Access Manager Appliance 4.5 Service Pack 3 Release Notes

August 2020

Access Manager Appliance 4.5 Service Pack 3 (4.5.3) includes enhancements, improves usability, and resolves several previous issues.

Many of these improvements are made in direct response to suggestions from our customers. We thank you for your time and valuable input. We hope you continue to help us ensure our products meet all your needs. You can post feedback in the Access Manager forum on our community website that also includes product notifications, blogs, and product user groups.

For information about the previous release, see Access Manager Appliance 4.5 Service Pack 2 Hotfix 1 Release Notes.

For more information about this release and for the latest release notes, see the Documentation page. To download this product, see the Product page.

If you have suggestions for documentation improvements, click comment on this topic at the bottom of the specific page in the HTML version of the documentation posted at the Documentation page.

For information about Access Manager support lifecycle, see the Product Support Lifecycle page.

1.0 What’s New?

This release provides the following enhancements and fixes:

1.1 Enhancements

This release includes the following enhancements:

Support for Behavioral Analytics Using Micro Focus Interset

To enable detection of an unknown threat or anomalies, Access Manager integrates with Interset and leverages its User and Entity Behavioral Analytics (UEBA) capability.

Using the organization's data, Interset establishes the normal behavior for the organizational entities and then, using advanced analytics and machine learning, identifies the anomalous behaviors that constitute potential risks such as compromised accounts, insider threats, or other unknown cyber threats.

For more information, see Enabling Behavioral Analytics Using Micro Focus Interset.

Enhanced Identity Server to Meet the OASIS Specification for SAML 2.0

This release updates Identity Server to meet the OASIS SAML 2.0 Specification. With this update, SAML authentication requests must be digitally signed by the SAML service provider if the AssertionConsumerServiceURL attribute is different than what is specified in the SAML service provider’s metadata.

NOTE: Certain existing SAML federations might stop working if the SAML authentication requests are not signed.
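The following pre-upgrade check is an added example, not part of the original release notes or of Access Manager. It classifies a captured AuthnRequest against the rule above by comparing its AssertionConsumerServiceURL with the URLs in the service provider's metadata. The sample metadata, the sp.example.com URLs, and the function names are constructed for illustration; the check tests only that a signature is present and does not verify it.

```python
import xml.etree.ElementTree as ET  # use defusedxml instead for untrusted input

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed SP metadata for a hypothetical service provider.
SP_METADATA = (
    '<md:EntityDescriptor xmlns:md="%(md)s" entityID="https://sp.example.com">'
    '<md:SPSSODescriptor protocolSupportEnumeration="%(samlp)s">'
    '<md:AssertionConsumerService index="0" Location="https://sp.example.com/acs"'
    ' Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>'
    '</md:SPSSODescriptor></md:EntityDescriptor>' % NS)

def sample_request(acs_url=None, signed=False):
    """Build a constructed AuthnRequest; the Signature element is an empty stand-in."""
    acs = ' AssertionConsumerServiceURL="%s"' % acs_url if acs_url else ""
    sig = '<ds:Signature xmlns:ds="%s"/>' % NS["ds"] if signed else ""
    return ('<samlp:AuthnRequest xmlns:samlp="%s" ID="_1" Version="2.0"'
            ' IssueInstant="2020-08-01T00:00:00Z"%s>%s</samlp:AuthnRequest>'
            % (NS["samlp"], acs, sig))

def registered_acs_urls(metadata_xml):
    """Collect every AssertionConsumerService Location published by the SP."""
    root = ET.fromstring(metadata_xml)
    path = ".//md:SPSSODescriptor/md:AssertionConsumerService"
    return {el.get("Location") for el in root.iterfind(path, NS)}

def audit_authn_request(request_xml, metadata_xml, redirect_signed=False):
    """Classify one request against the signing rule in this release.

    redirect_signed: True when the HTTP-Redirect query string carried
    Signature and SigAlg parameters (the signature is not in the XML then).
    """
    req = ET.fromstring(request_xml)
    acs = req.get("AssertionConsumerServiceURL")
    if acs is None:
        return "ok: no ACS URL in request"
    # Exact string comparison; normalize URLs first if your SPs vary case or ports.
    if acs in registered_acs_urls(metadata_xml):
        return "ok: ACS URL matches metadata"
    if redirect_signed or req.find("ds:Signature", NS) is not None:
        return "ok: ACS URL differs, signature present (not verified)"
    return "at risk: ACS URL differs and request is unsigned"
```

Run it over requests captured from each federated service provider before upgrading; any "at risk" result identifies a federation that needs request signing enabled or its metadata updated.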

Support for Registering Mobile Devices Using a QR Code

This release introduces the MobileAccess 2 app. Using this app, you can now register your devices using a QR code. For more information, see Registering Users Mobile Devices in the NetIQ Access Manager Appliance 4.5 Administration Guide and MobileAccess Quick Start.

Support for Using a Different LDAP Attribute During Second-Factor Authentication

When using Advanced Authentication with Access Manager, you can use the following two optional properties for authentication methods:

  • AA_LOGIN_FORM_PARAM_USERNAME

  • AA_USERNAME_USERSTORE_ATTRIBUTE

Use these options when you want to use a different LDAP attribute instead of the username for user authentication, such as the email ID attribute.

For more information about these options, see NetIQ Advanced Authentication in the NetIQ Access Manager Appliance 4.5 Administration Guide.

Support for Using the login_hint Parameter During Multi-Factor Authentication

This release adds support for auto-filling the username in multi-factor authentication if the user has already provided the username using the login_hint parameter.

For more information about this option, see NetIQ Advanced Authentication in the NetIQ Access Manager Appliance 4.5 Administration Guide.

1.2 Updates for Dependent Components

This release adds support for the following software:

  • Apache http version 2.4.43

  • Tomcat 8.5.57

  • JRE 1.8.252

  • Open JDK 1.8 Update 252

1.3 Software Fixes

This release includes the following software fixes:

| Component | Bug ID | Issue |
|---|---|---|
| Admin-Certificates | 218237 | Importing SAML metadata text using Administration Console (SAML2 > Create Service) through text option corrupts the posted metadata.xml file. |
| NIDS-OAuth2.0 | 218453 | When a client application uses the Authorization Code flow and sends the access token to the userinfo endpoint, the attribute type of the query result is not consistent. If the attribute contains a single value, it is sent as a string, and if it contains multiple values, it is sent as an array. NOTE: While this fixes the inconsistent handling of OAuth attributes, certain OAuth applications might stop working. |
| NIDS-OAuth2.0 | 218477 | When an unauthenticated user tries to access /nidp/oauth/nam/callback, the browser displays an HTTP 302 error and redirects the user to a blank page. |
| NIDS-OAuth2.0 | 239194 | When a SAML 2.0 external contract is used for authentication, the id_token request displays a NullPointerException error. |
| NIDS-SAML2.0 | 228605 | The target parameters of an OAuth request get truncated while executing the post-authentication method. |
| NIDS-SAML2.0 | 217902 | Identity Server logout cookies do not get cleared during an SLO (single logout) request. |
| NIDS-SAML2.0 | 218532 | After upgrading Access Manager from 4.5 Service Pack 1 to 4.5 Service Pack 2, SAMLAuthnReq fails with the following error: Unable to complete request at this time. ACS Index and the ProtocolBinding attributes are mutually exclusive as per the SAML2 specification |
| Rule Based Authentication | 215926 | Risk-based authentication Time of Login rule fails if you provide a combination of weekday and weekend time range. |
| NIDP-WS-Trust | 219393 | Configuring ms-DS-ConsistencyGuid as immutable ID for Office 365 fails as Access Manager is unable to fetch the correct value from Active Directory. |
| NIDS-WS-Fed | 212791 | Configuring objectSid as immutable ID for Office 365 fails as Identity Server sends unreadable values. |

2.0 Installing or Upgrading

After purchasing Access Manager Appliance 4.5.3, you can access the product in the Customer Center. The activation code is in the Customer Center where you download the software. For more information, see Customer Center Frequently Asked Questions.

To access a full version of Access Manager:

  1. Log in to the Customer Center.

  2. Click Software.

  3. On the Entitled Software tab, click the appropriate version of Access Manager Appliance for your environment to download the product.

The following files are available:

Table 1 Files Available for Access Manager Appliance 4.5.3

| Filename | Description |
|---|---|
| AM_453_AccessManagerAppliance.iso | Contains Access Manager Appliance .iso file. |
| AM_453_AccessManagerAppliance.tar.gz | Contains Access Manager Appliance .tar file. |

NOTE: This release does not support installation or upgrade of Analytics Server. For a fresh installation of Analytics Server, use the AM_443_AnalyticsServerAppliance.iso file, then upgrade Analytics Server to the 4.4 SP3 version by using the AM_443_AnalyticsServerAppliance.tar.gz file. If you are already using a previous version of Analytics Server, then upgrade to Analytics Server 4.4 SP3. For more information about installing Analytics Server, see Installing Analytics Server in the NetIQ Access Manager Appliance 4.5 Installation and Upgrade Guide.

3.0 Additions to Documentation

The following topics have been added to the documentation:

4.0 Verifying Version Number after Upgrading to 4.5.3

After upgrading to Access Manager Appliance 4.5.3, verify that the version number of the component is indicated as 4.5.3.0-117. To verify the version number, perform the following steps:

  1. In Administration Console Dashboard, click Troubleshooting > Version.

  2. Verify that the Version field lists 4.5.3.0-117.

5.0 Supported Upgrade Paths

To upgrade to Access Manager Appliance 4.5.3, you need to be on one of the following versions of Access Manager:

  • 4.4 Service Pack 4 Hotfix 3

  • 4.5 Service Pack 1 Hotfix 1

  • 4.5 Service Pack 2 Hotfix 1

  • 4.5 Service Pack 2

IMPORTANT: If you are using an SQL database with existing Risk-Based Authentication (RBA) data and you are upgrading to Access Manager 4.5.3, you must run a utility to de-normalize the database. This is to ensure that your existing RBA data does not become irrelevant. For more information about this utility and how to run it, see Denormalizing SQL Database in the NetIQ Access Manager Appliance 4.5 Installation and Upgrade Guide.

For more information about upgrading Access Manager Appliance, see Upgrading Access Manager Appliance in the NetIQ Access Manager Appliance 4.5 Installation and Upgrade Guide.

6.0 Known Issues

NetIQ Corporation strives to ensure our products provide quality solutions for your enterprise software needs. There are no new issues other than the issues mentioned in Access Manager Appliance 4.5 Service Pack 2 Hotfix 1 Release Notes. If you need further assistance with any issue, please contact Technical Support.

7.0 Contact Information

Our goal is to provide documentation that meets your needs. If you have suggestions for improvements, please email Documentation-Feedback@netiq.com. We value your input and look forward to hearing from you.

For detailed contact information, see the Support Contact Information website.

For general corporate and product information, see the NetIQ Corporate website.

For interactive conversations with your peers and NetIQ experts, become an active member of our community. The NetIQ online community provides product information, useful links to helpful resources, blogs, and social media channels.

8.0 Legal Notice

For information about legal notices, trademarks, disclaimers, warranties, export and other use restrictions, U.S. Government rights, patent policy, and FIPS compliance, see https://www.netiq.com/company/legal/.

Copyright © 2019 NetIQ Corporation. All Rights Reserved.