Summary
SecureAuth Hotfixes typically come after a release to resolve known issues without requiring customers to wait for or to upgrade to the next release.
SecureAuth IdP v9.1 - v9.3 Hotfixes
9.3.0 Hotfixes
The following is a list of hotfixes for SecureAuth IdP version 9.3.0.
Release No. | Release Date | Ref ID | Issue |
---|---|---|---|
9.3.0-24 | 29-Oct-2021 | EE-2345 | Web Admin UI Issue – Addressed issue with the Test Connection button on the Data tab. |
9.3.0-24 | 29-Oct-2021 | EE-2438 | JSON Web Token Support – Added support for iat (issued at) attribute. |
9.3.0-23 | 30-Aug-2021 | EE-2253 | WebServices Timeout Issue – Added logic to optimize timeout values for profile lookups. |
9.3.0-23 | 30-Aug-2021 | EE-2265 | This is an update to the following issue reported under EE-1967 in hotfix 9.3.0-22. Data Store Connection Issue – Addressed an issue causing intermittent problems in the Identity Platform when the connected data store is slow or unreliable. |
9.3.0-22 | 03-Jun-2021 | EE-1748 | Maximum Device Count – Resolved an issue where, when users reached the maximum limit of registered devices, no warnings were displayed. |
9.3.0-22 | 03-Jun-2021 | EE-1967 | Data Store Connection Issue – Addressed an issue causing intermittent problems in the Identity Platform when the connected data store is slow or unreliable. |
9.3.0-22 | 03-Jun-2021 | EE-2059 | Web Service Realm Issue – Resolved an issue that caused a disabled WebService realm to continue to function if the username and password existed. Install this hotfix if you have: |
9.3.0-22 | 03-Jun-2021 | EE-2060 | Security Optimization – OIDC authorization with PKCE optimized for security best practices. This hotfix is required for 9.3 deployments. |
9.3.0-22 | 03-Jun-2021 | EE-2110 | Security Optimization – Redirect pages optimized for security best practices. This hotfix is required for 9.3 deployments. |
9.3.0-21 | 26-Feb-2021 | EE-1810 | OIDC Claim Format Issue – The email_verified claim should be sent as a boolean value. Install this hotfix if you have: |
9.3.0-21 | 26-Feb-2021 | EE-1854 | Web Admin Optimization – Removal of unused code and subfolder from the SecureAuth Identity Platform Web Admin project folder. |
9.3.0-21 | 26-Feb-2021 | EE-1864 | WS-Federation Update – In realms that use WS-Federation, this update requires allow-listing of URLs for the If a There is also a new optional setting to support allow-listing of more than one URL by using a comma-delimited list. Install this hotfix if you have: |
9.3.0-21 | 26-Feb-2021 | EE-1897 | Performance Enhancements – Update exception handling to improve system performance during login and enrollment workflows. |
9.3.0-21 | 26-Feb-2021 | EE-2051 | Self-Service Account Update Theme Issue – There were some missing labels on the AccountUpdate.aspx page using 2016 or 2019 Themes. Install this hotfix if you have: |
9.3.0-21 | 26-Feb-2021 | EE-2060 | Security Optimization – OIDC authorization with PKCE optimized for security best practices. This hotfix is required for all 9.3 deployments. |
9.3.0-21 | 26-Feb-2021 | EE-1960 | Hotfix Installer Update – Hotfix installer updates the cloud certificate URL to use https. |
9.3.0-21 | 26-Feb-2021 | EE-2046 | Hotfix Installer Update – Hotfix installer uninstalls Metricbeat. |
9.3.0-20 | 08-Jan-2021 | EE-1804 | Submit Form Post Issue Update – Update to a previous hotfix for this issue. The Submit Form Post realm incorrectly removes password data following certain special characters. Install this fix if you have: |
9.3.0-20 | 08-Jan-2021 | EE-1826 | Transformation Engine Support for OIDC/OAuth2 Workflows – Transformation Engine now supports OIDC / OAuth2 workflows. Install this fix if you have: |
9.3.0-20 | 08-Jan-2021 | EE-1844 | Security Issue – Resolved security issue with request parameters. This hotfix is required for all customers on SecureAuth IdP version 9.3 to ensure the security of the appliance. |
9.3.0-20 | 08-Jan-2021 | EE-2204 | SAML Request Signature Validation Certificate Issue – In certain SAML workflows, signature validation was not successful. Install this fix if you have: After this hotfix is installed, signing certificate expiration dates are enforced. To override this setting and allow expired certificates, set the following application setting in the web.config: `<add key="BlockSAMLRequestCertExpiration" value="False" />` |
9.3.0-19 | 08-Oct-2020 | EE-1381 | Data Store Connection Issue – Resolves intermittent data store connection issues to an Application realm created in the New Experience UI. Install this hotfix if you have: |
9.3.0-19 | 08-Oct-2020 | EE-1778 | OIDC / OAuth2 Workflow Session Issue – OIDC queries in OAuth workflows are now read correctly when a user has two browser tabs open when authenticating into a resource. Install this fix if you have: |
9.3.0-19 | 08-Oct-2020 | EE-1804 | Submit Form Post Issue – The Submit Form Post realm no longer removes password data following certain special characters. Install this fix if you have: |
9.3.0-19 | 08-Oct-2020 | EE-1815 | Security Fix – Resolved XSS security vulnerability in path resolution. This hotfix is required for all customers on SecureAuth IdP version 9.3 to ensure the security of the appliance. |
9.3.0-19 | 08-Oct-2020 | EE-1819 | Database Logging Issue – Resolves issue in which database logs experiencing a table lock stopped writing new log entries. Install this hotfix if you have: |
9.3.0-19 | 08-Oct-2020 | EE-1843 | Token Issue – Resolves token caching issues impacting logins for admin realms in the New Experience UI. Install this hotfix if you have: |
9.3.0-19 | 08-Oct-2020 | EE-1860 | Performance Optimizations – Realms created in the Classic UI are now optimized to reduce latency. Install this hotfix if you have: |
9.3.0-19 | 08-Oct-2020 | EE-1861 | Security Optimization – Sanitize sensitive data in Debug Logs. This hotfix is required for all customers on SecureAuth IdP version 9.3 to ensure the security of the appliance. |
9.3.0-18 | 17-Jun-2020 | EE-1762 | Adaptive Authentication Licensing – The Adaptive Authentication settings were not displaying the correct license information. Install this hotfix if you have: |
9.3.0-17 | 05-Jun-2020 | EE-1644 | Security Fix – Implemented additional input validation to prevent double curly brackets ( {{ or }} ) in form input fields, including the UserID field. This hotfix is required for all customers on SecureAuth IdP version 9.3 to ensure the security of the appliance. |
9.3.0-17 | 05-Jun-2020 | EE-1680 | Debug Log Cleanup – Debug logs required changes. This hotfix is required for all 9.3 appliances. |
9.3.0-17 | 05-Jun-2020 | EE-1745 | Chrome 404 Error on Manage Accounts Page – Chrome browser would give a 404 error to users on the Manage Accounts (help desk) page if the page timed out and the user logs back in, whereas other browsers would redirect them back to the page after authentication. Install this hotfix if you have: |
