SecureAuth documentation for Identity Platform release 24.04

Release Updates

Product updates to SecureAuth® Identity Platform release 24.04.

For a complete list of fixes and known issues, see Enhancements and fixes, and Known issues.

Release date: July 18, 2024

Enhancements

User Account page

We've redesigned and renamed the Self-Service Account Update page to User Account. It's now part of the New Experience, where you can attach a modern theme and customize field visibility.

To learn more, see User Account page configuration.

Available only in hybrid deployments. Coming soon for cloud deployments.

Microsoft Conditional Access

Support for external authentication methods (EAM) in Conditional Access with Microsoft Entra ID.

To learn more, see Microsoft Conditional Access External Authentication Method (EAM) integration guide.

Localization support

Localization support for French-Canadian language.

Theming configuration

Global theming configuration SSO Portal Themes is now Modern Themes, allowing theme creation for more Identity Management (IdM) pages with modern layouts.

Session timeout improvements

For pages with the Modern Theme (SSO Portal and User Account), users now receive a session expired warning. They can choose to wait, or the system will automatically restart the login process, ensuring a smoother experience.

Profile field visibility

On the User Account page, profile fields set as "Visible (read-only)" will not display if the field is empty. This improves the user experience by reducing clutter and focusing on relevant information.

New SAML attributes

We have expanded the list of available SAML attributes in Advanced Settings to include Browser Session ID, Client IP Address, and Authentication Method. These new attributes are also available in the Open ID Connect ID Token Claims configuration for a profile property mapping.

In the upcoming release update, these additional SAML attributes will be available for SAML integrations in the New Experience.

Run Windows SSO warning

Added a warning that an authentication policy can only have one "Run Windows SSO" conditional rule.

New branding

We've updated the platform with our new branding while keeping the familiar layout. Enjoy a fresh and modern look.

Fixes

24.4.2.10 - October 31, 2024
  • Resolved an issue with Custom Controls in Conditional Access.

  • Resolved an issue with external authentication methods (EAM) in Conditional Access.

24.4.2 - July 18, 2024
  • Fixed a SAML metadata file export issue.

  • Fixed an issue with the users API endpoint to modify user accounts with a Microsoft Entra ID data store.

  • Fixed a known issue in 24.4.1 where updating data store information in cloud deployments with SecureAuth IWA Service for Windows SSO wiped out the IWA service account password.

  • Fixed issues where editing an existing Split Profile data store caused an error, and creating a new Split Profile data store prevented data store selection.

  • Fixed issues with migrating realms from the Classic Experience to the New Experience, where the migration did not retain the selected data stores.

Release date: June 4, 2024

Enhancements

Audit log update

Includes a new Event ID for the SecureAuth LOA score and Confidence Level for each user.

See the Audit log section in the SecureAuth Level of Assurance (LOA) Provider settings topic.

New conditional rule

In the authentication policy, we've added a new conditional rule, Continue to next rule. Use this rule when the Risk Engine is in its learning phase.

See step 3 in Add LOA rule in authentication policy.

Authentication apps global MFA

New setting, Prevent re-use of TOTP, that rejects a previously generated TOTP so it cannot be replayed after its first successful use.

FIDO2 WebAuthn global MFA

New setting to Validate device registration with FIDO Alliance that enhances security.

Fixes

  • Resolved an issue where users had to manually clear cookies due to excessive growth from hitting multiple realms.

  • Updated the installer to streamline updates to SecureAuth Identity Platform.

  • Fixed an issue where saving email settings in the admin UI would clear out SMTP relay information, causing customers to stop receiving emails.

  • Fixed an issue where the Adaptive rule "Run Windows SSO" incorrectly prompted for MFA despite settings to skip MFA.

  • Resolved security issue where the IWA service account password was exposed in the data store list payload in the New Experience.

Known issue

  • In cloud deployments with SecureAuth IWA Service enabled for Windows SSO, updating any data store information might wipe out the IWA service account password.

    Workaround: Re-enter the IWA service account password.

    Note

    This issue is resolved in the 24.4.2 release.

Release date: April 3, 2024

See also the list of hotfixes from previous releases that were rolled into this release, and the list of known issues.

Enhancements

Add external identity provider (IdP) in policy

New setting in the authentication policy allows you to delegate SAML-based authentication to an external identity provider, like Arculix.

To learn more, see SecureAuth IdP and Arculix integration (IdP Chaining) and SecureAuth IdP and Arculix integration (IdP Factoring).

Aux ID for cloud storage

The data store properties have a new setting, Use Cloud Storage. Instead of storing the value in your data store, you can store it in an Aux ID in the cloud profile database.

To learn more, see How to set up Aux ID for cloud storage.

Dashboard enhancements

We've improved the look and feel of the Identity Platform dashboard. Some updates include:

  • Data organization: The dashboard now categorizes data into the following four tabs to optimize analysis:

    • Login Data – Explore data related to logins by system, applications, or users.

