 - Cloud Authentication Service

The July 2021 release of the Cloud Authentication Service includes the following features.

New Cloud Administration APIs for Managing SID700 Hardware Tokens

You will be able to integrate Help Desk operations for SID700 tokens into your own provisioning or management tools. These APIs apply to hardware token records that are uploaded to the Cloud Authentication Service. The APIs perform the functions described below. For details on each API, see Using the Cloud Administration APIs.

Function Cloud Administration API
Retrieve details about all authenticators assigned to a user. Cloud Administration Authenticator User Details API
Retrieve details about a user's hardware token by providing the serial number. Cloud Administration Retrieve Hardware Token Serial Number API

Clear a user's PIN for a hardware token.

Cloud Administration Clear PIN for Hardware Token API

Assign or unassign a hardware token from a user.

Cloud Administration Assign Hardware Token API

Cloud Administration Unassign Hardware Token API

Delete a user's hardware token by providing the serial number. Cloud Administration Delete Hardware Token API

Enable or disable a user's hardware token.

Cloud Administration Enable Hardware Token API

Cloud Administration Disable Hardware Token API

Update the name of a user's hardware token.

Cloud Administration Update Hardware Token Name API

Note: The ability to manage SID700 hardware tokens in the Cloud Authentication Service is a limited release that is specifically targeted for Cloud-only deployments. This feature is not supported for hybrid deployments where SecurID Authentication Manager is connected to the Cloud Authentication Service. If you have a Cloud-only deployment and you want to enable native hardware token support, contact your RSA Sales representative or Channel Partner.

Identity Source Synchronization Changes Begin July 12, 2021

Significant changes to identity source synchronization are coming in future releases. Beginning in July, users are automatically be synchronized to the Cloud Authentication Service in real-time, eliminating the need to schedule synchronization tasks. These changes ensure that just-in-time synchronization will become the primary method for keeping your identity sources up-to-date. Your identity routers' connections to directory servers and to the Cloud Authentication Service must be fast enough to respond within the expected window before connections time out. The changes will occur according to the following timetable.

Event Date

Just-in-time synchronization will be enabled for all customers. If this causes any problems for your deployment, you can choose to temporarily disable it.

week of July 12, 2021
Scheduled synchronization will be disabled for all customers. If this causes any problems for your deployment, you can choose to temporarily enable it. week of August 9, 2021

The settings for enabling just-in-time synchronization and for scheduling synchronization will be permanently removed from the Cloud Administration Console. You will no longer have the ability to disable just-in-time synchronization or to schedule synchronization.

September 2021

After these changes are rolled out, you will still be able to do a bulk synchronization on-demand as needed. Work with your SecurID customer representative to resolve any issues that may occur as a result of these changes.

Note: Just-in-time synchronization is affected by the speed of your identity source directories. Just-in-time synchronization waits up to 5 seconds to update a user's record during authentication and up to 22 seconds to create a user's record during authentication.

Cloud Administration Console URLs Expected to Change in November 2021 Release

Beginning November 2021, the Cloud Administration Console URLs for your company will change to include your company subdomain. For example, if you currently access the Console with https://na2.access.securid.com/ and your company subdomain is example, you will access the Console with https://example.access.securid.com. The Cloud Authentication Service will be able to dynamically redirect your administrative requests to a suitable environment if a problem is detected that affects service availability.

The existing shared URLs will remain available for sign-in and administrators will receive a message in the Console reminding them to update bookmarks to use the new URLs. The shared URLs will continue to work for the foreseeable future but might not offer all capabilities or perform as well as the new company-specific URLs.

In addition, make sure your calls to the Cloud Administration Console APIs use the company-specific URLs when they become available. These APIs will continue to work with the existing shared URLs for the foreseeable future, but it is recommended to update these too once the company-specific URLs are available.