9.3.0-16 | 04-Feb-2020 | EE-1426 | Content and Localization Spacing Issue – Resolves an issue in which leading spaces in customizations display as expected until content and localization is edited at a later point, at which point the spacing is removed. Install this hotfix if you have: |
9.3.0-16 | 04-Feb-2020 | EE-1432 | SAML Request Signature Validation – In certain SAML workflows, signature validation was not successful. Install this hotfix if you have: |
9.3.0-16 | 04-Feb-2020 | EE-1519 | SameSite Cookie attribute support – Required for compatibility with Google Chrome 80. This hotfix is required for all 9.3 appliances. Ensure that the Microsoft .NET patch is applied prior to installing this hotfix. Read https://support.secureauth.com/hc/en-us/articles/360038330652 for more information. |
9.3.0-16 | 04-Feb-2020 | EE-1530 | Help Desk Page Input Requirements – Resolves issue on the Help Desk client-side page, where some fields were acting as required to update the user profile even though they were configured to be “Show Disabled”. Install this hotfix if you have: |
9.3.0-16 | 04-Feb-2020 | EE-1540 | OIDC Workflow Wipes KBAs – After authenticating in an OIDC workflow with consent storage, users’ knowledge-based answers are no longer deleted from their profile. Install this hotfix if you have: |
9.3.0-16 | 04-Feb-2020 | EE-1564 | Inline Password Reset Issue – Resolves issue with using the 2016 Light Theme, where the Inline Password Reset function was not working as expected for all use cases. Install this hotfix if you have: |
9.3.0-16 | 04-Feb-2020 | EE-1576 | Inline Password Reset Forced Updates – Resolves issue in which users were being forced to update their password even though their password had not yet expired. Install this hotfix if you have: |
9.3.0-15 | 20-Dec-2019 | EE-1373 | IP Evaluation Update – The IP Eval service now uses the appropriate IP address for WS-Trust requests when using a load balancer. Install this hotfix if you have: |
9.3.0-15 | 20-Dec-2019 | EE-1388 | API Password Reset – IdM API password reset did not always work if the user account was locked. Install this hotfix if you have: |
9.3.0-15 | 20-Dec-2019 | EE-1391 | Updates to Secure Storage – Updates made to Secure Storage to avoid corruption. This hotfix is required for all 9.3.0 appliances. |
9.3.0-14 | 09-Dec-2019 | EE-1217 | Updates to Audit Logging for OIDC – Audit Logging updated for OIDC workflows to provide more clarity. Install this hotfix if you have: |
9.3.0-14 | 09-Dec-2019 | EE-1422 | Adaptive Auth API Response Updates – Resolved issue when using the Authentication API for adaptive authentication calls; not all actions were available to enable the desired workflow. Install this hotfix if you have: |
9.3.0-14 | 09-Dec-2019 | EE-1434 | Yubikey Enrollment with Proxy – Resolved issue in which Yubikey enrollments were not honoring the proxy settings configured in the realm, which led to user verification failures. Install this hotfix if you have: |
9.3.0-14 | 09-Dec-2019 | EE-1442 | Help Desk Verification Unmasking – When typing in the help desk verification answer on the Self-service Account Update page, there is now an option to “unmask” the answer, as there is with knowledge-based answers. Install this hotfix if you have: |
9.3.0-14 | 09-Dec-2019 | EE-1455 | Enhancements to User Risk Logging – Enhancements were made to logging for user risk information gathered during adaptive authentication, to provide more clarity. Install this hotfix if you have: |
9.3.0-14 | 09-Dec-2019 | EE-1475 | Web.config Updates for SISU – Web.config updates required for SISU to work properly. Install this hotfix if you have: |
9.3.0-13 | 29-Oct-2019 | EE-1355 | Last Access Time Issue – For device enrollments (Authenticate app), issue is resolved in which an enrollment was not replaced when the end user reached the maximum number of enrollments allowed. Install this hotfix if you have: |
9.3.0-13 | 29-Oct-2019 | EE-1363 | Support for AssertionConsumerServiceIndex (SAML) – SecureAuth IdP now supports AssertionConsumerServiceIndex for SAML integrations. Install this hotfix if you have: For instructions about applying the hotfix for this feature, see SAML integrations using AssertionConsumerServiceIndex hotfix. |
9.3.0-11 | 11-Sep-2019 | EE-1206 | TRX Performance Issue – When there is latency reaching the SecureAuth TRX cloud endpoint, it no longer causes application latency, which would impact user login performance. This hotfix is required for all 9.3 appliances. |
9.3.0-11 | 11-Sep-2019 | EE-1357 | mS-DS-ConsistencyGUID Support for Office 365 Integration – The mS-DS-ConsistencyGUID attribute is now supported by SecureAuth IdP to be used as the ImmutableID value for integrations with Office 365. Install this hotfix if you have: |
9.3.0-11 | 11-Sep-2019 | EE-1365 | Enhance Device Recognition Logging – Device Recognition logging was enhanced to make the results of the analysis clearer. Install this hotfix if you have: |
9.3.0-11 | 11-Sep-2019 | EE-1367 | Geo-velocity Cloud Communications Error – When comparing previous and current IP addresses, some logins were generating an “unavailable” result. Install this hotfix if you have: |
9.3.0-10 | 06-Sep-2019 | EE-1354 | Symbol-to-Accept API Support – The Symbol-to-Accept MFA method is now supported in the Authentication API. Install this hotfix if you have: |
9.3.0-9 | 13-Aug-2019 | EE-1305 | QR Code Enrollment False Error – The hotfix resolves an issue where the QR Code App Enrollment page was inaccurately displaying an error (“Invalid Code. Please try again.”), despite successful enrollment. This was caused by double-clicking before the page finished loading. Install this hotfix if you have: |
9.3.0-9 | 13-Aug-2019 | EE-1315 | Arbitrary File Upload Vulnerability – An authenticated privileged user can no longer upload arbitrary file types. NOTE: This vulnerability applies ONLY to the Web Admin application. This hotfix is required for all customers on SecureAuth IdP version 9.3 to ensure the security of the appliance. |
9.3.0-9 | 13-Aug-2019 | EE-1326 | Authentication API Updates for User Risk – When using the Authentication API for adaptive authentication, the User Risk feature is now effectively accessed during analysis. Install this hotfix if you have: |
9.3.0-9 | 13-Aug-2019 | EE-1329 | OATH Token JSON Encryption Issue – Data is now correctly read when JSON encryption is selected as the OATH Token Data Format method. Install this hotfix if you have: |
9.3.0-8 | 26-Jul-2019 | EE-1282 | Password Throttling Count Issue – The saved count for Password Throttling now effectively clears the bad password attempts to make way for the valid password entries. Install this hotfix if you have: |
