Advanced Authentication is now available in the Software as a Service (SaaS) model, also known as Cloud Edition (CE). Open Text hosts and maintains Advanced Authentication.
For the list of other documents related to Advanced Authentication, see the Advanced Authentication NetIQ Documentation page. For more information about the product and support, see the Advanced Authentication Product website.
If you have suggestions for documentation improvements, click comment on this topic at the bottom of the specific page in the HTML version of the documentation posted on the Advanced Authentication NetIQ Documentation page.
The release number is in the YY.QUARTER.RELEASE format.
Advanced Authentication CE 24.3 includes the following updates:
Advanced Authentication enables the administrator to perform the following for any existing or new chain:
Reorder Methods
Change the sequence of methods in the chain, without removing a method from the list, using the up and down arrows located beside the Used list.
View the list of associated Events
The list of events that are using a specific chain is displayed in Events using this chain. This option is not editable.
Advanced Authentication allows the administrator to rearrange available chains as needed. This capability is supported for pre-defined and custom events.
This release introduces a High Availability drop-down in the Cloud Bridge External Repository to provide uninterrupted service from the LDAP servers that store users' identity and authentication details.
For more information, see Cloud Bridge External Repository.
This release includes security updates and improvements.
| Component | Issue Description |
|---|---|
| Administration | Precondition: The Lockout Options policy is configured as follows: With the above settings, a user was locked after 3 failed attempts to authenticate. However, Advanced Authentication did not automatically unlock the locked user after the set lockout period. |
| Enrollment | After testing the enrolled TOTP method, when the user clicked the Save button, an Invalid OTP error message was displayed. |
| SAML2 | When a user tried to authenticate to a SAML2 event, authentication seemed successful. However, the web page got into an infinite refresh loop. |
| Web Authentication | The Nginx reverse proxy rejected authentication requests from users that included several userGroups attributes and displayed an error message stating bad request. |
| OAuth2 | When a user attempted to authenticate to an OAuth2 event on an iPhone, the respective chains were not displayed. This happened when the device language was set to German. |
| Reports | When the administrator created a new report, selected the preferred Report type and clicked Save, the chart did not display the appropriate values and instead displayed Loading... |
| Administration | In the Fingerprint method, Specified fingers included two lists, Selected fingers and Available fingers, with incorrect labels. The labels have been corrected. |
| Self-Service Portal | Irrespective of the option set in Display Rules of the TOTP method by the administrator, both instructions (OATH token and QR code) were displayed to users during enrollment. |
Advanced Authentication CE 24.2 includes the following updates:
This release includes security updates and improvements.
| Component | Issue Description |
|---|---|
| Repository | Previously, the User Name attributes and User Lookup attributes included the otherMailbox attribute by default in a Cloud Bridge External Repository. This attribute is not indexed by Active Directory and was causing performance issues. Now, when you create a new Cloud Bridge External Repository, the otherMailbox attribute is not included as a default value in User Name attributes and User Lookup attributes. NOTE: For existing Active Directory Cloud Bridge External Repositories, we recommend removing the otherMailbox attribute from User Name attributes and User Lookup attributes. Removing this attribute enhances search and repository performance. To remove the otherMailbox attribute, perform the following steps: |
| Administration | In Cloud Bridge External Repository, the administrator was unable to set Search one level only for the Base DN and Group DN. |
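The performance issue above comes from an attribute that Active Directory does not index being used for user lookup. The following PowerShell script is an added example, not part of the Advanced Authentication documentation or product, that checks the AD schema (the searchFlags fATTINDEX bit) for each attribute an administrator has configured as a User Name or User Lookup attribute; the attribute list in `$lookupAttributes` is an assumption to be replaced with your own repository settings.

```powershell
# Added example: report which repository lookup attributes are indexed in the
# Active Directory schema. Unindexed attributes (such as otherMailbox) force
# full-partition scans on every user search.
# Assumes the ActiveDirectory module is installed and the caller can read the
# schema naming context.
Import-Module ActiveDirectory

# Assumed attribute list; replace with the User Name / User Lookup attributes
# configured in your Cloud Bridge External Repository.
$lookupAttributes = @('sAMAccountName', 'userPrincipalName', 'mail', 'otherMailbox')

$schemaNC  = (Get-ADRootDSE).schemaNamingContext
$fATTINDEX = 0x1   # searchFlags bit 0: attribute is indexed

foreach ($attr in $lookupAttributes) {
    $schemaObj = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter "(lDAPDisplayName=$attr)" -Properties searchFlags
    if (-not $schemaObj) {
        Write-Warning "Attribute '$attr' not found in the schema partition"
        continue
    }
    $indexed = (($schemaObj.searchFlags -band $fATTINDEX) -ne 0)
    [pscustomobject]@{
        Attribute = $attr
        Indexed   = $indexed
        Action    = if ($indexed) { 'keep' } else { 'remove from User Name / User Lookup attributes' }
    }
}
```

Run it on a domain-joined host with read access to the schema; any row reporting Indexed = False is a candidate for removal from the repository's lookup attributes.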
Advanced Authentication CE 23.4 includes the following updates:
This release includes the following enhancements:
Advanced Authentication facilitates auto-enrollment of smart cards using the PKI method. The auto-enrollment capability is dependent on the availability of a specific value in the altSecurityIdentities attribute of the LDAP repository for a specific user.
Auto-enrollment is supported on Windows machines that have the Advanced Authentication Device Service installed.
With this release, the Lockout Options policy is enabled by default.
From this release, Advanced Authentication includes the following enhancements in Emergency Password and Password methods:
Minimum password length is set to 10 characters by default.
Complexity requirements are enabled by default.
This release revised the following reports to include accurate information about users who have auto-enrolled a method but have not yet authenticated at least once, along with details of users who have authenticated using the auto-enrolled method:
Enroll Activity Stream
Users
Authenticators
This release includes security updates.
| Component | Issue Description |
|---|---|
| Administration | When a user attempted to log in with an expired LDAP password, authentication failed even when Logon with Expired Password was set to Allow for the event, and an Invalid credentials message was displayed to the user. |
| Administration | The Event_name parameter was missing for IDs 102, 103, 104, 106, and 107 in CEF logs. |
| Administration | With SSL disabled, Advanced Authentication was unable to establish a connection with the configured repository. |
| Administration | In some circumstances, the scheduled fast sync for a Cloud Bridge External Repository failed to trigger and execute. |
| Administration | On the Select Authentication Chain screen during the login process, the focus was not on the Next button by default. |
| Administration | Smartphone Enrollment by link was not working as expected. |
| Administration | The Import Tenant option has been removed for Tenant Administrators. |
| Events | For any event, if Logon with expired password was set to Ask to change and a user attempted to authenticate with an expired password, the prompt to change the password was not displayed. Instead, an error message Login failed, try again was displayed. |
| Self-Service Portal | Users were allowed to enroll the SMS OTP method without any phone number associated with their profile. |
Advanced Authentication as a Service 23.2.1 includes the following updates:
This release includes the following enhancement:
Advanced Authentication simplifies the user experience with the step-up authentication feature. Step-up authentication lets users authenticate with a method just once during a session and prevents re-authentication with a method that has already succeeded for another event in that session.
For more information, see OAuth2 Event and SAML 2.0 Event in the Tenant Administration Guide.
This release includes updates to some of the open source components.
This release includes updates to the following components to enhance security:
| Component | Issue Description |
|---|---|
| External Repository | The fast synchronization process (which runs every five minutes by default) failed to retrieve changes. |
| Events | Earlier, OAuth2 and SAML events with identical Client IDs were allowed. Now, Advanced Authentication does not allow the creation of events with duplicate Client IDs. However, if duplicate events already exist, you must correct the duplicate IDs before creating any new events. |
| Repository | When two repositories were configured and the browser was set to a non-English language, login failed if the repository name was not prefixed to the username. This happened when the user record was not found in the first repository that the server validated. |
Advanced Authentication as a Service 23.2.0.1 includes the following update:
| Component | Issue Description |
|---|---|
| Smartphone Method | When a user attempted to authenticate to any event using an authentication chain that includes the Smartphone method, the logon process might have appeared successful; however, logon failed and the user was prompted to log in again. |
Advanced Authentication as a Service 23.2.0 includes the following update:
This release includes the following:
In this release, Advanced Authentication is integrated with Single Sign-on. Advanced Authentication facilitates administrators to add federated services and applications in the Applications module. This enables end-users to access several services with a single set of credentials and prevents the need to manage multiple credentials.
Single Sign-on applies different standards, such as OAuth, SAML and so on for granting the federated access to various services and applications.
For more information, see Single Sign-on.
This release includes security improvements.
Advanced Authentication 23.2.0 deprecates the following from the Edit Cloud Bridge External repo page:
Expiration time (hours)
Generate Script
Advanced Authentication does not provide the script required to install the Cloud Bridge Agent.
For more information on the prerequisites and the procedure to install the Cloud Bridge Agent, see Installing the Cloud Bridge Agent. Contact the SaaS Operations team to obtain the Cloud Bridge Agent install script.
Advanced Authentication as a Service 23.1.1 includes the following update:
| Component | Issue Description |
|---|---|
| Administration | In Cloud Bridge External Repository, with Fast Sync Enabled set to OFF, if the administrator performed a full synchronization, the HTTP 400 - Bad Request error was displayed instead of the HTTP 405 - The Cloud Bridge Agent has been configured to NOT support Change collection error. |
Advanced Authentication as a Service 23.1.0 includes the following update:
Advanced Authentication as a Service 23.1.0 release addresses CVE-2023-24468.
Our goal is to provide documentation that meets your needs. If you have suggestions for improvements, please email Documentation-Feedback@netiq.com. We value your input and look forward to hearing from you.
For detailed contact information, see the Support Contact Information website.
For general corporate and product information, see the NetIQ Corporate website.
For interactive conversations with your peers and NetIQ experts, become an active member of our community. The NetIQ online community provides product information, useful links to helpful resources, blogs, and social media channels.
Copyright 2014 - 2023 Open Text
The only warranties for products and services of Open Text and its affiliates and licensors (“Open Text”) are as may be set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Open Text shall not be liable for technical or editorial errors or omissions contained herein. The information contained herein is subject to change without notice.
For additional information, such as certification-related notices and trademarks, see https://www.microfocus.com/en-us/legal.