Improved Security for Approve Notifications in SecurID Federal Edition

Approve notifications in the SecurID Authenticate app are more secure for SecurID Federal Edition customers. Each notification includes a confirmation code to ensure that the same user initiates the authentication attempt and taps Approve on a registered device. You must prepare your users for this change.

When users attempt to access an application with Approve, a confirmation code is displayed on the application screen and on the users’ phone. If the app is already open, the code appears in the app. If the app is closed, the code appears on the Lock screen. The user must tap Approve only if both codes match. If the codes do not match, the user’s account may have been compromised. In this case, the user should not tap Approve and must notify your IT Help Desk immediately.

Fixed Issues

Fixed Issued Description
NGX-67039 After registering device with the Cloud Authentication Service, the user received a confirmation message with his name misspelled. This problem has been fixed and device names now support Unicode.
NGX-66355 The updated certificate and 2048 key requirements for the latest identity router version are documented in the June 2021 Release Notes for the Cloud Authentication Service. See Identity Router Updates Available for the SUSE Linux Enterprise Server (SLES) Operating System.
NGX-64526 The Cloud Administration Console now displays a message if the return list or check list attributes are not present in the RADIUS dictionary file.

July 2021 - SecurID SDK 3.0 for iOS and Android – Coming Soon

Build your own custom authenticator app using the new SecurID SDK 3.0 for iOS and Android. Offer your users a way to authenticate with convenient MFA options while seamlessly maintaining a similar look and feel across your existing applications for a better overall user experience.

June 2021 - Cloud Authentication Service (Identity Router)

Prepare for Unification – the New SecurID App is Coming!

The new SecurID 3.0 app to be release in June 2021 is the first step towards making it easier than ever for iOS and Android users to access their multifactor authentication methods in one place. The version 3.0 app will provide SecurID Software Token, with the ability to manage multiple software tokens, generate tokencodes, and view token information in an all-new card-style interface for improved usability. The version 4.0 app, expected within a few months, will include Authenticate Tokencode, Device Biometrics, and Approve (push notifications). Encourage your users update their Authenticate apps to version 3.9 to ensure a seamless transition to the 4.0 app.

Cloud Authentication Service Provides Native Support for SID700 Hardware Tokens

The Cloud Authentication Service now supports SID700 hardware tokens, unleashing the potential of the cloud platform to meet your specific regulatory, security, and business requirements. The total cost of ownership is significantly reduced because users can self-register, activate, and manage their own tokens in My Page.

Note: This is a limited release that is specifically targeted for Cloud-only deployments. This feature is not supported for hybrid deployments where RSA Authentication Manager is connected to the Cloud Authentication Service. If you have a Cloud-only deployment and you want to enable hardware token, contact your RSA Sales representative or Channel Partner.

This is the front of the SID700 hardware token:

securid_ngx_g_sid_hardware_token_700_front.png

During authentication, the Cloud Authentication Service validates the tokencode and PIN. These tokens can be viewed and managed from the Cloud Administration Console. You do not need to deploy an RSA Authentication Manager server.

For more information see SecurID Hardware Token.

Note: Hardware tokens can be used for offline authentication on desktops that have macOS Agent Version 1.3 or Windows Agent Version 2.1.1 Patch.

Identity Router Update Schedule and Versions

This release includes miscellaneous identity router improvements. Identity routers will be updated according to the following schedule.

Date Description

EU: 7/1/2021

ANZ, US: 7/6/2021

Updated identity router software is available to all customers.

7/24/2021

Default date when identity routers are scheduled to automatically update to the new version unless you modify the update schedule or update manually.
8/14/2021 If you postponed the default date, this is the last day when updates can be performed.

Note: Downloading the new identity router image when you deploy new identity routers ensures that you benefit from the latest security improvements.

The new identity router software versions are:

Deployment Type Version
On-premises 2.12.0.0
Amazon Cloud

RSA_Identity_Router 2.12.0.0

Note: The schedule to update the identity router software described above is independent of the process for upgrading the operating system described below. You can update the software without upgrading the operating system.