9.3.0-8 | 26-Jul-2019 | EE-1273 | Logging Updates – Adaptive Authentication logging now correctly writes actual parameters instead of dictionary lines for certain requests. Install this hotfix if you have: |
9.3.0-7 | 26-Jun-2019 | EE-1220 | New userAccountControl Values – SecureAuth IdP now has the most up-to-date userAccountControl values to ensure that certain account statuses are handled appropriately in transactions between LDAP providers and SecureAuth IdP. Install this hotfix if you have: |
9.3.0-6 | 05-Jun-2019 | EE-1225 | Mobile Cookie Name – Mobile cookies that include spaces in the name now process correctly. Install this hotfix if you have: |
9.3.0-5 | 21-May-2019 | EE-1186 | App Enrollment Maintenance – App enrollments for users made on previous versions of SecureAuth IdP work correctly after the upgrade. |
9.3.0-4 | 10-May-2019 | EE-1073 | Password Reset LDAP Issue – Administrative Password Reset with History Check functionality now working with LDAP containing protocol requirements. |
9.3.0-4 | 10-May-2019 | EE-1082 | Authentication API Parity – The Yubico OTP option is now available to use via the API and also supported through browser workflow. |
9.3.0-4 | 10-May-2019 | EE-1149 | Passcode Registration Screen – When using the Default theme, the SecureAuth Passcode registration screen now works correctly. |
9.3.0-4 | 10-May-2019 | EE-1167 | Incorrect SMS MFA Option – When users select the SMS OTP option, they no longer randomly receive an incorrect Link to Accept message. |
9.3.0-4 | 10-May-2019 | EE-1182 | Begin Site Redirect Encoding – Begin site redirect is no longer double encoding the request query, causing the realm to break and the workflow to halt. |
9.3.0-3 | 12-Apr-2019 | EE-1075 | Data Parsing in SAML Attribute – Data is now correctly parsed when sent in a SAML attribute. |
9.3.0-3 | 12-Apr-2019 | EE-1124 | OIDC Claim Issue – Sub claim is now present when updates are made to library. |
9.3.0-3 | 12-Apr-2019 | EE-1089 | Application API Proxy Support – Calls made through the Application API correctly honor proxy settings. |
9.3.0-3 | 12-Apr-2019 | EE-1120 | URL Encoding Updates – Updates to URL encoding to ensure security. |
9.3.0-3 | 12-Apr-2019 | EE-1131 | Device Fingerprint Space Issue – The Device Fingerprint cookie name now parses correctly if a space is present in the generated cookie name. |
9.3.0-3 | 12-Apr-2019 | EE-1067 | Logging Updates – Updates to SecureAuth IdP logs to ensure security. |
9.3.0-2 | 14-Mar-2019 | EE-1049 | Auto-encrypt Tools Issue – Issue resolved in which auto-encrypting the web.config caused SecureAuth tools to work ineffectively. |
9.3.0-2 | 14-Mar-2019 | EE-1088 | SecureAuth IdP Requirements for Login for Windows – Changes made to accommodate AD user check issues addressed in Login for Windows v1.0.4. |
9.3.0-1 | 20-Feb-2019 | EE-1030 | Google Social ID Login – Modifications made to support Google API updates for Social ID login. |
9.3.0-1 | 20-Feb-2019 | EE-1049 | Auto-encrypt Tools Issue – Issue resolved in which auto-encrypting the web.config caused SecureAuth tools to not function effectively. |
9.3.0-1 | 20-Feb-2019 | EE-1056 | Web Admin UI Updates – Updates made to the Adaptive Authentication UI reflect supported features. |
9.3.0-1 | 20-Feb-2019 | EE-1067 | Logging Updates – Enhancements made to logging ensure greater security. |
Affected SecureAuth IdP Version: 9.3
Support Information: Contact SecureAuth Support (support.secureauth.com, support@secureauth.com, or 1-866-859-1526) to have the latest hotfix installed on your SecureAuth IdP v9.3.x appliance.
9.2.0 Hotfixes
The following is a list of hotfixes for SecureAuth IdP version 9.2.0.
Release No. | Release Date | Ref ID | Issue |
---|---|---|---|
9.2.0-38 | 07-Jul-2021 | EE-1825 | QR Enrollment Issue – Addressed issue when using an email address during login to the QR enrollment page. Install this hotfix if you have: |
9.2.0-38 | 07-Jul-2021 | EE-2086 | OTP Value Reusability – Resolves issue when using the API OTP validate endpoint, it was possible to reuse the same OTP at a later time. Install this hotfix if you have: |
9.2.0-37 | 04-Jun-2021 | EE-2110 | Security Optimization – Redirect pages optimized for security best practices. This hotfix is required for 9.2 deployments. |
9.2.0-37 | 04-Jun-2021 | EE-2152 | QR Code Registration Support – Addressed an issue to support offline QR code registration for OTP in air-gapped appliances to work with SecureAuth Authenticate app. Install this hotfix if you have: |
9.2.0-36 | 26-Feb-2021 | EE-1608 | Resetting IIS Settings – After making changes to IIS and then changes to the SecureAuth Web Admin, the changes made in IIS were reverted to the previous configuration. Install this hotfix if you have: |
9.2.0-36 | 26-Feb-2021 | EE-1810 | OIDC Claim Format Issue – The email_verified claim should be sent as a boolean value. Install this hotfix if you have: |
9.2.0-36 | 26-Feb-2021 | EE-1844 | Security Optimization – Optimized security with request parameters. This hotfix is required for all customers on SecureAuth IdP version 9.2 to ensure the security of the appliance. |
9.2.0-36 | 26-Feb-2021 | EE-1854 | Web Admin Optimization – Removal of unused code and subfolder from the SecureAuth Identity Platform Web Admin project folder. |
9.2.0-36 | 26-Feb-2021 | EE-1861 | Security Optimization – Sanitize sensitive data in Debug Logs. This hotfix is required for all customers on SecureAuth IdP version 9.2 to ensure the security of the appliance. |
9.2.0-36 | 26-Feb-2021 | EE-1864 | WS-Federation Update – In realms that use WS-Federation, this update requires allow-listing of URLs for the If a There is also a new optional setting to support allow-listing of more than one URL by using a comma-delimited list. Install this hotfix if you have: |
9.2.0-36 | 26-Feb-2021 | EE-1897 | Performance Enhancements – Update exception handling to improve system performance during login and enrollment workflows. |
9.2.0-36 | 26-Feb-2021 | EE-1960 | Hotfix Installer Update – Hotfix installer updates the cloud certificate URL to use https. |
9.2.0-35 | 23-Jul-2020 | EE-1700 | Filebeat Process Improvements – Updates to Filebeats to improve performance. |
9.2.0-35 | 23-Jul-2020 | EE-1735 | OIDC / OAuth2 Workflow Session Cleanup – Sessions are not properly cleared when a user has two browser tabs open when authenticating into a resource. Install this fix if you have: |
9.2.0-35 | 23-Jul-2020 | EE-1815 | Security Fix – Resolved XSS security vulnerability in path resolution. This hotfix is required for all customers on SecureAuth IdP version 9.2 to ensure the security of the appliance. |
9.2.0-35 | 23-Jul-2020 | EE-1820 | OIDC End Session Redirect – Redirects and session end were not occurring due to parameter requirements. |
