SafeNet IDPrime Virtual 2.7.0
Issue Month: August 2024
Build Details
-
Server (Full version): 2.6.0.22
-
Windows Client: 2.7.0.611
Product Description
SafeNet IDPrime Virtual (IDPV) is a PKI-based software authenticator that uses latest innovation in software-based smart token technology to combine the strong two-factor security of a smart card. It is cost effective and convenient for the software authentication. IDPV emulates the functionality of physical smart cards used for authentication, email, data encryption, and digital signing to enable the use cases such as VDI, BYOD, backup, and mobility on any device. It secures user private key on HSM with user authentication from OIDC compatible Identity providers (IDPs).
Release Description
SafeNet IDPrime Virtual v2.7.0.611 includes new features and bug fixes from the previous version.
New Features and Enhancements
Three types of installation options are now available:
- Typical: In the Typical installation type, SafeNet IDPV Client and SDK Windows Service are installed to load virtual smart cards on supported devices.
- Complete: In the Complete installation type, SafeNet IDPV Client, SDK Windows Service, and Credential Provider are installed to load virtual smart cards on supported devices.
- Remote Desktop Access (RDP): In the Remote Desktop Access (RDP) installation type, SafeNet IDPV Client and SDK Windows Service are installed to load virtual smart cards on virtual machines for remote access.
| RDP supports | RDP does not support |
|---|---|
|
|
Advisory Notes
Before deploying this release, note the following high-level requirements and limitations:
-
In this release, ADML and ADMX files are not included in the package.
-
For Azure Virtual Desktop (AVD) multi-user session, Microsoft has recommended a minimum of 8 vCPUs, 16-GB RAM, and 32-GB storage. For more information, refer to the Microsoft documentation.
-
It is recommended to install IDPV client before installing SafeNet Authentication Client (SAC Middleware).
-
On a multi-user session supported machine, if an administrator changes the registry value of On Behalf connect from 0 to 1, the Connect On Behalf option in the system tray becomes available for all users. Additionally, if the tenant is set up with the -u flag as true, non-admin users will also be able to create more tokens.
-
If the IDPV Client is installed in the Remote Desktop Access (RDP) mode, then SAC must be installed in the Typical mode.
-
If the IDPV Client installation type is modified from Typical to Remote Desktop Access (RDP) or vice versa, a system reboot is required.
-
If SafeNet IDPV Client is installed using Remote Desktop Access (RDP) mode after the SAC installation, then system reboot is required.
-
After uninstalling IDPV Client, if any application is using PKI, then system reboot is required.
-
Identity Providers (IDPs) need to be configured distinctively for different IDPs. To know about the newly supported IDPs, refer to SafeNet IDPrime Virtual Server Client Integration Documentation.
-
It is suggested not to use the installer upgrade option for the latest IDPV v2.7.0.611 Client installer. Instead, perform a fresh installation. Also, IDPV Client v2.7.0.611 must be installed together with SAC 10.9.3693.0.
-
The Complete installation type is not recommended to be installed with IDPV Client v2.7.0.611.
-
Working of sign and verify in offline mode for SHA384 and SHA512 -PSS mechanisms will depend on the client machine TPM.
-
Simultaneous write operations from different IDPV Client machines is not support for IDPV virtual tokens.
Licensing
SafeNet IDPrime Virtual users can opt between the evaluation and full version software licenses. The evaluation version is free but limits users to create 50 tokens. Users must purchase the full version to create unlimited tokens.
Localization Support
Operating System is localization based. Therefore, it is automatically managed.
The currently supported languages are:
-
English (default)
-
Spanish
-
German
-
French
-
Hindi and Hebrew as experimental
This list is expandable based on Qt cross-platform development solution and its internationalization support.
Default Password
Virtual IDPrime cards are supplied with the following default token password: “000000” (6 zeros) and the Administrator Password must be entered using 48 zeros.
Password Recommendations
We strongly recommend changing all device passwords upon receipt of a token/ smart card as follows:
-
User PIN should include at least 8 characters of different types.
-
PIN character types should include upper case, lower case, numbers, and special characters.
For more information, refer to the ‘Security Recommendations’ section in SafeNet IDPrime Virtual Server-Client Product Documentation.
