SafeNet Agent for ADFS Release Notes
SafeNet Agent for Active Directory Federation Services (ADFS) supports a federated identity management solution extending distributed identification, authentication, and authorization services to web-based applications across organization and platform boundaries.
Multi-Factor Authentication (MFA) has traditionally meant using a smart card or other second factor with AD-based authentication, such as Integrated Windows Authentication. This type of MFA can impose client-side requirements, such as smart card drivers, USB ports, or other client hardware or software that cannot always be expected with Bring Your Own Device (BYOD) client devices. ADFS introduces a pluggable MFA concept focused on integration with ADFS policy.
For additional information about features and system requirements, refer to SafeNet Agent for Active Directory Federation Services (ADFS).
For a list of existing issues, refer to Known issues.
Release Information
Version 3.0.0 (02/2026)
SafeNet Agent for ADFS version 3.0.0 introduces the following features and resolves the issue listed below:
- User Choice of Authenticators (UCA): Enables users to select their preferred enrolled authentication method during AD FS sign-in and optionally save it for future use. See user choice of authenticators (UCA).
- FIDO: Adds support for FIDO authenticators, enabling strong, phishing-resistant authentication using security keys and platform authenticators.
- TLS 1.3: Adds support for the TLS 1.3 protocol to enhance transport security.
- Number matching: Introduces MobilePASS+ push authentication with number matching for AD FS. Users must enter the number shown on the sign-in page into the push notification, helping prevent MFA fatigue and push-based attacks.
- Extended operating system support: SafeNet Agent for ADFS is now compatible with Windows Server 2025.
Resolved issues
| Issue | Synopsis |
|---|---|
| SASNOI-18677 | Thales branding is now used throughout SafeNet Agent for ADFS. |
Version 2.43 (10/2023)
SafeNet Agent for ADFS version 2.43 introduces the following feature and resolves the issues listed below:
- Extended Operating System Support: SafeNet Agent for ADFS is now compatible with Windows Server 2022.
Resolved issues
| Issue | Synopsis |
|---|---|
| SASNOI-14351 | Summary: After upgrading to v2.41 or v2.42 date-wise logging was disabled. Now logs are generated with file location and date after the upgrade from v2.41 to v2.42 or v2.43. |
| SASNOI-14088 | Summary: Due to multiple IPs in the header, users were not able to authenticate. Authentication succeeds when the customer has configured the header to contain multiple IP addresses. |
Version 2.42
SafeNet Agent for ADFS version 2.42 introduces the following features:
- FIPS support: Supports the FIPS mode within the operating system with AES-GCM and RSA key standards, as well as the FIPS mode for decrypting the agent’s BSID key.
- Enhanced Security: The AES-GCM encryption algorithm is now used to provide a faster and more secure way to protect data exchange between SafeNet Agent for ADFS and the SAS/STA solution.
Version 2.41
SafeNet Agent for ADFS version 2.41 resolves the following issue:
Resolved issue
| Issue | Synopsis |
|---|---|
| SASNOI-10621 | Summary: SafeNet Agent for ADFS now successfully facilitates iPhone users’ login to Office365 with the PUSH authentication while using multiple ADFS server and Farm configuration on the agent. |
Version 2.40
SafeNet Agent for ADFS version 2.40 introduces the following features and resolves the issue listed below:
- ADFS 2019 (Windows Server 2019) Support: Support for ADFS 2019 (Windows Server 2019) is now added.
- Use Alternate Login ID: On the SAS MFA Plug-in Manager window Policy tab, under Authentication Processing, the Use Alternate Login ID (e.g. Azure Login ID) check box is added.
Resolved issue
| Issue | Synopsis |
|---|---|
| SASNOI-9909 | Summary: Support for authentication if alternate ID is used in Azure AD. |
Version 2.30
SafeNet Agent for ADFS version 2.30 introduces the following feature and resolves the issue listed below:
- Support for Transport Layer Security v1.2: Support for Transport Layer Security (TLS) v1.2 protocol is now added.
Resolved issue
| Issue | Synopsis |
|---|---|
| SASNOI-9054 | Summary: Descriptive instructions included for Adding Relying Party Trust – Windows Server 2016 section. |
Version 2.21
SafeNet Agent for ADFS version 2.21 resolves the issues listed below.
Resolved issues
| Issue | Synopsis |
|---|---|
| SASNOI-7905 | Summary: ACL and other reported vulnerabilities are now fixed for the agent. |
| SASNOI-7678 | Summary: The agent is now able to fetch the correct IP (from multiple client IPs received in the Auth Request) and thus successfully perform SafeNet authentication. |
| SASNOI-7476 | Summary: The default registry key settings are now updated for the ADFS secondary server. |
Version 2.20
SafeNet Agent for ADFS version 2.20 introduces the following features and resolves the issues listed below:
- Proxy Settings: The Proxy Settings section (now available at Start > All Programs > SafeNet > Agents > SAS MFA Plugin Manager > Communications) ensures that if a proxy server is configured for the agent, all requests pass through the proxy. For details, refer to SafeNet Agent for ADFS.
- Active Directory Federation Services 4.0 Support: SafeNet Agent for ADFS v2.20 now supports ADFS 4.0, which is the latest ADFS version released by Microsoft and comes bundled with Windows Server 2016. It has many new, useful built-in features for ADFS, such as support for multiple Lightweight Directory Access Protocol (LDAP) directories and greater flexibility for administering the ADFS configurations, off the shelf.
- Character Support for Push SMS Grid Tokens: To quickly select the PUSH, Grid or SMS (PGS) token to use with the ADFS agent, character support is now provided.

Irrespective of the option selected for the Default OTP Policy field, the behaviour of the 2FA Passcode field (if the Enter a passcode manually option is selected) is decided by the character input: p triggers PUSH (OTP), s triggers SMS and g triggers GrIDsure.

On the other hand, if the Use my mobile to autosend a passcode (default) option is selected for the Passcode field, a PUSH OTP will be triggered.

Note
If the Passcode field is submitted blank with the Enter a passcode manually option selected, the behaviour is decided by the Default OTP Policy field.
Rebranding
The following components have been updated with Gemalto branding:
- Installation wizard
- Management console
- SafeNet Agent for ADFS pages
Resolved issues
| Issue | Synopsis |
|---|---|
| SASNOI-4298 | Summary: To quickly select PUSH, Grid or SMS (PGS) authenticator to use with the ADFS agent, character support is now provided. |
| SASNOI-4167 SASNOI-6258 | Summary: MFA failure issue for ADFS agent deployed in an ADFS Farm is now resolved. The failures were encountered in both the cases, when an OTP is entered manually or if a Push OTP is requested, because the agent was sending an @ symbol instead of the full username for authentication. The @ symbol is not recognized by SafeNet as a valid user name, thus resulting in failures. The ADFS agent is updated to work without Stickiness. |
| SASNOI-4128 | Summary: SafeNet MFA error, SAML Message has wrong signature, encountered while using SAML with MFA API is now resolved. |
| SASNOI-3573 | Summary: The management UI (Communications tab of the SAS MFA Plugin Manager) now supports proxy settings, for single servers as well as for ADFS farm configurations. |
| SASIL-3180 SASIL-2677 | Summary: SafeNet Agent for ADFS now facilitates logon to Office 365 correctly with a case sensitive User ID. |
| SASIL-3067 | Summary: SafeNet Agent for ADFS now operates correctly after performing a URL username parameter check. |
| SASIL-2912 | Summary: SafeNet Agent for ADFS now operates correctly when working with a Relying Party. |
| SASIL-2833 | Summary: SafeNet Agent for ADFS now operates correctly when working with a Device Registration Service. |
Known issues
This table provides a list of known issues as of the latest release.
| Issue | Synopsis |
|---|---|
| SASNOI-23498 | Summary: For GrIDsure tokens, PIN changes are not supported when the token template specifies the PIN type as Server-side Server Select. Workaround: None |
| SAS-48759 | Summary: Due to some technical limitations, push OTP does not work for customers using Chrome or Edge browsers. Push OTP users in an ADFS environment do not receive push notifications and are unable to complete their authentication journey. Customers using AD FS 4.0 on Windows Server 2016 and AD FS 3.0 on Windows Server 2012 are impacted. Workaround: - MFA is expected to work with push OTP service for Internet Explorer. - If Internet Explorer is not an option, we recommend executing the following from the ADFS server’s command prompt, as a one-time activity: `Set-AdfsResponseHeaders -SetHeaderName "Content-Security-Policy" -SetHeaderValue "default-src 'self' https://*.sascloudservice.com https://*.safenetid.com 'unsafe-inline' 'unsafe-eval'; script-src 'self' https://ajax.googleapis.com 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:;"` |
| SASNOI-6483 | Summary: SafeNet authentication might fail (with "An error occurred. Contact your administrator for more information" message) after installation or upgrade of an AD FS agent deployed in an AD FS Farm. In such a case, users will not be able to reach the SafeNet authentication page (after successful LDAP authentication) for all the requests serviced by secondary server(s). Workaround: After installation/upgrade, restart the AD FS service in the secondary servers. |
| SASNOI-2102 | Summary: When running Repair from Windows Control Panel, an error occurs. Workaround: None. This will be fixed in a future release. |
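
The following is an added example, not Thales code, for reviewing the Content-Security-Policy value from the SAS-48759 workaround before it is applied. It reports which directives allow `'unsafe-inline'` or `'unsafe-eval'`, which external hosts are trusted, and any host source whose leading `*` wildcard was lost in copying. The names `parse_csp` and `audit_csp` are hypothetical, and the sample strings are constructed from the value in the table.

```python
import re

# Keyword sources that relax inline-script and eval restrictions.
RISKY_KEYWORDS = ("'unsafe-inline'", "'unsafe-eval'")
# Optional scheme, then the host part of a CSP host-source.
HOST_SOURCE = re.compile(r"^(?:[a-z][a-z0-9+.-]*://)?(?P<host>[^/:]+)", re.I)

# Policy value from the SAS-48759 workaround, host sources in "*." wildcard form.
WORKAROUND_CSP = (
    "default-src 'self' https://*.sascloudservice.com https://*.safenetid.com "
    "'unsafe-inline' 'unsafe-eval'; "
    "script-src 'self' https://ajax.googleapis.com 'unsafe-inline' 'unsafe-eval'; "
    "img-src 'self' data:;"
)
# Constructed variant: the same value with the "*" lost during copy and paste.
DAMAGED_CSP = WORKAROUND_CSP.replace("*.", ".")


def parse_csp(value):
    """Split a CSP header value into {directive: [source, ...]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            # A repeated directive is ignored by browsers, so keep the first.
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def audit_csp(value):
    """Report risky keywords, trusted hosts and malformed host sources."""
    findings = {"risky": [], "hosts": [], "malformed": []}
    for directive, sources in parse_csp(value).items():
        for src in sources:
            if src.lower() in RISKY_KEYWORDS:
                findings["risky"].append((directive, src.lower()))
            elif src.startswith("'") or src.endswith(":"):
                continue  # other keyword ('self') or scheme source (data:)
            else:
                match = HOST_SOURCE.match(src)
                host = match.group("host") if match else ""
                # A host that is empty or starts with "." is not a valid source.
                ok = bool(host) and not host.startswith(".")
                findings["hosts" if ok else "malformed"].append((directive, src))
    return findings


if __name__ == "__main__":
    for label, csp in (("workaround", WORKAROUND_CSP), ("damaged", DAMAGED_CSP)):
        print(label, audit_csp(csp))
```
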