9.2.0-35 | 23-Jul-2020 | EE-1830 | WS-Fed and SAML Valid Hours Issue – When the SAML Valid Hours is set to a non-integer value, it does not work for WS-Fed integrations. Install this fix if you have: |
9.2.0-34 | 29-Jun-2020 | EE-1644 | Security Fix – Implemented additional input validation to prevent double curly brackets ( {{ or }} ) in form input fields, including the UserID field. This hotfix is required for all customers on SecureAuth IdP version 9.2 to ensure the security of the appliance. |
9.2.0-34 | 29-Jun-2020 | EE-1745 | Chrome 404 Error on Manage Accounts Page – Chrome browser would give a 404 error to users on the Manage Accounts (help desk) page if the page timed out and the user logs back in, whereas other browsers would redirect them back to the page after authentication. Install this hotfix if you have: |
9.2.0-33 | 03-Jun-2020 | EE-1680 | Debug Log Cleanup – Debug logs required changes. This hotfix is required for all 9.2 appliances. |
9.2.0-33 | 03-Jun-2020 | EE-1683 | Azure AD Email Lookup Failure – SecureAuth IdP was not able to effectively retrieve the email address from the Azure AD data store. Install this hotfix if you have: |
9.2.0-33 | 03-Jun-2020 | EE-1707 | Corrupted CyberArk Username – When using CyberArk for the directory credentials, the username would become corrupted during simultaneous connections. Install this hotfix if you have: |
9.2.0-33 | 03-Jun-2020 | EE-1743 | WS-Trust Blocking Update – Resolves issue where the WS-Trust Blocking service was not using the appropriate IP address for requests when using a load balancer. Install this hotfix if you have: |
9.2.0-32 | 03-Mar-2020 | EE-1373 | IP Evaluation Update – Resolves issue where the IP Eval service was not using the appropriate IP address for WS-Trust requests when using a load balancer. Install this hotfix if you have: |
9.2.0-32 | 03-Mar-2020 | EE-1519 | SameSite Cookie attribute support – Required for compatibility with Google Chrome 80. This hotfix is required for all 9.2 appliances. Ensure that the Microsoft .NET patch is applied prior to installing this hotfix. Read https://support.secureauth.com/hc/en-us/articles/360038330652 for more information. |
9.2.0-32 | 03-Mar-2020 | EE-1524 | Azure AD UPN Domain Check – Resolves issue with unnecessary uppercase and lowercase domain name check in username. Install this hotfix if you have: |
9.2.0-32 | 03-Mar-2020 | EE-1583 | OIDC Session Cleanup – Resolves issue in which sessions were not properly cleared in OIDC realms, making it impossible to log into multiple clients due to values being cached from the first session. Install this hotfix if you have: |
9.2.0-31 | 12-Dec-2019 | EE-1217 | Updates to Audit Logging for OIDC – Audit Logging updated for OIDC workflows to provide more clarity. Install this hotfix if you have: |
9.2.0-31 | 12-Dec-2019 | EE-1422 | Adaptive Auth API Response Updates – Resolved issue when using the Authentication API for adaptive authentication calls; not all actions were available to enable the desired workflow. Install this hotfix if you have: |
9.2.0-31 | 12-Dec-2019 | EE-1491 | Transformation Engine Group Handling – Resolves issue in which the Transformation Engine could not correctly filter groups by full and common name when used together. Install this hotfix if you have: |
9.2.0-30 | 30-Sep-2019 | EE-1206 | TRX Performance Issue – When there is latency reaching the SecureAuth TRX cloud endpoint, it no longer causes application latency, which would impact user login performance. This hotfix is required for all 9.2 appliances. |
9.2.0-30 | 30-Sep-2019 | EE-1275 | Authenticate App Enrollment Error – URL enrollments no longer fail on devices using iOS 12+ and when push notifications are not allowed for the application. Install this hotfix if you have: |
9.2.0-30 | 30-Sep-2019 | EE-1315 | Arbitrary File Upload Vulnerability – Resolves issue in which an authenticated privileged user could upload arbitrary file types. This hotfix is required for all customers on SecureAuth IdP version 9.2 to ensure the security of the appliance. |
9.2.0-30 | 30-Sep-2019 | EE-1334 | Inline Initialization Attribute Clearing – When using Conditional Access for Azure, the Active Directory attribute values that were added during the Inline Initialization self-service process are no longer being cleared. Install this hotfix if you have: |
9.2.0-30 | 30-Sep-2019 | EE-1357 | mS-DS-ConsistencyGUID Support for Office 365 Integration – The mS-DS-ConsistencyGUID attribute is now supported by SecureAuth IdP to be used as the ImmutableID value for integrations with Office 365. Install this hotfix if you have: |
9.2.0-30 | 30-Sep-2019 | EE-1363 | Support for AssertionConsumerServiceIndex (SAML) – SecureAuth IdP now supports AssertionConsumerServiceIndex for SAML integrations. Install this hotfix if you have: For instructions about applying the hotfix for this feature, see SAML integrations using AssertionConsumerServiceIndex hotfix. |
9.2.0-29 | 28-Jul-2019 | EE-1298 | Authentication API Updates for User Risk – When using the Authentication API for adaptive authentication, the User Risk feature is now effectively accessed during analysis. Install this hotfix if you have: |
9.2.0-28 | 27-Jun-2019 | EE-1220 | New userAccountControl Values – SecureAuth IdP now has the most up-to-date userAccountControl values to ensure that certain account statuses are handled appropriately in transactions between LDAP providers and SecureAuth IdP. Install this hotfix if you have: |
9.2.0-28 | 27-Jun-2019 | EE-1223 | Enhance Device Recognition Logging – Device Recognition logging was enhanced to make the results of the analysis clearer. Install this hotfix if you have: |
9.2.0-28 | 27-Jun-2019 | EE-1250 | Reporting Page Time Picker – On the Reporting Page, the time picker functionality now works correctly for realms using the 2016 Light Theme. Install this hotfix if you have: |
9.2.0-28 | 27-Jun-2019 | EE-1254 | Windows SSO Adaptive Auth Redirect – Realms with Windows SSO for pre-authentication now effectively redirect users per Adaptive Authentication rules. Install this hotfix if you have: |
9.2.0-27 | 05-Jun-2019 | EE-1199 | Third-party JavaScript Libraries Vulnerability – jQuery, Bootstrap, and AngularJS have been upgraded due to a flaw in these libraries that may result in XSS. This hotfix is required for all customers on SecureAuth IdP version 9.2 to ensure the security of the appliance. |
9.2.0-27 | 05-Jun-2019 | EE-1203 | Incomplete Revocation of App Enrollments – User device enrollments that are revoked on the self-service page are correctly removed when the user immediately re-registers the same device. Install this hotfix if you have: |
9.2.0-27 | 05-Jun-2019 | EE-1210 | QR Code Missing Secret – Upon successful login to a QR code app enrollment realm, users are now presented with a correct QR Code when a page is refreshed. Install this hotfix if you have: |
