Release Notes - v24.50
- Updated on 23 Jul 2024
Product Name | Cross Identity |
---|---|
Version Revision | v24.50 |
Date | 30.04.2024 |
The v24.50 release notes describe the new features and enhancements introduced in Cross Identity. This version includes the following items:
New features: 76
Enhancements: 36
What's new in this release:
Sr. No. | New Features | Description |
---|---|---|
Passwordless Authentication | ||
1. | Passwordless Authentication Mobile app | Developed a mobile application to perform Passwordless authentication initiated by a user in the Cross Identity solution. |
2. | Passwordless Authentication API | An API to allow third-party applications to integrate with a system that provides passwordless authentication. |
3. | Passwordless Authentication as MFA | A user can opt for various passwordless authentication methods, such as biometric authentication using a fingerprint or Face ID, or an authentication push notification sent to the registered mobile device. |
4. | Passwordless device (laptops and mobile) de-registration | This functionality allows users to remove a passwordless device from the authorized device list and revoke its access to their account or system. |
5. | Passwordless Authentication Events in CI Report/Event Logs | Every Passwordless Authentication event triggered from CIVerifID or WebAuthn will be captured under Reports (End User activities) & Event Logs. |
6. | Magic Link for Initial User Registration | It's a one-time login link sent to a user via email to complete the initial registration process for Passwordless Authentication. |
CI Features | ||
7. | Remove the login prompt when an end user clicks the Registration/Manage Credentials menu item | The user validates with any registered MFA factor instead of re-entering login credentials to access restricted menu items such as the Registration menu, Manage Credentials and the Admin Console button. |
8. | Initiate Access Request workflow using API (OAuth/OIDC) | An external system raises a ticket for an access request, triggering an approval workflow in Cross Identity. |
9. | MFA for 'Go to Admin Console' | A new target, Cross Identity Admin Portal, is added to the Advanced Access Management policy, so an admin can define an Advanced Access Management policy for access to the Admin Console. |
10. | New policy introduced for the IP address under Advanced Access Management | The IP address a user belongs to is entered in the policy, and Cross Identity validates the user's IP address against it. |
11. | New policy introduced for the MAC address under Advanced Access Management | The MAC address a user belongs to is entered in the policy, and Cross Identity validates the user's MAC address against it. |
12. | Test connectivity for the IGA application | Added a tab called Test Connectivity on the IGA application to test the connection. |
13. | View the scheduler status | An admin can check the status and logs of the schedulers, including Recon, Directory, SoT and Workflow. |
14. | A new button is added as 'Deactivate' on the Identities page. | It enables the admin to suspend a user and remove their assigned licenses permanently. |
15. | Support for Bookmark SSO URL | The SSO bookmark URL directs users to the SSO application login page, injecting login credentials for extension-based apps and redirecting to the app's home page for SAML-based apps. |
16. | Account Categories (Regular/Privileged) in IGA | In the IGA application, each account is tagged as either "Regular" or "Privileged" so that appropriate security measures and access controls can be applied. |
17. | Redirection to MFA login in case of time-out during passwordless authentication | In case of failed passwordless authentication or session timeout, users will be prompted to validate via Multi-Factor Authentication (MFA) instead of using a password. The MFA screen will exclude password options, ensuring secure authentication with alternative factors. |
18. | getuserinfo API to fetch soft token details | A new API retrieves the username and TOTP secret key information, including the date the secret key was last updated. |
19. | Addition of General Tab in IGA Application | The General tab in the IGA application provides essential details about an application, including its name, connector war file name, application logo, application owner, and other relevant information. |
20. | Account Management Dashboard Creation | We have implemented a dashboard for IGA applications. The dashboard provides insight into accounts and entitlements activities, access requests and access review summaries. |
21. | Natural Language Reporting Using AI | With this feature, you can utilize AI to generate reports using human-like text (free text). |
22. | Comprehensive view of user's entitlements | Users' entitlements can be conveniently viewed in a centralized location under the section titled Identities > Applications. |
23. | Event-based Access Review & Recertification | There is a new workflow for event-based certification. Administrators can establish policies that enable event-based reviews for predefined IAM events. |