Identity Router Updates Available for the SUSE Linux Enterprise Server (SLES) Operating System

To strengthen the overall security of SecurID, in June 2021 RSA is rolling out significant improvements that harden identity routers to meet Security Technical Implementation Guide (STIG) standards. You must update your identity router software version to 12.12.x and the operating system from SLES 11 SP4 to SLES 12 SP5.

Select the appropriate update option based on the current software and operating system version of your identity router. To check your software and operating system version, in the Cloud Administration Console, click Platform > Identity Routers, then click the arrow next to the identity router name.

securid_ngx_g_idr_details_for_release_notes.png

Select the appropriate update option for your environment.

Note: To find the version number for an identity router, sign in to the Cloud Administration Console. Click Platform > Identity Routers, then click the arrow next to the identity router name.

If your identity router has Follow this update path
  • 54 GB disk space or the identity router embedded in Authentication Manager

  • Operating System: SLES 12

  • Software Version: 12.11

RSA recommends that you allow the update to occur automatically on the default rollout date. You do not need to replace these identity routers. For more information, see Update Identity Router Software.

  • 54 GB disk space

  • Operating System: SLES 11

  • Software Version: prior to 12.12

In-place upgrade follows the standard identity router software update procedure that happens automatically on a default schedule. For more information, see Update Identity Router Software.

RSA recommends that you take a VM snapshot for VMware identity routers and take a storage volume snapshot for AWS identity routers before performing an in-place upgrade. In-place upgrade procedure updates your identity router software version to 12.12.x and the operating system from SLES 11 SP4 to SLES 12 SP5.

After the in-place upgrade is complete, verify the identity router operating system in the Cloud Administration Console. Click Platform > Identity Routers, then click the arrow next to the identity router name. If the operating system is not SLES 12 SP5, contact Customer Support.

You do not need to replace these identity routers.

Note: In-place upgrade takes longer than the standard identity router software update. It may takes more than an hour for a single identity router update and more than two hours for a three identity router cluster.

  • 10 GB disk space or the identity router embedded in Authentication Manager

  • Operating System: SLES 11

  • Software Version: prior to 12.12

These identity routers are not eligible for in-place upgrade. Perform the streamlined swap and replace procedure described in the Identity Router 12.12.x Migration Guide.

You must replace these identity routers as soon as possible with new image downloaded from the Cloud Administration Console. Replace these identity routers no later than October 31, 2021.

Note: To view notification for identity routers that are not eligible for in-place upgrade, click Platform > Identity Routers in the Cloud Administration Console.

The following information applies to identity routers with the SLES 12 operating system:

  • Any certificate and keys you upload to the Cloud Administration Console for SSO SAML applications, SecurID Application Portal (domain certificate), identity source, identity provider and so on must each have a minimum key length of 2048 bits.

  • Signature algorithms RSA\SHA1 (rsa-sha1) and DSA\SHA1 (dsa-sha1) are no longer supported for signing SAML assertions for SAML applications in the SecurID Application Portal. The following algorithms are supported.

    Supported Algorithm
    Signature Algorithm

    rsa-sha256

    rsa-sha384

    rsa-sha512

    dsa-sha256

    Digest Algorithm

    sha1

    sha256

    sha384

    sha512

Identity Source Synchronization Changes Beginning July 2021

Significant changes to identity source synchronization are coming in future releases. Beginning in July, users will automatically be synchronized to the Cloud Authentication Service in real-time, eliminating the need to schedule synchronization tasks. These changes ensure that just-in-time synchronization will become the primary method for keeping your identity sources up-to-date. Your identity routers' connections to directory servers and to the Cloud Authentication Service must be fast enough to respond within the expected window before connections time out. The changes will occur according to the following timetable.