Compatibility Information
Operating Systems
Following operating systems are supported:
Client Operating Systems
-
Windows 10 (2004 or higher)
- Microsoft Trusted Platform Module (TPM 2.0) for Offline Mode
-
Windows 11 (23H2 or higher)
Middleware
-
SafeNet Authentication Client 10.9.3693.0
-
SafeNet Minidriver 10.9.3120.0
Virtual Smart Card Features
Below table specifies the various features that are supported by IDPV:
| Features: | Device: SafeNet IDPrime Virtual |
|---|---|
| Number of Keys | 15 max |
| RSA Key Size | 2048 bit |
| RSA Padding | PKCS#1 v1.5 |
| Hash and Signature Schemes | • SHA-2 512-bit • CKM_SHA1_RSA_PKCS_PSS • CKM_SHA256_RSA_PKCS_PSS • CKM_SHA384_RSA_PKCS_PSS • CKM_SHA512_RSA_PKCS_PSS |
| Supported APIs | PKCS#11 V2.20, PKCS#15, MS CryptoAPI and CNG(CSP,KSP), PC/SC |
| Supported cryptographic algorithms | 3DES, SHA-256, RSA upto 2048, RSA PSS |
Execution of Third-Party Security Tools
-
Aqua Trivy 0.34.0
-
Anchore Grype 0.53.1
-
Open Collective Dockle 0.1.16
-
Anchore Syft 0.62.1
-
Cisco ClamAV 2.6.5
Compatibility with Third-Party Applications
Following third-party applications are supported:
| Solution Type | Vendor | Product Version |
|---|---|---|
| Virtual Desktop Infrastructure (VDI) | VMware VSphere | vSphere 7.0.3.01400 |
Identity Access Management (IAM) Identity Management (IDM) |
vSEC:CMS | vSEC:CMS 6.9 |
| Certificate Authority (CA) | Microsoft (Local CA) |
For All Windows platforms |
| Browsers | Mozilla | Firefox 123 or higher |
| Microsoft | Edge (Chromium) 121.0.2277.112 or higher | |
| Chrome 122.0.6261 or higher | ||
| Remote Desktop Applications | Devolutions | 2022.1.23.0 |
| Royal TS | 6.1.50425.0 | |
| Dameware | 12.2.2.12 |
Compatibility with Thales Applications
Virtual IDPrime cards can be used with the following products:
-
SafeNet Authentication Service Private Cloud Edition (SAS PCE) with Keycloak / SafeNet Trusted Access (STA)
-
SafeNet Authentication Client (SAC) 10.9.3693.0
-
SafeNet Minidriver 10.9.3120.0
Resolved and Known Issues
This section lists the resolved and known issues that exist in this release. The following table defines the severity of the issues listed in this section.
| Severity | Classification | Definition |
|---|---|---|
| C | Critical | No reasonable workaround exists. |
| H | High | Reasonable workaround exists. |
| M | Medium | Medium level priority problems. |
| L | Low | Lowest level priority problems. |
Resolved Issues
| Issue | Severity | Synopsis |
|---|---|---|
IDPV-6827 |
M | Refresh token behavior conflicting with Windows system level cookies in Azure IDPV Client. |
| IDPV-10054 | M | User is not able to move to the Offline mode in Typical the installation type. |
| IDPV-7911 | H | MSSQL database is not working after migration. |
| IDPV-8004 | H | When the client undergoes an upgrade, the offline bundle expiry is updated. Once the expiry period of the bundle ends, the user is unable to go online. |
| IDPV-6579 | M | Only the Import API code is updated as it was having scope for code optimization. |
| IDPV-7207 | L | Incorrect message on swagger interface in case of Generate CSR response-UI Issue. |
| IDPV-7202 | H | IDPrime virtual server API gives 200 response without response body, in case the database connection fails. |
| IDPV-5746 | L | In Provisioning APIs, Import pfx certificate in case of wrong cert and wrong password is getting 500 error. |
| IDPV-6118 | M | For Okta IDP, the redirect URL is opening in Internet Explorer. |
| IDPV-5983 | M | Provisioning API (Import Cert) is allowing the same certificate to be uploaded multiple times. |
| IDPV-6850 | H | JWT signing key rotation is not handled. |
| IDPV-8166 | H | For IDPV Windows Client, upgrade from version 2.5 to version 2.6 is not functioning as expected. |
| IDPV-7965 | L | The Azure redirect authentication URL opens intermittently during Azure IdP authentication. However, there is no impact on the functionality due to this issue. |
| IDPV-6448 | L | In Domain joined machine, IDP window is opening up again in the first instance and not on subsequent activities. |
| IDPV-6591 | L | IDPV Client is redirecting after authentication if redirect URL is configured for SSP. |
| IDPV-7926 | M | Data is not synchronized across multiple machines that are used by a user. |
| IDPV-7187 | M | Integrated browser used in IDPV Client is using browser version IE7, browser upgrade is required in IDPV Client. |
| IDPV-4503 | L | The quality error pop-up during the initialization if the Pin is not matching for preserver token settings. |
| IDPV-6589 | H | MFA setup is not supported through IDPV client login window. |
| IDPV-8743 | M | Upon entering an incorrect token PIN, balloon error notifications will be displayed, depending on the number of attempts made. |
| IDPV-8369 | H | Outlook can use offline virtual smart card even after the token is expired. |
| IDPV-8341 | H | When the user clicks Go To Online after the offline token is expired, the refresh token is expired before the timeout period. |
| IDPV-8624 | H | The offline feature is not user-friendly for the Smart card offline usage. |
Known Issues
Below are the known issues that exist in this release.