24. | Enhance Track Request Page for Entitlement Requests by Including Application Names | The addition of application names on the Track Request page for entitlement requests simplifies the identification process, enabling users to associate entitlements with specific applications easily. |
25. | Implementation of a Password Policy Restricting User Attribute Use | Administrators can configure the password policy, selecting specific user attributes to restrict and enhance security measures. Users attempting to reset passwords using blacklisted user attributes will receive notifications, ensuring compliance with policy standards. |
26. | Introduce the "Category" field as a built-in attribute for both Account and Entitlement | Introduced a "Category" field with values "Regular" (default) and "Privileged" for both Account and Entitlement entities. When an account is linked to privileged entitlements, CI automatically sets its "Category" to "Privileged". |
27. | Intermediate Page for New Users during SAML SSO Flow | Enhances the Cross Identity user portal's SAML SSO flow for new users, presenting an intermediate page for account activation during SAML application access. This feature streamlines onboarding new users by guiding them to set a new password and login before granting access to the target application. |
28. | Email API provider to be integrated for SMTP | Integrated an Email API provider to leverage the capabilities of an external Email API provider for enhanced email notifications, while retaining the option to use the inbuilt SMTP gateway. |
29. | Manage multiple Sessions for End Users | This feature restricts each end user to one browser session at a time instead of multiple concurrent sessions, to enhance system security and ensure that each user account is accessed individually. To enable it, the is_concurrent_login_allowed key should be set to 0 in the fluidiam_client table. |
30. | Add Dept, MFA Registration & Source columns in the License Reports | Added 3 new columns to the license reports to display the department, the MFA methods registered by the user, and the source of the user. The Department column shows the department associated with each user. The MFA Registered column lists the multi-factor authentication methods registered by each user, separated by commas, covering options such as Soft Token, Security Questions, Email OTP, SMS OTP, and Passwordless Authentication. The Source column indicates the origin of each user, whether from an integrated system (SoT), a Continuous Integration (CI) process or a CSV import. |
31. | The password field should be in Read-only mode after a user clicks on the Sign-in button | Enhanced the sign-in experience by implementing a read-only mode for the password field after clicking the "Sign in" button to prevent accidental password modification while the sign-in process is underway. |
32. | Smart Client Application integration | This feature allows a user of the CI Launchpad and associated smart client applications to seamlessly access multiple applications with Single Sign-On (SSO), avoiding repetitive logins. |
33. | Admin Capabilities to Reset User Password/MFA Re-Registration | A new tab under the Identities section allows the admin user to reset a user's password, security questions or soft token, so that when the user next accesses CI they are prompted to register again or set up a new password. |
34. | Password visibility toggle | Admin/end user can view the password entered by clicking the password visibility toggle on the password fields. |
35. | CI Admin - Capturing and Storing AD Login Details for SSO Integration | CI Admin can capture and store the login details (username and password) of users when they log into the CI system, which is set to use Active Directory (AD) authentication, so that these credentials can be utilized to implement Single Sign-On (SSO) for web-based/ extension-based applications (AD Integrated applications), enhancing user experience and maintaining security. |
36. | Update the changed password for Extension-based/Thick-Client Applications | This allows users to update the changed password of their credentials for multiple applications in one go on Cross Identity’s End User Portal. |
37. | Integration of Tenant Creation and Modification in MSSP/Consumption Portal | The client creation option is available on the MSSP Portal for the CI Admin users to create and modify tenants directly in the portal without needing a separate URL. |
38. | Option of initiating all Provisioning and de-provisioning activities based on schedule. | This feature allows admins to schedule various User Lifecycle Management (ULM) operations, such as Create User, Modify User, and more, on a Daily, Weekly, Monthly, or Yearly basis. The scheduler configuration includes options for specific days, start times, and intervals, providing flexibility in managing user accounts seamlessly. |
39. | Enhancing Fail Transaction Identification and Re-Triggering | Admins now benefit from enhanced error identification and messaging for failed transactions in the IGA connector. This includes a wide range of operations like Add, Modify, Delete, Suspend, Restore, Password Change, Password Unlock, Entitlement Add, and Remove Entitlement. Admins can quickly address issues with accurate error messages and conveniently re-trigger operations to ensure seamless functionality once resolved. |