    • User Profile Data – Explore cloud profile data associated with each user name.

    • Authentication Types – Explore data on enrolled mobile and authenticator devices, and view push notifications blocked by users.

    • Deployment Data – View product versions for services deployed with your Identity Platform tenant.

  • Quicker data refresh: Dashboard data now refreshes every 3 hours for quicker visibility to key metrics such as user logins.

To learn more, see Dashboard insights.

Password Policy updates

Some password policy updates include:

  • Password Policy change. Previously, the password policy was linked to the application in the Application Manager. Password policies are now linked in the authentication policy, on the Login Workflow tab. The password policy is no longer restricted to the Password Reset page at the application level: you can now set a password policy for all applications attached to the authentication policy, including Account Management pages and SAML applications.

  • Real-time password rules. Users can now see the password rules in real-time when they change their password in the application.

  • Inline password change. This setting is now available in the New Experience for authentication policies, on the Login Workflow tab. It allows users to change their password inline without leaving the page.

To learn more about setting up password rules, see How to configure and display password rules for users.

SAML Logout

Provides seamless termination of user sessions in the Identity Platform (IdP) when users log out of a service provider (SP).

To learn more, see How to configure SAML Logout.

Single Logout (SLO)

Provides seamless termination of connected SPs within the corporate SSO ecosystem when the user logs out of an SP.

To learn more, see How to configure Single Logout (SLO).

SecureAuth Risk Engine updates

We've integrated a machine-learning-based Assurance Provider to analyze users' login patterns. It generates a Level of Assurance (LOA) confidence score for each user. The LOA score helps decide whether to increase or decrease user friction at the time of login.

To learn more about configuring and using LOA, see SecureAuth Level of Assurance (LOA) Provider settings.

Send FIDO2 confirmation email

Send a confirmation email to the user when they enroll or remove a FIDO2 authenticator in their profile.

To learn more about configuring this setting, see How to send a confirmation email about a FIDO2 device.

Send password change notification

Send a notification to the mobile app to let the user know about a password change.

To learn more about configuring this setting, see How to send a notification about a password change.

SSO Portal page improvements

Customize the look and feel of your organization's SSO Portal. You can edit the default portal theme, or create custom themes, and set how application tiles appear. Apply your theme when you configure an SSO Portal page in the Internal Application Manager.

For more information, see Modern Themes and SSO Portal configuration.

Windows SSO as an adaptive rule

Windows SSO as an MFA method has moved to the Authentication Rules tab in the authentication policy. You can use Run Windows SSO as a condition in an authentication rule for Country, IP Range, or Threat Service.

Other improvements and fixes

Copy data store

We've added the ability to copy a data store. This makes it easier to clone a data store and change attributes for other applications.

Deprecate Create New From Template

In the Advanced Settings (formerly Classic Experience), we've deprecated the Create New From Template feature.

Extend realm limit

The realm limit has been extended beyond 999.

FIDO2 device card view

New admin setting to set how users will view their devices on the FIDO2 Enrollment page. Admins can choose the card view or table view for their users.

FIDO2 device restriction options

More options to restrict how many FIDO2 devices a user can enroll. Available settings are No limit, or 1 through 10.

Microsoft Conditional Access Custom Controls

Added out-of-the-box integration between Microsoft Conditional Access and the Identity Platform.

Mobile services updates

We've added some configurations that relate to mobile services features.

  • Override company display name – In the application configurations, you can override the default company name that is set in the Multi-Factor Methods > Authentication Apps settings. This setting is in the Application Manager and Internal Application Manager.

  • Enable blocking of push notifications – New admin setting allowing users to block unknown login requests. This setting is in the Multi-Factor Methods > Authenticate Apps configuration.

    To learn more, see How to block and unblock login requests in Authenticate.

  • Prevent third-party app scan of QR code – You can prevent users from using third-party apps to scan the QR code on the QR enrollment page. This setting is in the Internal Application Manager for QR enrollment page configuration.

  • Only allow enrollment from MDM devices – You can restrict QR and URL enrollment to mobile device management (MDM) devices. This setting is in the Internal Application Manager for QR or URL enrollment page configuration.

New OTP Validation field for Login for Endpoints

We've added a new OTP Validation field in the data store properties. For end user authentication in Login for Endpoints, you will need to map to this field instead of an Aux ID.

SAML post-auth message

During a SAML post-auth login workflow, a message asks users to wait while the login completes. To customize this message, see How to modify SAML post-auth message.

SecureAuth Connector Installer UI updates

When generating the Connector configuration files, we added the ability to confirm or change the email address where you receive the passcode.

Split profiles

In the New Experience, we've improved the ability for applications to pull Membership information and Profile information from different data stores.

Theme

Changed the default theme to SA IdP on the Overview tab in the Advanced Settings. This is the theme for the pre-authentication login page that displays MFA options.