New Features - Centrify Application Services (formerly known as Identity Services)
Reporting engine now supports modifying reports by changing parameters:
- Application, etc.
Reports have been updated as follows:
- Built-in Reports modified to include parameters (date, application, etc.)
- Custom Reports can be built with parameters
PIN for Phone MFA
PIN is now required when using phone call for MFA.
- Admin specifies number of required characters (4-8)
- User can then create PIN (up to 8 characters)
- Phone Call will not show up in list for user if PIN has not been set
NOTE: in 17.10 this feature is only available for new tenants
OpenID Connect Ability to Pass Login URL for Authentication
Use case is as follows:
- OpenID Connect App has a session timeout
- App is made available to users federated by another IDP (i.e. B2B)
- The login URL specifies where to send the user to re-authenticate once the session times out
Office 365 Linked Apps Support for Multiple SharePoint Sites
Deep link support now available for multiple SharePoint Sites.
- Linked Applications Wizard now provides ability for admin to specify URL of each SharePoint site
Form-Filling Support on Safari
Form-filling (the ability to open a username/password app and log in by clicking the Centrify logo) is now available on Safari.
Active Users Report
This feature allows Admins to find out how many user licenses they are using.
- Built-in Report for “Active Users”
Active Users = users who have authenticated through the service in the last 30 days.
Workflow Options for No Manager
Admins can now determine what action to take for requests that require manager approval when there is no manager:
- Automatically Approve
- Automatically Deny
- Route to Role / User
Improved Multi-Language Email Customization
Email template customization now allows a template to be customized without changing the browser language.
- Template selection lets the admin choose which language to update
- The UI now shows which languages have been updated
OAuth 2.0 (Preview)
This feature enables customers to better interact with Centrify's platform for app development and integration.
- OAuth 2.0 is the industry-standard protocol for authorization
- Focuses on simplicity and enables:
  - Customers to build their own apps using our APIs
  - Better security when using our APIs
  - Better support for app-to-app authorization
New Features - Centrify Endpoint Services
Endpoint Password Generation Profiles
Password generation profiles for Endpoints (Local Account Password Management) are now in a separate location under Settings.
- Settings > Endpoints > Endpoint Password Profiles
- Built-in “Mac Profile”
- New profiles can be created in-line in Policies, or from this page
The following apps have been updated:
- Elastica CloudSOC (SAML)
- ElasticaForCisco (SAML)
- Confluence On-prem (SAML)
- BackBlaze (User/Password)
- SonicWall (User/Password)
- JIRA Cloud (SAML)
- Paylocity Web Pay (User/Password)
- Intacct (SAML) – logo icon only
The following apps have been renamed:
- Elastica --> Elastica CloudSOC
- Stash --> Bitbucket Server
- Windows Intune --> Microsoft Intune
New Features - Centrify Infrastructure Services (formerly known as Privilege Service)
IIS Application Pool Identity - Password Management
- 17.10 adds support for IIS Application Pool Identity password management
- Supported versions: IIS 7.5 (Windows Server 2008 R2), IIS 8 (2012) and IIS 10 (2016)
- Uses CPS-managed Active Directory accounts with Multiplex accounts
- In this release, IIS Application Pool services are onboarded manually
- Discovery of IIS Application Pool identities is planned for the next release
Effective Rights Reports
- Infrastructure Services now offers the ability to produce effective rights reports for users and roles related to all objects (systems, accounts, databases, services and secrets)
- Reports leverage the “Parameterized Reports” feature of the platform
- Reports can be generated interactively or sent to the report requester via email in different formats
- Note: for on-premises deployments, this feature requires the PostgreSQL engine
(Figure: Effective Rights Report - Sample CSV Export, all objects)
Support for future date/time (login, checkout)
- Enhances workflow request to support future date/time login and password checkouts (like zone role workflow)
- Now assignment types can be permanent and windowed (instead of just permanent and time-bound)
- The requester can specify the assignment type and the first approver has the final say on what type will be granted
- This use case is consistent with change control requests approved for a maintenance window in the future
SSH Gateway Enhancements
- Banner (Infrastructure > Security)
  - Aligns with very common security guidelines
- Enable/disable (Connector)
  - Turned off by default (decreases exposure footprint)
  - Allows for segregation of duties between infrastructure components. E.g. an “App Gateway” connector is quite busy, just like an SSH Gateway; if expecting heavy usage, you can segregate capabilities such as AD/LDAP proxying vs. dedicated gateways.