40. | CI Device Trust Solution | This solution ensures secure application access by permitting only users with managed devices, supported on Android, validated through device certificates. Unmanaged devices trigger authentication measures, including potential multi-factor authentication, reinforcing security. |
Segregation of Duties (SoD) | ||
41. | SoD listing page | Introduced new columns like policy status, owner, and active violations count, along with buttons for policy management. It includes admin configurations for enabling/disabling SoD checks and defining access control for different roles. |
42. | General tab of SoD policy | The general tab of SoD Policy contains fields for Policy Name, Description, and notification settings for SoD owners/reviewers. Users can specify the days before the review completion date to trigger notifications, with a save button to apply configuration changes. |
43. | SoD policy owner | Configuration for adding reviewers, configuring steps, and changing the owner. It also removes the option for roles, renames "delete owner" to "change owner," and includes provisions for viewing allocation details. |
44. | SoD policy rules | Implemented conflict checks in role definitions and provided warnings for conflicts. It includes notifications to the SoD owner and admins regarding conflicts, allowing for policy review and modification. |
45. | SoD Reviewer | Added the SoD reviewer tab for the addition, editing, and deletion of reviewers for a policy. It introduces step duration configuration, and task delegation, and provides options to view allocation details and review tasks. |
46. | SoD Campaign | SoD campaigns enable administrators to preview and run campaigns for violations related to SoD policies. It allows initiating campaigns to identify violations and triggering reviews for corrective actions by SoD owners/reviewers. The feature includes options for running previews to evaluate violations before triggering campaigns and provides detailed campaign information for tracking and management. |
47. | SoD owner rule | Implemented conflict checks for new rule creations, preventing violations of existing SoD policies. It disables adding conflicting accesses and notifies admins via email and notifications, ensuring resolution before saving. Additionally, it logs violations and resolutions, maintains error handling and prevents publishing SoD policies with conflicts. |
48. | SoD violation role access | The violated user cannot be re-evaluated in the campaign until the violation acceptance date expires. |
49. | SoD policy rule for a manually added user to a static role | Whenever a user is added to a static role, SoD policy is enforced to comply with regulatory requirements. |
50. | Search policy in SoD | A button is added to search the policies already created. |
51. | SoD client creation pricing | Consumption-based license pricing fields for SoD and Passwordless Authentication options during client creation. |
52. | Violation of SoD policies post recon | The system identifies any violations of SoD policies after a reconciliation is performed for an application. |
53. | Out of Office, SoD delegated reviewer | A reviewer can set up out-of-office delegation to another reviewer during their absence. |
54. | Display icon against users with violated accesses | A warning icon is displayed against an identity if it violates any SoD rule. |
55. | SoD addition to menu listing for admins and users | SoD must be a part of the menu items accessible to the administrator. SoD is available on the end-user portal menu, not on the administrator portal. |
56. | SoD Review Violation | The SoD Review Violation enhancement allows admins to enforce SoD policies by triggering validations upon assigning users to static roles, generating alerts for violations, enabling reviewers to approve or revoke access with notifications, and maintaining logs for audit purposes. |
57. | Scheduler for SoD | Implemented schedulers for SoD notifications to owners and reviewers based on policy configuration. It includes automating campaign delegation after the reviewer's step duration, sending reminders before the step duration ends, and re-triggering campaigns for mitigated accesses of violated users. Additionally, it includes updating email notification templates to remind about campaign task completion deadlines. |
58. | SoD Dashboard | Introduced a "Summary" submenu in the SoD section for a comprehensive dashboard overview of violations. Widgets display various metrics such as total violations, closed violations, accepted violations, new violations, users with the most violations, and more, with drill-down details and PDF download capability. |
59. | SoD reports | Reports for all the activities related to SoD will be captured in the Admin portal under the "Reports" section. |
60. | SoD Violation in Access Request | Users are warned of potential SoD violations when requesting access to the CI portal, with warnings visible to both requesters and approvers. |
61. | Delete the SoD Policy option | This feature enables users to remove Separation of Duties (SoD) policies, accessible only after disabling them. |
