STA – EU Service Zone
Product Description
STA is an Access Management solution that enables you to centrally manage and control access to applications through the configuration of context-aware policies and the enforcement of appropriate authentication requirements.
STA includes a rich set of authentication functions, as well as user and token management.
It delivers fully automated, highly secure authentication-as-a-service, with flexible token options tailored to the unique needs of your organization, substantially reducing the total cost of operation.
Deployment is made easy through the flexibility and scalability of automated workflows, vendor-agnostic token integrations, and broad APIs. In addition, management capabilities and processes are fully automated and customizable—providing a seamless and enhanced user experience.
STA enables a quick migration to a multi-tier, multi-tenant cloud environment, protecting everything, from cloud-based and on-premises applications to networks, users, and devices.
For a list of existing issues as of the latest release, refer to Known Issues.
Service Packs
10/11/2024
This service pack release of STA introduces the following feature:
- Enhanced SAML integration capabilities: Three filters (Groups that start with, end with, and contain) have been added to map groups with appropriate roles to the return attributes of a SAML response. For more information, see the documentation.
10/10/2024
This service pack release of STA resolves the issue listed below:
Issue | Synopsis |
---|---|
SAS-70119 | UI improvements to the Entra ID application template. Note: To switch to the new UI, you must create a new application on the STA console. Otherwise, continue using the UI that you already have. The functionality of the UI is unchanged. |
09/13/2024
This service pack release of STA resolves the issue listed below:
Issue | Synopsis |
---|---|
SAS-70835 | Branding in the User Portal functions correctly. |
08/28/2024
This service pack release of STA resolves the issue listed below:
Issue | Synopsis |
---|---|
SAS-70029 | Self-provisioning functions correctly. |
08/27/2024
This service pack release of STA introduces the following feature preview:
- STA integration with MS Entra ID External Authentication Method (EAM): Microsoft has recently announced the public preview release of Microsoft Entra ID EAM capability. STA can now be integrated as an EAM in Entra ID. For more information, see the documentation.
STA integration with MS Entra ID EAM is a preview feature. Contact Thales Customer Support to request access to this feature.
08/26/2024
This service pack release of STA introduces the following feature:
- Flexible Passwordless Authentication Journeys: With this feature, administrators can configure alternative authentication options available to users at login time. Providing secondary authentication options helps organizations improve FIDO adoption and reduce helpdesk calls by enabling users to be self-sufficient. Some IDP authentication screens displayed to the user will change slightly. For more information, see the documentation.
07/31/2024
This service pack release of STA introduces the following feature and resolves the issue listed below:
- Case-sensitive ID: By selecting upper or lower case in application templates, STA can now be configured for SAML integrations with applications expecting case-sensitive username and return attributes. For more information, see step 4 in SAML applications and Custom SAML applications.
Issue | Synopsis |
---|---|
SAS-66547 | Allow IDP response claim to return username in lowercase, uppercase, or mixed case. |
04/02/2024
This service pack release of STA resolves the issues listed below:
Issue | Synopsis |
---|---|
SAS-67461 | Custom product names display correctly in email messages. |
SAS-60296 | Date formats used in APIs are processed correctly. |
03/28/2024
This service pack release of STA resolves the issue listed below:
Issue | Synopsis |
---|---|
SAS-68484 | CBA authentication functions correctly for new tenants. |
03/19/2024
This service pack release of STA introduces the following feature:
- Support for Microsoft Entra ID multiple identities: Users with multiple roles can access their role-specific resources from their primary account. For more information, see the documentation section.
03/07/2024
This service pack release of STA resolves the issues listed below:
Issue | Synopsis |
---|---|
SAS-68261 | Valid password characters are processed correctly. |
SAS-68025 | STA correctly integrates with the Azure Conditional Authentication Factors application. |
02/22/2024
This service pack release of STA introduces the following features and resolves the issue listed below:
- SafeNet Agent for Windows Logon documentation: Now available online.
- Conditions: The OS condition now supports the following latest OS versions: iOS 17, iPadOS 17, macOS 14, and Android 14.0.
Issue | Synopsis |
---|---|
SAS-67371 | SAML authentication functions correctly for Microsoft Office 365. |
01/22/2024
This service pack release of STA introduces the following feature:
- Audit logs for management actions on local groups: The audit logs capture a record of operator actions to local (internal) groups. These actions include adding, editing, and deleting a local group. These logs don't include synchronized groups.
12/21/2023
This service pack release of STA introduces the following feature and resolves the issues listed below:
- Enhanced STA Console User Search: The user search functionality in the STA console has been upgraded by incorporating criteria to indicate whether a user is locked or unlocked in the external user directory. For more information, see the documentation section.
Issue | Synopsis |
---|---|
SAS-65339 | Intermittent disconnection of LDAP Sync agent is resolved. |
SAS-65189 | MobilePASS+ allowed targets are working as expected. |
SAS-65709 | Remote Logging versioning issue is resolved. |
SAS-59537 | RADIUS attributes for vendors that were previously missing have been added. |
SAS-65982 | When a user selected the Send Validation by SMS option while requesting a token from the self-service portal, the confirmation link was not sent to their mobile device. This issue is resolved, and the confirmation link is now included in the SMS sent to the user's mobile, facilitating the token enrollment. |
SAS-67048 | Provision Button on the Assignment tab is functioning as expected. |
SAS-65103 | The syslog server timestamp format is fixed. |
12/07/2023
This service pack release of STA introduces the following feature:
- Enhancements to Usage Report for Service Providers: The Usage Report for Service Providers feature is enhanced to include the number of Registered Users as one of the metrics that can be viewed and exported. For more information, see the documentation.
11/28/2023
This service pack release of STA introduces the following feature:
- Visual location display in MobilePASS+ push notifications: This feature displays a live map within push notifications to help the user identify any fraudulent push requests. Push notifications show the location from where the authentication attempt was made. Support for displaying maps is available in MobilePASS+ v2.4 and later.
11/18/2023
This service pack release of STA introduces the following feature:
- Improvement in Microsoft Entra ID MFA integration to support special scenarios of B2B and B2E: This feature allows switching STA mapping from User Principal Names (UPN) to ObjectID when performing multi-factor authentication (MFA) with Microsoft Entra ID. This enhancement provides smooth authentication to B2B and B2E large enterprise users in acquisition scenarios. For details, see the documentation.
10/27/2023
This service pack release of STA introduces the following feature:
- Usage Report for Service Providers: This feature provides a new tool for service providers to view and export the usage data of their customers, enabling them to optimize their billing process in the context of Usage Based Billing offers. Refer to the documentation for details.
10/26/2023
This service pack release of STA resolves the issue listed below:
Issue | Synopsis |
---|---|
SAS-66119 | Added optional configuration to specify TLS maxVersion for mutual authentication endpoints. |
10/25/2023
This STA documentation update introduces the following change:
- Azure AD renamed to Microsoft Entra ID in the documentation: Azure AD is renamed to Microsoft Entra ID in the STA documentation.
10/23/2023
This STA feature release introduces the following feature:
- IDP Orchestration - Redirection to multiple-external identity providers (IDP): STA enables enterprises with varied requirements (due to mergers, acquisitions, data residency rules, and so on) to configure and redirect to multiple external IDPs for authentication purposes. Redirection can happen based on users, groups, or applications.
10/03/2023
This service pack release of STA resolves the issues listed below:
Issue | Synopsis |
---|---|
SAS-65935 | BSIDCA-Istio rules updated to split traffic between old and new BSIDCA. |
SAS-60232 | Custom OIDC application integration works correctly on Android. |
SAS-58866 | REST API for STA calls to Authenticator endpoints are allowed. |
09/27/2023
This service pack release of STA resolves the issues listed below:
Issue | Synopsis |
---|---|
SAS-65844 | SAML applications function correctly in Amazon integrations. |
SAS-65577 | Assertion URL is saved correctly. |
09/15/2023
This service pack release of STA resolves the issues listed below:
Issue | Synopsis |
---|---|
SAS-65113 | SMS messages are correctly formatted. |
SAS-63838 | MobilePASS tokens are correctly validated. |
SAS-63644 | SFTP connection functions correctly. |
SAS-55514 | License validation caching is implemented and HSM PIN-changes function correctly. |
SAS-13798 | SAS notification emails from customers to the root account can be disabled. |
09/13/2023
This service pack release of STA resolves the issue listed below:
Issue | Synopsis |
---|---|
SAS-63877 | STA correctly generates JSON text for the Azure Conditional Authentication Factors app. |
09/11/2023
This service pack release of STA resolves the issue listed below:
Issue | Synopsis |
---|---|
SAS-65556 | User details are correctly updated using a SCIM/REST API. |
07/18/2023
This service pack release of STA resolves the issue listed below:
Issue | Synopsis |
---|---|
SAS-64416 | Android-based custom applications open correctly. |
07/06/2023
This service pack release of STA resolves the issue listed below:
Issue | Synopsis |
---|---|
SAS-63404 | Applications load as expected. |
07/04/2023
This service pack release of STA resolves the issues listed below:
Issue | Synopsis |
---|---|
SAS-63984 | The Logout URL and Assertion URL can be saved as expected. |
SAS-63983 | The Assertion Consumer Service URL (Redirect Binding) can be set using the generic template. |
06/22/2023
This service pack release of STA introduces the following feature:
- MobilePASS+ push with number matching: Number matching in SafeNet MobilePASS+ secures push authentications to protect against MFA fatigue or push bombing attacks. Number matching gives control to the user for every login request, because they must select the number that appears during authentication. Refer to the documentation for details about how to enable this feature.
06/21/2023
This service pack release of STA introduces the following feature and resolves the issues listed below:
- SMPP SMS plug-in: Short Message Peer to Peer (SMPP) is a new option in the custom SMS settings that allows for the transfer of short messages to and from the user. This functionality is available in Virtual Servers > Comms > Communications > SMS Settings (Custom) > SMS Plugin.
Resolved Issues
Issue | Synopsis |
---|---|
SAS-62966 | When groups are synchronized, if a user is a member of multiple groups, only the specified groups are included. |
SAS-61842 | Synchronization tasks proceed correctly. |
06/20/2023
This service pack release of STA introduces the following features:
- MobilePASS+ push with number matching: Number matching in SafeNet MobilePASS+ secures push authentications to protect against MFA fatigue or push bombing attacks. Number matching gives control to the user for every login request, because they must select the number that appears during authentication. Refer to the documentation for details about how to enable this feature.
- Usability improvements for external identity providers: These include UI improvements and error handling on the configuration page, and improvements in Authentication and Access Logs to add more specifications and to cover timeout scenarios.
06/19/2023
This service pack release of STA introduces the following feature:
- MobilePASS+ installer link for Windows 10: On Windows 10, when a user adds an authenticator, the installer link points to version 2.5.0.
06/13/2023
This service pack release of STA introduces the following features:
- Multiple redirect URLs for OIDC applications: This feature provides the ability to configure multiple redirect URLs for a single OIDC application. It supports POST binding as well as redirect binding flows of authentication depending on the service provider’s compatibility.
- Multiple ACS URLs for SAML applications: This feature provides the ability to configure multiple assertion consumer service (ACS) URLs for a single SAML application.
06/08/2023
This service pack release of STA resolves the issue listed below:
Issue | Synopsis |
---|---|
SAS-61583 | Challenge-response SMS and GrIDsure tokens can be provisioned to users. |
05/31/2023
This service pack release of STA resolves the issues listed below:
Issue | Synopsis |
---|---|
SAS-63193, SAS-63400 | SP-side authentication works as expected. |
05/30/2023
This service pack release of STA resolves the issue listed below:
Issue | Synopsis |
---|---|
SAS-63134 | You can switch to the On-Boarding tab as expected. |
05/22/2023
This service pack release of STA resolves the issue listed below:
Issue | Synopsis |
---|---|
SAS-61328 | Synchronized users can now be deleted through the REST API. |
05/16/2023
This service pack release of STA resolves the issue listed below:
Issue | Synopsis |
---|---|
SAS-63133 | Switching to the On-Boarding tab on the STA tab works as expected. |
05/09/2023
This service pack release of STA introduces the following feature:
- Improvements to location and anonymizer conditions: The Country Change and Anonymizer conditions are enhanced with more configuration flexibility. Also, the User Location and Country Change conditions are improved to evaluate even in cases where the user's IP address is anonymized. The evaluation is then based on the IP address of the anonymizer. For more information, see the documentation.
04/26/2023
This service pack release of STA resolves the issues listed below:
Issue | Synopsis |
---|---|
SAS-59430 | On the STA Token Management console, editing an operator correctly shows the visible containers for that user. |
SAS-57032 | Users who are deleted from AD are also removed from STA. |
SAS-61625 | Errors are resolved and no longer appear in the Sysmon log for MySQL. |
SAS-61192 | Operator provisioning permissions function correctly. |
SAS-54290 | MobilePASS tokens can be allocated to child accounts. |
04/13/2023
This service pack release of STA introduces the following feature and resolves the issues listed below:
- Self-service GrIDsure pattern reset: This feature allows users to reset a forgotten GrIDsure pattern or GrIDsure token PIN as part of the authentication flow after identity verification. For more information, see the documentation.
Resolved Issues
Issue | Synopsis |
---|---|
SAS-61020 | FIDO nickname supports more special characters. |
SAS-60803 | The OIDC well-known configuration file downloads correctly. |
SAS-59807 | IDP reliability improvements. |
SAS-58865 | Usernames are case-insensitive for shared applications. |
03/13/2023
This service pack release of STA resolves the issue listed below:
Issue | Synopsis |
---|---|
SAS-54566 | MobilePASS+ risk detection data is now correctly sent to the MobilePASS+ Authenticators tab on the STA dashboard. |
02/13/2023
This service pack release of STA introduces the following feature and resolves the issues listed below:
- FIDO authenticator import and management API: Enables the import and management of FIDO authenticators for a specific user. Imported FIDO authenticators need to be activated by the end user before they can be used. This ensures that the eligible end user is in possession of the third-party enrolled authenticator. For more information, see the API documentation.
- Extended STA Redirection Capability to More IDPs: Scope values specify which access privileges are requested for access tokens. For OpenID Connect, scopes are used to request that specific sets of information are made available as claim values. Setting the scope enables redirection to more IDPs with specific claim restrictions. For more information, see Redirecting to an external IDP.
- Application sharing and realming for Windows Logon Agent: This feature allows using Windows Logon policies with machines shared between users in multiple tenants. For more information, see the documentation.
Issue | Synopsis |
---|---|
SAS-58938 | Template preset multi-value attributes are now editable. |
SAS-58556 | Users who are synchronized with the SafeNet Synchronization Agent can be deleted using the SCIM API if delayed removal is enabled. |
SAS-51232 | The user name is now displayed during FIDO enrollment and authentication instead of an internal identifier. |
SAS-49876 | The timeout to complete a FIDO authenticator enrollment has been increased. |
01/27/2023
This service pack release of STA resolves the issue listed below:
Issue | Synopsis |
---|---|
SAS-59246 | Agent configuration files can be downloaded successfully. |
01/20/2023
This service pack release of STA resolves the issue listed below:
Issue | Synopsis |
---|---|
SAS-54566 | MobilePASS+ risk detection data is now correctly sent to the MobilePASS+ Authenticators tab on the STA dashboard. |
01/01/2023
STA no longer supports Internet Explorer 11. This applies to all web interfaces of STA, which includes the management consoles, the user login pages, the user portal, and the self-service site. There is no change to support for other browsers as documented in Supported Browsers.
12/12/2022
This service pack release of STA introduces the following feature:
- GrIDsure self-provisioning enhancement: Case-sensitivity is not enforced during self-provisioning if it is not required by the enrollment pattern.
12/07/2022
This service pack release of STA introduces the following feature:
- Self-provisioning for macOS: Allows users to enroll MobilePASS+ authenticators on macOS as part of the authentication flow, when they need it for the first time. Refer to the documentation for details.
12/02/2022
This service pack release of STA introduces the following feature:
- Support for multi-value SAML return attributes: This feature enables the configuration of user/group-specific SAML return attributes that are returned after a successful authentication. Refer to the documentation for details.
12/01/2022
This service pack release of STA introduces the following feature:
- Increased maximum number of tenants for application sharing: This feature increases the maximum number of virtual servers that can be added in a single tenant from 45 to 670.
11/30/2022
This service pack release of STA resolves the issues listed below:
Issue | Synopsis |
---|---|
SAS-58121 | Delegated password validation is verified against Okta. |
SAS-47785 | User names that include an asterisk work correctly. |
SAS-24753 | Authentication logs are generated correctly in multi-token scenarios. |
11/21/2022
This service pack release of STA introduces the following feature:
- Multi-domain support for Azure AD federation: Allows users to federate any number of domains to their single STA tenant without having to create any additional virtual servers. Refer to the documentation and the script execution guide for more details.
11/18/2022
This service pack release of STA introduces the following feature:
- Additional choices of session duration and authentication frequency: Increases flexibility for balancing security and user experience by offering a broader range of values for authentication frequency and session duration. Refer to the documentation for more details.
11/09/2022
This service pack release of STA introduces the following feature:
- Self-enrollment for MobilePASS+ on macOS: Allows users to enroll MobilePASS+ authenticators on macOS when an administrator provisions it for the users. Refer to the documentation for more details.
11/02/2022
This service pack release of STA resolves the issues listed below:
Issue | Synopsis |
---|---|
SAS-55695 | Token Management console header row cell color customizations are applied correctly to the Operator and Account Manager tabs. |
SAS-55102 | Token Management console font changes work correctly. |
10/24/2022
This service pack release of STA introduces the following feature and resolves the issue listed below:
- End-user choice of authentication methods (at IDP log-on): Provide end-users with the option to choose their preferred IDP authentication method during login based on their active tokens and administrator configuration. Refer to the documentation for more details.
Resolved Issue
Issue | Synopsis |
---|---|
SAS-55623 | IDP security enhancement. |
10/20/2022
This service pack release of STA resolves the issues listed below:
Issue | Synopsis |
---|---|
SAS-57172 | Users without an email address can complete inline enrollment. |
SAS-57039 | Provisioning tasks are removed upon completion of inline enrollment. |
SAS-56877 | The Content-type header is compatible in the context of BSIDCA connections. |
10/06/2022
This service pack release of STA resolves the issue listed below:
Issue | Synopsis |
---|---|
SAS-52997 | Non-ASCII characters display correctly in application tooltips. |
10/03/2022
This service pack release of STA resolves the issues listed below:
Issue | Synopsis |
---|---|
SAS-55776 | Available token count shows correctly in the deallocation process. |
SAS-54542 | Stability enhancements for SafeNet Agent for Remote Logging authentication logs. |
SAS-54290 | Stability enhancements for MobilePASS token allocation. |
SAS-53341 | Paged container scope selection for operator works correctly. |
SAS-53287 | User/Operator access restrictions correctly display the start/stop time and date, based on the time zone of the operator's organization. |
09/22/2022
This service pack release of STA introduces the following feature and resolves the issues listed below:
- Conditions: The OS condition now supports the following latest OS versions: iOS 16, iPadOS 16, and macOS 13.
Resolved Issues
Issue | Synopsis |
---|---|
SAS-56588 | Improved session handling. |
SAS-54362 | Visual feedback during the GrIDsure self-provisioning to indicate that the image is not clickable. |
SAS-52531 | Self-provisioning logs for MobilePASS+ are created correctly. |
SAS-48901 | Language customization for the user portal now supports HTML tags. |
09/20/2022
This service pack release of STA resolves the issue listed below:
Issue | Synopsis |
---|---|
SAS-53386 | The SafeNet Logging Agent can now be downloaded from the STA console. |
09/06/2022
This service pack release of STA resolves the issues listed below:
Issue | Synopsis |
---|---|
SAS-54570 | On the STA Token Management console, the loading indicator displays correctly. |
SAS-54080 | Voice OTP works correctly for IDP based authentication flows. |
SAS-53762 | The server-side PIN policy is correctly applied for Google Authenticator. |
SAS-53729 | The primary and secondary token validator URL is displayed in authentication agent settings. |
08/29/2022
This service pack release of STA introduces the following feature:
- Additional choice for CBA user identity: Adding Subject: CN to the choices for extracting the username information from a certificate in the context of Certificate Based Authentication (CBA).
08/24/2022
This service pack release of STA introduces the following feature:
- Self-provisioning for GrIDsure with server-side PIN: Allows users to self-provision GrIDsure, together with a server-side PIN as part of the authentication flow, when they need it for the first time. Refer to the documentation for more details.
08/23/2022
This service pack release of STA introduces the following feature:
- The BSIDCA URL now displays the WSDL schema instead of a page where you can execute functions. The API interface and schema have not changed.
08/18/2022
This service pack release of STA introduces the following features and resolves the issue listed below:
- Delegated Password Validation - simplified configuration using well-known URL: Introduces a simplified configuration using the well-known IDP URL, which is less error-prone when delegating password validation with a third-party password repository.
- View number of active users: Allows viewing the number of users with authentication activity, and how it is trending over 30-day periods.
Resolved Issue
Issue | Synopsis |
---|---|
SAS-23885 | Uploading SAML metadata imports required attributes correctly. |
08/11/2022
RADIUS return attributes and Pre-authentication rules, first introduced on 07/21/2022, are re-enabled on STA. In addition, this service pack release of STA resolves the issue listed below.
Resolved Issue
Issue | Synopsis |
---|---|
SAS-55288 | Pre-authentication rules with a challenge condition function correctly after upgrade. |
07/26/2022
This service pack release of STA introduces the following feature:
- Support for pathless SCIM Patch operations: See documentation for details.
07/22/2022
The service pack release on 07/21/2022 is reverted until further notice to ensure correct pre-authentication rule processing.
07/21/2022
This service pack release of STA introduces the following features and resolves the issues listed below:
- RADIUS return attributes: Added Checkpoint as Vendor for RADIUS return attributes.
- Pre-authentication rules: Allows users to choose between different authentication methods (such as push or not push) in two-step authentication. See documentation for details.
Resolved Issues
Issue | Synopsis |
---|---|
SAS-52749 | Synchronized passwords are correctly removed from STA if password synchronization is disabled in the SafeNet Synchronization Agent. |
SAS-53733 | Users who were previously blocked can authenticate to shared applications. |
SAS-54844 | ImmutableID values sync correctly using the SCIM API. |
06/24/2022
This service pack release of STA introduces the following feature:
- Self-provisioning rules for groups: Allows you to define which user groups are entitled to self-enroll authenticators (MobilePASS+, FIDO, GrIDsure). Refer to the documentation for more details.
06/22/2022
This service pack release of STA introduces the following feature:
- OS condition support for iPadOS: The STA OS policy condition is enhanced to support the iPadOS, therefore enabling detection of the iPadOS, and particular versions of it, on the user’s device. The OS policy condition is also enhanced to support the latest versions of the Windows, Android, iOS, and macOS operating systems.
06/21/2022
This service pack release of STA includes the following features and resolves the issues listed below:
- Preset Username for Azure Federation: Users will not need to re-enter their Azure userID on the STA IDP logon page. The option is controlled by the Enforce User Name setting in the application template. Refer to the template documentation for more details.
- Proxy IP addresses included in streamed access logs: The access logs information delivered through Log Streaming now includes the complete chain of IP addresses that can be extracted from the X-Forwarded-For (XFF) header. This includes the client’s IP address, but also the list of IP addresses of proxies that are traversed by the access request in its path to the STA service. This provides the full set of available network path information so it can be used for reference in case of auditing reviews. The left-most IP address reported is that of the client, while other IP addresses are those of proxies being crossed. Some of these proxies will typically be IP addresses of Google Cloud Platform where the STA service is hosted.
Resolved Issues
Issue | Synopsis |
---|---|
SAS-51882 | Intermittent errors during authentication to shared applications are resolved. |
SAS-51716 | STA IDP stability improvements. |
SAS-50977 | Improvements to the MobilePASS+ Authenticators tab interface. |
05/26/2022
This service pack release of STA resolves the issues listed below:
Issue | Synopsis |
---|---|
SAS-52463 | Account expiry notifications work correctly. |
SAS-51808 | Interface fixes for MobilePASS self-enrollment. |
SAS-50405 | Fix for PIN change dialog flow in combination with SMS Quick Log authenticators. |
SAS-48401 | SOAP Management API security updates. |
SAS-46684 | Unused capacity is calculated the same on the STA console and Management API. |
SAS-6082 | Operator and Operator Roles are now validated independently of each other to validate report access. |
05/12/2022
This service pack for STA includes the following features and resolves the issue listed below:
- Azure Directory Sync: Significantly simplify user synchronization from Azure AD to STA. Support users and groups that exist solely in Azure AD, enabling STA to support all Azure AD user types. Refer to the documentation for more details.
- REST API for Account Information: This feature allows service providers to retrieve service information pertaining to their managed accounts, including details such as the tenant code, the organization name, the account status, the account type, and the subscription plan.
Resolved Issue
Issue | Synopsis |
---|---|
SAS-49663 | Complex multi-value attributes can now be patched. |
05/10/2022
This service pack release of STA introduces the following feature:
- Self-provisioning for GrIDsure: Allow users to self-provision GrIDsure as part of the authentication flow, when they need it for the first time. Refer to the documentation for details.
04/21/2022
This service pack release of STA resolves the issues listed below:
Issue | Synopsis |
---|---|
SAS-48840 | An SMS OTP is now triggered as expected when the override delivery method is allowed for voice OTP and ‘s’ is entered in the passcode field. |
SAS-51991 | KT tokens can now be correctly initialized. |
04/19/2022
This service pack release of STA introduces the following feature:
- Security updates for the Push components
04/14/2022
This service pack release of STA introduces the following feature and resolves the issue listed below:
- Self-provisioning for MobilePASS+ on Chrome OS: Allow users to enroll MobilePASS+ on Chrome OS as part of the authentication flow, when they need it for the first time. Requires Chrome OS devices capable of running Android apps. Refer to the documentation for more details.
Resolved Issue
Issue | Synopsis |
---|---|
SAS-50013 | Windows Logon Agent shows with its correct name on the Access Activity widgets. |
04/13/2022
This service pack release of STA introduces the following feature:
- Simplified self-provisioning for MobilePASS+ on Android: Allow users to scan a single QR code to download MobilePASS+ from Google Play Store and initiate self-provisioning. Refer to the documentation for more details.
04/05/2022
This service pack release of STA introduces the following feature and resolves the issues listed below:
- Portuguese language: Support for the Portuguese language on the STA IDP, self-provisioning, and User Portal pages.
Resolved Issues
Issue | Synopsis |
---|---|
SAS-51153 | Fixes for the Finnish translation |
SAS-48496 | The input validation error UI on the user portal is consistent. |
SAS-42044 | Able to continue inline enrollment on older iOS devices after a fresh MobilePASS+ installation. |
SAS-33016 | Inline enrollment is successful for users who belong to organizations with umlauts (ä, ö, or ü) in the name. |
03/25/2022
This service pack release of STA resolves the issue listed below:
Issue | Synopsis |
---|---|
SAS-48753 | The STA management consoles time out after 20 minutes of inactivity. |
03/24/2022
This service pack release of STA resolves the issues listed below:
Issue | Synopsis |
---|---|
SAS-41603 | Users are no longer prompted to re-enter their user name for their access request in the context of application sharing |
SAS-51488 | Security enhancements |
03/16/2022
This announces the availability of a new STA online documentation portal that provides a new improved design and user experience. The new portal is accessible at https://www.thalesdocs.com/sta/index.html and replaces the previous portal https://www.thalesdocs.com/sta/Content/Home.htm. Hyperlink references from the STA administration consoles and from Thales portals will be updated in the coming days. Please update your bookmarks.
03/16/2022
This service pack release of STA introduces the following features and resolves the issues listed below:
- Support for simultaneous SMS and email OTP: You can now simultaneously deliver the OTP to users over both SMS and email at the time of login. Configure this functionality on the STA Token Management console in Policy > Token Policies > SMS/Email/Voice OTP Delivery Methods.
- Account State update: The Account State on the STA consoles is locked when an account is disabled. The REST API for STA and SCIM API for STA use a flag (isActive) that allows you to suspend or activate a user account. When a user account is suspended (isActive=false) or dormant, the Account State displays Locked.
- The Users - All - With Tokens and Tasks report includes aliases: This report now includes alias3 and alias4.
- General security improvements
Resolved Issues
Issue | Synopsis |
---|---|
SAS-48840 | Override trigger characters work correctly if the default SMS delivery method is voice. |
SAS-49061 | The Users - Inactive report works correctly. |
SAS-50485 | Large reports, such as Authentication activity, are processed correctly. |
03/08/2022
This service pack release of STA introduces the following features:
- Users and Groups enhancements in the SCIM API for STA and REST API for STA: API enhancements enabling provisioning and de-provisioning users and groups in STA with all STA attributes.
  - SCIM PATCH, including filters
  - Delete users with assigned tokens
  - Newly exposed attributes
    - ImmutableId
    - userPrincipalName
    - active
  See SCIM API for STA and REST API for STA for details.
- Microsoft Entra ID Synchronization (Preview): Significantly simplify user synchronization from Azure AD to STA. Support users and groups that exist solely in Azure AD, enabling STA to support all Azure AD user types.
  See Microsoft Entra ID Synchronization for details.
- Immutable ID Management Solution for Azure AD (Preview): Script for Azure that sets Immutable IDs for pure Azure AD users. This is required for any Azure federation including full tenant federation to STA, and Azure Conditional Authentication Factors.
  See Immutable ID management solution for details.
Microsoft Entra ID Synchronization and the Immutable ID management solution are preview features without any Service Level Agreement and are not meant for production use. Support will only be provided on a best effort approach.
03/03/2022
This service pack release of STA introduces the following feature and resolves the issue listed below:
- Scalability of STA access policies: It is now possible to configure up to 50 access policies per STA virtual server instead of 20, which was the previous maximum.
Resolved Issue
Issue | Synopsis |
---|---|
SAS-51529 | MobilePASS 8 for Windows msi downloads correctly during self-enrollment. |
03/01/2022
This service pack release of STA resolves the issues listed below:
Issue | Synopsis |
---|---|
SAS-51559 | The Chrome River application can be added successfully from the application catalog. |
SAS-51558 | Authentication requests from a specific Java API client are allowed to complete. |
SAS-51557 | Authentication requests from Cachatto Secure Browser are allowed to complete. |
SAS-51488 | Application sharing works correctly if the same username exists in multiple virtual servers. |
SAS-48738 | MobilePASS+ for Windows exe downloads correctly during self-provisioning. |
02/23/2022
This service pack release of STA introduces the following feature and resolves the issues listed below:
- The Operating System policy condition enables you to check for iOS 14, Android 11.0, macOS 10.15, and macOS 11.0.
Resolved Issues
Issue | Synopsis |
---|---|
SAS-50172 | The Domain-Authenticated User Device condition can be configured with a value of 0 days. |
SAS-47964 | Enablement/disablement actions of Integrated Windows Authentication and Delegated Password Validation are explicitly recorded in STA audit logs. |
02/21/2022
This service pack release of STA resolves the issue listed below:
Issue | Synopsis |
---|---|
SAS-51370 | IDP auto-trigger works correctly when the default delivery is set to email. |
02/17/2022
This service pack release of STA introduces the following feature:
- SafeNet Agent for Password Self-Service: The first GA version is an out-of-the-box self-service password management solution for forgotten or expired password scenarios.
  This agent enables users to reset or change their domain password while accessing an STA-protected web application, using any configured STA authentication method.
02/16/2022
This service pack release of STA introduces the following features and resolves the issues listed below:
- Parent operator organization displays correctly if child operator views audit logs
- Service reliability updates
Resolved Issues
Issue | Synopsis |
---|---|
SAS-50572 | Page title on self-enrollment is set to custom product name. |
SAS-49311 | BSIDCA GetProvisioningTasksForUserCount returns correct values for exact string match. |
SAS-47800 | Page title on self-service is set to custom product name. |
SAS-43954 | Azure Conditional Authentication Factors authenticates correctly when shared with child virtual servers. |
SAS-43005 | Self-enrollment pages follow regular console branding. |
SAS-26211 | Operator logon no longer triggers authentication using an email alias. |
SAS-19219 | Parent service dates cannot be set to a value that is earlier than the expiration dates of its children. |
02/09/2022
This service pack release of STA introduces the following improvement and resolves the issues listed below:
- Design and font update for GrIDsure authentication:
  - Improved readability
  - New font (Roboto) to better distinguish uppercase characters, lowercase characters, and numbers
  - Better contrast using black font on white background
Resolved Issues
Issue | Synopsis |
---|---|
SAS-51183 | Shared applications are correctly authenticated on parents for authentication policies that include scenarios. |
SAS-50424 | System cache improvements |
01/31/2022
This service pack release of STA introduces the following feature:
- Finnish language: Support for Finnish language on STA IDP, self-provisioning, and the User Portal.
12/16/2021
This service pack release of STA introduces the following feature and resolves the issues listed below:
- Additional choices for CBA user identity: This introduces two additional choices for how to extract the username information from a certificate in the context of Certificate Based Authentication (CBA), in this way extending compatibility of CBA with a broader range of certificate issuers. The two new choices are Subject Alternative Name : RFC822 and Subject : SERIALNUMBER.
Resolved Issues
Issue | Synopsis |
---|---|
SAS-47590 | Reporting service stability improvements. |
SAS-46555 | OTP PIN update works correctly after first entering a non-compliant PIN. |
SAS-45445 | BSIDCA "AddRADIUSAttributeToGroup" and "GetRADIUSAttributesForGroup" function correctly. |
SAS-34928 | GrIDsure security enhanced against leaking token state information. |
11/29/2021
This service pack release of STA introduces the following feature:
- Increased the number of groups in SAML return attributes, by increasing the length of the user attribute from 10K to 21K.
11/19/2021
This service pack release of STA introduces the following feature:
- Redirection to an external IDP: STA can integrate with an external identity provider (IDP), to redirect traffic from STA to the other IDP for user authentication. STA remains the primary IDP, orchestrating the use of a secondary, external IDP. Refer to the documentation for details.
10/29/2021
This service pack release of STA introduces the following feature:
- MobilePASS+ for Chrome OS: Allows you to use MobilePASS+ for Android on Chrome OS with user experience adaptation for the laptop form factor. This requires Chrome OS devices capable of running Android apps. Operators can select Chrome OS as a target for MobilePASS+ enrollment on the STA Token Management console.
  Chrome OS support will be available from MobilePASS+ v2.2 for Android, planned for a later release.
10/25/2021
This service pack release of STA introduces the following features:
- FIDO-based Passwordless Authentication: Allows you to deploy passwordless authentication with STA using FIDO security keys and Windows Hello. Refer to the documentation for more details.
- Users page redesign: The STA Users detail page is redesigned to accommodate FIDO authenticator management, OTP token management cross-links, and future enhancements. Refer to the documentation for more details.
10/21/2021
This service pack introduces the following change:
Until further notice, Usage Analytics and Data Collection is disabled on STA. While disabled, it is not possible to change the associated opt-in or opt-out data collection tenant setting. When usage analytics is re-enabled in the future, all pre-existing opt-in / opt-out tenant settings will remain as they were just before the function was disabled and data collection will resume. For more information, please also refer to the Knowledge Base article KB0021755.
10/20/2021
This service pack release of STA resolves the issue listed below:
Issue | Synopsis |
---|---|
SAS-48235 | Security enhancements. |
10/13/2021
This service pack release of STA introduces the following feature:
- End-user interface customization: Allows you to upload custom language files for end-user logon flows, the user portal, and inline-enrollment. Refer to the documentation for more details.
09/29/2021
This service pack release of STA introduces the following features and resolves the issues listed below:
- Enhanced message customization for self-enrollment
- Performance improvements for reporting services
Issue | Synopsis |
---|---|
SAS-47862 | Synchronization Agent and Remote Logging Agent configuration files download correctly. |
SAS-46023 | The Application Management REST API can be used immediately after a virtual server is created. |
SAS-45044 | The list of virtual servers correctly displays for shared applications. |
SAS-42762 | Polish diacritical marks (for example, ą, ć, ź, and ż) display correctly in push notifications. |
09/20/2021
This service pack release of STA introduces the following feature:
- Enhanced infrastructure security
08/31/2021
This service pack release of STA introduces the following feature (formerly in preview):
- MobilePASS+ Risk Detection: Monitors and displays risk parameters associated with SafeNet MobilePASS+ devices in your network. These parameters include OS jailbreak and root status, OS versions in use, possible application tampering, and malware intrusion in order to detect potential risk to the authenticator's integrity. Refer to the documentation for more details.
Acquisition of risk data requires SafeNet MobilePASS+ 2.0 or later.
08/30/2021
This service pack release of STA resolves the issues listed below:
Issue | Synopsis |
---|---|
SAS-47208 | All tokens lock in the case of a failed authentication lockout. |
SAS-46992 | The “Extended features” menu on the Token Management console is retitled "Access Management" and reordered to enhance usability. |
SAS-46746 | Enhanced random number generator functionality. |
SAS-46450 | Enhanced provisioning tasks used to manage large numbers of users. |
SAS-46201 | Management API-created groups use proper character encoding. |
SAS-45914 | Generic SMS gateway parameters are handled correctly. |
SAS-44001 | MobilePASS+ biometrics are allowed by default. |
SAS-42454 | 9-character transaction IDs are supported for deallocation. |
SAS-41261 | The Token Management console title is set to the custom product name. |
08/26/2021
This service pack release of STA resolves the issues listed below:
Issue | Synopsis |
---|---|
SAS-47971 | STA imports SAML metadata correctly. |
SAS-47967 | Security improvements for API Gateway back end logs. |
08/23/2021
This service pack release of STA introduces the following features and resolves the issues listed below:
- Backend security enhancements
- Audit log enhancements for session termination API
- Voice OTP included in SMS challenge message
Resolved Issues
Issue | Synopsis |
---|---|
SAS-47029 | 'Origin' header value for SAML response is set correctly. |
SAS-46952 | SafeNet is spelled correctly on the IDP login screen. |
SAS-46858 | IDP timeout is increased to be compatible with RADIUS token timeout. |
SAS-46409 | The parent cache is provided with the latest user attributes in the case of shared applications. |
08/12/2021
This service pack release of STA resolves the issues listed below:
Issue | Synopsis |
---|---|
SAS-47765 | Application gateway settings are saved. |
SAS-47702 | Branding file limits are enforced correctly. |
SAS-47686 | SAML metadata is uploaded correctly. |
07/26/2021
This service pack release of STA introduces the following feature preview:
- Access Risk Score: Provides adaptive access through a risk score that is based on the user's past access events and external threat intelligence feeds.
Access Risk Score is a preview feature. Contact Thales Customer Support to request access to this feature.
07/14/2021
This service pack release of STA resolves the issues listed below:
Issue | Synopsis |
---|---|
SAS-46858 | The RADIUS token timeout is increased. |
SAS-30348 | The "Tokens - Count by Type and State" report generates data correctly when filtered by token state. |
07/08/2021
This service pack release of STA introduces the following features and preview:
- REST API for SCIM group management: Standardized interoperability and simplified integration with user directories that support the SCIM standard. Provision groups to STA using the SCIM standard protocol. Refer to the documentation for further details and limitations.
- REST API for SCIM user management: The detailed user response now includes the group membership information for the user, including membership type (direct/indirect).
- User Session Termination API: Allows manual termination of a user's SSO session in the context of incident management remediation. Refer to the API documentation for further details.
- Application Gateway: Allows customers to integrate their web applications that do not follow standard methods of communication, such as SAML 2.0 or OIDC.
Application Gateway is a preview feature. Contact Thales Customer Support to request access to this feature.
07/06/2021
This service pack release of STA introduces the following feature previews:
- API Access Management (Preview): Enables customers to protect against malicious attacks on or misuse of API resources using a third-party API gateway. In addition, it includes sample code and instructions to allow developers to use access management to secure their API.
  Refer to the documentation for further details.
- Open ID Connect Client Credentials flow (Preview): This feature allows customers to integrate applications using the Open ID Connect (OIDC) client credentials flow using the Generic Template – OIDC Client Credentials.
API access management and Open ID Connect Client Credentials flow are preview features. Contact Thales Customer Support to request access to preview features.
07/05/2021
This service pack release of STA resolves the issue listed below:
Issue | Synopsis |
---|---|
SAS-45265 | MobilePASS/SafeNet MobilePASS+ enrolls correctly if there are special characters in the device name. |
06/29/2021
This service pack release of STA introduces the following feature and resolves the issue listed below:
- Security updates and performance improvements for certificate based authentication.
Resolved Issue
Issue | Synopsis |
---|---|
SAS-38634 | Certificate Revocation List is correctly cached based on its Time To Live information. |
06/28/2021
This service pack release of STA resolves the issues listed below:
Issue | Synopsis |
---|---|
SAS-46449 | On-Boarding on the STA Token Management console functions correctly when browsing accounts. Note: This reverts SAS-29076, which we recently announced. |
SAS-46119 | For offline OTPs that are sent to SafeNet Agent for Windows Logon, server-side PINs are correctly appended or prepended, as configured on the STA Token Management console. |
SAS-43401 | In auto-provision rules, the Issue Duplicate Types option checks active tokens and pending provisioning tasks. |
06/24/2021
This service pack release of STA resolves the issue listed below:
Issue | Synopsis |
---|---|
SAS-46802 | SafeNet MobilePASS+ enrollment on the Android operating system functions correctly. |
06/23/2021
This service pack release of STA introduces the following feature:
- Applications tab: Includes a search function for configured applications.
06/03/2021
This service pack release of STA introduces the following feature:
- Open ID Connect Password Grant flow: This feature allows customers to integrate applications using the Open ID Connect (OIDC) password grant flow using the Generic Template.
06/02/2021
This service pack release of STA introduces the following feature:
- Application templates are expanded to include:
  - Approved (new) - based on a review of publicly available documentation, but untested. Support for approved templates is provided on a best-effort basis.
  - Verified - based on lab-testing of the integration and fully supported. Verified templates are distinguished by the shield icon that displays next to them in the template list.
  With the combination of approved and verified templates, customers will benefit from an increasingly large set of templates for application integrations.
05/20/2021
This service pack release of STA introduces the following feature preview:
- MobilePASS+ Risk Detection (Preview): Monitors and displays risk parameters associated with SafeNet MobilePASS+ devices in your network. These parameters include OS jailbreak and root status, OS versions in use, possible application tampering, and malware intrusion in order to detect potential risk to the authenticator's integrity. Refer to the documentation for more details.
Acquisition of risk data requires SafeNet MobilePASS+ 2.0. Refer to this article to participate in the SafeNet MobilePASS+ Beta program.
05/19/2021
This service pack release of STA introduces the following feature and resolves the issue listed below:
- Time-based re-authentication: Allows access policies to enforce re-authentication on access attempts after specified periods of time. Refer to the documentation for more details.
Resolved Issue
Issue | Synopsis |
---|---|
SAS-46205 | nextAudit SAML integration functions correctly. |
05/13/2021
This service pack release of STA introduces the following features:
- REST API for SCIM user management: Standardized interoperability and simplified integration with user directories that support the SCIM standard. Provision users to STA using the SCIM standard protocol. Refer to the documentation for further details and limitations.
- Optional use of hex-encoded object ID: The new header Object-Id-Format allows you to switch the format of the object ID from the default base64 to hex, eliminating the need to URL encode a request.
- Improvements for the REST API: Code optimizations allow us to increase the existing rate limits on the API to these new values:
  - Users and groups (REST API for STA and SCIM): 25 requests/s or 750 requests/min global
  - Applications and templates: 10 requests/s or 180 requests/min global
  - Logs: 5 requests/s or 10 requests/min per tenant
04/29/2021
This service pack release of STA introduces the following feature and resolves the issues listed below:
- Increased RADIUS token timeout: The RADIUS token timeout is increased to 60 seconds, to provide enough time for the completion of Push OTP authentications.
Resolved Issues
Issue | Synopsis |
---|---|
SAS-45024 | The subscription plan information is displayed correctly in the Settings. |
SAS-29076 | Unused capacity is displayed consistently across STA and through the BSIDCA API. Tokens that are reserved through provisioning tasks are not included in the unused capacity. |
04/05/2021
This service pack release of STA resolves the issues listed below:
Issue | Synopsis |
---|---|
SAS-43996 | In the Authentication Activity, the PUSH challenge IP address is correct. |
SAS-43613 | Clicking a report name opens the report. |
SAS-43289 | On the self-service site, inheritance functions correctly for the self-service "Update my Security Questions and Answers" page. |
SAS-42069 | The links in the self-enrollment instructions work correctly. |
SAS-31578 | In the Token Request report, the Process State, Approved Level 1 By, and Approved Level 1 On fields are filled correctly. |
03/23/2021
This service pack release of STA introduces the following features and resolves the issues listed below:
- Account Delegation API: A function used to consume a delegation key to set up delegation between two virtual servers. Refer to AddExternalOperator in WSDL BSIDCA API Developer Guide.
- Resolve Duplicate Usernames During Sync: An option to automatically resolve user identifier conflicts and continue the sync process. Refer to the documentation for more information.
Resolved Issues
Issue | Synopsis |
---|---|
SAS-44622 | The Average Authentications per User metrics are generated correctly. |
SAS-44451 | The total authentications per month are calculated correctly. |
SAS-43995 | The Authentication History - Chronological Descending report is generated correctly. |
SAS-43893 | Security enhancement. |
SAS-43623 | Tokens are correctly assigned with BSIDCA in high-load use cases. |
SAS-43311 | The Users - Inactive report is generated correctly. |
SAS-27861 | The Resend option for provisioning tasks functions correctly. |
03/16/2021
This service pack release of STA resolves the issue listed below:
Issue | Synopsis |
---|---|
SAS-44940 | Trend Micro integration functions correctly. |
03/09/2021
IMPORTANT NOTICE: SafeNet Synchronization Agent Upgrade
Since March 9, 2021, anyone using SafeNet Synchronization Agent v3.5 or earlier versions that do not support differential synchronization must upgrade. The latest SafeNet Synchronization Agent is available to download from the support site.
Failure to upgrade will prevent all user synchronization transactions from succeeding.
03/01/2021
This service pack release of STA resolves the issues listed below:
Issue | Synopsis |
---|---|
SAS-44409 | Trend Micro Apex One integration functions correctly. |
SAS-44366 | SAML return attributes are saved correctly. |
SAS-43893 | Security enhancement. |
SAS-43211 | Logout from the User Portal functions correctly. |
02/18/2021
This service pack release of STA introduces the following feature and resolves the issues listed below:
- Thales Branding STA Token Management Console: A modernized look and feel for the STA Token Management console.
Resolved Issues
Issue | Synopsis |
---|---|
SAS-43068 | Application sharing functions correctly. |
SAS-42991 | BSIDCA, used for provisioning tokens, assigns tokens correctly during bulk operations. |
SAS-42764 | Security updates for the STA Token Management console. |
SAS-42419 | Updated the MobilePASS download link. |
SAS-32943 | Configure Self-Service Modules correctly adds languages. |
02/15/2021
This service pack release of STA introduces the following feature:
- Network Logon Policy: Supports the following OTP logon and unlock authentication requirements for users inside or outside of IP networks:
  - Every access attempt
  - Once every <1, 2, 3, or 8 hours; 1, 2, or 3 days; or 1 week>
  Refer to the documentation for more details.
01/28/2021
This service pack release of STA resolves the following issue:
Issue | Synopsis |
---|---|
SAS-44044 | The application/JWT MIME type is supported for OIDC authentications. |
01/25/2021
This service pack release of STA introduces the following features:
- Thales Branding STA Console: A modernized look and feel for the STA Access Management console.
- Delegated Password Validation: Allows customers to delegate password validation against a customer defined password repository. This avoids synchronizing hashed passwords to STA as well as synchronization delays when the password changes. Refer to the documentation for more details.
01/21/2021
This service pack release of STA resolves the following issues:
Issue | Synopsis |
---|---|
SAS-43913 | Users with an email address that contains a hyphen can be added or updated using REST API. |
SAS-43556 | Requests for user filters with "\" in the username are supported. |
SAS-43211 | The logout function proceeds correctly when initiated from the User Portal or from applications accessed via the User Portal. |
01/15/2021
This service pack release of STA introduces the following features and resolves the issues listed below:
- Multi-Mode Authentication Settings: Enable validation of OTP codes against all of a user's tokens during a pre-authentication rule triggered challenge response. Refer to the documentation for more details.
- MobilePASS 8 download links are updated to the latest MobilePASS 8.4.6
Resolved Issues
Issue | Synopsis |
---|---|
SAS-42991 | Tokens are correctly assigned when using the SafeNet Management Web API. |
SAS-42764 | Security enhancements. |
01/11/2021
This service pack release of STA resolves the following issue:
Issue | Synopsis |
---|---|
SAS-43635 | Security enhancement for audit and application logs. |
12/14/2020
This service pack release of STA introduces the following feature:
- Access Trend Drill-down: This feature allows customers to navigate from the STA dashboard to the associated access logs, to facilitate the investigation and analysis of trends. This feature is available in the STA and STA Premium subscription plans.
12/02/2020
This service pack release of STA introduces the following feature:
- Change in RADIUS token challenge behavior: For users with a single RADIUS token assigned, the IDP will no longer issue a challenge automatically. Challenges can be manually triggered by the user entering a single character or one of the dedicated trigger characters.
11/30/2020
This service pack release of STA introduces the following feature:
- Domain-Authenticated User Device: This policy condition checks whether the user authenticated with the same device to the Windows domain within a specified number of days. This condition can be used to reduce end-user friction when the user is accessing an app from a device that is recognized based on a previous log-on to the Windows domain.
11/26/2020
This service pack release of STA introduces the following feature and resolves the issue listed below:
- Thales branding of STA error pages: Any service-related error pages now feature a Thales SafeNet Trusted Access design.
Resolved Issue
Issue | Synopsis |
---|---|
SAS-42915 | Push requests function correctly for network configurations that include RD Gateway and WLA. |
11/25/2020
This service pack release of STA introduces the following feature and resolves the issue listed below:
- General performance and database improvements.
Issue | Synopsis |
---|---|
SAS-41853 | "Override default delivery method with trigger" correctly sends a single challenge email when the configured SMS option is overridden. |
11/12/2020
This service pack release of STA introduces the following features:
- The Operating System policy condition enables you to check for iOS 13 and Android 10.
- The Access Log Filters feature enables you to filter by application name.
- The User Device condition is renamed Known User Device. The functionality of this condition has not changed.
11/11/2020
This service pack release of STA resolves the issues listed below:
Issue | Synopsis |
---|---|
SAS-42696, SAS-42137 | Redirects from vSec (OIDC) and SAP Ariba (SAML) function correctly. |
SAS-42645, SAS-42765 | Kerberos authentication works with large Kerberos tickets. |
10/21/2020
This service pack release of STA introduces the following feature and resolves the issue listed below:
- Application Sharing between Tenants: This feature allows applications configured in one STA virtual server (or tenant) to be shared with other STA virtual servers for access policy control and user reach. This supports large organizations that want management separation between business entities, or have multiple corporate directories, and still need to use and protect common corporate applications. Only virtual servers of type Service Provider are allowed to share applications.
Issue | Synopsis |
---|---|
SAS-42137 | Users can successfully log in to the SAP Ariba application from their service provider's URL. |
10/19/2020
This service pack release of STA introduces the following features:
- Anomalous Trends: The STA dashboard highlights when an abnormally high proportion of access failures is detected. This allows customers to identify problem trends that may reflect usability or configuration issues. This feature is available in STA and STA Premium subscription plans.
- Access Log Filters: This feature introduces the ability for operators to filter logs on the basis of outcome value and application name. This helps view the logs that are most relevant to an analysis, investigation, or support case. This feature is available in all subscription plans.
  Limitation: The ability to filter by Application is not yet functional. The per-application filter can be selected but the outcome displays the logs for all applications.
10/14/2020
This service pack release of STA introduces the following feature and resolves the issue listed below:
- User and group management APIs enhancements: The enhancements also support integration with IGA systems:
  - Get applications assigned to a user
  - Get applications assigned to a group
  - Get groups assigned to a user
  Refer to the API Documentation for full details.
Resolved Issue
Issue | Synopsis |
---|---|
SAS-40227 | Auto-provisioning rules apply to users that are created with the REST API for STA. |
09/23/2020
This service pack release of STA introduces the following features:
- Thales Branding: A new default branding is applied. The first phase changes the MobilePASS+ application icon, color schemes in MobilePASS+, and related enrollment pages in STA, as well as the end user-visible IDP login flows and UserPortal.
  By the end of the year, Thales branding is expected everywhere in STA and key agents, such as NPS, OAM, and Java API. More details will be provided in future STA newsletters and this CRN.
  Be assured that only the default branding is adjusted. Existing branding customizations in STA will be retained. Reverting a customization to the default will apply the new default Thales branding.
- User-Initiated Enrollment for iOS/Android Mobile Devices: Enables end users to enroll the first or an additional MobilePASS+ software authenticator while they are accessing a resource from an iOS/Android device to the same device. In this scenario, the QR code is replaced by an activation link.
09/21/2020
This service pack release of STA introduces the following feature and resolves the issues listed below:
- New MobilePASS+ icon on self-enrollment pages: We’ve started re-branding the STA service and applications to Thales. While this is being rolled out in phases, you may notice some inconsistencies. For instance, the MobilePASS+ icon may display differently between the app stores and STA consoles. Please bear with us as the various components and environments are being updated. We expect the re-branding to be complete by the end of the year. We’ll keep you updated with announcements in our monthly STA Newsletter.
Resolved Issues
Issue | Synopsis |
---|---|
SAS-40934 | User matching is no longer case-sensitive for Azure Conditional Authentication Factors. |
SAS-40609 | Improved error handling for corrupted user data. |
SAS-39932 | Token details report for large virtual servers completes successfully. |
SAS-38696 | Maximum capacity threshold notifications are only sent once for each trigger event. |
SAS-37807 | Filter options are applied correctly for Authentication Metrics (Rolling YTD) and Authentication Metrics Detailed (Rolling YTD) reports. |
SAS-35994 | Renamed Users - Locked Tokens - Compliance report description to “Reports users with locked passwords and tokens”. |
09/16/2020
This service pack release of STA resolves the issue listed below:
Issue | Synopsis |
---|---|
SAS-40961 | Inline-enrollment functions correctly. |
08/27/2020
This service pack release of STA introduces the following feature:
- Usage Analytics and Data Collection
  Following the announcement made on 05/26/2020 in this CRN, and communications in previous Newsletters, usage analytics and data collection is now enabled.
  The purpose of this capability is to help Thales understand usage trends and patterns, and ultimately improve your experience with the STA product. The only data that is collected is focused on the operator’s use of the management consoles. Thales is committed to treating the information that is collected with the utmost care and confidentiality. As such, the data is anonymized to protect the privacy of the individual, will remain in the same region as the service, and will only be used to analyze aggregated statistical trends. Finally, the collected data does not contain personally identifiable information (PII) and will strictly be used for Thales’ internal use.
  Customers have, at any time, the ability to opt out from usage analytics and data collection. For more information, please refer to Knowledge Base article KB0021755.
08/20/2020
This service pack release of STA resolves the issues listed below:
Issue | Synopsis |
---|---|
SAS-36387 | Push OTP authentication succeeds if a user doesn't have an email address. |
SAS-39553 | Users can be synchronized successfully. |
SAS-39628 | On the STA Token Management console, Virtual Servers > Snapshot > Authentication Activities and Virtual Servers > Assignment > [user] > Authentication Activities are limited to 100 records. |
SAS-39638 | The BSIDCA ProvisionUsers method successfully assigns tokens to multiple users. |
SAS-39834 | Security enhancements against a cross-frame scripting vulnerability. |
08/12/2020
This service pack release of STA introduces the following features:
- SafeNet Agent for macOS Logon v1.1.0: Introduces support for Push OTP.
08/10/2020
This service pack release of STA resolves the issue listed below:
Issue | Synopsis |
---|---|
SAS-40670 | SAML Signature Key Name is correctly set. |
Note: This upgrade of the STA IDP enforces valid certificates for SAML request validation. If, after this upgrade, “Invalid requester” displays when trying to authenticate to a service provider, follow these instructions:
- As a temporary workaround, you can disable signature validation on the incoming SAML request to immediately enable authentication with the service provider. This option is only available for generic template integrations or templates that expose the functionality.
  We recommend updating the request signing certificate as soon as possible.
  - Log on to the STA Management Console.
  - Browse to the affected application.
  - In Advanced Settings, select “Skip request signature validation”.
  - If enabled with the same expired certificate, assertion encryption must be disabled. This will require an update by the service provider, too.
  - Save Configuration.
- For a permanent solution, please work with your service provider to update the SAML request signing certificate.
  Afterward, the certificate must be imported into STA via metadata import or manual certificate import before re-enabling “Verify request signature”.
Refer to the documentation for more detailed instructions.
07/20/2020
This service pack release of STA introduces the following features:
User interface enhancements on the STA Access Management console:
- Optimized display of authentication requirements in access policies
- Collapsible sub-menu in Settings
- Separated self-provisioning and MobilePASS+ settings
07/13/2020
This service pack release of STA resolves the issues listed below:
Issue | Synopsis |
---|---|
SAS-40338 | Support for Google Chrome, version 84 and later. |
SAS-40096 | Prevent intermittent authentication blocking for OIDC applications. |
SAS-39658 | Support application names with “-” character in the Application Management REST API. |
07/09/2020
This service pack release of STA introduces the following features:
- Email OTP using e trigger: Allows users to type “e” in the passcode field of an authentication prompt to have their OTP delivered by email, or “s” to have it delivered by SMS. If the user types any other character or leaves the passcode field empty, the OTP will be delivered by the configurable default method.
- Updated SMS plugin
06/18/2020
This service pack release of STA introduces the following feature:
- SafeNet Agent for Windows Logon 3.3 enables you to base the unlock policy on the location of the user by using network conditions to define the IP addresses that are valid for the user.
06/17/2020
This service pack release of STA introduces the following features:
- OIDC custom-defined and multi-value claims:
  - Modify existing predefined claims and add custom claims in OIDC responses to adapt to service provider requirements.
  - Create multi-value claims with values mapped to customer text and returned as arrays in the OIDC response.
- Performance improvements to the STA console.
06/11/2020
This service pack release of STA introduces the following feature:
- General performance and database improvements.
06/09/2020
This service pack release of STA introduces the following feature:
- Group Management API: A REST API that can be used to manage the STA group life cycle: create, read, update, and delete groups, and change group membership.
  Refer to the API documentation for full details.
06/04/2020
This service pack release of STA introduces the following feature:
- Optimized UI design for Modern Authentication on the IDP: Enhances usability during authentication to an O365 application using Microsoft Modern Authentication. Graphical elements for branding are removed from the screen and margins are adjusted to avoid scrolling.
05/29/2020
This service pack release of STA introduces the following feature:
- Log Streaming: This feature allows customers to retrieve STA access, authentication, and audit logs (1) on an ongoing basis.
  Logs can be retrieved either with the new SafeNet Logging Agent v2.0.0.x or with the new Logs API function. Information about how to configure the feature, and the agent download, are provided in the new Log Streaming menu of the STA Access Management console.
  The SafeNet Logging Agent v2.0.0.x retrieves your logs automatically and relays them to a syslog endpoint of your choice. It is suitable for sending logs to a SIEM or to another system that can be configured as a syslog endpoint. The Logs API function is best suited to integrating log retrieval into custom log processing or log storage applications that are not syslog endpoints.
  (1) Audit logs generated from actions taken in the STA Token Management console are not supported by this feature.
05/26/2020
This service pack release of STA introduces the following new features:
- Access Outcome Trends: This feature enhances the STA dashboard to display a 30-day historical view of detailed access event outcomes. This historical view helps to quickly identify access failure trends that may reflect usability or configuration issues. This feature is available in the STA and STA Premium subscription plans.
- Opt-out Option for Usage Analytics and Data Collection: As communicated in our recent May Newsletter, we will be introducing usage analytics and data collection in the coming months. The purpose of this is to help us understand usage trends and patterns, and ultimately improve your experience with the STA product. The only data that is collected will be focused on the operator’s use of the management consoles. We are committed to treating the information that is collected with the utmost care and confidentiality. As such, the data will be anonymized to protect the privacy of the individual, will remain in the same region as the service, and will be used only to analyze aggregated statistical trends. The data collected will not contain personally identifiable information (PII) and will strictly be used for Thales’ internal use.
  In advance of rolling out usage analytics and data collection, which is planned for June 15, 2020, we are now introducing the ability to opt out from it for your tenant. As such, if you desire, you may opt out from usage analytics and data collection now or at any point in the future. Once opted out, you will also be able to opt back in. The option is available to you from inside the STA Access Management console, from the Terms of Service page link that is accessible at the bottom right of the console. Screen shots are provided below for your reference. For more information about usage analytics and data collection in STA, refer to the Knowledge Base article KB0021755, which is available on our Support Portal.
05/21/2020
This service pack release of STA introduces the following feature:
- MobilePASS+ Enhanced Approval Workflow support for Windows:
  - Approve push authentication requests without requiring the MobilePASS+ application to launch.
  - Approve push authentication requests directly from a notification.
  - Approve No PIN push requests from the Windows lock screen.
  This feature can be enabled on the STA Token Management console and requires MobilePASS+ for Windows running on Windows 10.
05/19/2020
This service pack release of STA introduces the following feature:
- Application Management API:
  - A REST API that can be used to add SAML applications that are in the STA application catalog from application metadata. The generic template is not supported.
  - Full application assignment functionality that is used to manage application authorization
  - Access & Audit Logging for all API calls
  Refer to the API documentation for full details.
05/14/2020
This service pack release of STA introduces the following feature:
- General performance and database improvements.
05/04/2020
This service pack release of STA resolves the issue listed below:
Resolved Issue
Issue | Synopsis |
---|---|
SAS-38806 | Dormant account notifications are sent only if the alert is configured. |
04/29/2020
This service pack release of STA introduces the following features:
- REST API for STA:
  - The Delete operation for users is blocked if the user has tokens assigned or is an operator.
  - Enforcement of virtual server capacity. When the user capacity is at its maximum, users cannot be created regardless of the user type.
  - User attributes that contain an empty string or a value that is not set are no longer returned.
04/23/2020
This service pack release of STA introduces the following feature:
- Logon policies managed through STA - This feature introduces logon policies in STA which are automatically updated in the Windows Logon agents without the need to rely on an external configuration management system such as Active Directory group policies. The feature also allows customers to enforce a maximum time period for unlocking the user's PC without an OTP.
04/20/2020
This service pack release of STA resolves the issue listed below:
Resolved Issues
Issue | Synopsis |
---|---|
SAS-38194 | March statistics are included in reports. |
SAS-37123 | Dormant account alerts are sent. |
SAS-36455 | The token change logs identify the user who modified the token. For provisioning rules it is a system user, for operator-initiated provisioning it is the operator, and for self-provisioning it is the user. |
SAS-35920 | Error messages clarify that operator and account manager roles must be removed from reports and provisioning rules before the roles can be deleted. |
SAS-29720 | Operator roles are saved properly, when changes are made on the STA Token Management console, in Policy > Role Management. |
SAS-20250 | The Users - Locked account report has been renamed to Users – Locked tokens. It shows the locked tokens. |
03/28/2020
This service pack release of STA resolves the issues listed below:
Resolved Issues
Issue | Synopsis |
---|---|
SAS-37987 | Database performance improvements. |
SAS-37886 | Database performance improvements. |
03/25/2020
This service pack release of STA introduces the following feature and resolves the issues listed below:
- Security enhancements for the Azure Conditional Authentication Factors integration.
Resolved Issues
Issue | Synopsis |
---|---|
SAS-37890 | Database performance improvements. |
SAS-37866 | Database performance improvements. |
03/21/2020
This service pack release of STA resolves the issues listed below:
Resolved Issues
Issue | Synopsis |
---|---|
SAS-37837 | Database performance improvements. |
SAS-37836 | Database performance improvements. |
03/20/2020
This service pack release of STA introduces the following feature and resolves the issue listed below:
- Security enhancements for the Azure Conditional Authentication Factors integration.
Resolved Issue
Issue | Synopsis |
---|---|
SAS-37808 | Database performance improvements. |
03/18/2020
This service pack release of STA resolves the issue listed below:
Resolved Issue
Issue | Synopsis |
---|---|
SAS-37742 | Database performance improvements. |
03/16/2020
This service pack release of STA resolves the issue listed below:
Resolved Issue
Issue | Synopsis |
---|---|
SAS-37702 | Database performance improvements. |
03/13/2020
This service pack release of STA resolves the issue listed below:
Resolved Issue
Issue | Synopsis |
---|---|
SAS-33098 | Improved display performance of the Virtual Servers tab on the STA Token Management console. |
02/28/2020
This service pack release of STA introduces the following feature:
- Security enhancements for the Azure Conditional Authentication Factors integration.
02/27/2020
This service pack release of STA introduces the following feature and resolves the issue listed below:
- General system stability improvements
This service pack release of STA introduces the following features and resolves the issue listed below:
- Customization of subscription plan change alerts: Allows customization of the email and SMS alert templates for the STA product subscription plan alert.
- Security updates and STA Access Management console performance updates
Resolved Issue
Issue | Synopsis |
---|---|
SAS-35359 | When multiple tokens are assigned to a user, the token status is displayed correctly on the STA Access Management console and user portal. |
01/31/2020
This service pack release of STA introduces the following feature:
- REST API for STA: A new, modern API is introduced to expose administrative functionality for custom workflows and integrations, such as user provisioning and IGA.
  The initial preview allows you to programmatically manage the STA user life cycle using a REST API to create, read, and update internal and synchronized users.
  A direct link on the STA Access Management console provides access to API documentation using Swagger. Swagger allows your development team and operators to visualize and interact with the API resources without having any of the implementation logic in place.
  Authentication uses API keys that are bound to STA users or service accounts, and is not tied to STA operators.
  The ability to manage child tenants is provided, based on the service account rights and tenant visibility.
  The APIs will gradually be expanded to include group and application management.
01/30/2020
This service pack release of STA resolves the following issues:
Resolved Issues
Issue | Synopsis |
---|---|
SAS-36295 | SAML metadata uploads successfully. A permission error is no longer triggered. |
SAS-35989 | Usernames with special characters are accepted on the STA login screen. |
SAS-35924 | Switching between the STA Access Management console and STA Token Management console no longer results in a permission error. |
01/24/2020
This service pack release of STA introduces the following update:
- Software enhancements and security updates for certificate-based authentication (CBA).
01/23/2020
This service pack release of STA introduces the following features and resolves the issue listed below:
- Subscription plan change alerts: A new email/SMS alert is introduced to optionally notify operators about changes to the subscription plan.
Resolved Issues
Issue | Synopsis |
---|---|
SAS-34663 | Provisioning works correctly when password enrollment is restricted in Policy > Token Policies > Token Restrictions. |
12/12/2019
This service pack release of STA resolves the issues listed below:
Resolved Issues
Issue | Synopsis |
---|---|
SAS-35554, SAS-35191 | STA supports special characters in the SAML or OIDC state attributes. |
12/05/2019
This service pack release of STA introduces the following features and resolves the issues listed below:
- Self-enrollment of additional MobilePASS+ authenticators: Enables users to enroll backup or replacement devices on demand without administrator intervention, triggered from the OTP Authentication screen. Administrators can restrict the number of tokens that can be enrolled via self-enrollment.
- Integrated Windows Authentication (Kerberos) on the User Portal: STA now supports Integrated Windows Authentication (Kerberos) on the User Portal. In addition, the landing page for the User Portal enables users to easily bookmark the page.
- Switch user during the authentication flow: Enables users to change their username during the authentication flow unless the username was preset by the service provider.
- Redesign of authentication settings: Authentication settings are moved from a dedicated icon on the main navigation to a section in the Settings menu.
The Logon tab in the Policies section is not functional at this time. It supports a feature that is planned for a later release.
Resolved Issues
Issue | Synopsis |
---|---|
SAS-35115 | Billing reports on records prior to September 17th, 2019 are generated correctly. |
SAS-34753 | Application help is linked to the template version from which the application was created. |
11/28/2019
This service pack release of STA resolves the issues listed below:
Resolved Issues
Issue | Synopsis |
---|---|
SAS-34538 | In Self-Enrollment > Configuring Self-Enrollment > Configure Self-Enrollment Pages, the character limit for each field has been increased to 4000. |
SAS-34537 | The self-service portal always returns the same response whether or not the user exists. |
SAS-34535 | To increase security for the Resend SMS option on the Self-service portal, a generic message is displayed regardless of whether the user enters a correct PIN or user ID. The message states: "If this user ID exists and has a mobile number, you will receive a new SMS Token Code shortly." |
SAS-32379 | Organization Capacity alerts are generated successfully. |
SAS-24186 | For authentication attempts with a GrIDsure token, the self-service portal always returns a GrIDsure response whether or not the user exists. |
11/06/2019
This service pack release of STA resolves the issues listed below:
Resolved Issues
Issue | Synopsis |
---|---|
SAS-33918 | On the self-enrollment page, the MobilePASS and MobilePASS+ links for iPadOS 13 are correct. |
SAS-33511 | When a user completes the MobilePASS+ token enrollment, any static password or AD password that is assigned as a token is removed from their token list. |
SAS-30329 | In COMMS > Custom Branding > Custom Buttons, selecting the Reset button, or selecting the Default option and then selecting Apply, reverts to the default button color. |
10/24/2019
This service pack release of STA resolves the issue listed below:
Resolved Issue
Issue | Synopsis |
---|---|
SAS-34260 | Certificate Based Authentication functions correctly in cases where a root Certificate Authority (CA) issuer is identified by the Organizational Unit (OU). |
10/22/2019
This service pack release of STA resolves the issue listed below:
Resolved Issue
Issue | Synopsis |
---|---|
SAS-24132 | When accessing an application from an iOS device, the push authentication can now also be accepted from that same device. |
10/18/2019
This service pack release of STA resolves the issues listed below:
Resolved Issues
Issue | Synopsis |
---|---|
SAS-33780 | Tokens are correctly allocated from the On-Boarding tab. |
SAS-31968 | Custom email addresses are correctly saved. |
SAS-29635 | The Change Log correctly records tokens that are revoked. |
10/04/2019
This revision of the Customer Release Notes combines the content of two release dates: 10/04/2019 and 10/02/2019.
This service pack release of STA introduces the following features and resolves the issues listed below:
- STA Access Management console Settings > Branding > User Login and Operator Login replace Comms > Custom Branding > IDP Login & Operator Login functionality in the STA Token Management console.
- The Snapshot tab loads more quickly.
- The Service Metrics - Total Active Users per Month (Rolling YTD) report includes columns for: Product Plan and Custom #1 - #3.
  Note: You may need to exclude the new columns from existing scheduled reports if they are not required.
- The Application tab on the STA Token Management console is removed. To manage applications, select Applications from the Extended Features menu.
- Passwords and ICE tokens are not available for provisioning in Virtual Servers > Policy > Token Policies > Token Restrictions.
- The status of synced passwords is displayed only for synced passwords in the STA Token Management console under Virtual Servers > Assignment > User Detail. See the illustration which follows.
Resolved Issues
Issue | Synopsis |
---|---|
SAS-33881 | Enrollment proceeds without intermittent interruptions. |
SAS-33702 | Duplicate provisioning tasks are prevented so that the token inventory is not depleted. |
SAS-32433 | Race conditions that allow assigned tokens to also be in inventory are prevented. |
10/02/2019
This service pack release of STA resolves the issues listed below:
Resolved Issues
Issue | Synopsis |
---|---|
SAS-33502 | The number of IP addresses supported by scenarios is increased. |
SAS-33376 | Domain passwords ending with two & characters in a row are supported. |
09/23/2019
This service pack release of STA introduces the following feature:
- Unified Logs: Allows you to view access logs and their associated authentication logs in one place in the STA Access Management console, therefore improving the work flow for help desk personnel and anyone else who needs to consult the logs.
The unified logs presented in the STA Access Management console include authentication logs that go back to one week prior to this release. Older authentication logs are not available for display by the Unified Logs feature but may still be extracted through the Authentication History report which can be produced from the STA Token Management console.
09/12/2019
This service pack release of STA introduces the following features and resolves the issues listed below:
- Windows Logon 3.0: The new Windows Logon 3.0 agent is now available for download and installation directly from the STA console. It is found under the Applications tab through the Windows Logon application template. The agent is now easier to deploy without configuring the authentication nodes. This version of the agent supports Windows 10 only.
- Subscription Plan Downgrade: Allows you to downgrade a subscription plan (for example from STA Premium to STA, or from STA to STA Basic). Downgrading a subscription is subject to contractual rules and commercial agreements.
Resolved Issues
Issue | Synopsis |
---|---|
SAS-32244 | Changes to Synchronization Agent settings can be saved. |
SAS-30132 | Added the following timezone offset option: UTC-02:30. |
09/09/2019
This service pack release of STA introduces the following feature:
- Country Change condition: Allows you to check whether the access attempt of a given user originates from a different country compared to the previous successful access by the same user. Use this condition to step-up authentication or deny access in these situations.
08/29/2019
This service pack release of STA introduces the following feature and resolves the issue listed below:
- Access Logs and Audit Logs: To further simplify navigation on the STA console, the Access Logs and Audit Logs are now accessed from the Home tab.
  The presentation of the Access Logs and Audit Logs is updated with an improved UI. These improvements include a new timezone selector that allows you to view the logs in either local time or UTC time, and a refresh button that allows you to display the latest logs captured by the system. The refresh button replaces the old filter reset button.
Resolved Issue
Issue | Synopsis |
---|---|
SAS-31946 | The mapping for OIDC claims can now be edited. |
08/09/2019
This service pack release of STA resolves the issues listed below:
Resolved Issues
Issue | Synopsis |
---|---|
SAS-31324 | OTP delivery via email works correctly. If the email subject contains line feed or carriage return characters, the characters are replaced with a white-space. |
SAS-30866 | The language on the self-service portal can be changed by the end user. |
SAS-30803 | Account managers who do not have an operator role are able to access the STA console. |
SAS-28382 | SMS messages over 160 characters are now correctly split into multiple 160-character messages. The following are counted as multiple characters: \b (backspace), \n (newline), \r (carriage return), ^, ~, \|, €, [, ], {, } |
SAS-24379 | Changes to the Custom Title on the Self-Enrollment page can be saved. The Custom Title field is grayed-out if "Use Inherit Customization" is in use. |
Issue 2 of this release adds resolved issues: SAS-30866, 28382, and 24379.
08/01/2019
This service pack release of STA resolves the following issues and provides security enhancements:
Resolved Issues
Issue | Synopsis |
---|---|
SAS-32162 | When an operator tries to log in with an unknown user ID, the logs correctly indicate the failure reason as Invalid User. |
SAS-31851 / ASCO-11538 | The IDP login screen correctly forwards to the application instead of displaying "Already logged in". |
SAS-31422 | Operators who belong to many groups can successfully log in to the management consoles. |
SAS-31413 | Operators can log in when there is an apostrophe in their email address. |
SAS-30947 | STA waits until Kerberos ticket collection completes. |
SAS-30630 | The Users page is now displayed properly when accessed from the shortcut link on the STA Token Management console. |
07/31/2019
This service pack release of STA introduces the following features:
- Anonymizer condition: Checks whether the access request originates from behind an anonymizer (VPN, proxy, or Tor) that hides the originator’s real IP address. This condition uses a regularly updated IP intelligence database that keeps track of anonymizers in the public network. You can combine the anonymizer and network conditions to remove false positives that could be caused by the detection of legitimate customer proxies. Use the anonymizer condition to step-up authentication or deny access in these situations.
- User Device condition: Checks whether the access request originates from a known device for this user. This condition determines whether this user has successfully authenticated using this device in the specified period. This condition allows you to lower authentication requirements and reduce user friction when authenticating with a known device.
- Enhanced Operating System condition: Allows you to identify situations where the operating system of the connecting user is not included in a specified list of operating system types or versions. This feature makes it easy to configure policy behavior for cases where the connecting machine’s OS falls outside of the list of OS types and versions supported by your IT group.
The features are available in the STA and STA Premium plans.
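The following added illustration (not STA's implementation or API) models how the Anonymizer and User Device conditions above, together with the Country Change condition from the 09/09/2019 release, can feed one policy decision, including the network-condition exclusion for legitimate customer proxies. The IP ranges, event fields, outcome names, and evaluation order are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample data (RFC 5737 documentation ranges), not real intelligence.
ANONYMIZER_NETS = [ip_network("203.0.113.0/24")]  # stand-in for the IP intelligence database
TRUSTED_NETS = [ip_network("203.0.113.16/28")]    # legitimate customer proxy inside a flagged range


@dataclass(frozen=True)
class Access:
    """One access attempt; field names are hypothetical."""
    user: str
    ip: str
    country: str
    device: str
    when: datetime
    success: bool = True


def _in_any(ip, nets):
    addr = ip_address(ip)
    return any(addr in net for net in nets)


def anonymizer(ev):
    """Anonymizer condition: source IP is listed as a VPN, proxy, or Tor address."""
    return _in_any(ev.ip, ANONYMIZER_NETS)


def network(ev):
    """Network condition: source IP is inside a range the customer trusts."""
    return _in_any(ev.ip, TRUSTED_NETS)


def _prior_successes(ev, history):
    # Only successful accesses by the same user count as a baseline.
    return [h for h in history
            if h.user == ev.user and h.success and h.when < ev.when]


def country_change(ev, history):
    """Country differs from the user's previous successful access."""
    prior = _prior_successes(ev, history)
    if not prior:
        return False  # assumption: with no baseline the condition does not match
    return max(prior, key=lambda h: h.when).country != ev.country


def known_device(ev, history, period):
    """User authenticated successfully from this device within the period."""
    cutoff = ev.when - period
    return any(h.device == ev.device and h.when >= cutoff
               for h in _prior_successes(ev, history))


def decide(ev, history, period=timedelta(days=30)):
    # Combining anonymizer with the network condition removes the
    # false positive for the customer's own proxy.
    if anonymizer(ev) and not network(ev):
        return "deny"
    if country_change(ev, history):
        return "step-up"
    if known_device(ev, history, period):
        return "reduced"   # lower authentication requirements
    return "default"


def _t(day, month=7):
    return datetime(2019, month, day, 9, 0)


# Constructed history: a failed attempt from another country must not
# become the baseline for the Country Change comparison.
HISTORY = [
    Access("alice", "198.51.100.7", "FR", "laptop-1", _t(1)),
    Access("alice", "198.51.100.7", "FR", "laptop-1", _t(20)),
    Access("alice", "192.0.2.99", "BR", "unknown", _t(25), success=False),
    Access("bob", "192.0.2.10", "DE", "phone-9", _t(1, month=5)),
]


def demo():
    now = _t(31)
    cases = {
        "anonymizer": Access("alice", "203.0.113.200", "FR", "laptop-1", now),
        "customer_proxy": Access("alice", "203.0.113.20", "FR", "laptop-1", now),
        "new_country": Access("alice", "198.51.100.7", "US", "laptop-1", now),
        "stale_device": Access("bob", "192.0.2.10", "DE", "phone-9", now),
        "after_failed_attempt": Access("alice", "198.51.100.7", "FR", "tablet-2", now),
    }
    return {name: decide(ev, HISTORY) for name, ev in cases.items()}


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:22} -> {outcome}")
```
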
07/17/2019
This service pack release of STA resolves the following issues:
Resolved Issues
Issue | Synopsis |
---|---|
SAS-31086 | The Service Metrics – Total Active Users per Month (Rolling YTD) report works correctly. |
SAS-31812 | Existing policies are displayed correctly and the global policy setup screen is not displayed when the STA Access Management console is accessed from a new machine, a different browser, or a browser with cleared cookies. |
07/11/2019
This service pack release of STA introduces the following change:
- The product name displayed at the top of the operator login page for the STA Token Management console (previously known as the SAS console) is changed from SafeNet Authentication Service to SafeNet Trusted Access as a follow up to the merging of SAS with STA. For customers who have configured a custom product name, the custom name remains unchanged.
06/26/2019
This service pack release of STA resolves the issue listed below:
Resolved Issue
Issue | Synopsis |
---|---|
SAS-31264 | Inline enrollment is successful on iOS devices when server-side PIN is selected in the token template. |
06/19/2019
This service pack release of STA merges SafeNet Authentication Service (SAS) and SafeNet Trusted Access (STA) to form a combined access management and authentication service named SafeNet Trusted Access.
This introduces the following changes:
- The product name is changed from SafeNet Authentication Service to SafeNet Trusted Access.
- Three subscription plans are introduced: STA Basic, STA, and STA Premium.
- Customers with SAS service subscriptions are upgraded to the STA Basic subscription plan. Customers with STA service subscriptions are migrated to the STA Premium subscription plan.
- A new Extended Features shortcut links menu is added to the SAS console, which is now referred to as the STA Token Management console. This new shortcut menu provides a fast way to navigate to the access management capabilities in the STA console.
Product Name Change
The product name has changed from SafeNet Authentication Service to SafeNet Trusted Access.
This new product name will appear in the operator console, system generated emails, self-service portal, and enrollment pages. For customers who have configured a custom product name, that custom name remains unchanged.
The product name that appears on the user’s login page will also be changed in the coming weeks. This change will be communicated separately.
Three Subscription Plans are introduced
STA is now available in three subscription plans:
- STA Basic
- STA
- STA Premium
The three plans have the following features:
Feature | STA Basic | STA | STA Premium |
---|---|---|---|
SAS functionality | All | + | + |
Authentication methods | All authentication methods that are offered by SAS; Domain password | + Kerberos | + Certificate-based authentication |
Applications | Applications page; SAML & OIDC templates; User portal | + | + |
Policies | Apply policies to groups of users | + Apply policies to groups of users and applications | + |
Conditions | Network (IP address ranges) | + OS, location | + |
Session | Session timeout control | + | + |
Authentication frequency | Once per session | + Every access attempt | + |
SAS service subscriptions are upgraded to STA Basic
SAS service subscriptions are now upgraded to STA Basic subscriptions. This comes with new features that were previously accessible to only STA customers:
- Access management policies for different groups of users: Control access decisions and authentication requirements to applications based on the user's group membership.
- Access management policy scenarios based on network context: Control access decisions and authentication requirements to applications based on which network the user is connecting from.
- User-initiated token enrollment – also referred to as inline enrollment: Customers can configure the ability for users to self-provision their SafeNet MobilePASS+ token. Self-provisioning means that users who don't already have a token can immediately enroll a new token on their own when they need it, without using an enrollment email.
The Applications page of the SAS console now points to the Applications page in the STA Access Management console (the STA console).
Default operators (with the operator role) are automatically granted permission to access the STA Access Management console (the STA console). They can extend this permission to other operator roles that are configured by the customer.
STA service subscriptions are upgraded to STA Premium
STA service subscriptions are now migrated to STA Premium subscriptions. They continue to benefit from the full set of capabilities offered by their STA service.
STA subscription plan information can be viewed in the STA console
Customers can view their STA subscription plan information from the STA Access Management console.
New Extended Features shortcuts menu
A new shortcut links menu is introduced on the SAS console (the STA Token Management console) to allow operators to rapidly navigate to useful functions in the STA Access Management console. Only operators who have permission to access the STA Access Management console can view this menu.
New embedded shortcut links
Embedded shortcut links are added to the Applications and Policy tabs of the STA Token Management console. These shortcuts allow operators to rapidly navigate to the associated functions on the STA Access Management console.
06/12/2019
This service pack release of SAS resolves the issue listed below.
Resolved Issue
Issue | Synopsis |
---|---|
SAS-31183 | MobilePASS+ tokens can be enrolled with a server-side PIN on iOS devices. |
06/06/2019
This service pack release of STA introduces the following feature:
Links to SAS console: A new shortcut links menu is introduced on the STA console to allow operators to rapidly navigate to specific functions on the SAS console. Only operators who have permission to access the linked functions can view the associated menu item.
06/04/2019
This service pack release of STA introduces the following features:
- SAS as a multi-factor option in Microsoft Azure AD: Customers with at least an Active Directory Premium P1 subscription can integrate SAS as a multi-factor option into their Azure AD Conditional Access Policies. This feature includes:
  - Support for multiple token types, including hardware tokens
  - Easy integration with a simple copy & paste operation
06/03/2019
This service pack release of SAS resolves the issues listed below:
Issue | Synopsis |
---|---|
SAS-30244 | The BSIDCA ProvisionUsers method can be used to assign tokens to multiple users. |
SAS-28112 | Any restrictions on IP address ranges that are set in the SAS console under Policy > Role Management > Allowed Management IP Range apply to both the SAS and STA consoles with OIDC-based logins. |
05/21/2019
This service pack release of SAS introduces the following changes and resolves the issues listed below:
- Inline Enrollment: You can offer your users the option to self-provision a SafeNet MobilePASS+ token. Self-provisioning means that users who don't already have a token can immediately enroll a new token on their own, without using an enrollment email.
- Import of Yubico Personalization Tool PSKC format
- Default storage period of reports set to 365 days
- Reports default to “Run now”
- Updated MobilePASS 8 to latest version 8.4.5.3
Resolved Issues
Issue | Synopsis |
---|---|
SAS-29574 | Locked tokens correctly display in the Tokens tab. |
SAS-29325 | Authentication activity is correctly sent to the Remote Logging Agent. |
SAS-28293 | Accounts can be deleted. |
SAS-28023 | Stale MSM notification profiles are correctly removed during token enrollment, avoiding duplicate push notifications. |
SAS-27093 | The text on buttons is bolded to more easily distinguish between valid (black) and invalid (grayed-out) options. |
SAS-26080 | An IDP auto-trigger no longer triggers sending a new SMS for tokens that are in QuickLog mode. A successful authentication will trigger sending the next OTP via SMS. |
04/15/2019
This service pack release of STA resolves the issues listed below:
Issue | Synopsis |
---|---|
SAS-29070 | Users who have both a user ID and a synced alias can use both for IDP-based logins at all times. |
SAS-28761 | Access logs include the user name that was attempted for invalid user requests. |
SAS-28291 | The STA console is successfully initialized on first login. |
SAS-26080 | An IDP auto-trigger no longer triggers sending a new SMS for tokens that are in QuickLog mode. A successful authentication will trigger sending the next OTP via SMS. |
03/20/2019
This service pack release of SAS introduces the following changes and resolves the issues listed below:
- Configurable Auto-Revoke: With this feature you can add and remove Auto-Revoke on a provisioning rule such that tokens provisioned by this rule are not revoked if other parameters of the rule, such as groups, are changed.
Resolved Issues
Issue | Synopsis |
---|---|
SAS-28455 | Removed Last Year column from Snapshot > Authentication Metrics table. |
SAS-26834 | Modified text for AD password sync status in Assignment > Authentication Methods. |
SAS-26701 | Bulk provisioning tasks can be correctly managed from the SAS Console. |
SAS-25671 | The Token Change log is reset for each provisioning attempt. |
SAS-24722 | The Tokens - Expiring report generates correctly. |
SAS-21458 | The Self-service: Approval Level 2 Email is sent correctly. |
03/06/2019
This service pack release of STA introduces the following features:
- List authenticators on the user portal: This feature allows your end users to view a list of their authenticators on the user portal. The list indicates the status of each token and whether push is enabled.
- Customization of Application Icons: Customers are now able to customize the icons that represent applications in the STA User Portal and the STA console. This can be done for each application individually by uploading an image file.
02/19/2019
This service pack release of STA introduces support for the following feature:
- Adds support for nested groups to Policies, Applications, and Users on the STA console. With this feature, STA configuration options that are based on group membership can take into account nested group membership, in addition to direct group membership.
02/08/2019
This service pack release of SAS removes the ability to enroll additional MP-1 software tokens in the system. The following menus are removed from the console:
- Assignment and provisioning of MP-1 tokens
- Customization of email messages, self-enrollment, and self-service for MP-1 tokens
- Creation of MP-1 specific auto-provisioning rules
01/23/2019
This service pack release of SAS and STA introduces the following feature:
- Integration of Applications with OpenID Connect: This feature allows customers to integrate web applications using the OpenID Connect (OIDC) protocol. It is primarily aimed at the integration of customer in-house applications that do not have built-in SAML capabilities.
The solution is delivered together with sample OIDC Relying Party software. It is also designed for compatibility with certified OIDC Relying Party software. It thereby allows for the use of readily available OIDC software packages for integration in the applications.
01/07/2019
This service pack release of SAS and STA introduces the following feature:
- Token restrictions: You can restrict the availability of tokens within a virtual server, regardless of the account inventory, so that operators cannot erroneously assign a token type that is incompatible with the security policies. Token restrictions are set in Policy > Token Policies > Token Restrictions.
With this upgrade, Google Authenticator will be disabled by default, affecting new token enrollments. If you are using Google Authenticator, enable it in the token restriction settings. Existing tokens continue to work as expected.
Resolved Issues
Issue | Synopsis |
---|---|
SAS-27165 | When a user attempts to enroll an eToken that is out of sync, the PIN is displayed again along with instructions to enter the PIN and the next token code in the OTP field. |
SAS-26086 | Improvements made for multiple requests to provision tokens at the same time. |
SAS-24932 | You can now successfully request a MobilePASS token from the self-service URL when you use the Firefox browser on an Android device. |
12/11/2018
This service pack release of SAS introduces the following features and resolves the issues listed below:
- Change the colors of module headers: The color of the module headers, such as Alerts and Subscriber Metrics, can be customized in Comms > Custom Branding > Custom Colors.
- Customized branding displayed at first login: Any branding customizations that are made in Comms > Custom Branding are displayed the first time that an operator accesses their SAS login page through their tenant-specific URL with all supported login methods.
- Customize the subject for SMS email messages: To customize the subject line for SMS messages that are sent over email, select Comms > Communications > SMS Messages, and in the SMS Message Type list, select Email Subject. This allows you to provide a meaningful description of what the email is used for.
- Length of the shared secret value increased: The length of the shared secret value has been increased to 127 characters (254 bytes) for RADIUS auth nodes.
Resolved Issues
Issue | Synopsis |
---|---|
SAS-26190 | The Operator Activity - Logons report includes logins to the OIDC console. |
SAS-26141 | When auto-provisioning SMS tokens, the correct alert is displayed when a user doesn't have a mobile number assigned. |
SAS-25785 | The drop-down list in the Search Token Type section of the Tokens module includes the All (token types) option. |
SAS-25695 | SAS sends an SMS or email notification to the user when an SMS token is suspended using the API. |
SAS-24707 | In cases where the user name is resolved using realming, error logs display both the resolved name and the name that was provided at login. |
11/05/2018
This service pack release in the EU service zone introduces the following features:
- Status of AD password in STA: This feature displays the status of the AD password in the STA console. This includes the expiry date, whether it is locked, and whether it is synchronized with the AD password.
- Epic Hyperspace Agent in STA and SAS: This feature allows integration with the Epic Hyperspace application through the use of an agent available from the Applications tab in the STA and SAS consoles.
10/30/2018
This service pack release of SAS in the EU service zone introduces the following features and resolves the issues listed below:
- Status of AD password: This feature displays the status of the user's password, including: expiry date; whether it is locked; and whether it is synchronized with the AD domain password.
  To display the expiry date, SAS Synchronization Agent version 3.7.0 (released separately) is required.
- SAS console login with Push OTP: The administrator console login includes Push OTP as an authentication option.
With this release, customers who have previously branded their administrator console will need to reapply the branding. Branding on the administrator console does not support inheritance and must be individually applied to each virtual server using COMMS > Custom Branding > IDP Login & Operator Login.
Resolved Issues
Issue | Synopsis |
---|---|
SAS-25785 | The drop-down list in the Search Token Type section of the Tokens module includes the All (token types) option. |
SAS-25695 | SAS sends an SMS/email notification to the user when an SMS token is suspended using the API. |
SAS-25576 | The Authentication Activity table displays correctly. |
SAS-24707 | In cases where the User Name is resolved using realming, error logs display both the resolved name and the name that was provided at login. |
10/25/2018
This service pack release of STA in the EU service zone introduces the following feature:
- Certificate-based authentication: STA now supports PKI credentials, enabling organizations to enforce the use of certificate-based authentication when defined in a STA access policy. This allows organizations to take advantage of their existing PKI implementations to protect access to their cloud applications and assets.
Resolved Issues
Issue | Synopsis |
---|---|
SAS-25036 | The user portal for newly created virtual server accounts now displays as active on the console. |
10/16/2018
This service pack release of STA and SAS in the EU service zone introduces the following feature:
- The visual organization and presentation of the Authentication tab in the STA console is updated in preparation for the introduction of Certificate Based Authentication in the future. There is no functional impact with this change.
10/16/2018
This service pack release of SAS in the EU service zone resolves the issue listed below:
Resolved Issue
Issue | Synopsis |
---|---|
SAS-25936 | You can change the settings for a Subscriber account whether or not you have permissions for the Service Provider account. For example, you can change the following settings: |
10/05/2018
This service pack release of SAS in the EU service zone introduces the following features:
- Splash screen for application management: A splash screen displays when no applications have been configured or when the application management feature is unavailable. The splash screen briefly describes the application management feature, and informs users that enabling the feature uses system resources.
- Support for Google Authenticator software tokens: Google Authenticator is an open-source software token framework that supports time- and event-based OTP with various hashing algorithms.
Operators can now use the Google Authenticator mobile app (with SafeNet Authentication Service as the back end) to generate and validate OTP authentication requests. This enables them to leverage the use of existing Google Authenticator apps on users' smartphones for company credentials.
Google Authenticator also supports an offline enrollment method, where the tokens are created by scanning a QR code with a mobile device or by clicking an enrollment link. Because it supports offline enrollment, it can be used as a viable alternative to MobilePASS+, if a secure seeding process or push notification capabilities are not required.
MobilePASS+ tokens use a secure key generation protocol and should be used if you are looking for enterprise-level security, in addition to OTP push functionality.
09/19/2018
This service pack release of STA and SAS in the EU service zone introduces the following feature and resolves the issues listed below:
- Continue service with SAS after disabling STA: This feature enables customers to seamlessly switch from STA to SAS without reconfiguring the Service Providers. Access policies will be reconfigured to OTP only. For details, refer to the documentation.
Resolved Issues
Issue | Synopsis |
---|---|
SAS-25045 | Self-Enrollment of a token succeeds when the AD password is assigned as a temporary password. |
SAS-24877 | Authentication logs display the Virtual Server time zone offset. |
SAS-23116 | Logins with time-based tokens in an IdP-initiated SAML workflow are supported if push capability is disabled for a specific OS, or if using tokens that are not push-capable. |
09/05/2018
This service pack release of STA and SAS in the EU service zone introduces the following features and resolves the issues listed below:
- Rename an application: This feature enables customers to change the display name for an application, which appears on the user portal and in the STA and SAS consoles.
- Additional Languages for SAS or STA Login and User Portal: Users can now select Simplified Chinese, Traditional Chinese, and Korean, in addition to the languages that were already available.
- Enables customers to use API calls to confirm the OTP length for most tokens (except GrID).
Resolved Issues
Issue | Synopsis |
---|---|
SAS-24934 | The Authentication Activity snapshot displays correctly. |
SAS-24002 | The check box label in Reports > Available Reports > Customize Report clarifies that small reports (those with fewer than a configurable number of rows) can be emailed to authorized personnel. |
SAS-23416 | The SAS console correctly updates existing Roles. |
SAS-22082 | In Self-Service > Request and Approval Queue Processing > Configure Queue Processing, the check box for Approval Level 1 and Approval Level 2 is labeled "Enable Approval Authorities". |
SAS-12035 | The SAS console displays the push settings for both token and system. The "Users-All-with Tokens and Tasks" report displays the token and system push capability at the time the report was generated. |
08/20/2018
This service pack release of STA and SAS in the EU service zone introduces the following feature and resolves the issues listed below:
- Customization of the SAS console Login UI: Customers can now customize visual attributes of the login interface presented to their users and operators when they log in to the SAS console. This includes customization of the company logo, background image, and colors; all managed through a user-friendly interactive user interface.
Resolved Issues
Issue | Synopsis |
---|---|
SAS-24724 / SAS-24710 | Tokens can be provisioned and enrolled. |
SAS-24716 | SAS console timestamps correctly reflect the time zone settings. |
SAS-24678 | During self-enrollment the grid correctly displays when users are prompted for a PIP and refresh the page. |
SAS-24346 | Virtual server names can be directly changed, in whole or in part, from uppercase to lowercase and vice versa. |
Product Launch Release - 07/23/2018
This is the first release of STA and SAS in the EU service zone.
Known Issues
This table provides a list of the known issues as of the latest release.
Issue | Synopsis |
---|---|
SAS-69511 | Summary: An incorrect message "This feature is not available on your current plan" is displayed on the Windows Logon application for the STA Basic customers. However, the users can continue to use SafeNet Agent for Windows Logon, without the passwordless feature. Workaround: None. This message will be corrected in the upcoming STA release. |
SAS-67222 | Summary: During Out-of-Band enrollment, using the activation code method via either the email or SMS, the enrollment process enters an infinite loop, preventing users from successfully enrolling the token. Workaround: The Self-service only option works accurately for self-enrollment. |
SAS-54028 | Summary: The first time you configure delegated password, it doesn't save the first time you click Save. Workaround: Click Save again and it will save. |
SAS-51244 | Summary: Creating a group can fail if the API is under high load. Workaround: Retry group creation |
SAS-48471 | Summary: FIDO does not work with Touch ID on Apple Safari for Mac. Workaround: None |
SAS-46238 | Summary: The Voice OTP setting incorrectly displays Default when set to Custom. Workaround: None |
SAS-45981 | Summary: The Voice OTP settings incorrectly display as Voice Settings and the French text variant is missing. Workaround: None |
SAS-45865 | Summary: The request to send an OTP on the STA login screen does not include voice as a delivery option. Workaround: None |
SAS-45807 | Summary: Voice calls do not distinguish between uppercase and lowercase characters while delivering an OTP. Workaround: None |
SAS-45806 | Summary: The delivery method of the operator making changes in a parent organization is used to send notifications about changes to a user in a child organization. Workaround: None |
SAS-39671 | Summary: Authentication logs generated in the EU zone between June 8 and June 29, 2020 which contain special characters are missing from the STA Access console (Access Logs page) and STA Token Management console (Snapshot page). (EU zone) Workaround: Affected logs are still available and can be viewed through the Authentication History Report. This report can be generated from the Reports tab of the STA Token Management console. |
SAS-38988 | Summary: When adding a new account in Microsoft Outlook, the STA login window might be hidden behind the Outlook registration dialog box. Workaround: Click the STA login window to bring it to the foreground. |
SAS-37728 | Summary: When an auto-provisioning rule is associated with a group that is subsequently removed, and a new group is created or renamed with the same name, the existing auto-provisioning rule will trigger. Workaround: Delete the auto-provisioning rule or use a different group name. |
SAS-37023 | Summary: In the user management API, the pagination links (first, prev, self, last, and next) contain the wrong port, and therefore return a 404 response on the next get API call. (EU and US zones) Workaround: Remove the port in the link or change it to 443. |
SAS-36946 | Summary: SAS IDP returns OIDC claim groups in a comma-separated string. Workaround: A future release will provide an option to return groups as either a comma-separated string or a JSON array. |
SAS-35952 | Summary: When using Internet Explorer to view multiple scenarios under a policy, the list of scenarios displays incorrectly. Workaround: Use a different browser. |
SAS-35716 | Summary: The scroll bar for the STA application policy list is missing. Workaround: None. |
SAS-32974 | Summary: If the SafeNet Synchronization Agent is not configured for a virtual server and the Comms > Authentication Processing > LDAP Sync Agent Settings> Use Delayed Sync Removal check box is selected, when you use the Delete User API on a synced user, the user is scheduled for removal but is never removed (even after the 24-hour period has passed). Workaround: Clear the Use Delayed Sync Removal check box and delete the user again. |
SAS-30420 | Summary: Kerberos authentication fails with IE11. The user is denied access, the related access event on the STA consoles shows "Failed to collect context data". Workaround: Add the service provider you're trying to access as a trusted site in IE11. |
SAS-26837 | Summary: Email addresses support only ASCII characters. Workaround: None. A future release will support UTF-8 encoding in email addresses. |
SAS-26833 | Summary: Policy cannot be saved if description includes "," or ";" characters. Workaround: None. |
SAS-25595 | Summary: When you select the Virtual Servers tab, then select the On-Boarding tab, and then select the Back button to return to the Virtual Servers tab, an error page is displayed. Workaround: None. |
SAS-25526 | Summary: The Firefox and Safari browsers do not prompt the user to insert a smart card during certificate-based authentication. Workaround: Use a different browser or train users to insert a smart card when it is required for login. |
SAS-25524 | Summary: With the Internet Explorer browser, the certificate-based authentication smart card insertion prompt can sometimes be hidden behind the browser window. Workaround: Use a different browser or train the user to look for the smart card dialog window when using the Internet Explorer browser. |
SAS-25456 | Summary: When using the Chrome browser for certificate-based authentication, the user is required to enter a valid PIN within one minute or they will time-out. Workaround: None. |
SAS-24733 | Summary: Accounts with password set to never expire will show the expiry date as unavailable. Workaround: None, will be changed to "Never expire" in a future release. |
SAS-22160 | Summary: AddUser does not support defining the user's groups during user creation. Workaround: Add the user to groups after creating the user using the AddUserToGroup() function. |
SAS-21928 | Summary: When uploading application metadata using the generic template, the value of the Signature Key Name is not set correctly. Workaround: Update the Signature Key Name to the required value and save. |
SAS-21246 | Summary: Signing and Encryption certificates are not loading into STA when the application is configured with the application-provided metadata file and when the “use” attribute is missing in the “KeyDescriptor” element of the cryptographic key (or certificate). Workaround: If a Signing or Encryption certificate is required for the configuration, verify that the application-provided metadata file includes the “use” attribute for the provided certificate. If the “use” attribute is missing, edit the metadata file to include it prior to uploading in STA: <md:KeyDescriptor use="signing"> or <md:KeyDescriptor use="encryption">. |
SAS-20542 | Summary: The following messages that result in denied access for the end user are not logged in SAS: SASIDP_RISK_MANAGER_IS_DOWN; SASIDP_FAILED_TO_COLLECT_CONTEXT_DATA; SASIDP_NOT_AUTHORIZED_TO_ACCESS_APPLICATION; and SASIDP_INVALID_USER. Workaround: None. |
SAS-20087 | Summary: The error message displayed when configuring a duplicate EntityID is too generic. Workaround: Ensure that the EntityID being configured is not a duplicate. |
SAS-19505 | Summary: Special characters are not accepted in the SAML Return Attributes field name: Failed to update Application Settings. Workaround: Do not use special characters in the SAML Return Attributes field name. |
SAS-18653 | Summary: In Internet Explorer, help text is not displayed in input boxes on the Users, Add Application, and Create Policy pages. Workaround: Click outside the input box to display the help text. |
SAS-17067 | Summary: Upon uploading an invalid Service Provider certificate, the error message provided by STA is too generic for the operator to know that the certificate could not be processed. Workaround: If upon saving an Application in the STA console, the “Failed to update Application Settings” message is presented, then verify that you are using a recent Service Provider certificate (as granted by the SAML Application or Service Provider). |
SAS-16998 | Summary: STA operator welcome email can take several hours to arrive. (Previously listed as ASCO-1910.) Workaround: None. |
SAS-16702 | Summary: SAML return attribute groups do not contain parents of nested groups. Workaround: None. |
SAS-8174 | Summary: In the Token Details panel, the Push OTP state in the Mobile App section only displays the Push OTP state at the time of token enrollment. Workaround: None. |
SAS-7237 | Summary: A group name gets synced to SAS, even if that group name is already present internally. Workaround: Avoid using same group name in SAS and LDAP. |
SAS-5017 | Summary: When adding multiple logging agents in the SAS Console, only the first agent added receives logging events, even after it is removed. Workaround: Remove all logging agents, and then re-add only one. |
SAS-4827 | Summary: User IDs with UTF-8 characters do not display properly. Workaround: This issue exists in certain versions of Internet Explorer only. Using another browser will avoid this display issue. |
SAS-4766 | Summary: Allowing one logging agent host for a Virtual Server allows all logging agent hosts. Workaround: None. |
SAS-3624 | Summary: Customizations to email enrollment messages are not saved after being modified, reverting to the default values. Workaround: This issue stems from how certain options are enabled in the SAS Management Console: |
Multiple Tickets | Summary: The help documentation of some of the application templates refer to an assignment procedure that does not apply to STA. Workaround: Ignore the information in the application template help documents about “Enabling SAML Service in the Identity Provider”. |
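A pre-upload check for the SAS-21246 workaround in the table above, as an added example that is not part of these release notes or of STA: it lists `KeyDescriptor` elements that lack a `use` attribute in application-provided SAML metadata and can produce a patched copy. The sample metadata, the entity ID and all function names are constructed for illustration, and the operator is assumed to know which use each key is meant for.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
KEY_DESCRIPTOR = f"{{{MD_NS}}}KeyDescriptor"
VALID_USES = ("signing", "encryption")

# Keep the conventional md:/ds: prefixes when the tree is serialized again.
ET.register_namespace("md", MD_NS)
ET.register_namespace("ds", DS_NS)

# Constructed sample: the second KeyDescriptor has no "use" attribute.
SAMPLE_METADATA = b"""<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sp.example.test/saml">
  <md:SPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>PLACEHOLDER-CERT-A</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor>
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>PLACEHOLDER-CERT-B</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test/saml/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def parse_metadata(data: bytes) -> ET.Element:
    """Parse SP metadata, refusing DTDs so entity declarations never reach the parser."""
    if b"<!DOCTYPE" in data or b"<!ENTITY" in data:
        raise ValueError("metadata contains a DTD; refusing to parse")
    root = ET.fromstring(data)
    allowed = (f"{{{MD_NS}}}EntityDescriptor", f"{{{MD_NS}}}EntitiesDescriptor")
    if root.tag not in allowed:
        raise ValueError("not a SAML 2.0 metadata document")
    return root


def is_signed(root: ET.Element) -> bool:
    """True if the metadata carries an enveloped signature, which any edit invalidates."""
    return root.find(f"{{{DS_NS}}}Signature") is not None


def key_descriptors_missing_use(root: ET.Element) -> list:
    """Return (parent element name, use value) for each KeyDescriptor without a valid use."""
    findings = []
    for parent in root.iter():
        for kd in parent.findall(KEY_DESCRIPTOR):
            use = kd.get("use")
            if use not in VALID_USES:
                findings.append((parent.tag.split("}", 1)[-1], use))
    return findings


def set_missing_use(root: ET.Element, use: str) -> int:
    """Add use=<use> to every KeyDescriptor that has none; return how many were changed."""
    if use not in VALID_USES:
        raise ValueError(f"use must be one of {VALID_USES}")
    changed = 0
    for kd in root.iter(KEY_DESCRIPTOR):
        if kd.get("use") is None:
            kd.set("use", use)
            changed += 1
    return changed


def patched_metadata(data: bytes, use: str) -> bytes:
    """Return a copy of the metadata with the missing use attributes filled in."""
    root = parse_metadata(data)
    if is_signed(root):
        raise ValueError("metadata is signed; request corrected metadata from the application owner")
    set_missing_use(root, use)
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)


if __name__ == "__main__":
    tree = parse_metadata(SAMPLE_METADATA)
    for parent_name, use in key_descriptors_missing_use(tree):
        print(f"KeyDescriptor under {parent_name} has use={use!r}")
    print(patched_metadata(SAMPLE_METADATA, "encryption").decode())
```

Editing signed metadata breaks its signature, which is why `patched_metadata` refuses it instead of patching silently.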
Compatibility Information
Supported Tokens
Hardware Tokens
- KT-4, KT-5, RB, eToken PASS time-based, eToken PASS event-based, SafeNet GOLD, eToken 3410, eToken 3400, CD-1, IDProve 100, SafeNet OTP 110, SafeNet OTP Display Card
Software Tokens
- MobilePASS+: Clients are available for Android, iOS, and Windows.
- MobilePASS: Clients are available for Android, iOS, BlackBerry, Windows Desktop, Windows Phone, Windows RT, and Mac OS X.
Refer to the MobilePASS+ and MobilePASS documentation for supported operating system versions.
MP-1 tokens are not supported in this service zone.
- MP-1: STA support for MP-1 software tokens will be phased out over the next few months, as described in the End-of-Support (EOS) schedule below. There will be no change in the SMS functionality of the MP-1 token.
After the EOS date, you will no longer be able to enroll software MP-1 tokens, and the application will no longer be available on the app stores. MP-1 tokens that are already active will continue to work based on the platform limitations. After the dates specified below, if any issues are encountered with the token, the end user will be required to enroll one of the replacement products.
MP-1 will continue to support SMS and should be used in all cases for which a user requires SMS.
EOS Platform | EOS Date | Replacement Product |
---|---|---|
MP-1 for iOS | September 30, 2017 | MobilePASS+ |
MP-1 for Android | December 31, 2017 | MobilePASS+ |
MP-1 for Windows Desktops | June 30, 2018 | MobilePASS+ |
MP-1 for BlackBerry and Mac OS | June 30, 2018 | MobilePASS 8 |
For full details on replacement products and all key dates of the EOS process, please refer to the EOS product announcement.
Supported Browsers
Safari support applies to only the STA Access Management Console.
- Chrome™ 59 and later
- Firefox® 53 and later
- Microsoft Edge
- Safari 5 and later on iOS
- Safari 10.1 and later on Mac OS
Supported Directories
LDAP | SQL |
---|---|
Active Directory | MS-SQL |
Novell eDirectory 8.x | MySQL |
SunOne 5.x | Oracle |