NetIQ CloudAccess

Version 1.1.1

Release Notes

Date Published: June 2013


NetIQ CloudAccess is an appliance that provides a simple, secure way to manage access to Software-as-a-Service (SaaS) applications for corporate users. It provides out-of-the box security and compliance capabilities for SaaS services including full user provisioning, dynamic credentialing, privileged user management, Single Sign-On (SSO), and compliance reporting.

This version includes new features, improves usability, and resolves several previous issues. Many of these improvements were made in direct response to suggestions from our customers. We thank you for your time and valuable input. We hope you continue to help us ensure our products meet all your needs. You can post feedback in the CloudAccess forum on Qmunity, our community Web site that also includes product notifications, blogs, and product user groups.

For more information about this release and for the latest release notes, see the CloudAccess Documentation Web site. To download this product, see the CloudAccess product Web site.

What's New?

The following section outlines the key features and functions provided by this version.

Enhancements and Software Fixes

NetIQ CloudAccess 1.1.1 includes the following enhancements, as well as software fixes that resolve several previous issues.

Includes Option to Configure a Second NIC

CloudAccess now includes the option to configure a second NIC on each node in the cluster. For more information, see the NetIQ CloudAccess Installation and Configuration Guide.

Performance Improvements

This release includes various performance improvements.

Error When Adding a Node to a Cluster

When you add a node to an existing cluster, CloudAccess now adds the node successfully as expected without a timeout error. (799978)

With Prompt Before Provisioning, Claiming Existing Salesforce Account May Be Slow, and User May See SSO Error

When using the Prompt Before Provisioning option to claim an existing Salesforce account, Single Sign-On (SSO) no longer fails intermittently with errors. Once the existing account has been claimed successfully, CloudAccess now presents a popup window to allow the user to proceed to Salesforce. (775133)

Simultaneous Logout from Office 365 Does Not Work Correctly

Users that have authenticated to Office 365 through CloudAccess are now logged out properly when clicking the Sign Out link on the Office 365 pages. (775884)

The Connector for Office 365 Does Not Detect When You Change the DNS Name or the Key Pairs for the CloudAccess Cluster

The Connector for Office 365 now automatically detects when you change the DNS name or the key pairs for the CloudAccess cluster. (784293)

Only 1500 Members of an Active Directory Group Can Be Mapped to Roles

When translating Active Directory group memberships to role memberships, CloudAccess no longer retrieves only the first 1500 members of the group. (792582)
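To show where the 1500 limit comes from and how a client reads past it, here is an added Python example (not CloudAccess code) of Active Directory attribute range retrieval run against a constructed in-memory directory; the `search` helper and the shape of its reply are assumptions standing in for a real LDAP library call.

```python
import re
from typing import Callable, Dict, List, Tuple

MAX_VAL_RANGE = 1500  # Active Directory's default MaxValRange

# A truncated reply carries the attribute under a tagged name such as
# "member;range=0-1499"; the final chunk is tagged "member;range=3000-*".
RANGE_RE = re.compile(r"^(?P<attr>[^;]+);range=(?P<low>\d+)-(?P<high>\d+|\*)$")

# Assumed helper signature: search(dn, requested_attr) -> {attr_name_as_returned: values}
SearchFn = Callable[[str, str], Dict[str, List[str]]]


def naive_members(search: SearchFn, group_dn: str, attr: str = "member") -> List[str]:
    """One untagged read of the attribute. On a large group this sees only the
    first MaxValRange values, which is the behaviour fixed in 792582."""
    reply = search(group_dn, attr)
    return [v for name, vals in reply.items() if name.split(";")[0] == attr for v in vals]


def fetch_all_members(search: SearchFn, group_dn: str, attr: str = "member") -> List[str]:
    """Return every value of a multi-valued attribute by following AD range hints."""
    members: List[str] = []
    low = 0
    while True:
        reply = search(group_dn, f"{attr};range={low}-*")
        tagged = next((n for n in reply if n.startswith(f"{attr};range=")), None)
        if tagged is None:
            # no range tag: the group fit in one reply, nothing was truncated
            return members + list(reply.get(attr, []))
        m = RANGE_RE.match(tagged)
        if m is None:
            raise ValueError(f"unexpected attribute name {tagged!r}")
        members.extend(reply[tagged])
        if m.group("high") == "*":
            return members  # the server marked this as the last chunk
        low = int(m.group("high")) + 1  # ask for the next chunk


def make_fake_ad(total_members: int) -> Tuple[SearchFn, List[str]]:
    """Constructed stand-in for a directory holding one group of total_members
    users, mimicking how AD truncates and tags multi-valued attribute reads."""
    members = [f"CN=user{i:05d},OU=Users,DC=example,DC=com" for i in range(total_members)]

    def search(dn: str, requested: str) -> Dict[str, List[str]]:
        if total_members <= MAX_VAL_RANGE:
            return {"member": list(members)}  # small group: plain attribute, no tag
        m = RANGE_RE.match(requested)
        low = int(m.group("low")) if m else 0
        end = min(low + MAX_VAL_RANGE, total_members)
        tag = "*" if end >= total_members else str(end - 1)
        return {f"member;range={low}-{tag}": members[low:end]}

    return search, members


if __name__ == "__main__":
    search, expected = make_fake_ad(3200)
    dn = "CN=AllStaff,OU=Groups,DC=example,DC=com"
    print(len(naive_members(search, dn)), "members via a single read")        # 1500
    print(len(fetch_all_members(search, dn)), "members via range retrieval")  # 3200
```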

Renaming Groups in an Identity Source May Disable Users in SaaS Applications

When you rename or move a group in an identity source, and that group has role mappings with approvals in CloudAccess, group members are no longer disabled in the SaaS applications and CloudAccess does not generate new approval requests for those users. Similarly, when you rename or move a mapped group without approvals, group members are no longer temporarily disabled in the SaaS applications and then re-enabled. (798639, 800128)

Fatal Error Logged When Policy Mapping Page Is Accessed

The /var/log/catalina.out log file on the master node no longer logs the following event whenever the Policy Mapping page in CloudAccess is accessed: [Fatal Error] :-1:-1: Premature end of file. (797102)

Approval and Reporting Pages Are Blank If Master Node Is Not Running

Instead of displaying a blank Approval or Reporting page when the master node is not running, CloudAccess now displays an appropriate error message to indicate that administrative functions are dependent on the master node. (755282)

Navigation Through the Connector for Google Apps in Internet Explorer 9 Does Not Work Correctly

Using the tab key to navigate through the Connector for Google Apps in Internet Explorer 9 now works as expected. (787762)

Users See Unhelpful Error During Sign-On If Connector for Office 365 Is Disabled or Deleted

If the Connector for Office 365 is disabled or deleted in CloudAccess, when users try to sign in to Office 365, the following error message now appears: The target service provider was not recognized. Access to that service provider is currently not available. Unable to complete request at this time. (789105)

Uninstalling Connector for Office 365 on Windows Server May Not Remove Connector from CloudAccess

If you uninstall the Connector for Office 365 on the Windows server while it is unable to communicate with the CloudAccess appliance, CloudAccess now displays the server health status as red and displays the following error message: Unable to login to Office 365 account or remote service not available. (792280)

Removing Mappings Does Not Fully Deprovision Office 365 Accounts

In a configuration where multiple Office 365 authorizations (for example, user account, license, and two group memberships) have been mapped to a single eDirectory group, when you delete the mapping on the Policy Mapping page, user accounts are now correctly deprovisioned at the Office 365 account. (801825)

System Requirements

This version of the product supports upgrades only from NetIQ CloudAccess 1.1.

Note
Once you have started the process of upgrading your appliance, do not perform any other administrative tasks in CloudAccess until the upgrade process has completed and every node in the cluster is running the new version.

For detailed information about hardware and software requirements, see Chapter 2 "Installing CloudAccess" in the NetIQ CloudAccess Installation and Configuration Guide.

Installing This Version

To install CloudAccess, see Chapter 2 "Installing CloudAccess" in the NetIQ CloudAccess Installation and Configuration Guide.

Verifying the Installation

Complete the following steps to verify that the installation was successful.

To check the installed version:

  1. Access the Admin page at https://dns_of_appliance/appliance/Admin.html, then log in with the appliance administrator credentials.
  2. Click the appliance, then click About. The version listed in the window should be 1.1.1-build number.

Known Issues

NetIQ Corporation strives to ensure our products provide quality solutions for your enterprise software needs. The following issues are currently being researched. If you need further assistance with any issue, please contact Technical Support.

Initialization Issues

Time Not Synchronized on the ESX or ESXi Server Causes Intermittent Problems

Issue:

If time is not synchronized on the ESX and ESXi servers, intermittent issues can occur, such as roles not being granted to the administrative account for the appliance. (757873)

Solution:

Configure NTP on the ESX or ESXi server.

Initialization Takes a Long Time to Display

Issue:

The initialization page takes a long time to display if there is no DHCP server in your environment. The initialization page eventually appears and assigns a 192.xxx.xxx IP address to the appliance.

Workaround:

Edit the VMX file for the appliance before the first boot. For more information, see “Configuring the Appliance without a DHCP Server” in the NetIQ CloudAccess Installation and Configuration Guide.

Changes to the Preferred DNS Server During Initialization Result in a Static IP Address

Issue:

If you want to change the preferred DNS server, you must select Use the following IP address in Step 1 on the initialization page, which assigns a static IP address to the appliance. (754137)

Workaround:

After the initialization process completes, on the Admin page, change the IP address from static to DHCP.

Administration Issues

Deleting a Node from the Cluster Removes the Node from the Interface, but the VMware Image Still Runs

Issue:

When you delete a node from the cluster, the appliance removes the node from the interface, but the VMware image still exists and is running. Leaving the VMware image running allows users to authenticate to a node that no longer exists on the Admin page. (755006)

Workaround:

Use the following procedure to delete a node from a cluster:

  1. Remove the node from the L4 switch.
  2. Delete the node from the cluster on the Admin page.
  3. Stop the VMware image on the ESX server.
  4. Delete the VMware image on the ESX server.

CloudAccess Cannot Set TenantName Attribute on Events Sent to Sentinel

Issue:

CloudAccess cannot currently set the TenantName attribute on events sent to Sentinel using the Sentinel Link collector. As a result, for events received from CloudAccess, reporting and identity tracking functionality does not work properly within Sentinel. (812159)

Workaround:

No workaround is available at this time.

Browser Errors If Kerberos Is Not Enabled in the Browser

Issue:

If Integrated Windows Authentication is enabled in CloudAccess, and a user is logged in to a domain where Kerberos is configured but Kerberos is not enabled in the browser, if the user enters invalid credentials at the OSP prompt or clicks Cancel, different browsers may display errors or may not behave as expected. (802257)

Workaround:

To prevent this issue, ensure that Kerberos is configured in the browser.

Health Status Indicates That No Time Server Is Configured

Issue:

After you add a node to the cluster, the health status for the node may display a "No time server configured!" error, even though the node is correctly configured. (816968)

Workaround:

To work around this issue, restart the appliance. CloudAccess displays health status correctly afterwards.

Provisioning Issues

User Email Address Changes in Active Directory Are Not Provisioned to Salesforce

Issue:

User email address changes in Active Directory are not provisioned to Salesforce. (717153)

Workaround:

No workaround is available at this time.

Approval-Based Provisioning Continues Despite Removing the User from a Mapped Group

Issue:

If a user is removed from a mapped group when there is an outstanding approval request, CloudAccess provisions the deleted user to the SaaS application when the administrator grants the approval. (752527)

Workaround:

Verify that the user is a member of the group before granting approval, or deny the request after removing the user from the group.

Re-enabled User Has Role That Was Previously Assigned

Issue:

If you assign a user to a role in CloudAccess and then remove that user from the identity source, CloudAccess does not automatically remove the role assignment. So, if the user's context in the identity source is later restored, CloudAccess shows that user as having the same role that was previously assigned. (765609)

Workaround:

To work around this issue, before you remove a user in the identity source, ensure that you have revoked all roles from that user on the Roles page in CloudAccess.

Policy Mapping Issues

No Connectors Are Displayed on the Policy Mapping Page

Issue:

The Policy Mapping page does not display the connectors for the SaaS applications.

Solution:

There are two possible solutions:

  • Verify that the connectors are configured properly and enabled. For more information, see the appropriate sections for configuring connectors in the NetIQ CloudAccess Installation and Configuration Guide.
  • Click the Refresh List icon in the upper-right corner of the Policy Mapping page.

The Policy Mapping Page Returns a 500 Internal Server Error

Issue:

If the master node is not running, the Policy Mapping page returns a 500 Internal Server Error. (755282)

Workaround:

Solve the problem that caused the master node to stop running, or promote another healthy node to master. The Policy Mapping page is dependent on the master node.

CloudAccess Does Not Reconcile Pending Approvals with Changes to Policy Mappings

Issue:

CloudAccess does not reconcile pending approvals with changes to policy mappings. Users with pending approvals are granted the pending requests even if the mappings were removed after the requests were launched. (787938)

Workaround:

If a policy mapping for a resource occurs by mistake, decline all the requests for that resource. If a policy mapping for a resource occurs correctly, but then the mapping is removed, simply decline all outstanding approval requests. You can often avoid this issue by ensuring that requests are approved or denied in a timely manner.

Using Multiple Browsers or Browser Windows Can Result in Duplicate Mappings

Issue:

If you simultaneously use more than one browser or browser window to map authorizations, CloudAccess does not warn you if you inadvertently do the same mapping in two different browsers. Clicking Refresh displays two identical mappings on the Approvals page, but only one of them is a valid mapping. If you remove one of the mappings, CloudAccess may not actually deprovision the user until you remove the authorization that is mapped to the group. (815825)

Workaround:

You can avoid this issue by creating policy mappings in only one browser at a time. If duplicate mappings already exist, on the CloudAccess Policy page, manually remove all duplicate authorization mappings from the role, then map the desired authorizations back to the role.

Using Wildcards for Filtering on Roles Page Does Not Work As Expected

Issue:

If you use wildcards such as an asterisk (*) or question mark (?) in the Filter field on the Roles page, CloudAccess does not correctly filter results. (813540)

Workaround:

No workaround is available at this time. To ensure accurate results, do not use wildcards for filtering on the Roles page.

Reporting Issues

Reports Display Information from Deleted Connectors

Issue:

After you delete connectors, reports still contain information about the deleted connectors. (756690, 745937)

Workaround:

No workaround is available at this time.

Mapping Report Displays Numeric Values Appended to Data in the Authorization Name Column

Issue:

After you delete and recreate mappings for connectors, the mapping report displays a numeric value appended to the data in the Authorization Name column. (753321)

Workaround:

No workaround is available at this time.

Reports May Not Accurately Show Approvals

Issue:

When you use policy mapping to map an Active Directory group to a Google Apps resource with approval required, the Overview report, the Resource by Resource report, and the Resource by User report may not show the actual current state of the user's resource allocation. If you do not use approvals, mappings work as expected and are shown correctly in the report. (789437)

Workaround:

No workaround is available at this time.

User Issues

Authentication to SaaS Application Fails in Internet Explorer 9 If Kerberos Is Enabled but the User Is Not Authenticated to Active Directory

Issue:

Login to the SaaS applications using Internet Explorer 9 fails if Kerberos is enabled, but the user is not authenticated to the Active Directory domain. (713247)

Workaround:

This is a known Internet Explorer issue and the Microsoft incident number is 687000. The user must be authenticated to Active Directory to log in.

Google Users Can No Longer Log in After Enabling Single Sign-On

Issue:

After implementing CloudAccess, you might have some issues with existing Google Apps for Business accounts. Any users that either do not exist in the identity store, or are not merged with the existing Google account, can no longer log in to the Google domain. For example, user jsmith has an account in Google Apps for Business. You implement CloudAccess with single sign-on. User jsmith attempts to log in to the Google domain and fails. Google Apps for Business does not allow both direct login and single sign-on to the same domain.

Solution:

Give users authorization to access the Google Apps for Business resource through CloudAccess.

  1. (Conditional) If the matching account exists in Active Directory, skip to Step 2. Otherwise, create a matching account in the identity store (Active Directory).
  2. Grant the user authorization to the Google Apps for Business resource by adding the user to the proper group in Active Directory. Or, map the Active Directory group to the Google Apps for Business group through the Policy Mapping page. For more information, see “Loading Google Apps for Business Authorizations” in the NetIQ CloudAccess Installation and Configuration Guide. The two accounts merge when the user receives authorization for Google Apps for Business through the Policy Mapping page. CloudAccess automatically generates a new password and resets the Google Apps for Business password. When users access the resource after the merge occurs, they automatically log in to Google Apps for Business through single sign-on.

Time Synchronization Issue

CloudAccess depends on timestamps to function properly. Time must be synchronized between the VMware host, each CloudAccess node in the cluster, and the workstations administering CloudAccess.

Issue:

If time is not synchronized, provisioning fails, configurations fail, and authentication for users fails.

Solution:

Use the following items to resolve time synchronization issues:

  • Ensure that all nodes in the cluster reside in the same time zone.
  • Configure NTP on the ESX or ESXi server.
  • If you convert the OVF file to a VMX file, deselect the default option Edit Settings > Options > VMware Tools > Synchronize guest time with host. (748923)

Connector Issues

Logging Out of Identity Provider Welcome Page Does Not Result in Logout from SaaS Connectors

Issue:

Logging out of the Identity Provider welcome page may not result in logout from the SaaS accounts, depending on support and configuration for SAML Single Logout at the SaaS provider. Many SaaS providers do not support the SAML Single Logout service. The same issue exists with service provider-initiated logouts. (753156)

Workaround:

Close the browser to allow the abandoned browser session to time out, so the session cannot be accessed again.

Admin Page Does Not Provide a Way to View SaaS Metadata

Issue:

The Admin page in CloudAccess does not currently provide a means of viewing the critical content in an uploaded metadata file, such as when configuring the Connector for Salesforce. (793495)

Workaround:

No workaround is available at this time. Since metadata for connectors must be unique, ensure that the metadata file is correct before uploading it.

Office 365 Installer May Fail During CloudAccess Credential Validation or Login

Issue:

When you install the Office 365 connector on the ADFS host, the installer prompts you for login credentials and the DNS name for the CloudAccess cluster. When you click Next, the installer validates your credentials against the CloudAccess appliance. Intermittently, the installer displays an error message incorrectly stating that the credentials are invalid. After the installer has gathered the remaining information required for installation, another failure may occur and the installer may display the following message: Incorrect username or password provided. Please verify the NetIQ CloudAccess credentials. (775245)

Workaround:

Click Next repeatedly without modifying the credentials you entered. Validation eventually succeeds and the installer advances to the next step.

Display Name Does Not Change in Office 365 after Changing in Identity Source

Issue:

If you change the display name of a user in Active Directory or eDirectory, the display name in Office 365 is not updated accordingly. CloudAccess constructs the display name from the first and last name and does not synchronize the display name and full name from the identity source. (794602)

Workaround:

To work around this issue, change the user's first and last name in the identity source instead of the display name.

Access Connector Toolkit Does Not Provide a Logout Option

Issue:

The Access Connector Toolkit does not currently provide a logout option, though the session does time out after 60 minutes of inactivity. (789303)

Workaround:

Close the browser after you finish working in the Access Connector Toolkit.

Renaming Authorization at Office 365 Account Requires Policy Remapping in CloudAccess

Issue:

If an authorization at the Office 365 account is renamed, any existing policy mappings in CloudAccess are lost, because CloudAccess uses the account name rather than the underlying static ID of the authorization for policy mapping. (811460)

Workaround:

No workaround is available at this time. After changing the Office 365 authorization name, use Policy Mapping to re-map and Approvals to re-approve if necessary.

Office 365 User Licenses Are Not Always Removed During Deprovisioning

Issue:

When you deprovision Office 365 users, CloudAccess may not consistently remove all licenses and authorizations for those users. (815104)

Workaround:

No workaround is available at this time. After you deprovision users, check to ensure that all licenses, security groups, and other authorizations have been removed. If necessary, remove any remaining authorizations manually.

Office 365 Single Sign-On Does Not Work After Changing Signing and Decryption Keys at ADFS

Issue:

In a configuration where users are successfully using single sign-on (SSO) to Office 365, if you change the "Token-decrypting" and "Token-signing" keypairs at the ADFS server, SSO stops working. Even if you import the new certificates by clicking Refresh Metadata in the Office 365 configuration panel and clicking Apply, when users click the Office 365 auth card on the OSP welcome page, SSO fails and an exception is logged in the catalina.out file. (802158)

Workaround:

To work around this issue, run the Connector for Office 365 .msi installer and select Repair mode. Single sign-on works correctly after you run Repair.

First and Last Names Are Not Updated When a User Uses Single Sign-on to Google Apps with an Existing Account

Issue:

After CloudAccess provisions a user with an existing account, the user is provisioned correctly, but when the user uses single sign-on with an existing account, the First Name and Last Name are not updated to match the values from the identity source. This issue does not affect users with new accounts. (796583)

Workaround:

No workaround is available at this time.

Service Provider-Initiated Login to Salesforce and NetIQ Access Manager Does Not Work Correctly

The following limitations currently exist with the Connector for Salesforce and the Connector for NetIQ Access Manager:

  • The standard Connector for Salesforce supports multiple domains. However, the Salesforce single sign-on (SSO) connector does not support multiple domains. So, if you use the SSO Connector for Salesforce, you must use the https://saml.salesforce.com URL.
  • In Safari or Internet Explorer 9, if you attempt a service provider-initiated login from Salesforce, the Salesforce site does not send a SAML2 AuthnRequest XML document with the SAML Request. As a result, the Welcome page appears instead of the logged-in Salesforce page. This is Salesforce behavior and cannot be addressed in the Connector for Salesforce. This behavior does not occur in Internet Explorer 10. The same behavior occurs with the Connector for NetIQ Access Manager using Safari or Internet Explorer 9 or 10. (813313)

Single Sign-On to Box.com Fails if User Session Timeout Is Set to 75 Minutes Or Longer

Issue:

If you set the user session timeout for the cluster to 75 minutes or longer, the Box connector displays an error when users attempt to use single sign-on to Box. (814752)

Workaround:

To ensure that single sign-on works for the Box connector, set the User session timeout value to 74 minutes or less. This is a cluster-level setting, so it also affects user sessions that do not use Box.

Additions to Documentation

Behavior of Service Provider-Initiated Login To Salesforce When Kerberos Is Enabled

If you have Kerberos enabled on your CloudAccess cluster, service provider-initiated login attempts to Salesforce may result in the browser being left at the OSP welcome page after authenticating to the OSP instead of being redirected back to Salesforce. This issue occurs only if Kerberos is enabled on the CloudAccess cluster, but it occurs regardless of whether Kerberos single sign-on (SSO) occurs to the OSP or another authentication is used instead (for example, when the workstation is not a member of the Active Directory domain).

You can prevent or address this issue by changing an option on the Single Sign-On Settings page at Salesforce. This page includes a new radio button named Service Provider Initiated Request Binding with two options: HTTP POST (selected by default) and HTTP Redirect. If you have Kerberos enabled on your CloudAccess cluster, select HTTP Redirect instead of the default HTTP POST option. If you do not have Kerberos enabled on the CloudAccess cluster, you do not need to change this option.

This issue occurs on workstations running Windows 7 and Internet Explorer 9, but does not occur with Firefox on Windows 7.
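An added Python example (not CloudAccess or Salesforce code) showing what the two Service Provider Initiated Request Binding choices put on the wire: the same AuthnRequest encoded for HTTP Redirect and for HTTP POST, together with the decoding the identity provider applies. The AuthnRequest, its ID, issuer and destination are constructed placeholders.

```python
import base64
import urllib.parse
import zlib
from typing import Dict, Optional

# Constructed sample AuthnRequest; ID, issuer and destination are placeholders.
AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed-id-0001" '
    'Version="2.0" IssueInstant="2013-06-01T12:00:00Z" '
    'Destination="https://idp.example.com/osp/saml2/sso">'
    '<saml:Issuer>https://sp.example.com</saml:Issuer>'
    '</samlp:AuthnRequest>'
)


def encode_redirect(xml: str, relay_state: Optional[str] = None) -> str:
    """HTTP-Redirect binding: raw DEFLATE, then base64, then URL-encode the result
    into the query string of a GET to the identity provider's SSO endpoint."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw DEFLATE, no zlib header
    raw = comp.compress(xml.encode("utf-8")) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(raw).decode("ascii")}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return urllib.parse.urlencode(params)


def decode_redirect(query: str) -> str:
    """Inverse of encode_redirect, as the identity provider applies it."""
    params = urllib.parse.parse_qs(query)
    raw = base64.b64decode(params["SAMLRequest"][0])
    return zlib.decompress(raw, -15).decode("utf-8")


def encode_post(xml: str, relay_state: Optional[str] = None) -> Dict[str, str]:
    """HTTP-POST binding: plain base64 (no compression) in a SAMLRequest form field
    that the browser submits with a POST."""
    form = {"SAMLRequest": base64.b64encode(xml.encode("utf-8")).decode("ascii")}
    if relay_state is not None:
        form["RelayState"] = relay_state
    return form


def decode_post(form: Dict[str, str]) -> str:
    """Inverse of encode_post."""
    return base64.b64decode(form["SAMLRequest"]).decode("utf-8")


if __name__ == "__main__":
    q = encode_redirect(AUTHN_REQUEST, relay_state="/home")
    print("GET  https://idp.example.com/osp/saml2/sso?" + q[:48] + "...")
    f = encode_post(AUTHN_REQUEST, relay_state="/home")
    print("POST SAMLRequest=" + f["SAMLRequest"][:48] + "... RelayState=" + f["RelayState"])
```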

Google Apps Mail Attachment Limit

The CloudAccess Connector for Google Apps for Business currently has a maximum attachment size of 10 MB for the Google Apps Mail proxy.

Contact Information

Our goal is to provide documentation that meets your needs. If you have suggestions for improvements, please email Documentation-Feedback@netiq.com. We value your input and look forward to hearing from you.

For detailed contact information, see the Support Contact Information Web site.

For general corporate and product information, see the NetIQ Corporate Web site.

For interactive conversations with your peers and NetIQ experts, become an active member of Qmunity, our community Web site that offers product forums, product notifications, blogs, and product user groups.