9.2.0-27 | 05-Jun-2019 | EE-1223 | Enhance Device Recognition Logging – Device Recognition logging was enhanced to make the results of the analysis clearer. Install this hotfix if you have: |
9.2.0-25 | 10-May-2019 | EE-1082 | Authentication API Parity – The Yubico OTP option is now available to use via the API and also supported through browser workflow. |
9.2.0-25 | 10-May-2019 | EE-1181 | Novell eDirectory Password Reset Parity – Self-service password reset is now supported for eDirectory integrated realms. |
9.2.0-25 | 10-May-2019 | EE-1193 | JWT Missing Claim – In OAuth 2.0 Client Credential Flow, the ‘sub’ (subject) claim is no longer missing in the JWT. |
9.2.0-24 | 30-Apr-2019 | EE-1128 | Mobile App PIN Settings – The PIN settings configured for SecureAuth Authenticate are now respected per the configuration or the support. |
9.2.0-24 | 30-Apr-2019 | EE-1120 | URL Encoding Updates – Updates made to URL encoding to ensure security. |
9.2.0-24 | 30-Apr-2019 | EE-1131 | Device Fingerprint Space Issue – The Device Fingerprint cookie name parses correctly if a space is present in the generated cookie name. |
9.2.0-24 | 30-Apr-2019 | EE-1157 | Transformation Debug Logging – Transformation Engine logging is no longer automatically enabled when Debug logging is enabled, which prevents the potential exposure of sensitive information in the logs. |
9.2.0-23 | 14-Mar-2019 | EE-1001 | Phone Number Validation – Invalid phone number formats can now be used in API calls. |
9.2.0-23 | 14-Mar-2019 | EE-1068 | Logging Updates – Updates made to SecureAuth IdP logs ensure security. |
9.2.0-23 | 14-Mar-2019 | EE-1088 | SecureAuth IdP Requirements for Login for Windows – Changes made to accommodate AD user check issues addressed in Login for Windows v1.0.4. |
9.2.0-21 | 12-Feb-2019 | EE-867 | Help Desk Validation Dates Issue – Date values for Certificate Validation Date and Mobile Validation Date fields are no longer missing from the Help Desk page. |
9.2.0-21 | 12-Feb-2019 | EE-1025 | Help Desk “Update” User Account – Incorrect profile data is no longer automatically saved since the Update button is now properly disabled. |
9.2.0-21 | 12-Feb-2019 | EE-1027 | URL Encoding Update – Updates made to URL encoding to ensure security. |
9.2.0-21 | 12-Feb-2019 | EE-1029 | Google Social ID Login – Social ID login feature was updated due to modifications made by Google API. |
9.2.0-20 | 21-Dec-2018 | EE-997 | OATH Token JSON Encryption Issue – Data is now correctly read when JSON encryption is selected as the OATH token storage method. |
9.2.0-20 | 21-Dec-2018 | EE-1000 | Multi-Data Store Timeout – Data tab on a realm configured for multi-data stores now loads faster without timeouts. |
9.2.0-19 | 15-Nov-2018 | EE-867 | Cert and Mobile Validation Dates – Cert Validation Date and Mobile Validation Date values now correctly populate the Help Desk page. |
9.2.0-19 | 15-Nov-2018 | EE-937 | Begin Site Redirect Encoding – Begin site redirect is no longer double encoding the request query, causing the realm to break and the workflow to halt. |
9.2.0-19 | 15-Nov-2018 | 9.2.0-19 hotfix – machine learning | Non-issue changes: |
9.2.0-18 | 10-Oct-2018 | EE-678 | SAML Consumer UI – When adding a provider for SAML consumption, SecureAuth IdP Web Admin UI no longer disables editing provider information. |
9.2.0-18 | 10-Oct-2018 | EE-917 | Unable to Save KBQ / KBA Value – When saving the "helpdesk challenge" on the Self-service Account Update page, the user's knowledge based answer is now saved when data is encrypted. |
9.2.0-17 | 07-Sep-2018 | EE-899 | Debug Logging Issue – Self-service Password Reset page now logs correctly on all configurations. |
9.2.0-17 | 07-Sep-2018 | EE-895 | Symantec VIP Credentials Display – Symantec VIP Credentials table now displays all user information on the Help Desk and Self-service pages. |
9.2.0-17 | 07-Sep-2018 | EE-903 | Country Check Cloud Services – When Cloud Services are down, users are no longer stopped during login when SecureAuth IdP performs a country check. |
9.2.0-13 | 18-Jul-2018 | EE-862 | Country Code Support Issue – Certain country codes were not being supported for phone call and / or SMS TOTP delivery. |
9.2.0-10 | 03-Jul-2018 | EE-839 | Adaptive Authentication IPv6 Processing – Adaptive Authentication policies returned invalid data for users with IPv6 addresses. |
9.2.0-9 | 11-Jun-2018 | EE-785 | Adaptive Authentication Redirection – Redirecting the user via an Adaptive Authentication policy with a static query string parameter resulted in a query string with an invalid format. |
9.2.0-8 | 05-Jun-2018 | EE-743 | User Risk Analysis Response – When retrieving a user risk score from certain third-party providers, SecureAuth IdP was not reading a valid score due to a null reference. |
9.2.0-7 | 23-May-2018 | EE-769 | Windows SSO Enhancement – Some IIS settings necessary for Windows SSO / authentication must be manually entered in the web.config, but SecureAuth IdP would remove all these settings if a change was subsequently made on the Workflow tab. |
9.2.0-7 | 23-May-2018 | EE-791 | Adaptive Authentication Redirect Caching – SecureAuth IdP was caching query string parameters from previous Adaptive Authentication redirection URLs, causing redirection failures. |
9.2.0-5 | 24-Apr-2018 | EE-703 | Novell eDirectory Lookup – During login, a user’s profile was not being accessed successfully. |
9.2.0-5 | 24-Apr-2018 | EE-721 | CyberArk Vault Credential Lookup – In multi-domain environments, SecureAuth IdP was not able to retrieve credentials successfully. |
9.2.0-4 | 24-Apr-2018 | EE-709 | SA Cloud Timeout and Fail Open – Due to extended timeouts and no fail open functionality, users were unable to log in when SA Cloud services are down. |
9.2.0-3 | 21-Mar-2018 | EE-604 | User Risk Score Bearer Token Authorization – The format for the OAuth2 Bearer Token used when importing a User Risk Score was causing an error, resulting in the inability to import the risk score. |
9.2.0-2 | 10-Mar-2018 | EE-587 | Account Management Updates – Users could access Help Desk pages from the Portal despite not being a member of the designated group set up on the administrative page. |
9.2.0-2 | 10-Mar-2018 | EE-619 | Interface / Customization Communication – Customizations referencing a certain interface were no longer able to communicate with it. |
9.2.0-2 | 10-Mar-2018 | EE-616 | PIN Not Saved – When updating the PIN field in the self-service realm, the PIN was not successfully saved, causing errors when attempting to use the PIN in subsequent login attempts. |
Affected SecureAuth IdP Version(s): 9.2
Support Information: Contact SecureAuth Support (support.secureauth.com, support@secureauth.com, or 1-866-859-1526) to have the latest hotfix installed on your SecureAuth IdP v9.2.x appliance.
