Advanced Authentication as a Service (SaaS) Release Notes 2021

Support NFC Cards for Web Authentication

Advanced Authentication extends the Card method capabilities to enable users to use Near Field Communication (NFC) cards to authenticate to OAuth 2.0/ OpenID Connect, SAML 2.0 events, and Advanced Authentication portals.

Cloud Bridge Repository Improvements

Following are the user interface changes related to the Cloud Bridge external repository:

RADIUS

The RADIUS authentication fails intermittently.

Provision to Change the Password

Now, Helpdesk Administrator can enable users to reset the password using the option Password must be changed. With this option set to ON, the user must change the password during subsequent logon to the portals.

For more information, see Password in the Advanced Authentication - Helpdesk Administrator guide.

Administration Portal

There are two vertical scroll bars on few portals, such as Administration, Self-Service, Helpdesk, and Tokens Management.

Administration Portal

When an administrator adds SAML identity provider details in the Web Authentication method and uploads the valid metadata, an error message, Wrong IdP metadata format is displayed. Due to this error, the administrator is unable to save the changes to the method.

Web Authentication

When a user logs in to aa_domain/accounts with an expired password, the user gets authorized to the integrated product seamlessly instead of getting the login page.

Cloud Bridge Repository Setup Wizard

The Quick Start is introduced on the left pane of Advanced Authentication Administration portal. This feature is available only during the first time login to the portal. This feature helps administrators to understand the prerequisites and configure the Cloud Bridge repository.

For more information, see Quick Start in the Advanced Authentication - Tenant guide.

Custom Branding Settings of Web Authentication Events in the Custom Branding Policy

The Custom Branding settings of Web Authentication events have been relocated from Web Authentication policy to the Custom Branding policy.

For more information, see Customizing the Login Page of Web Authentication Events in the Advanced Authentication - Tenant guide.

Support for Out-of-Band Method

Advanced Authentication introduces the Out-of-band method to facilitate users to authenticate through the OOB portal or a new Authentication Agent for Web application. During authentication, the authentication request is sent to the OOB portal, Authentication Agent for Web or Authentication Agent for Windows. Users are required to log into the portal, Authentication Agent for Web or Authentication Agent for Windows and accept the request to authenticate successfully.

For more information, see Out-of-Band in the Advanced Authentication - Tenant guide.

Users can access the OOB portal using the URL: https://<AdvancedAuthenticationServerdomainname>/oob/ui and succeed the authentication chain to log into the portal. You can install the Authentication Agent for Web application from the OOB portal using Google Chrome on any computer, laptop, tablet or smartphone. You can also any other browser that support Progressive Web application.

For more information, see Logging In to Out-of-Band Portal in the Advanced Authentication- User guide.

Administration Portal

If the Master server initiates the fast synchronization and administrator tries to initiate the full synchronization on the Web server simultaneously, then the full synchronization fails.

Administration Portal

Sometimes, users are accidentally removed from the Advanced Authentication database after the full sync or fast sync due to some conditions.

RADIUS

Sometimes, during the full synchronization, the LDAP servers do not return the users. This results in users marked for removal. The user marked for removal cannot succeed the RADIUS authentication.

Customize the Hostname for Each Tenant

Earlier, a single URL is shared among all tenants.

For example, https://aa.cyberresprod.com/account/login

Now, tenant administrators can request a unique URL based on their tenant name.

For example, https://<tenantname>.cyberresprod.com/account/login

Following are some changes related to this feature:

Administration Portal

The Out-of-band method is not working appropriately.

Support for Installing the Cloud Bridge Agent on RedHat

You can install the Cloud Bridge agent on RHEL 8.3 server using the Podman instead of a docker-compose.

The administrator is required to run the generated script on the RHEL server.

For more information, see Installing Cloud Brigde Agent in the Advanced Authentication - Tenant guide.

Option to Lock Users Who Fail While Testing the Enrolled Methods

The Lock if authenticator test was failed option is introduced in the Lockout Options policy. This option enables you to lock the users who have failed an authenticator's test in the Self-Enrollment portal for the number of times specified in Attempts failed.

For more information, see Lockout Options in the Advanced Authentication - Tenant guide.

Cloud Bridge Agent

A space in the username of the administrator and space while configuring the DN details cause the failure of Cloud Bridge agent installation.

Enrollment Portal

After integrating a product with Advanced Authentication, a user of the integrated product is granted access to the new Enrollment portal with an expired password.

Enrollment Portal

If a user tries to test any enrolled method on the Enrollment portal, an error message that states the event could not be found is displayed.

Enrollment Portal

When a user tries to enroll the TOTP authenticator and chooses manual TOTP, instead of populating the auto-generated secret, the TOTP secret field is blank.

Web Authentication

When some users try to authenticate using SAML, the authentication fails.

This issue occurs because the Advanced Authentication replaces the space character with question mark(?) in the SAML assertion.

Settings to Retrieve User Groups after Authentication

The options, Return Group on Logon and Groups are introduced in all events (existing and new events). These options allow an administrator to retrieve the list of groups a user is associated with after successfully authenticating to an event.

For more information, see Configuring an Existing Event in the Advanced Authentication - Tenant guide.

Improved Certificate Selection for PKI Method

The Key field in the PKI authenticator in the new Enrollment Portal populates only the certificates with the authentication key and its expiry date.

It is possible to click the button Show All to show all the certificates.

For more information, see PKI in the Advanced Authentication- User.