Event Date

Just-in-time synchronization will be enabled for all customers. If this causes any problems for your deployment, you can choose to temporarily disable it.

week of July 12, 2021
Scheduled synchronization will be disabled for all customers. If this causes any problems for your deployment, you can choose to temporarily enable it. week of August 9, 2021

The settings for enabling just-in-time synchronization and for scheduling synchronization will be permanently removed from the Cloud Administration Console. You will no longer have the ability to disable just-in-time synchronization or to schedule synchronization.

September 2021

After these changes are rolled out, you will still be able to do a bulk synchronization on-demand as needed. Work with your SecurID customer representative to resolve any issues that may occur as a result of these changes.

Note: Just-in-time synchronization is affected by the speed of your identity source directories. Just-in-time synchronization waits up to 5 seconds to update a user's record during authentication and up to 22 seconds to create a user's record during authentication.

Cloud Administration Console URLs Expected to Change in November 2021 Release

Beginning November 2021, the Cloud Administration Console URLs for your company will change to include your company subdomain. For example, if you currently access the Console with https://na2.access.securid.com/ and your company subdomain is example.com, you will access the Console with https://example.access.securid.com. The Cloud Authentication Service will be able to dynamically redirect your administrative requests to a suitable environment if a problem is detected that affects service availability.

The existing shared URLs will remain available for sign-in but administrators will be redirected to the new URL and will receive a message in the Console reminding them to update bookmarks to use the new URLs. The shared URLs will continue to work for the foreseeable future but might not offer all capabilities or perform as well as the new company-specific URLs.

RSA Now Enforces TLS 1.2 for all Cloud Authentication Service Connections

RSA now requires all identity routers to use Transport Layer Security (TLS) 1.2 or greater encryption for all communication. If you have not yet updated your identity router connections to TLS 1.2, you must do so immediately to ensure uninterrupted connectivity. Make sure that everything that accesses the Cloud Authentication Service supports TLS 1.2. This includes all of your applications, identity sources, identity providers, agents, browsers, mobile apps, API connections, and networking equipment such as HTTPS proxies.

Fixed Issues

Issue Description
NGX-64133

The Cloud Administration Console now truncates leading and trailing spaces in URLs configured for SAML applications and HTTP Federation applications.

NGX-63547

A customer experienced the following situation. Applications were configured in the application portal using SAML, and a third-party identity provider (IdP) was configured as an SSO Agent IdP. When users tried to access a SAML application using an SP-initiated workflow and third-party IdP to authenticate to the portal, the users were sent to the portal instead of to the application they were trying to access. This problem has been fixed.

NGX-62497

A customer was unable to successfully integrate an application with the application portal using SAML and an SP-initiated connection if the RelayState parameter in the SAML request contained unescaped characters. The problem has been fixed.

NGX-60617

A customer's identity router failed to update and stopped processing authentications when the software update service connection was broken before the update. This problem has been fixed.

NGX-53737

You can now ensure that users are able to access high-risk SAML applications in the SSO Portal only after successfully completing additional authentication. Make sure the ForceAuthn attribute is "true" in the SAML request. The user will be prompted for additional authentication even though a user session already exists and additional authentication was already completed at the same assurance level or higher.

June 2021 – SecurID Authenticate 3.9 App for iOS and Android

Prepare for unification! A future release of the new SecurID app will combine both Software Token and MFA functions into a single, easy to use SecurID app with improved usability and greater accessibility. This version 3.9 update contains functionality that ensures a seamless switchover to the unified app. Encourage your users to upgrade so they will be ready to easily transition to the future SecurID 4.0 (unified) app coming soon.

May 2021 - Cloud Authentication Service

Fixed Issue

Issue Description
NGX-62567

A customer was unable to publish changes to the Cloud Authentication Service due to validation errors for attribute extensions. This problem has been fixed.

Known Issue

Issue Description
NGX-59855

Identity routers on the SLES 12 SP5 operating system do not function properly when an incompatible private key is uploaded to the Cloud Administration Console. See Knowledge Base article 00003969 for details and workaround.

For release notes prior to May 2021, see Release Notes Archive - Cloud Authentication Service and Authenticators.