
Centrify 17.10 Release Notes

11 April,19 at 11:50 AM

New Features - Centrify Application Services (formerly known as Identity Services)


Parameterized Reports


Reporting engine now supports modifying reports by changing parameters:

  • Date
  • Role
  • User
  • Application, etc.


Reports updated as follows

  • Built-in Reports modified to include parameters (date, application, etc.)
  • Custom Reports can be built with parameters




PIN for Phone MFA


PIN is now required when using phone call for MFA.

  • Admin specifies number of required characters (4-8)
  • User can then create PIN (up to 8 characters)
  • Phone Call will not show up in list for user if PIN has not been set

NOTE: in 17.10 this feature is only available for new tenants






OpenID Connect Ability to Pass Login URL for Authentication 


Use case is as follows:

  • OpenID Connect App has a session timeout
  • App is made available to users federated by another IDP (i.e. B2B)
  • The login URL passed specifies where to send the user to re-authenticate




Office 365 Linked Apps Support for Multiple SharePoint Sites


Deep link support now available for multiple SharePoint Sites.

  • Linked Applications Wizard now provides ability for admin to specify URL of each SharePoint site




Form-Filling Support on Safari


Form-Filling (ability to go to a username / password app and login by clicking on the Centrify logo) is now available on Safari.





Active Users Report


This feature allows Admins to find out how many user licenses they are using.

  • Built-in Report for “Active Users”

Active Users = users who have authenticated through the service in the last 30 days.





Workflow Options for No Manager


Admins can now determine what action to take for requests that require manager approval when there is no manager:

  • Automatically Approve
  • Automatically Deny
  • Route to Role / User




Improved Multi-Language Email Customization


Email template customization now provides ability to customize the template without changing the browser language.

  • Template selection allows Admin to choose which language to update
  • UI now shows which languages have been updated




OAuth 2.0 (Preview)


This feature enables customers to better interact with Centrify's platform for app development and integration.


  • OAuth 2.0 is the industry-standard protocol for authorization
  • Focuses on simplicity and enables:
    • Customers to build their own apps using our APIs
    • Better security when using our APIs
    • Better support for app to app authorization



New Features - Centrify Endpoint Services


Endpoint Password Generation Profiles


Password generation profiles for Endpoints (Local Account Password Management) are now in a separate location under Settings.

  • Settings > Endpoints > Endpoint Password Profiles
  • Built-in “Mac Profile”
  • New profiles can be created in-line in Policies, or from this page




The following apps have been updated:

  • Elastica CloudSOC (SAML)
  • ElasticaForCisco (SAML)
  • Confluence On-prem (SAML)
  • BackBlaze (User/Password)
  • SonicWall (User/Password)
  • JIRA Cloud (SAML)
  • Paylocity Web Pay (User/Password)
  • Inacct (SAML) – logo icon only


 The following apps have been renamed:

  • Elastica  -->  Elastica CloudSOC
  • Stash  -->  Bitbucket Server
  • Windows Intune  -->  Microsoft Intune



New Features - Centrify Infrastructure Services (formerly known as Privilege Service)


IIS Application Pool Identity - Password Management


  • 17.10 adds support for IIS Application Pool Identity Password Management
  • Versions: IIS 7.5 (2008R2), IIS 8 (2012) and IIS 10 (2016)
  • It uses CPS-managed Active Directory accounts with Multiplex accounts
  • In this release, IIS Application Pool services can be onboarded manually
  • In the next release, we are tracking the addition of discovery of IIS Application pool identities




Effective Rights Reports


  • Infrastructure Services now offers the ability to produce effective rights reports for users and roles related to all objects (systems, accounts, databases, services and secrets)
  • Reports leverage the “Parameterized Reports” feature of the platform
  • Reports can be generated interactively or sent to the report requester via email in different formats
  • Note: for on-premises deployments, this feature requires the PostgreSQL engine




 Effective Rights Report - Sample CSV Export (all objects)



Support for future date/time (login, checkout)


  • Enhances workflow request to support future date/time login and password checkouts (like zone role workflow)
  • Now assignment types can be permanent and windowed (instead of just permanent and time-bound)
  • The requester can specify the assignment type and the first approver has the final say on what type will be granted
  • This use case is consistent with change control requests approved for a maintenance window in the future




SSH Gateway Enhancements


  • Banner (Infrastructure > Security)
    • To align with very common security guidelines
  • Enable/disable (Connector)
    • Turned off by default (decreases exposure footprint)
    • Allows for segregation of duties (infrastructure components)

      For example, an “App Gateway” connector is quite busy, just like an SSH Gateway. If you expect heavy usage, you can segregate capabilities such as AD/LDAP proxying from dedicated gateways.
  • Change port configuration
    • For customers wanting to run the SSH Gateway service on a non-standard port





Resolved Issues and Behavior Changes


The following list records issues resolved in this release and behavior changes.


  • Changes have been made in this release to harden the cloud service against Cross-Origin Resource Sharing (CORS) exploits. As a result of these changes, for SP-initiated SSO to succeed with SAML apps, administrators should do one of two things:
    • Supply the ACS URL in the app template, with a domain matching the URL that the SP comes back to the cloud service on.
    • Add an exception to Settings > Authentication > Security Settings > Specify trusted DNS domains for API calls.
      (CC-47996, CC-52930).
  • Account unlock behavior has changed in this release. In previous releases, challenges could be removed if necessary to ensure that the user has the ability to pass through the unlock policy. In this release, the user must answer every challenge specified by the unlock policy. If a user cannot answer a challenge, the unlock attempt will fail. In most cases the system will recognize that the user cannot answer all challenges and will not even try to unlock; however, in a few cases the user will still be presented with the first challenge (CC-51644).
  • The date range condition used by authentication policies has been overhauled in this release to be more intuitive. The new date rules are as follows:

    Rule: Today's date is greater than XX/XX/XXXX
    Handling: Today's calendar date must be greater than XX/XX/XXXX

    Rule: Today's date is less than XX/XX/XXXX
    Handling: Today's calendar date must be less than XX/XX/XXXX

    Rule: Today's date is between XX/XX/XXXX and YY/YY/YYYY
    Handling: Today's calendar date must be greater than or equal to XX/XX/XXXX and less than YY/YY/YYYY
  • In the Security Dashboard, logins that don’t contain an “@” symbol are masked to reduce the chance of showing a user’s password in the dashboard if it was accidentally entered in place of the user name (CC-52295).
  • msOrg-IsOrganizational for security groups now syncs correctly from Active Directory to Office 365 (CC-52764).
  • Password reset is now supported on IBM Security Directory Server version 6.4 (CC-51035).
  • It is now possible to set the maximum allowable clock drift for TOTP OATH tokens. Previously the value was set at 30 seconds; now it is possible to set the number of 30-second units (default 1) that the token clock may drift either side of the current time (CC-52769).
  • Mobile Authenticator no longer creates notifications for abandoned or expired sessions (CC-50168).
  • A new method has been added to SAML app script processing: createWebRequestWithBasicAuth(string applicationUrl, string username, string password) for HTTP/HTTPS basic authentication (CC-52147).
  • “User skipped” is now always shown in the provisioning report for skipped users that had been removed from the mapped role (CC-46397).
  • A user’s Provisioned Applications page now shows the user having been provisioned for the application after the user was only partially updated during the sync (CC-44102).
  • User detail > Provisioned Applications > Provisioning history now correctly shows role names instead of role IDs (CC-50691).
  • When adding apps, apps in the Recommended tab are now alphanumerically sorted by default (CC-44708).
  • With SCIM provisioning, de-provision now disables a user by default rather than deleting them (CC-51858).
  • To prevent policies being created that are larger than devices can handle, a limit (default 5MB) is now enforced when saving the policy (CC-50671).
  • Managed apps are now correctly cleaned up from the installed app list when unassigned (CC-51859).
  • Device last location timestamp is now shown for administrator location tracking (CC-51704).
  • The LDAP connection test has been updated to only verify the existence of the base DN, rather than verifying that there are entities under it. This change avoids timeouts with large numbers of second level entities that would be treated as a connection test failure (CC-51651).
  • When an administrator sets an in-house SMTP server for email, email templates are now updated (CC-51585).
  • Enrollments of Windows machines are now marked as corporate owned (CC-51200).
  • With Android for Work, Gmail and Calendar apps are no longer uninstalled when assigned to the user (CC-50583).
  • An issue that prevented users with the Privilege Service entitlement from seeing the Settings menu when using the Safari Web browser has been resolved (CC-50351).
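
The TOTP clock drift setting above (CC-52769) trades usability for a longer window in which a captured code stays valid. The following is an added example, not Centrify code: a generic RFC 6238 verifier (HMAC-SHA1, 6 digits) showing how a drift of N 30-second units widens the accepted window. The function names, the replay check via last_used_step, and the RFC test secret used in place of a real token seed are assumptions of this example.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30  # the 30-second unit the release note refers to


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP value for one counter (HMAC-SHA1, dynamic truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret, candidate, now, drift_steps=1, last_used_step=None):
    """Return the time step the code matched, or None if it is rejected.

    drift_steps: 30-second units accepted either side of the current step.
    last_used_step: last step already accepted for this token; anything at
    or before it is refused so a code cannot be replayed inside the window.
    """
    current = int(now) // STEP_SECONDS
    for delta in range(-drift_steps, drift_steps + 1):
        step = current + delta
        if step < 0 or (last_used_step is not None and step <= last_used_step):
            continue
        expected = hotp(secret, step).encode()
        if hmac.compare_digest(expected, candidate.encode()):
            return step
    return None


def accepted_window_seconds(drift_steps: int) -> int:
    """Total time span during which a single code is accepted."""
    return (2 * drift_steps + 1) * STEP_SECONDS


if __name__ == "__main__":
    seed = b"12345678901234567890"      # RFC 6238 test secret (sample input)
    code = hotp(seed, 59 // STEP_SECONDS)  # token clock reads t=59s
    for drift in (1, 2):
        print(drift, accepted_window_seconds(drift),
              verify_totp(seed, code, now=119, drift_steps=drift))
```

With the default of 1 unit a code is accepted for 90 seconds in total; each additional unit adds 60 seconds, which is why the replay check matters more as the setting grows.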




For security advisories and known issues, please see attached file.


Note: To receive release notes prior to the monthly product update, subscribe to the Centrify Cloud Highlights and Release Notes Tech Blog. This release information is posted in advance of the release date. Please check back at release time for updates.