| Issue | Severity | Synopsis |
|---|---|---|
| IDPV-10264 | M | Summary: User is unable to connect to the IDPV Client when there is a difference between system time and the current zone. Workaround: Update the system time to the current time zone. |
| IDPV-8342 | H | Summary: When a user is in the Offline mode and tries to login with an expired offline token, the user gets the "Invalid PIN" message, but IDPV stays in the Offline mode with the Blue tray icon. Workaround: None |
| IDPV-10228 | M | Summary: Multiple notifications appear on system lock when IDPV Client is installed in the Complete mode and IDPV server is invalid / not reachable. Workaround: User can edit the IDPV server registry (in case of invalid server) and restart the service. |
| IDPV-10210 | M | Summary:In a multi-user session, if a user clicks Connect in the system tray, the user will go offline with a warning message, "Network unavailable". Workaround: None |
| IDPV-10217 | M | Summary: Virtual Reader is not getting Installed in the Repair mode. Workaround: None |
| IDPV-10218 | L | Summary: When services are restarted while the system tray is in offline mode, SAC temporarily hangs. Workaround: None |
| IDPV-10209 | L | Summary: The IDPV client behavior (in the Offline mode) on a physical is different than on a virtual machine. Workaround: None |
| IDPV-10154 | H | Summary: After installing a new version of the IDPV Client following the uninstallation of the previous version, the Connect and Disconnect options in the system tray are disabled. Workaround: None |
| IDPV-10141 | M | Summary: In a multi-user session on an AVD machine, after login and certificate import, SAC goes into the not responding state. Workaround: None |
| IDPV-10122 | M | Summary: Modifying IDPV client from the Non-PCSC to Complete mode doesn't work. Workaround: None |
| IDPV-10100 | L | Summary: If the IDPV client is installed in the Complete mode and the user attempts to modify it, the Typical mode is selected by default in the installer UI. Workaround: None |
| IDPV-10033 | L | Summary: Registry entry (HKEY_CURRENT_USER) is not getting created for some users. Workaround: None |
| IDPV-9993 | M | Summary: TLS fails with FireFox when more tokens present.Workaround: None |
| IDPV-9870 | M | Summary: After uninstalling the SafeNet IDPV client, the x64 folder located at C:\Program Files (x86)\Thales\SafeNet IDPrime Virtual\ location is not deleted if other applications are using SAC. Workaround: None |
| IDPV-10050 | M | Summary: If SafeNet IDPV Client is installed using remote desktop access after the SAC installation, then system reboot is required. Workaround: None |
| IDPV-8123 | M | Summary: Bundle Expiry is upgraded after the IDPV client upgrade. Workaround: None |
| IDPV-8132 | L | Summary: Negative memory space is left when more certs (size) are uploaded. Workaround: None |
| IDPV-5433 | M | Summary: In case of invalid password in offline bundle, the displayed error message is vague. Workaround: None |
| IDPV-3333 | L | Summary: SAC/IDPV Client doesn't decrement the retry counter if the user PIN is less than 4 characters. Workaround: None |
| ASAC-15236 | L | Summary: In case of preserve token settings, user PINs do not synchronize, whereas admin PINs are synchronized. Workaround: None |
| IDPV-4078 | M | Summary: When connecting the SafeNet IDPrime Virtual application through Credential Provider, the User Account Control window blocks the SafeNet Trusted Access login window. User Account Control window gets hang and requires to restart the machine. Workaround: Disable User Account Control (UAC) 1. On the Windows taskbar, select Start > Control Panel. 2. Click User Accounts, and then click Change User Account Control settings. 3. Enter the admin credentials. 4. Drag the slider one-step down to Notify me only when apps try to make changes to my computer (default). 5. Click OK. |
| IDPV-3334 | H | Summary: If the user tries multiple incorrect PINs in Offline Mode and then restarts the service in online mode, the User PIN retries do not synchronize with the IDPV server. Workaround: None |
| IDPV-5072 | H | Summary: DPoD is not working on Alpine based docker. Workaround: None |
| IDPV-5424 | L | Summary: Momentarily, there are two IDPV icon visible in system tray. Workaround: None |
| IDPV-5710 | H | Summary: Friendly name doesn't appear when certificate is imported via Import API. Workaround: None |
| IDPV-8673 | M | Summary: Unable to uninstall IDPV Client after upgrading it with the Credential Provider component. Workaround: None |
| IDPV-8681 | M | Summary: IDPV Client upgrade fails to go to online. Workaround: None |
| IDPV-8683 | L | Summary: The Token PIN window takes some time to display the incorrect password error. Workaround: None |
| IDPV-8752 | L | Summary: Token PIN prompt is getting displayed for blocked tokens. Workaround: None |
| IDPV-8761 | L | Summary: Upon entering the token PIN, exiting the System try, and restarting the IDPV client prevents the completion of the offline process, leaving the user in Online mode. Workaround: None |
| IDPV-8626 | H | Summary: Virtual smart card is automatically switching to the offline mode. Workaround: None |
| IDPV-8945 | L | Summary: User needs to update the registry and then restart the services when internet is not available. Workaround: None |
Related Product Documentation
The following documentation is associated with this release:
ThalesDocs
We have attempted to make the documentation complete, accurate, and useful, but we cannot guarantee them to be perfect. When we discover errors or omissions, or they are brought to our attention, we endeavor to correct them in succeeding releases of the product.
