Released on July 27, 2017

The following is a list of hotfixes for SecureAuth IdP version 9.1.0.

Security Issue – Resolved a security issue with request parameters. This hotfix is required for SecureAuth IdP 9.1 deployments.

Security Optimization – Redirect pages optimized for security best practices. This hotfix is required for SecureAuth IdP 9.1 deployments.

OIDC / OAuth2 Workflow Session Cleanup – OIDC queries in OAuth workflows were not read correctly when a user had two browser tabs open while authenticating into a resource. Install this fix if you have:

Security Fix – Resolved an XSS security vulnerability in path resolution. CVSS Score: 5.3. This hotfix is required for all customers on SecureAuth IdP version 9.1 to ensure the security of the appliance.

WS-Fed and SAML Valid Hours Issue – When SAML Valid Hours was set to a non-integer value, it did not work for WS-Fed integrations. Install this fix if you have:

Security Fix – Implemented additional input validation to reject double curly brackets ( {{ or }} ) in form input fields, including the UserID field. CVSS Score: 2.0. This hotfix is required for all customers on SecureAuth IdP version 9.1 to ensure the security of the appliance.

Updates to Audit Logging for OIDC – Audit logging updated for OIDC workflows to provide more clarity. Install this hotfix if you have:

Transformation Engine Issue – Resolves an issue in which the Transformation Engine did not work correctly when used with WS-Federation. Install this fix if you have:

Session Timeout Length – Increased the session timeout length to accommodate specific use cases. Install this fix if you have:

SameSite Cookie attribute support – Required for compatibility with Google Chrome 80. This hotfix is required for all 9.1 appliances. Ensure that the Microsoft .NET patch is applied prior to installing this hotfix. Read https://support.secureauth.com/hc/en-us/articles/360038330652 for more information.

OTP Value Reusability – Resolves an issue where, when using the API OTP validate endpoint, the same OTP could be reused at a later time. Install this fix if you have:

Enhanced Device Recognition Logging – Device Recognition logging enhanced to make the results of the analysis clearer. Install this fix if you have:

Device Recognition NULL Values – Resolves an issue where "NULL" was returned in the Device Recognition profile as the score for a field, causing the profile to fail to match. Install this fix if you have:

API Update for Hashed PIN – Using the API to update a user's PIN no longer fails when the PIN is stored hashed. Install this fix if you have:

mS-DS-ConsistencyGUID Support for Office 365 Integration – The mS-DS-ConsistencyGUID attribute is now supported by SecureAuth IdP as the ImmutableID value for integrations with Office 365. Install this fix if you have:

Cross-Site Request Forgery Vulnerability – CSRF tokens have been added to the administrative web interface. CVSS Score: 4.7. This hotfix is required for all customers on SecureAuth IdP version 9.1 to ensure the security of the appliance.

RBAC Group List – Resolves an issue where, when a list of groups was created for a specific role type, not all groups were available to select, even after typing the full group name. Install this fix if you have:

Support for AssertionConsumerServiceIndex (SAML) – SecureAuth IdP now supports AssertionConsumerServiceIndex for SAML integrations. Install this fix if you have: For instructions about applying the hotfix for this feature, see SAML integrations using AssertionConsumerServiceIndex hotfix.

AuthCode Validity Issue – An AuthCode can be used only once in OIDC workflows for a client to obtain an access_token. Install this fix if you have:

Cross-Site Request Forgery Vulnerability – CSRF tokens have been added to the administrative web interface. CVSS Score: 6.7. This hotfix is required for all customers on SecureAuth IdP version 9.1 to ensure the security of the appliance.

Arbitrary File Upload Vulnerability – An authenticated privileged user can no longer upload arbitrary file types. CVSS Score: 8.4. This hotfix is required for all customers on SecureAuth IdP version 9.1 to ensure the security of the appliance.

Device Recognition Data Storage Issue – When storing Device Recognition Profiles (Device Fingerprints) in the SQL database in JSON format, all data is now stored correctly. Install this hotfix if you have:

New userAccountControl Values – SecureAuth IdP now has the most up-to-date userAccountControl values to ensure that certain account statuses are handled appropriately in transactions between LDAP providers and SecureAuth IdP. Install this hotfix if you have:

Third-party JavaScript Libraries Vulnerability – jQuery, Bootstrap, and AngularJS have been upgraded due to a flaw in these libraries that may result in XSS. CVSS Score: 5.2. This hotfix is required for all customers on version 9.1 to ensure the security of the appliance.

EE-1028 Create User Failure for eDirectory – The Create User page integrated with eDirectory was not functioning due to hardcoded attribute information. NOTE: This fix enables the creation of users, but certain functionalities of the page are not supported for eDirectory at this time.

Proxy Settings for OIDC Encryption Key Retrieval – Proxy settings configured in SecureAuth IdP were not applied when retrieving OIDC encryption keys.

Create User Group Designation SQL – The Create User page with SQL data store integration did not associate users to groups during creation. NOTE: This fix requires a new stored procedure provided by SecureAuth Support (see contact information below).

Novell eDirectory Lookup – During login, a user's profile was not accessed successfully and the self-service password reset was unsupported.
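The OTP Value Reusability and AuthCode Validity entries above are the same class of defect: a secret that should be consumed on first use was still accepted when presented again. The Python example below is added here for illustration and is not SecureAuth code. It shows a single-use grant store with the flawed membership-only check beside the consuming check, an expiry window, and the client_id / redirect_uri binding RFC 6749 section 4.1.3 requires when an authorization code is exchanged. Names such as SingleUseStore, issue_otp and redeem_auth_code are the example's own.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass


@dataclass
class Grant:
    kind: str          # "otp" or "authcode"
    subject: str       # user id for an OTP, client_id for an authorization code
    binding: str       # "" for an OTP, the redirect_uri for an authorization code
    expires_at: float


class SingleUseStore:
    """Issues secrets that may be redeemed exactly once before they expire."""

    def __init__(self, ttl_seconds=300, now=time.time):
        self.ttl = ttl_seconds
        self.now = now          # injectable clock so expiry can be exercised deterministically
        self._grants = {}       # sha256(secret) -> Grant

    @staticmethod
    def _key(secret):
        # Store a hash rather than the secret, so a dump of the store does not yield live codes.
        return hashlib.sha256(secret.encode()).hexdigest()

    def issue_otp(self, user_id, digits=6):
        code = f"{secrets.randbelow(10 ** digits):0{digits}d}"
        self._grants[self._key(f"otp:{user_id}:{code}")] = Grant("otp", user_id, "", self.now() + self.ttl)
        return code

    def issue_auth_code(self, client_id, redirect_uri):
        code = secrets.token_urlsafe(32)
        self._grants[self._key(f"authcode:{code}")] = Grant("authcode", client_id, redirect_uri, self.now() + self.ttl)
        return code

    def validate_otp_reusable(self, user_id, code):
        # The flawed pattern: a membership test leaves the grant in place, so the same OTP validates again later.
        g = self._grants.get(self._key(f"otp:{user_id}:{code}"))
        return g is not None and self.now() <= g.expires_at

    def redeem_otp(self, user_id, code):
        # pop() removes the grant on the first matching presentation, so a replay fails.
        # A wrong guess hashes to a different key and leaves the real grant untouched.
        g = self._grants.pop(self._key(f"otp:{user_id}:{code}"), None)
        return g is not None and self.now() <= g.expires_at

    def redeem_auth_code(self, code, client_id, redirect_uri):
        # Consume first, check second: a mismatched presentation burns the code instead of leaving it live.
        g = self._grants.pop(self._key(f"authcode:{code}"), None)
        if g is None or self.now() > g.expires_at:
            return None
        if g.subject != client_id or g.binding != redirect_uri:
            return None     # must be the client the code was issued to, with the same redirect_uri
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer", "expires_in": 3600}


def demo():
    clock = [1_000.0]
    store = SingleUseStore(ttl_seconds=300, now=lambda: clock[0])
    r = {}

    otp = store.issue_otp("alice")
    r["otp_reusable_bug"] = store.validate_otp_reusable("alice", otp) and store.validate_otp_reusable("alice", otp)
    r["otp_first_use"] = store.redeem_otp("alice", otp)
    r["otp_replay"] = store.redeem_otp("alice", otp)

    otp2 = store.issue_otp("alice")
    wrong = "000000" if otp2 != "000000" else "000001"
    r["otp_wrong_guess"] = store.redeem_otp("alice", wrong)
    r["otp_after_wrong_guess"] = store.redeem_otp("alice", otp2)

    otp3 = store.issue_otp("bob")
    clock[0] += 301                      # step past the 300 s window
    r["otp_expired"] = store.redeem_otp("bob", otp3)

    code = store.issue_auth_code("app1", "https://app.example/cb")
    token = store.redeem_auth_code(code, "app1", "https://app.example/cb")
    r["code_first_use"] = token is not None and token["token_type"] == "Bearer"
    r["code_replay"] = store.redeem_auth_code(code, "app1", "https://app.example/cb") is None

    code2 = store.issue_auth_code("app1", "https://app.example/cb")
    r["code_wrong_redirect"] = store.redeem_auth_code(code2, "app1", "https://evil.example/cb") is None
    return r
```

The store is single-process; in a clustered IdP the pop must be an atomic delete on the shared backing store. Attempt throttling is a separate control and is not shown here.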
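The SameSite hotfix above matters because Chrome 80 began treating cookies with no SameSite attribute as Lax, which withholds them from cross-site POSTs such as a SAML or WS-Fed POST binding or an OIDC form_post response, and rejects SameSite=None cookies that are not also Secure. The Python audit below is an added example, not SecureAuth code: it parses Set-Cookie values and reports which cookies would break a cross-site flow under those rules. The cookie names, the sample headers and the CROSS_SITE_COOKIES set are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Cookies the IdP must receive on a cross-site POST. Hypothetical names for this example.
CROSS_SITE_COOKIES = {"SecureAuthSession", "IdPState", "IdPOK"}

# Constructed Set-Cookie values; not captured from a real appliance.
SAMPLE_HEADERS = [
    "SecureAuthSession=abc123; Path=/; HttpOnly",
    "IdPState=xyz; Path=/; SameSite=None; HttpOnly",
    "IdPOK=ok; Path=/; SameSite=None; Secure; HttpOnly",
    "AdminCsrf=tok; Path=/secureauth/admin; SameSite=Strict; Secure; HttpOnly",
]


@dataclass
class CookieAudit:
    name: str
    samesite: Optional[str]          # "strict", "lax", "none", or None when the attribute is absent
    secure: bool
    findings: List[str] = field(default_factory=list)


def parse_set_cookie(header_value):
    """Return (name, samesite, secure) from one Set-Cookie header value."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    samesite, secure = None, False
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        key = key.strip().lower()
        if key == "samesite":
            samesite = value.strip().lower()
        elif key == "secure":
            secure = True
    return name, samesite, secure


def audit_cookie(header_value, cross_site=True):
    """cross_site=True means the cookie must be sent on a cross-site POST."""
    name, samesite, secure = parse_set_cookie(header_value)
    audit = CookieAudit(name, samesite, secure)
    if samesite == "none" and not secure:
        audit.findings.append("SameSite=None without Secure: Chrome 80+ rejects the cookie outright")
    if cross_site:
        if samesite is None:
            audit.findings.append("no SameSite attribute: Chrome 80+ treats it as Lax, so it is withheld "
                                  "from cross-site POSTs (after the short Lax+POST grace period)")
        elif samesite in ("lax", "strict"):
            audit.findings.append(f"SameSite={samesite}: never sent on a cross-site POST")
    return audit


def audit_headers(headers):
    """Map cookie name -> list of findings, judging each cookie by whether it is cross-site."""
    result = {}
    for h in headers:
        name = parse_set_cookie(h)[0]
        result[name] = audit_cookie(h, cross_site=name in CROSS_SITE_COOKIES).findings
    return result


def cross_site_set_cookie(name, value, path="/"):
    """Header value a cookie needs to survive a cross-site POST in Chrome 80+."""
    return f"{name}={value}; Path={path}; Secure; HttpOnly; SameSite=None"
```

Feed it the Set-Cookie lines from a response of the realm's login page (for example from curl -sI over HTTPS) after the hotfix and the .NET patch are installed; the .NET patch is what allows the framework to emit the None value at all, so without it the audit will keep reporting a missing attribute.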
Affected SecureAuth IdP Version(s): 9.1

Support Information: Contact SecureAuth Support (support.secureauth.com, support@secureauth.com, or 1-866-859-1526) to have the latest hotfix installed on your SecureAuth IdP v9.1.x appliance.

Version 9.1.0 New Features
Feature | Description | References
OTP in Email Subject Line | Allows users the option to read the OTP from the email subject line | https://docs.secureauth.com/x/mxGsAg
Licensing Expiration Status in Console | Displays the licensing status of the appliance in System Info | https://docs.secureauth.com/x/jBmsAg
API Handling for Stateless OTP and DFP | Stateless calls are supported for OTP and DFP |
Multiple Endpoint Support in YubiKey Pre-Auth Page | Multiple endpoint support allows handling of failover | https://docs.secureauth.com/x/lg6sAg
Extending Signing to API Responses | Inbound API responses hash and sign the API key | https://docs.secureauth.com/x/WBusAg
Adaptive Authentication + O365 | Leverages Adaptive Authentication with WS-Trust request blocking before user validation to mitigate DDoS attacks | https://docs.secureauth.com/x/0w2sAg
YubiKey as a Multi-Factor Method | Enables the option of using YubiKeys as a Multi-Factor Method | https://docs.secureauth.com/x/bQ6sAg
SecureAuth Link-to-Accept as Multi-Factor Method | Enables the option of using SecureAuth Link-to-Accept as a Multi-Factor Method | https://docs.secureauth.com/x/RwysAg
Local Account Lockout Feature Based on Bad Password Attempts | Provides a method to prevent brute-force attacks on accounts from locking out users | https://docs.secureauth.com/x/EhusAg
Admin API | An API that configures the Overview and Data settings. Workflow, Multi-Factor Methods, and Post Auth are limited. | https://docs.secureauth.com/x/JB2sAg
Device Recognition | Rework of Device Recognition to improve user experience | https://docs.secureauth.com/x/UhmsAg

9.1.0 Resolved Issues
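The "Extending Signing to API Responses" feature extends request authentication to the reply, so a caller can tell whether the verdict it received (for example "valid" from an OTP validate call) was produced by the IdP or altered in transit. The Python example below is added to illustrate that pattern and is not SecureAuth's API or its exact signature format: the header names (Authorization: HMAC, X-Request-Timestamp, X-Response-Signature), the application credentials, the endpoint path and the OTP check are all constructed for the example. It signs the request over method, timestamp, application ID, path and body, verifies it server-side with a constant-time compare and a clock-skew window, and signs the response over the status, body and the request's timestamp so a captured "valid" reply cannot be replayed against a different request.

```python
import hashlib
import hmac
import json
import time

# Hypothetical application credentials for this example; a real appliance issues its own.
APP_KEYS = {"app-1234": b"0123456789abcdef0123456789abcdef"}
MAX_SKEW = 300   # seconds of clock drift tolerated before a signed request is rejected


def _canonical_request(method, timestamp, app_id, path, body):
    # Newline-joined so fields cannot run into each other; every field the server acts on is covered.
    return "\n".join([method.upper(), timestamp, app_id, path, body])


def sign_request(app_id, app_key, method, path, body="", now=None):
    ts = str(int(time.time() if now is None else now))
    mac = hmac.new(app_key, _canonical_request(method, ts, app_id, path, body).encode(), hashlib.sha256).hexdigest()
    return {"Authorization": f"HMAC {app_id}:{mac}", "X-Request-Timestamp": ts}


def verify_request(headers, method, path, body="", now=None):
    """Return the authenticated app_id, or None for unknown apps, stale timestamps or bad MACs."""
    ts = headers.get("X-Request-Timestamp", "")
    auth = headers.get("Authorization", "")
    if not auth.startswith("HMAC ") or not ts.isdigit():
        return None
    app_id, _, presented = auth[5:].partition(":")
    key = APP_KEYS.get(app_id)
    if key is None or abs((time.time() if now is None else now) - int(ts)) > MAX_SKEW:
        return None
    expected = hmac.new(key, _canonical_request(method, ts, app_id, path, body).encode(), hashlib.sha256).hexdigest()
    return app_id if hmac.compare_digest(expected, presented) else None


def sign_response(app_key, request_ts, status, body):
    # Covering the request timestamp ties this response to the request that produced it.
    mac = hmac.new(app_key, f"{status}\n{request_ts}\n{body}".encode(), hashlib.sha256).hexdigest()
    return {"X-Response-Signature": mac}


def verify_response(app_key, request_ts, status, body, headers):
    expected = hmac.new(app_key, f"{status}\n{request_ts}\n{body}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, headers.get("X-Response-Signature", ""))


def otp_validate_endpoint(headers, method, path, body, now=None):
    """Toy server handler: authenticates the caller, then returns a signed verdict."""
    app_id = verify_request(headers, method, path, body, now)
    if app_id is None:
        return 401, json.dumps({"status": "unauthorized"}), {}
    req = json.loads(body)
    verdict = "valid" if req.get("otp") == "123456" else "invalid"   # constructed check for the demo
    resp_body = json.dumps({"status": verdict})
    return 200, resp_body, sign_response(APP_KEYS[app_id], headers["X-Request-Timestamp"], 200, resp_body)


def demo():
    app_id, key, now = "app-1234", APP_KEYS["app-1234"], 1_700_000_000
    path = "/api/v1/auth/otp/validate"                      # hypothetical path
    body = json.dumps({"user_id": "alice", "otp": "000000"})
    headers = sign_request(app_id, key, "POST", path, body, now)
    status, resp_body, resp_headers = otp_validate_endpoint(headers, "POST", path, body, now)

    r = {"request_accepted": status == 200,
         "response_authentic": verify_response(key, headers["X-Request-Timestamp"], status, resp_body, resp_headers)}
    # An in-path attacker flips the verdict; the signature no longer matches.
    forged = resp_body.replace("invalid", "valid")
    r["forged_response_rejected"] = not verify_response(key, headers["X-Request-Timestamp"], status, forged, resp_headers)
    # A tampered request body (different user) fails server-side verification.
    tampered = otp_validate_endpoint(headers, "POST", path, body.replace("alice", "bob"), now)
    r["tampered_request_rejected"] = tampered[0] == 401
    # The same signed request presented after the skew window is rejected.
    stale = otp_validate_endpoint(headers, "POST", path, body, now + MAX_SKEW + 1)
    r["stale_request_rejected"] = stale[0] == 401
    return r
```

The skew window still allows replay of an identical request inside it; a server-side cache of recently seen (app_id, timestamp, MAC) tuples closes that gap, and the single-use handling of the OTP itself is a separate layer.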
Ref ID | Issue | Description
IDP-85 | System slows when Syslog server is down | When the Syslog server is offline, access to the SecureAuth environment no longer slows
IDP-156 | Back button accesses Post Auth page after restart link is clicked | After the restart link is clicked, the user is prompted to log in again when clicking the back button
IDP-336 | Error messages not appearing when user passwords do not match in 2016 theme | An error message appears when the user's passwords do not match
IDP-416 | Error message does not appear using regular expression to validate phone in 2016 theme | An error appears when the phone field entered does not match the regular expression configuration
IDP-692 | "Show 3rd Party App Support" setting missing in Web Admin | The setting is now accessible in the Web Admin
IDP-725 | Back button brings user back to site | After logout, the back button does not allow the user to return to the site
IDP-912 | IP Threat Service result inconsistency | Results are consistent regardless of encryption
IDP-1271 | Account Management Post Auth page error handling | If a user's attribute update fails, the page displays an error message
IDP-1274 | Double click of submit button causes constraint error message | Constraint Violation error no longer shown on double click of the submit button
IDP-1370 | Certain fields not translating in non-English languages | All fields translate correctly when using other languages
IDP-1648 | Additional push notification device created on Self Service page when un/re-installing the iOS app | Only one iPhone is now listed on the Self-service page
IDP-1926 | JSON format not supported for SQL | Saving JSON to SQL is successful
IDP-1954 | Session cookie timeout displays 401 unauthorized error | The page is redirected back to the login page instead of showing the 401 unauthorized error
IDP-2308 | Error with User ID case sensitivity with the use of "Remember MFA Options" | UserID case sensitivity no longer provokes an error
IDP-2350 | IWA validations failing | Improved handling of WS-Trust and Active Requestor Client IWA requests

9.1.0 Known Issues
Ref ID | Issue | Description
IDP-1186 | Max Invalid Password Attempts does not work with SQL provider | The Max Invalid Password Attempts setting in the Data tab is not acknowledged by the SQL provider
IDP-1557 | User is not notified when device registration fails | When a user attempts to register a device that exceeds the maximum device count, they are not notified
IDP-1662 | Error upon letting the portal page sit for a set length of time on SSO realm | User is unable to proceed after the idle timeout length is reached
IDP-1881 | "Passwordreset_enternewpassword" value overwritten after hitting "Unlock" button | The custom value for "Passwordreset_enternewpassword" reverts to default if the Unlock button is showing and is clicked on the Password Reset realm
IDP-1935 | Password expiration setting is active even if inline password change is disabled | Users see "password has expired" despite having valid and active passwords
IDP-2084 | Images not loading due to HTML containing template markups | Safari has trouble loading images due to HTML template markups
IDP-2166 | Default web UI configurations for Cookie Persistence do not match web.config | The default template in web.config and the Admin Console show different configurations
IDP-2231 | Test Connection under Data tab fails with error | Test Connection under the Data tab fails despite realms being fully functional after upgrade
IDP-2241 | Password encrypting bad behavior | When setting the password for a datastore connection, it is not saved but no error is shown
IDP-2242 | Error message when ProfileProvider is set to "Same as Above" | An error message appears when ProfileProvider is set to "Same as Above" in OpenLDAP
IDP-2403 | CSVImport not able to edit groups | CSVImport does not add users to groups even when GroupList is present in the CSV
IDP-2413 | Assertion signing certificate downloads wrong certificate in Post Auth tab | The wrong certificate is downloaded when the user attempts to download the SAML signing certificate from the Post Auth tab
IDP-2440 | Password decrypting issues cause service account lockout | Certificate permissions are missing due to access issues
IDP-2496 | False API response when SMTP relay does not send email | When the SMTP relay does not send an email, the log reflects that the email delivery failed despite the API responding with success

9.1.0 Hotfixes
Release No. | Release Date | Ref ID | Issue
9.1.0-59 | 07-Jul-2021 | EE-1814 | SAML OneTimeUse Condition Support – Added support for the SAML OneTimeUse condition.
 | | EE-1844 |
 | | EE-2110 |
9.1.0-58 | 24-Jul-2020 | EE-1778 |
 | | EE-1815 |
 | | EE-1830 |
9.1.0-57 | 29-Jun-2020 | EE-1644 |
9.1.0-56 | 12-Jun-2020 | EE-1690 |
 | | EE-1781 |
9.1.0-55 | 28-Feb-2020 | EE-1511 |
 | | EE-1519 |
 | | EE-1558 |
9.1.0-54 | 12-Dec-2019 | EE-1429 |
 | | EE-1469 |
 | | EE-1499 |
 | | EE-1512 |
9.1.0-53 | 15-Oct-2019 | EE-1342 |
 | | EE-1336 |
 | | EE-1363 |
9.1.0-52 | 13-Aug-2019 | EE-1272 |
 | | EE-1312 | NOTE: This fix applies ONLY to the Web Admin application.
 | | EE-1315 | NOTE: This vulnerability applies to the Web Admin application ONLY.
9.1.0-51 | 25-Jul-2019 | EE-1287 |
9.1.0-50 | 26-Jun-2019 | EE-1220 |
9.1.0-49 | 03-Jun-2019 | EE-1199 |
9.1.0-48 | 10-May-2019 | EE-1179 | Inline Password Reset Issue – Using the 2016 Light Theme, the Inline Password Reset pages now work as expected for all use cases.
9.1.0-47 | 14-Mar-2019 | EE-1131 | Device Fingerprint Space Issue – The Device Fingerprint cookie name now parses correctly if a space is present in the generated cookie name.
 | | EE-1069 | Logging Updates – Updates to SecureAuth IdP logs to ensure security.
 | | EE-1120 | URL Encoding Updates – Updates to URL encoding to ensure security.
9.1.0-46 | 30-Nov-2018 | EE-930 | Log Database Collection – SecureAuth IdP no longer stops creating log entries when the record count grows very large (2,147,483,647+).
 | | EE-986 | Google ID Social Login – Resolved an issue in which Google API changes caused SecureAuth IdP's social login feature for Google Apps to stop working.
 | | EE-991 | Begin Site Redirect Encoding – The begin site redirect no longer double-encodes the request query, which had been breaking the realm and halting the workflow.
9.1.0-45 | 06-Sep-2018 | EE-906 | eDirectory Group Issue – An error no longer occurs when attempting to add a user to a group in eDirectory via the Create User function.
 | | EE-123 | Timeout Message Display – When users are logged out of Secure Portal based on timeout, the notification now displays the timeout message configured on the realm.
9.1.0-44 | 27-Jul-2018 | EE-847 | OIDC Subject Claim Issue – The introspection endpoint was failing when the access token subject claim contained a client ID.
9.1.0-42 | 21-May-2018 | EE-786 | OIDC EndSession Redirect – Redirect and session end were not occurring because the 'post_logout_redirect_uri' parameter required the presence of the 'id_token_hint' parameter. Redirect now functions with 'client_id' only and does not require 'id_token_hint'.
9.1.0-41 | 07-May-2018 | EE-746 |
 | | EE-749 |
 | | EE-718 |
9.1.0-40 | 26-Apr-2018 | EE-731 |
 | | EE-642 | Mobile QR Code Enrollment – When device limitation was enforced, false errors occurred during QR code enrollment.
 | | EE-703 | SA Cloud Timeout and Fail Open – Due to extended timeouts and no fail-open functionality, users were unable to log in when SA Cloud services were down.
 | | EE-446 | Errant Calls to Invalid URLs – Calls made for IP Evaluation were hitting the wrong endpoint URLs.
 | | EE-629 | Bad IPv6 Handling – During Adaptive Authentication analysis, IPv6 calls created issues with the evaluation.
9.1.0-39 or earlier | Various | EE-559 | JWT Missing Claim – In the OAuth 2.0 Client Credentials flow, the 'sub' (subject) claim was missing from the JWT.
 | | EE-586 | Encryption Functionality – Encryption functionality was static because the feature was disabled.
 | | EE-533 | OTPValidateThrottle PUT Call – The OTPValidateThrottle PUT call was resetting the count for both values (Select and Validate counts).
 | | EE-514 |
 | | EE-521 | Self-service PIN Update – The Update button needed two clicks to save new PIN information.
 | | EE-470 | RADIUS Server Timeouts – RADIUS Server requests were timing out under high load.
 | | EE-482 | Slow Response – When connected to a Syslog Server, too many UDP clients created a massive slowdown.
 | | EE-417 | Tivoli Directory Device Recognition – Device / Browser Profiles were not accurately saved to Tivoli user profiles.
 | | EE-483 | Link-to-Accept with Proxy – Link-to-Accept did not properly go through the configured proxy settings (both SMS and email).
 | | EE-480 | Device Recognition on IE10 – The PixelRatio property analyzed for fingerprinting was unsupported in IE10 and therefore returned a null response and an invalid browser profile.
 | | EE-464 | YubiKey Validation Call Failure – API calls to validate the YubiKey login failed due to character limitations in the string.
 | | EE-376 | Account Management Error – Updating the OATH Seed on the Account Management page created an error due to split directory integrations for membership and profile.
 | | EE-429 | SMTP Timeout Errors – When using the Authentication API to request OTP emails, the user experienced SMTP timeout errors.
 | | EE-366 | HID Token Read Failure – The login process was unable to read the OATH Seed from an HID token for MFA, and SecureAuth IdP was unable to read the OATH Seed from an HID token for post-authentication.
 | | EE-337 | 2016 Light Theme Login Page – When pasting a password (from a password manager, for example), the Submit button did not change color and the mouse cursor showed the 'no entry' icon. Clicking the button worked, but visually it appeared as though it would not.
 | | EE-329 | Verbiage Customizations – When a user's browser was not set to English and the preferred language was not selected in the SecureAuth IdP configuration, the browser defaulted to English, but without the verbiage customizations made in the Web Admin.
 | | EE-345 | Invalid Username not Updating – With the workflow type set to Username & Password, when the user entered an invalid username and then corrected it, the username was still considered invalid and the page reverted the text to the original invalid entry.
 | | EE-328 | OTPValidate Throttle not Counting – Instead of a unique counter for OTPValidate, the MultiFactorIntervalThrottle counter was used.
 | | EE-320 | Login for Windows UI – Various UI defects were resolved in Login for Windows.
 | | EE-303 | Username Overflow – On the Account Management page, the username overflowed into the next text box.
 | | EE-295 | OIDC Redirect URI with Localhost – For OIDC integrations, the Redirect URI did not support localhost.
 | | EE-248 | NumberProfile API Server Error – Requests to the phone number analysis endpoint with an invalid number (e.g. 123456789) generated a server error response.
 | | EE-265 | Password Requirements for Create User Page – Password requirements configured in the Web Admin were not applied to the Create User page.
 | | EE-263 | Unwanted Verbiage on Page – A flag on a page displayed unwanted verbiage on client-side pages.
 | | EE-203 | Duplicate Knowledge Based Questions – Users were able to select the same KBQ multiple times, thus having only one question to answer for Multi-Factor Authentication.
 | | EE-255 | No Automatic Redirect – Users were not automatically redirected from SecureAuth IdP with an OIDC token to the relying application.
 | | EE-212 | Invalid User Error – LDAP users attempting to log in continually received an "Invalid User" error.
 | | EE-202 | OATH Token Invalidation – After upgrading to version 9.1, existing OATH Tokens were no longer valid and required re-provisioning.
 | | IDP-1721 | Login for Windows Configuration – Configuration settings for the new Login for Windows product were not available in the Web Admin.
 | | EE-183 | FIPS Compliance – SecureAuth IdP updates were made for FIPS Compliance requirements.
 | | IDP-2554 | Admin API HMAC Authentication – It was possible to remove HMAC authentication from the Admin API.
 | | EE-119 |
 | | EE-175 | Authentication API Throttling – The Multi-Factor Throttling count doubled based on selection and validation of the OTP, rendering the configuration inaccurate.
 | | IDP-2524 | Web.config URL Update – Values for some URLs were incorrect in the web.config.
 | | IDP-2486 | Compilation Error – The SISU code file contained a compilation error.
 | | IDP-2516 | ChangePassword Error – The username was missing a domain slash for Change Password via the API.
 | | IDP-2497 | Link-to-Accept UI Update – The color of the button was incorrect.
 | | IDP-2512 | Authentication API OATH Token Failure – The OATH Token was not working as a viable Multi-Factor Authentication option via the Authentication API.