CI Mobile App | ||
62. | Authenticate to CI Mobile App | Log in to the Cross Identity App with username and password (Both CI and AD login). |
63. | Multifactor Authentication for Global Login into the App | Enabled MFA for global-level authentication into the CI mobile App. Users must authenticate through one of the MFA factors (SMS OTP/ Email OTP/ Security Questions/ Soft Token). |
64. | Single Sign On through CI Mobile App | Perform Single Sign-On for applications that support Federated Protocols (SAML) to Mobile Apps (Business/ Enterprise Apps). |
65. | Device Restriction for Android | Restrict users to access the CI Mobile App based on certificate authentication. |
66. | Application-level MFA | CI App prompts for App level MFA (SMS OTP/ Email OTP/ Security Questions/ Soft Token/Passwordless Authentication) during SSO based on the AAM Policy. |
67. | Reset Password through the CI Mobile App | The user can reset the password on the CI App. |
68. | Unlock Account through the CI Mobile App | The user has the ability to unlock his account on the CI App. |
69. | Automatically Launch CI Mobile App for Installed users when users access the CI URL on the browser | CI automatically launches the CI mobile app instead of the browser when a user opens the CI URL in a browser (if the user has installed the mobile app on their device). |
Integrated Windows Authentication | ||
70. | Support Integrated Windows Authentication (IWA) with CI-AuthAgent | CIAuth Agent collects the device information and automatically fills in the username when the user is accessing the CI login page. |
71. | Seamless Access to Cross Identity Launch Pad with CI Authentication Agent. | Enhance the user experience by enabling seamless access to the Cross Identity Launchpad through the CI Authentication Agent. Users can securely log in without manual input of credentials, as the system automatically validates device and user information, granting access upon successful verification and providing clear error feedback when necessary. |
CI Windows Login (CWL) | ||
72. | Password-based Authentication to Windows Login | Users can log in to the Windows systems using their Cross Identity credentials (internet-enabled). Users can log in to the Windows system using the domain credentials (internet-enabled). |
73. | Passwordless Authentication to Windows Login | Users can log in to the Windows systems by authenticating on the CIVerifID app through the passwordless authentication flow (internet-enabled). |
74. | Offline Authentication to Windows Login with CI Credentials | If users do not have internet connectivity on their Windows Systems, they can log in to the Windows systems using their Cross Identity credentials and validate with a TOTP. |
75. | Reset/ Change Password in CI (Password-based authentication) | After resetting the user's password in CI, the user is able to log in to CI and Windows with the new password. |
76. | MFA Prompt (Soft Token TOTP) during login for domain and non-domain users | Users will be prompted for step-up authentication with Soft Token TOTP while logging in to Windows with CWL. |
Enhancements
Sr. No. | Enhancements | Description |
---|---|---|
1. | Added a drop-down Contains and Not Contains under Advanced Access Management > Network Range. | The policy will determine the MFA action based on the value selected in the drop-down. |
2. | Fine-tune Cross Identity On-Prem Agent Code | Removed all unwanted libraries and log messages. |
3. | Introduced additional filter under Track Request on end-user portal | Added Status and Application name filter to enable the search for access requests. |
4. | Enhance Captcha Configuration page under Security | Enable check-boxes for Cross Identity pages only after the Site and Secret keys are saved in Cross Identity. |
5. | Standard Format to Generate an authorised token | Now a standard format is followed to generate an authorized token. |
6. | Admin to reset/unlock end user's password | Added a tab to reset/unlock the user's password from the Identities page. |
7. | RPSA Support for Cross-Identity Cloud | To facilitate communication of a new password from Active Directory (AD) to the RPSA agent, the REST API endpoint is implemented within the agent. This enables the RPSA agent to invoke the API and relay the updated password of the AD user. |
8. | License on Consumption Portal Dashboard | Display both licenses (IGA & AAM) on the Consumption Portal Dashboard. |
9. | License not revoked after user deletion | When a user is deleted from the Cross Identity, the associated license will also be deleted. |
10. | Email template for manager-initiated Access Review | Defined email template for application account and entitlement and role revoke. |
11. | AD password reset | The backend validation of the current password before resetting an AD user's password is removed. |
12. | Combine suspend and restore buttons on the Identities menu | The Suspend and Restore button in the Identities page of the Admin console will be combined into one single button and a new status ‘SUSPENDED’ will be introduced to indicate the temporary suspension of the user. |
13. | Re-size the search bar field on the Identities menu | The search bar length is shortened to align all the buttons. |