9.1.0 Hotfixes
The following is a list of hotfixes for SecureAuth IdP version 9.1.0.
Release No. | Release Date | Ref ID | Issue |
---|---|---|---|
9.1.0-59 | 07-Jul-2021 | EE-1814 | SAML OneTimeUse Condition Support – Added support for the SAML OneTimeUse condition. |
EE-1844 | Security Issue – Resolved security issue with request parameters. This hotfix is required for SecureAuth IdP 9.1 deployments. | ||
EE-2110 | Security Optimization – Redirect pages optimized for security best practices. This hotfix is required for SecureAuth IdP 9.1 deployments. | ||
9.1.0-58 | 24-Jul-2020 | EE-1778 | OIDC / OAuth2 Workflow Session Cleanup – OIDC queries in OAuth workflows are not read correctly when a user has two browser tabs open when authenticating into a resource. Install this fix if you have: |
EE-1815 | Security Fix – Resolved XSS security vulnerability in path resolution. CVSS Score: 5.3. This hotfix is required for all customers on SecureAuth IdP version 9.1 to ensure the security of the appliance. | ||
EE-1830 | WS-Fed and SAML Valid Hours Issue – When the SAML Valid Hours is set to a non-integer value, it does not work for WS-Fed integrations. Install this fix if you have: | ||
9.1.0-57 | 29-Jun-2020 | EE-1644 | Security Fix – Implemented additional input validation to prevent double curly brackets ( {{ or }} ) in form input fields, including the UserID field. CVSS Score: 2.0. This hotfix is required for all customers on SecureAuth IdP version 9.1 to ensure the security of the appliance. |
9.1.0-56 | 12-Jun-2020 | EE-1690 | Updates to Audit Logging for OIDC – Audit Logging updated for OIDC workflows to provide more clarity. Install this hotfix if you have: |
EE-1781 | Transformation Engine Issue – Resolves issue in which the Transformation Engine did not work correctly when used with WS-Federation. Install this hotfix if you have: | ||
9.1.0-55 | 28-Feb-2020 | EE-1511 | Session Timeout Length – Increased session timeout length to accommodate specific use cases. Install this hotfix if you have: |
EE-1519 | SameSite Cookie attribute support – Required for compatibility with Google Chrome 80. This hotfix is required for all 9.1 appliances. Ensure that the Microsoft .NET patch is applied prior to installing this hotfix. Read https://support.secureauth.com/hc/en-us/articles/360038330652 for more information. | ||
EE-1558 | OTP Value Reusability – Resolves an issue in which, when using the API OTP validate endpoint, it was possible to reuse the same OTP at a later time. Install this hotfix if you have: | ||
9.1.0-54 | 12-Dec-2019 | EE-1429 | Enhanced Device Recognition Logging – Device Recognition logging enhanced to make the results of the analysis clearer. Install this hotfix if you have: |
EE-1469 | Device Recognition NULL Values – Resolves issue where “NULL” is returned in the Device Recognition profile as a score for a field, and the profile fails to match. Install this hotfix if you have: | ||
EE-1499 | API Update for Hashed PIN – Using the API to update a user’s PIN no longer fails when the PIN is stored hashed. Install this hotfix if you have: | ||
EE-1512 | mS-DS-ConsistencyGUID Support for Office 365 Integration – The mS-DS-ConsistencyGUID attribute is now supported by SecureAuth IdP to be used as the ImmutableID value for integrations with Office 365. Install this hotfix if you have: | ||
9.1.0-53 | 15-Oct-2019 | EE-1342 | Cross-Site Request Forgery Vulnerability – CSRF tokens have been added to the administrative web interface. CVSS Score: 4.7. This hotfix is required for all customers on SecureAuth IdP version 9.1 to ensure the security of the appliance. |
EE-1336 | RBAC Group List – Resolves an issue where a list of groups is created for a specific role type and not all groups were available to select, even after typing the full group name. Install this hotfix if you have: | ||
EE-1363 | Support for AssertionConsumerServiceIndex (SAML) – SecureAuth IdP now supports AssertionConsumerServiceIndex for SAML integrations. Install this hotfix if you have:
For instructions about applying the hotfix for this feature, see SAML integrations using AssertionConsumerServiceIndex hotfix. | ||
9.1.0-52 | 13-Aug-2019 | EE-1272 | AuthCode Validity Issue – Only one AuthCode can be used in OIDC workflows for a client to obtain an access_token. Install this hotfix if you have: |
EE-1312 | Cross-Site Request Forgery Vulnerability – CSRF tokens have been added to the administrative web interface. CVSS Score: 6.7. This hotfix is required for all customers on SecureAuth IdP version 9.1 to ensure the security of the appliance. | ||
EE-1315 | Arbitrary File Upload Vulnerability – An authenticated privileged user can no longer upload arbitrary file types. CVSS Score: 8.4. This hotfix is required for all customers on SecureAuth IdP version 9.1 to ensure the security of the appliance. | ||
9.1.0-51 | 25-Jul-2019 | EE-1287 | Device Recognition Data Storage Issue – When storing the Device Recognition Profiles (Device Fingerprints) in the SQL database in JSON format, all data is now correctly stored. Install this hotfix if you have: |
9.1.0-50 | 26-Jun-2019 | EE-1220 | New userAccountControl Values – SecureAuth IdP now has the most up-to-date userAccountControl values to ensure that certain account statuses are handled appropriately in transactions between LDAP providers and SecureAuth IdP. Install this hotfix if you have: |
9.1.0-49 | 03-Jun-2019 | EE-1199 | Third-party JavaScript Libraries Vulnerability – jQuery, Bootstrap, and AngularJS have been upgraded due to a flaw in these libraries that may result in XSS. CVSS Score: 5.2. This hotfix is required for all customers on version 9.1 to ensure the security of the appliance. |
9.1.0-48 | 10-May-2019 | EE-1179 | Inline Password Reset Issue – Using the 2016 Light Theme, the Inline Password Reset pages now work as expected for all use cases. |
9.1.0-47 | 14-Mar-2019 | EE-1131 | Device Fingerprint Space Issue – The Device Fingerprint cookie name now parses correctly if a space was present in the generated cookie name. |
EE-1069 | Logging Updates – Updates to SecureAuth IdP logs to ensure security. | ||
EE-1028 | URL Encoding Updates – Updates to URL encoding to ensure security. | ||
9.1.0-46 | 30-Nov-2018 | EE-930 | Log Database Collection – SecureAuth IdP no longer stops creating log entries when records grow very large (2,147,483,647+). |
EE-986 | Google ID Social Login – Issue resolved in which Google API changes caused SecureAuth IdP’s social login feature for Google Apps to stop working. | ||
EE-991 | Begin Site Redirect Encoding – Begin site redirect is no longer double encoding the request query, which had been causing the realm to break and the workflow to halt. | ||
9.1.0-45 | 06-Sep-2018 | EE-906 | eDirectory Group Issue – Error no longer occurs when attempting to add a user to a group in eDirectory via the Create User function. |
EE-123 | Timeout Message Display – When users are logged out of Secure Portal based on timeout, the notification now displays the timeout message configured on the realm. | ||
9.1.0-44 | 27-Jul-2018 | EE-847 | OIDC Subject Claim Issue – Introspection endpoint was failing when access token subject claim contained a client ID. |
