In case you hadn't heard, we will be upgrading our platform (Centrify Identity Service and Centrify Privilege Service) to version 17.6 this weekend (Saturday, July 8th). The complete list of new features is available in the release notes, but as always I will tell you about my favorites here:
MFA Policies for User Account Settings
We have added security improvements to enable policies to require users to provide additional authentication factors when doing the following:
- changing passwords,
- configuring OATH OTP clients,
- setting security questions, or
- modifying their profile.
All of these policies now appear under a new heading called "User Account Settings" (you will also note that we moved a few policies from other areas to make use of these policies more convenient). For each of these policies, the Admin can choose which Authentication Profile should be called when the user makes these changes.
Admin Control over Signing Certificates
With this release we have also given control to Administrators to better manage the signing certificates used by our service. As you probably already know, Google recently cracked SHA1 certificates and as a result many service providers have announced that they will deprecate support for SHA1 certificates. If you have a Centrify tenant that was created before July 2016, then the default certificate used by your tenant is SHA1. As you probably know, when using a signing certificate for SAML, you can upload your own certificate so you can use one with a stronger algorithm; however, we wanted to address this problem in a more turnkey manner and wanted to give you more control over your options. In 17.6 you will see that we have a new Signing Certificates feature that works exactly as our Authentication Profiles feature works. We now have a "Signing Certificates" page in our "Settings" menu for managing certificates, and we leverage that page directly in the App configuration UI (Admins can choose a certificate from a drop-down menu, or create a new one).
If you want to change a certificate for an application, don't forget, you will need to go into the administrative console for that application and upload the new signing certificate in order to make sure your SSO still works. For Office 365, we have automated that step through a new "Re-Federate" option.
In addition to the above, this release includes two performance improvements that I wanted to call out:
- Addition of "Sets" in Users, Apps and Endpoints. Why is this a performance improvement? The Sets UI enables the Admin to set a default view for each of those pages based on the filter selected. More importantly, Admins can set their default view to have nothing selected so that pages with long lists (e.g. the Users page) loads immediately, as the default view is simply the search bar!
- Intelligent selection of Connectors for IWA and RADIUS. With 17.6, we have improved our connector selection logic to first look for a matching IP address, then a matching sub-net and if neither are found then to randomly select a connector.
We hope you like these new features and look forward to hearing your feedback!