14. | Move the filter icon next to the reset button on the Identities page | It gives space to the new Magic link button. |
15. | The identities page search bar refresh removed | Refresh and cancel buttons are removed to search for the identity seamlessly. |
16. | API for a list of active users in Cross Identity | A new API is created to fetch the list of active users in Cross Identity. |
17. | A mandatory column should be displayed on the Identities menu | Username, full name, email address, department, mobile, and status are the mandatory fields. |
18. | Show the corresponding logo | During the SP-initiated SSO flow, display the corresponding application logo on the login pages. |
19. | Client creation with SoD menu | Adding SoD and Passwordless Authentication in the License menu. |
20. | License Report | Generates a report with the list of licensed user details (both assigned and non-assigned licenses) from the Reports Section. |
21. | Display identity creation method when a user is created from CI API | When an identity is created via the CI add user API, the method will be mentioned as "Identity was created via Cross Identity (CI) API" in the Other Tab of an identity. |
22. | Sync with User profile attribute to be disabled if mapped against "Username" and Expression | In the IGA Application Account Attributes, if the username attribute has been selected, the Sync back option will be disabled. |
23. | Email Notification for Delegated Access Request | Email notification will be sent when any access request has been delegated to another user for approval. |
24. | Email Notification for Certification Action in Case of Multi-Level Reviewer | Once the reviewer takes an action of either Retain or Revoke, the respective identity will receive an email notification stating that the Access has been Retained or Revoked. |
25. | Implement the "nonce" parameter in the OIDC flow | Enhance security in the OIDC flow by implementing the "nonce" parameter, ensuring that login tokens generated by the Identity Provider (IdP) can only be used once, thereby preventing potential replay attacks. This addition strengthens client session association with the ID-Token, enhancing overall security measures. |
26. | Update Heading for Soft Token MFA Registration Step | Enhancement made to the soft token registration process, focusing on the updated heading to provide clearer guidance to end users. With this enhancement, the heading now displays: "Please enter the TOTP code below to complete the registration." |
27. | Update Prompt for Entering Soft Token Code | Enhancement made to the prompt for entering the Soft Token code. The previous heading "Please enter 6 digit numeric code" has been updated to "Open your MFA app again, get the 6 digit numeric code and enter these 6 digits below. Click Verify" in the MFA registration page and the "Registration Menu" page. |
28. | Branding & Tagline modifications on the CI Admin Portal | Branding on the CI Admin portal has been changed from Cross Identity to Cross Identity. |
29. | Improve the UI on mobile browsers | The CI UI on mobile browsers has been improved. Upon login to the CI user portal, the user will be taken to the Landing Page. The menu section is now minimized during the login. |
30. | Enhance user identification in reports | Under the End User Activities reports section, the admin will be able to view the user's username, full name and email address as separate columns by default. |
31. | Improved User Experience for Forgot Password Flow | The username entered in the CI login field is carried over automatically when the user subsequently clicks "Forgot Password/ Unlock Account", instead of having to re-enter it. |
32. | Alignment of MFA Screens UI and terminology changes | Label changes in the soft token registration screens and alignment have been improved for a better user experience. |
33. | UI changes required in the Security menu item on the CI’s Admin Portal | Label changes made in the CI IDP details. |
34. | Enhance Security for TOTP Verification API through OAuth/OIDC Integration | Integrated OAuth 2.0 and OpenID Connect (OIDC) with our TOTP verification API, so that the API can securely authenticate and authorize client applications, ensuring that only legitimate requests are processed, and user authentication is handled securely. |
35. | Remove user-role membership in CI after import, if a user is removed from a group in AD | This enhancement ensures that users removed from AD groups are promptly unassigned from corresponding Cross Identity roles when AD import is initiated, enhancing access management consistency and efficiency. |
36. | Include firstname and lastname in the Email template instead of a username. | Email notification templates have been enhanced to include Firstname and lastname as per the attribute in CI, instead of username. |
Reference Documents
Installation Guide
Sr.No. | Version | Month | Document name |
---|---|---|---|
1. | 24.50 | April 2024 | |
Admin Guide
Sr.No. | Version | Month | Document name |
---|---|---|---|
1. | 24.50 | April 2024 | |
User Guide
Sr.No. | Version | Month | Document name |
---|---|---|---|
1. | 24.50 | April 2024 | |