Administration Portal

When an administrator tries to delete the groups added to the chains, following error message is displayed:

AttributeError 'LogonChainGroup' object has no attribute 'obj_id' (Internal Server Error)

Administration Portal

The login operation takes longer than the expected time due to the /api/v1/list call.

Enrollment Portal

When users configure the browser to remember credentials and try to enroll HOTP or TOTP method in new Enrollment Portal, the browser auto-fills OATH Token Serial and OTP using the available data.

RADIUS

The RADIUS server does not return the msRADIUSFramedIPAddress attribute if the hexadecimal value of that attribute contains a negative value.

Provision to Restore the Default Branding

The Restore button is introduced in Custom Branding policy to reset customized the user interface settings and revert to default settings.

For more information, see Custom Branding in the Advanced Authentication - Administration guide.

Administration Portal

When an administrator refreshes the Methods page in Administration Portal, the method images are not displayed and if the administrator opens the Security questions method, the Add question button blends in with the background and does not work.

Administration Portal

While configuring a repository, after an administrator adds an external server with an SSL certificate, the LDAP SSL setting in the Current configuration section is not identical to the SSL setting under External servers.

Enrollment Portal

Pre-conditions in the SMS method:

With the above pre-conditions, when a user enrolls the SMS method, a field to specify a phone number is not available. However, the user saves the enrollment without a phone number and the following message is displayed:

There is no available category for the required method.

Web Authentication

When an administrator tries to customize the Web Authentication page, the changes made in JAR file are not reflected in the Web Authentication pages.

Fast Synchronization for eDirectory

Administrators can achieve fast synchronization for eDirectory with the assistance of the Change-log module.

For more information, see Enabling Fast Synchronization for eDirectory Repository in the Advanced Authentication - Tenant Administration.

New Position for LDAP CA Certificate

The LDAP CA Certificate field in Cloud Bridge External repository to upload SSL certificate has been placed outside of Advanced Settings.

For more information, see Adding a Cloud Bridge External Repository in the Advanced Authentication - Tenant Administration.

Support for Filters in SCIM Endpoint

SCIM endpoint supports the following filters with the respective attributes and operations to retrieve appropriate details:

Administration Portal

If there is a chain with two or more methods and the second method is the OTP method that has multiple categories enrolled. During authentication with this chain, the default category of the OTP method is auto-selected without prompting a user to select the preferred category and OTP is sent to the respective device. This issue occurs on the Administration and Helpdesk portals.

Cloud Bridge

When an administrator changes the repository settings in Cloud Bridge External repository, such as Base DN, the changes are not updated even after saving the changes.

Enrollment Portal

If a user tries to log in to the new Enrollment Portal when the LDAP repository is down, the following incorrect error message is displayed:

This Page isn't working.

Enrollment Portal

When a user tries to enroll any method, such as Smartphone, U2F, and so on, the Categories drop down is not available on the new Enrollment portal. However, the category is selected by default without allowing the user to select the preferred category. This issue occurs when the administrator adds more than one category.

Enrollment Portal

The method names in new Enrollment Portal are not displayed in localized language.

Enrollment Portal

After deleting and recreating a tenant, when a tenant administrator tries to log in to new Enrollment Portal, the authentication fails and an error message is displayed.

SCIM repository

When an administrator adds one thousand users to SCIM repository, only ten users are displayed. Later, if the administrator adds thousand users, twenty users are displayed. For each thousand user entries, only ten user entries are processed and returned.

Web Authentication

Web authentication Password page displays Micro Focus Access instead of the product name Advanced Authentication and does not match with new Enrollment portal login pages. This is misleading users.

Option to Hide the Left Navigation Pane

This release introduces a hamburger menu option in the Administration Portal to hide or display the left navigation pane.

Updated the Easy Button Script

The easy button script that assists in installing the Cloud Bridge is updated to store data in the .evn file instead of the data.cfg file.

Administration Portal

When an administrator tries to delete a repository, the following error message is displayed:

ValueError PEM certificate was invalid (Internal Server Error)

Administration Portal

When an administrator sets the Expires or Max-Age attribute in cookies, the browser does not remove the cookies after closing the browser.

Cloud Bridge

Rebooting the host operating system that contains the Cloud Bridge agent fails to initiate the container.

Enrollment Portal

Using the Internet Explorer 11 browser, when a user accesses the Enrollment portal and edits the enrolled methods related to Device Service, the browser does not respond. This issue occurs after updating to Advanced Authentication 6.3 Service Pack 3.

Administration Portal

When an administrator uploads the LDAPS CA certificate, the Advanced Authentication server verifies whether the certificate meets the set standards and removes the new lines.

Administration Portal

When an administrator tries to export the tenant configuration, the export fails and displays an error message.

Administration Portal

When an administrator initiates an API call to add a group to the SCIM managed repository, a 404 error is displayed.

Administration Portal

If the Cloud Bridge Agent is unavailable and a tenant administrator tries to log in to the Administration portal, there is a significant delay to display the following message:

Repository Agent has failed to respond.

Web Authentication

When a user tries to authenticate, after specifying the credentials, the user is redirected back to the login page if the signAuthnRequest and ForceAuthn attributes in SAML SP are set to True.

New Enrollment Portal

The secondary tenants are unable to enroll the Facial Recognition and the U2F methods on the new Enrollment portal.

Cloud Bridge

When eDirectory is configured as the repository, and a user tries to log in to an event using the email address as the username, the authentication fails.

Cloud Bridge

This release resolves several synchronization issues.

Multitenancy

When a user tries to authenticate to the SaaS tenant, the following error message is displayed:

No available authentication chain was found.