9.1.0-42 | 21-May-2018 | EE-786 | OIDC EndSession Redirect – Redirect and session end was not occurring due to the 'post_logout_redirect_uri' parameter requiring the presence of the 'id_token_hint' parameter. Redirect now functions with the presence of 'client_id' only, and does not require 'id_token_hint'. |
9.1.0-41 | 07-May-2018 | EE-746 | Create User Failure for eDirectory – Create User page integrated with eDirectory was not functioning due to hardcoded attribute information. NOTE: This fix enables the creation of users, but certain functionalities of the page are not supported for eDirectory at this time. |
EE-749 | Proxy Settings for OIDC Encryption Key Retrieval – Proxy settings configured in SecureAuth IdP are not applied when retrieving OIDC encryption keys. | ||
EE-718 | Create User Group Designation SQL – Create User page with SQL data store integration does not associate users to groups on the page during creation. NOTE: This fix requires a new stored procedure provided by SecureAuth Support (see contact information below). | ||
9.1.0-40 | 26-Apr-2018 | EE-731 | Novell eDirectory Lookup – During login, a user’s profile was not accessed successfully and the self-service password reset was unsupported. |
EE-642 | Mobile QR Code Enrollment – When device limitation is enforced, false errors would occur during QR code enrollment. | ||
EE-703 | SA Cloud Timeout and Fail Open – Due to extended timeouts and no fail open functionality, users were unable to log in when SA Cloud services were down. | ||
EE-446 | Errant Calls to Invalid URLs – Calls made for IP Evaluation were hitting the wrong endpoint URLs. | ||
EE-629 | Bad IPv6 Handling – During Adaptive Authentication analysis, IPv6 calls created issues with the evaluation. | ||
9.1.0-39 or earlier | Various | EE-559 | JWT Missing Claim – In OAuth 2.0 Client Credential Flow, the ‘sub’ (subject) claim was missing in the JWT. |
EE-586 | Encryption Functionality – Encryption functionality was static due to the disability of this feature. | ||
EE-533 | OTPValidateThrottle PUT Call – OTPValidateThrottle PUT call was resetting the count for both values (Select vs. Validate counts). | ||
EE-514 EE-521 | Self-service PIN Update – The Update button needed two clicks to save new PIN information. | ||
EE-470 | RADIUS Server Timeouts – RADIUS Server requests were timing out when under a high load. | ||
EE-482 | Slow Response – When connected to a Syslog Server, too many UDP clients created a massive slowdown. | ||
EE-417 | Tivoli Directory Device Recognition – Device / Browser Profiles were not accurately saved to Tivoli user profiles. | ||
EE-483 | Link-to-Accept with Proxy – Link-to-Accept did not properly go through the configured proxy settings (both SMS and email). | ||
EE-480 | Device Recognition on IE10 – PixelRatio property analyzed for fingerprinting was unsupported in IE10 and therefore returned a null response and invalid browser profile. | ||
EE-464 | YubiKey Validation Call Failure – API calls to validate the YubiKey login failed due to character limitations in the string. | ||
EE-376 | Account Management Error – Updating the OATH Seed on the Account Management page created an error due to split directory integrations for membership and profile. | ||
EE-429 | SMTP Timeout Errors – Using the Authentication API to request OTP emails, the user experienced SMTP timeout errors. | ||
EE-366 | HID Token Read Failure – Login process was unable to read the OATH Seed from an HID token for MFA, and SecureAuth IdP was unable to read the OATH Seed from HID token for post-authentication. | ||
EE-337 | 2016 Light Theme Login Page – When pasting a password (from password manager, for example), the Submit button did not change color and the mouse cursor showed the ‘no entry’ icon. Clicking the button worked, but visually appeared as though it would not. | ||
EE-329 | Verbiage Customizations – When a user’s browser is not set to English and the preferred language is not selected in the SecureAuth IdP configuration, then the browser defaulted to English, but without the verbiage customizations made in the Web Admin. | ||
EE-345 | Invalid Username not Updating – With workflow type set to Username & Password, when the user entered an invalid username and then corrected it, the username was still considered invalid and the page reverted the text back to the original invalid entry. | ||
EE-328 | OTPValidate Throttle not Counting – Rather than a unique counter being created for OTPValidate, the MultiFactorIntervalThrottle counter was used. | ||
EE-320 | Login for Windows UI – Various UI defects were resolved in Login for Windows. | ||
EE-303 | Username Overflow – On the Account Management page, the username overflowed into the next text box. | ||
EE-295 | OIDC Redirect URI with Localhost – For OIDC integrations, the Redirect URI did not support localhost. | ||
EE-248 | NumberProfile API Server Error – Requests to the phone number analysis endpoint with an invalid number (e.g. 123456789) generated a server error response. | ||
EE-265 | Password Requirements for Create User Page – Password requirements configured on the Web Admin were not applied to the Create User page. | ||
EE-263 | Unwanted Verbiage on Page – A flag on a page displayed unwanted verbiage on client-side pages. | ||
EE-203 | Duplicate Knowledge Based Questions – Users were able to select the same KBQ multiple times, thus only having one question to answer for Multi-Factor Authentication. | ||
EE-255 | No Automatic Redirect – Users were not automatically redirected from SecureAuth IdP with an OIDC token to the relaying application. | ||
EE-212 | Invalid User Error – LDAP users attempting to log in continually received an “Invalid User” error. | ||
EE-202 | OATH Token Invalidation – After upgrading to version 9.1, existing OATH Tokens were no longer valid and required re-provisioning. | ||
IDP-1721 | Login for Windows Configuration – Configuration settings for the new Login for Windows product were not available in the Web Admin. | ||
EE-183 | FIPS Compliance – SecureAuth IdP updates were made for FIPS Compliance requirements. | ||
IDP-2554 | Admin API HMAC Authentication – It was possible to remove HMAC authentication from the Admin API. | ||
EE-119 EE-175 | Authentication API Throttling – The Multi-Factor Throttling count doubled based on selection and validation of the OTP, thereby rendering the configuration inaccurate. | ||
IDP-2524 | Web.config URL Update – Values for some URLs were incorrect in the web.config. | ||
IDP-2486 | Compilation Error – The SISU code file contained a compilation error. | ||
IDP-2516 | ChangePassword Error – Username was missing a domain slash for Change Password via the API. | ||
IDP-2497 | Link-to-Accept UI Update – Color of the button was incorrect. | ||
IDP-2512 | Authentication API OATH Token Failure – OATH Token was not working as a viable Multi-Factor Authentication option via the Authentication API. |
Affected SecureAuth IdP Version(s): 9.1
Support Information: Contact SecureAuth Support (support.secureauth.com, support@secureauth.com, or 1-866-859-1526) to have the latest hotfix installed on your SecureAuth IdP v9.1.x appliance.