- Change port configuration
  - For customers wanting to run the SSH Gateway service on a non-standard port
Resolved Issues and Behavior Changes
The following list records issues resolved in this release and behavior changes.
- Changes have been made in this release to harden the cloud service against Cross-Origin Resource Sharing (CORS) exploits. As a result, for SP-initiated SSO to succeed with SAML apps, administrators should do one of two things:
  - Supply the ACS URL in the app template with a domain matching the URL on which the SP returns to the cloud service.
  - Add an exception under Settings > Authentication > Security Settings > Specify trusted DNS domains for API calls.
- Account unlock behavior has changed in this release. In previous releases, challenges could be removed if necessary to ensure that the user has the ability to pass through the unlock policy. In this release, the user must answer every challenge specified by the unlock policy. If a user cannot answer a challenge, the unlock attempt will fail. In most cases the system will recognize that the user cannot answer all challenges and will not even try to unlock, however in a few cases the user will still be presented with the first challenge (CC-51644).
- The date range condition used by authentication policies has been overhauled in this release to be more intuitive. The new date rules are as follows:
  - Rule “Today's date is greater than XX/XX/XXXX”: today's calendar date must be greater than XX/XX/XXXX
  - Rule “Today's date is less than XX/XX/XXXX”: today's calendar date must be less than XX/XX/XXXX
  - Rule “Today's date is between XX/XX/XXXX and YY/YY/YYYY”: today's calendar date must be greater than or equal to XX/XX/XXXX and less than YY/YY/YYYY
- In the Security Dashboard, logins that don’t contain an “@” symbol are masked to reduce the chance of showing a user’s password in the dashboard if it was accidentally entered in place of the user name (CC-52295).
- msOrg-IsOrganizational for security groups now syncs correctly from Active Directory to Office 365 (CC-52764).
- Password reset is now supported on IBM Security Directory Server version 6.4 (CC-51035).
- It is now possible to set the maximum allowable clock drift for TOTP OATH tokens. Previously the value was set at 30 seconds, now it is possible to set the number of 30 second units (default 1) that the token clock may drift either side of the current time (CC-52769).
- Mobile Authenticator no longer creates notifications for abandoned or expired sessions (CC-50168).
- A new method has been added to SAML app script processing: createWebRequestWithBasicAuth (string applicationUrl, string username, string password) for http/https basic authentication (CC-52147).
- “User skipped” is now always shown in the provisioning report for skipped users that had been removed from the mapped role (CC-46397).
- A user’s Provisioned Applications page now shows the user having been provisioned for the application after the user was only partially updated during the sync (CC-44102).
- User detail > Provisioned Applications > Provisioning history now correctly shows role names instead of role IDs (CC-50691).
- When adding apps, apps in the Recommended tab are now alphanumerically sorted by default (CC-44708).
- With SCIM provisioning, de-provision now disables a user by default rather than deleting them (CC-51858).
- To prevent policies being created that are larger than devices can handle, a limit (default 5MB) is now enforced when saving the policy (CC-50671).
- Managed apps are now correctly cleaned up from the installed app list when unassigned (CC-51859).
- Device last location timestamp is now shown for administrator location tracking (CC-51704).
- The LDAP connection test has been updated to only verify the existence of the base DN, rather than verifying that there are entities under it. This change avoids timeouts with large numbers of second level entities that would be treated as a connection test failure (CC-51651).
- When an administrator sets an in-house SMTP server for email, email templates are now updated (CC-51585).
- Enrollments of Windows machines are now marked as corporate owned (CC-51200).
- With Android for Work, Gmail and Calendar apps are no longer uninstalled when assigned to the user (CC-50583).
- An issue that prevented users with the Privilege Service entitlement from seeing the Settings menu when using the Safari Web browser has been resolved (CC-50351).
For security advisories and known issues, please see attached file.
Note: To receive release notes prior to the monthly product update, subscribe to the Centrify Cloud Highlights and Release Notes Tech Blog. This release information is posted in advance of the release date. Please check back at release time for updates.