New Features - Centrify Application Services (formerly known as Identity Services)

CBE Pinning

New policy to set Browser Extension Version:

• Set by latest version or specific version number
• When version is set to a specific number, User Portal will prompt for upgrade based on policy version rather than cloud release version
• Centrify will not force upgrade when policy is set 
  • Only latest version and 2 versions prior are supported
• Downloads shows all pinned versions (not available for Chrome) 

OpenID Connect and SCIM GA

OpenID Connect custom template is now GA (no longer appears as “Preview”).

SCIM provisioning support is now GA

• Custom template no longer displayed as “Preview”
• Provisioning tab added to all SSO catalog apps
  • SAML
  • OpenID Connect

Support for RSA SecurID's Next Token Mode

Periodically, users will be asked by RSA to provide the next token code

• E.g. after entering too many incorrect passcodes

Centrify's RADIUS implementation and UI have been updated to support this use case.

Enhancements to Inbound Provisioning

Admins now have the following options on where to email generated credentials:

• Specific email address
• User’s manager
• User’s personal email

Admins can now choose an option to assign users to an OU upon termination.

Bulk Upload Support for Extensible Directory Attributes

Admins can now add values for extensible directory attributes through a bulk upload

• CSV file is now generated on the fly to include columns for each extensible directory attribute

Additional User Portal Settings for UI

The Settings menu in the User Portal now gives users two additional options

• Change the size of the app icons
• Remove / Display app Titles

Enroll mobile device with QR code

Similar to invite-based enrollment, but with QR code from User Portal

• User scans QR code with Centrify app, and enrollment begins
• No Username / Password required
• Allow invite-based enrollment policy must be set to Yes

Android Managed Accounts

No more detailed setup with Google for Android Management

• Google accounts are created dynamically and without setup for GSuite
• Simplified Android Management
• See Android Management under Settings->Mobile to toggle modes
• Existing Android for Work users will need to re-enroll to switch modes

The following apps have been updated:

• Microsoft Partner Network (user / password)
• GSuite
• CloudLock (SAML)
• CloudAMQP (user / password)
• FastHosts (user / password)
• Kayak (user / password)
• Kroger (user / password)
• My Adobe (user / password)
• Sonicwall (user / password)
• Symantec PartnerNet (user / password)
• W3Schools Forum (user / password)
• Fortigate Firewall (user / password)
• Mimecast (SAML)
• Qmarkets (SAML + provisioning)
• Salesforce (SAML + provisioning)
• AbsorbLMS (SAML + provisioning)
• Wordpress (SAML)
• Liquidfiles (SAML)
• Frevvo Live Forms In-house (SAML)
• Docusign (SAML)
• AirWatch (SAML)
• Tableau (user / password)

The following apps have been renamed:

• Timeoffmanager   -->      PurelyHR

New Features - Centrify Infrastructure Services (formerly known as  Privilege Service)

Secure Shell Gateway – File Transfer

• Adds to the Secure Shell Gateway capability implemented in 17.7
• Users can establish file transfer sessions using shared accounts directly, and use their favorite client (e.g. WinSCP) without visiting the portal and leveraging the Centrify connector(s) as the gateway
• Maintains platform features:
  • Authentication Profiles (MFA)
  • Administrative SCP session termination
  • Access Request (Workflow)

Password Complexity Profiles

• Allows the ability to set up password complexity rules at the global or system level
• Centrify provides a set of built-in rules that are QA-validated to work on supported classes of systems
• Granularity to define password length, additional requirements, special characters, leading or trailing characters
• Built-in profiles are tied to corresponding system classes
• This is a foundational capability to support systems such as IBM i and other upcoming capabilities

IBM System i

• The IBM System i (formerly AS/400) platform enjoys large penetration in highly-regulated enterprises (mostly seen in banking)
• The underlying OS (OS/400) relies heavily on shared accounts (profiles), therefore Shared Account Password Management is a must
• Versions supported (6.1 and above) using the SSH Server daemon
• The Password Profile feature can be leverage to onboard IBM i systems with different password rules

Session Size Preferences

• This highly-requested feature allows end-users to set their preferred privilege session window size for SSH (web client) and RDP (local & web client)
• The preference is set per browser

PowerShell samples support for AD and Database Accounts

• 17.8 updates the sample PowerShell scripts
• Add / Moves / Changes (Get, Set & Remove) of local, AD or database accounts
• Get-CIPAccount can be used to retrieve passwords. Make sure the system service account has the view+checkout permissions in the target account
• Use the  domainname or databasename parameters to specify the account type

Resolved Issues and Behavior Changes

The following list records issues resolved in this release and behavior changes.

• RADIUS challenges are now supported for RADIUS authentication, however RADIUS accounting is not currently supported. Note that if you are using external RADIUS (such as RSA SecurID) you must upgrade Connectors to 17.8 for full functionality (CC-46766).
• After enrollment, the default on Android devices for the Settings -> Show All Applications option is now checked (CC-49463).
• Room objects are no longer mistaken as users during Office 365 provisioning (CC-47843)
• MS-LDAP users can now log in and be invited to the User Portal. Microsoft LDAP uses a slightly different dialect to other LDAP servers and this is now supported (CC-50060).
• The forgot user name self-service feature now accepts user email addresses regardless of entered case (CC-49486).
• Errors no longer generated when provisioning GSuite users (CC-50156, CISSUP-3254).
• In the Box and GSuite provisioning apps, Active Directory users are no longer removed from AD groups when a user’s attributes are updated (CC-47102).
• With the Wordpress SAML app, Active Directory users’ Active Directory groups are now updated to Wordpress (CC-46252).
• The Wordpress SAML app now honors the “Allow unlisted users” checkbox (CC-46251).
• Active Directory computer users are now tagged as service users automatically. Note that existing AD computer users will not be tagged until they log in again (CC-50059).

• The SSH gateway feature no longer reports authentication failed when the authentication profile that applied to the user had two consecutive password options (CC-48695).

For security advisories and known issues, please see attached file.

Note: To receive release notes prior to the monthly product update, subscribe to the Centrify Cloud Highlights and Release Notes Tech Blog. This release information is posted in advance of the release date. Please check back at release time for updates.