Hotfixes Knowledge Base articles and downloads - SecureAuth IdP v9.0.x and earlier
Hotfix Documentation, Description and Download | For SecureAuth IdP version(s) |
---|---|
SecureAuth IdP ProfileWS Hotfix 170412 Hotfix Description and Download Description: This hotfix makes the appliance more secure, strengthening the integration with the Credential Provider, by validating the username, password, and Time-based Passcode (TOTP) via Integrated Windows Authentication (IWA) and SecureAuth Cloud Services. Release Date: April 12, 2017 Hotfix File: https://downloads.secureauth.com/resources/CredProvider/ProfileWsHotfix.zip | 8.0 to 9.0.1 |
SecureAuth IdP 9.0.2 Bug Fix Hotfix HF.902_454 Hotfix Description and Download Description: This hotfix includes bug fixes for SecureAuth IdP version 9.0.2. Release Date: January 20, 2017 Hotfix File: https://downloads.secureauth.com/patches/HF.902_454.zip | 9.0.2 |
SecureAuth IdP Update Default Credentials Hotfix 161110 Hotfix Description and Download Description: This hotfix resolves a potential security vulnerability for credentials used in the Web Services (Multi-Data Store) configured on the Membership Connection Settings section of the Data tab and on the FBA WebService section of the Workflow tab. If the SecureAuth IdP administrator has not changed the default password after initial configuration of the SecureAuth IdP appliance, then the appliance may be vulnerable. Release Date: November 30, 2016 Hotfix File: https://downloads.secureauth.com/patches/SAHotfix161110.exe | 7.0 to 9.0.1 |
SecureAuth IdP SAML Consumer Hotfix 160505 Hotfix Description and Download Description: This hotfix resolves an issue in which certain SAML conditions are not being calculated properly in SecureAuth IdP, and also resolves handling subsequent SAML assertions signed as SHA-256. Release Date: May 19, 2016 Hotfix File: https://www.secureauth.com/sites/default/files/hotfix160505.msi | 8.1 to 8.2 |
SecureAuth IdP 2016 Light Theme Hotfix HF820-66 Hotfix Description and Download Description: This hotfix resolves issues related to the 2016 Theme, and should be applied to IdP appliances running version 8.2. If you are not affected by issues this hotfix addresses (see documentation for details), it is recommended you install SecureAuth IdP version 9.0 or greater. Release Date: February 12, 2016 Hotfix File: https://www.secureauth.com/sites/default/files/hf820-66.exe | 8.2 |
SecureAuth IdP 8.1 Event Viewer Logging Hotfix Hotfix Description and Download Description: This hotfix resolves the issue for SecureAuth IdP appliances running 8.1 that are not generating logs to the Event Viewer. Windows Event Viewer is used by the system administrator to view events for all programs on a machine to monitor its performance, identify and troubleshoot issues, etc. Release Date: August 17, 2015 | 8.1 |
SecureAuth IdP Security Hotfix HF-15728 Hotfix Description and Download Description: This hotfix resolves an issue in which unauthorized users could gain administrative access in some configuration scenarios. It is recommended you install this hotfix on all appliances running versions 6.0 through 8.0.3. Rename the file with a .exe extension after downloading the file. Release Date: May 13, 2015 Hotfix File: https://downloads.secureauth.com/patches/Hotfix15728._xe | 6.0 - 8.0.3 |
SecureAuth IdP 8.0.2 Post Authentication Cleanup Utility Hotfix Hotfix Description and Download Description: This hotfix resolves an issue for configuration scenarios that give authenticated users access to content that should be restricted only to authorized users. SecureAuth recommends applying this hotfix on all SecureAuth IdP appliances running versions 6.0 through 8.0.1. Rename the file with a .exe extension after downloading. Release Date: February 17, 2015 Hotfix File: https://downloads.secureauth.com/patches/setup._xe | 6.0 - 8.0.1 |
SecureAuth IdP 8.0 New Builds on Windows 2012 R2 Hotfix Hotfix Description and Download Description: This hotfix resolves three known issues in the 8.0 release and should be applied to SecureAuth IdP 8.0 builds on Windows 2012 R2 shipped before September 24, 2014. Issues resolved in this hotfix: Release Date: September 24, 2014 Hotfix File: https://www.secureauth.com/sites/default/files/sa80_hotfix.zip | 8.0 |
SecureAuth IdP 7.5 Hotfix for WS-Federation Hotfix Description and Download Description: This hotfix resolves an issue for SecureAuth IdP version 7.5 in which the SecureAuth.IdentityModel.WSFederation.dll can cause errors in WS-Federation workflows. This hotfix updates the DLL to restore proper operation of the WS-Federation capability. This issue, resolved in SecureAuth 7.5.1, only impacts 7.5. Release Date: July 18, 2014 Hotfix File: https://www.secureauth.com/sites/default/files/secureauth.identitymodel.wsfederation.zip | 7.5 |
SecureAuth IdP 7.4 ASPNETDB Datastore and Fingerprinting Hotfix Hotfix Description and Download Description: This hotfix resolves the issue for SecureAuth IdP versions prior to 7.5 in which users receive a .NET error during the pre-authentication portion of the workflow in environments using an ASPNETDB datastore with device fingerprinting. Release Date: February 21, 2014 Hotfix File: https://www.secureauth.com/sites/default/files/updateschema2.zip | 6.0 - 7.4 |