New Features - Centrify Application Services
Significant Behavior Changes
From the next release, Connectors earlier than 17.7-108 will lose service if not upgraded. As a reminder, Centrify support policy provides support for the Connectors running the current release and two prior releases, and running a connector from a prior release may limit the use of newer functionality. For more information, please see this Tech Alert article.
Open ID Connect App
The OpenID Connect app has been enhanced to allow refresh tokens to be refreshed as specified by the OAuth 2 spec. The app configuration page for OpenID Connect has also been modified to be more consistent with other apps. Some fields have been moved around into more logical groupings.
As part of these changes, all existing OpenID Connect apps will continue to work as-is. However, if you wish to make use of refresh tokens or to make any other changes to the app, you will need to make other changes outside the OpenID Connect app in order for this to work. You will be notified of any changes you need to make when you attempt to edit the OpenID Connect app.
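As an added illustration of the refresh-token grant the note refers to (example code written for this page, not Centrify's implementation, whose internals the notes do not describe): a minimal in-memory token endpoint that handles a request with grant_type=refresh_token as RFC 6749 section 6 describes, and goes one step beyond the note by rotating refresh tokens and revoking the whole token family when an already-rotated token is replayed, as the OAuth 2 security best-practice guidance recommends. Client ids, subjects, scopes and TTLs are constructed values.

```python
import secrets
import time
from typing import Callable, Dict


class TokenEndpoint:
    """Minimal in-memory OAuth 2 token endpoint supporting the refresh_token grant
    (RFC 6749 section 6) with refresh-token rotation. Constructed for illustration;
    a real OIDC provider would issue signed JWTs and authenticate the client."""

    def __init__(self, access_ttl: int = 900, refresh_ttl: int = 86400,
                 now: Callable[[], float] = time.time) -> None:
        self.access_ttl = access_ttl
        self.refresh_ttl = refresh_ttl
        self.now = now
        # refresh_token -> record. Rotated tokens stay stored with revoked=True
        # so that a replay of an old token can be recognised.
        self._refresh: Dict[str, dict] = {}

    def _issue(self, client_id: str, subject: str, scope: str, family: str) -> dict:
        refresh_token = secrets.token_urlsafe(32)
        self._refresh[refresh_token] = {
            "client_id": client_id, "sub": subject, "scope": scope,
            "family": family, "exp": self.now() + self.refresh_ttl, "revoked": False,
        }
        return {
            "access_token": secrets.token_urlsafe(32),  # opaque stand-in for a JWT
            "token_type": "Bearer",
            "expires_in": self.access_ttl,
            "refresh_token": refresh_token,
            "scope": scope,
        }

    def initial_grant(self, client_id: str, subject: str, scope: str) -> dict:
        """Stand-in for the authorization-code exchange that first issues tokens."""
        return self._issue(client_id, subject, scope, family=secrets.token_hex(8))

    def refresh_grant(self, form: Dict[str, str]) -> dict:
        """Handle a token request with grant_type=refresh_token; form is the
        application/x-www-form-urlencoded request body as a dict."""
        if form.get("grant_type") != "refresh_token":
            return {"error": "unsupported_grant_type"}
        rec = self._refresh.get(form.get("refresh_token", ""))
        # The refresh token is bound to the client it was issued to.
        if rec is None or rec["client_id"] != form.get("client_id"):
            return {"error": "invalid_grant"}
        if rec["revoked"]:
            # Replay of an already-rotated token: somebody holds a copy, so
            # invalidate every token descended from the same initial grant.
            self._revoke_family(rec["family"])
            return {"error": "invalid_grant"}
        if rec["exp"] <= self.now():
            rec["revoked"] = True
            return {"error": "invalid_grant"}
        # A requested scope may only narrow the originally granted scope.
        requested = form.get("scope", rec["scope"])
        if not set(requested.split()) <= set(rec["scope"].split()):
            return {"error": "invalid_scope"}
        rec["revoked"] = True  # rotation: each refresh token is single-use
        return self._issue(rec["client_id"], rec["sub"], requested, rec["family"])

    def _revoke_family(self, family: str) -> None:
        for rec in self._refresh.values():
            if rec["family"] == family:
                rec["revoked"] = True


if __name__ == "__main__":
    # Constructed walk-through: initial issue, one refresh, then a replay of the
    # old token, which is refused and invalidates the newer token as well.
    ep = TokenEndpoint()
    first = ep.initial_grant("app1", "alice", "openid profile")
    form = {"grant_type": "refresh_token", "client_id": "app1",
            "refresh_token": first["refresh_token"]}
    second = ep.refresh_grant(form)
    print("refreshed:", second["scope"], second["token_type"])
    print("replay:", ep.refresh_grant(form))
    form["refresh_token"] = second["refresh_token"]
    print("after replay, newer token:", ep.refresh_grant(form))
```

The request body and the success/error responses follow the shapes the spec defines; the family-revocation step is the part that matters operationally, because a refresh token that is accepted more than once is the classic sign that it has been copied.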
Android versions earlier than 4.3 will not be supported by the Centrify mobile app for Android from the next release (18.4).
Zero Trust: Block or Force Challenge for WS-Trust Authentication
- Enable or Disable WS-Trust
- Enforce challenges with WS-Trust: if enabled, WS-Trust connections that do not support MFA challenges will be blocked
App Gateway: Improved Reverse Proxy / Firewall Integration
- Allow the firewall to filter inbound App Gateway traffic using the X-Forwarded-For and/or RFC 7239 Forwarded headers
- Allow use of the REMOTE_USER header to indicate the incoming user as asserted by the Centrify IDP
- Enabled on a per-app basis in App Gateway
- Allows use of the X-Forwarded-For header as either the Username or the Client IP Address
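As an added example of the header handling this feature relies on (written for this page; it is not Centrify App Gateway code, whose internals the notes do not describe): an application or firewall rule behind a reverse proxy should only honour X-Forwarded-For, the RFC 7239 Forwarded header and REMOTE_USER when the connection actually arrived from the trusted gateway, and should take the client address from the right-most hop that is not a trusted proxy, since every entry further left was supplied by the sender and can be forged. The trusted-proxy ranges, header values and user name below are constructed for the example.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed for this example: address ranges of the reverse proxies / gateway
# that are allowed to set forwarding headers. Anything else is a direct client.
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.1.1/32"),
]


def is_trusted_proxy(addr: str) -> bool:
    """True if addr lies inside one of the trusted proxy ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def strip_port(node: str) -> str:
    """Reduce an RFC 7239 node ("192.0.2.1:4711", "[2001:db8::1]:4711") to its address."""
    if node.startswith("["):
        end = node.find("]")
        return node[1:end] if end > 0 else node
    if node.count(":") == 1:  # IPv4 with a port; a bare IPv6 address has two or more colons
        return node.split(":", 1)[0]
    return node


def parse_x_forwarded_for(value: str) -> List[str]:
    """X-Forwarded-For is a comma-separated hop list: left = origin, right = last proxy."""
    return [strip_port(h.strip()) for h in value.split(",") if h.strip()]


def parse_forwarded(value: str) -> List[str]:
    """Extract the 'for' parameter of each element of an RFC 7239 Forwarded header."""
    hops = []
    for element in value.split(","):
        for pair in element.split(";"):
            if "=" not in pair:
                continue
            key, val = pair.split("=", 1)
            if key.strip().lower() != "for":
                continue
            val = val.strip()
            if len(val) >= 2 and val[0] == val[-1] == '"':
                val = val[1:-1]  # quoted-string form, used for IPv6 and for ports
            hops.append(strip_port(val))
    return hops


def client_ip(remote_addr: str, hops: List[str]) -> str:
    """Walk the hop list from the right, skipping trusted proxies; the first
    untrusted entry is the client. Entries further left were written by that
    client (or by someone before it) and are never trusted."""
    if not is_trusted_proxy(remote_addr):
        return remote_addr  # direct connection: forwarding headers are ignored entirely
    for hop in reversed(hops):
        if not is_trusted_proxy(hop):
            return hop
    return hops[0] if hops else remote_addr


def resolve_request(remote_addr: str, headers: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Return the effective client address and asserted user for one request.
    remote_addr is the TCP peer the server actually accepted the connection from."""
    if "Forwarded" in headers:
        hops = parse_forwarded(headers["Forwarded"])
    elif "X-Forwarded-For" in headers:
        hops = parse_x_forwarded_for(headers["X-Forwarded-For"])
    else:
        hops = []
    # REMOTE_USER is an assertion made by the gateway on behalf of the IDP;
    # it only means something when the connection really came from that gateway.
    user = headers.get("REMOTE_USER") if is_trusted_proxy(remote_addr) else None
    return {"client_ip": client_ip(remote_addr, hops), "user": user}


if __name__ == "__main__":
    # Constructed sample: request relayed by the gateway at 10.0.0.5, with a
    # forged leading X-Forwarded-For entry that the client added itself.
    print(resolve_request("10.0.0.5", {
        "X-Forwarded-For": "6.6.6.6, 198.51.100.9, 10.0.0.5",
        "REMOTE_USER": "alice@example.com",
    }))
    # Constructed sample: direct connection that tries to forge both headers.
    print(resolve_request("203.0.113.7", {
        "X-Forwarded-For": "10.0.0.1",
        "REMOTE_USER": "admin",
    }))
```

The same right-to-left rule is what a firewall filtering on these headers has to apply: it is only as good as its list of trusted proxy addresses, and an entry added by the client before the gateway's own hop must never be the one used for a username or an allow/deny decision.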
Localization of App Names and Descriptions
The following apps have been updated:
- Frevvo Live Forms In-house (SAML)
- Lucidchart (SAML)
- Box (SAML + Provisioning)
- Centrify Online Training (User name / Password)
New Features - Centrify Infrastructure Services
Test Connection / Verify Password
- Starting in 18.3, Infrastructure Services will introduce manual system ping and account health check options
- This functionality will supersede the global/system/domain/database setting that enabled automatic health checks
- Ping & health check functionality can be initiated by any IS (CPS) user and will be tracked in the object’s attributes
- The AllowHealthCheck and HealthCheckInterval JSON settings are deprecated
Palo Alto Firewall (PAN-OS) SAPM/PSM
- Adds SAPM and PSM to the existing SAML application included with Application Services
- 18.3 adds the following features:
  - Password Management via API (requires PKI setup) for administrative users without Authentication Profiles
  - Privilege Session
  - Local administrative account (required for SAPM)
  - Vault-based policy and MFA
  - Versions 7.1 and 8.0
Use My Account (LMIv1) for UNIX
- Provides the capability to be “logged in” automatically as a vault user into an IS system that uses adclient or cclient with OpenSSH 7.4 and above, configured with a specific SSH CA master key
- Uses the web session (not the local client)
- Bypasses MFA: ideally an authentication assurance level is achieved at the vault level (e.g. smart card)
- Version 1 does not support multiple Smart Card identities
- Federated identity is not supported by LMI
Centrify Agent for Linux – Secondary UNIX Group Visibility
- Version 18.3 of the Centrify Agent for Linux (cclient) starts the initial phase to support secondary UNIX groups
- CIP groups containing supported identity sources can be used as UNIX secondary groups using the Group Visibility feature
- The group name is the same as the CIP group name and the GID is generated automatically
- Future improvements: performance and group enumeration for NSS-like applications
AD Domain Administrative Account Issue Detection
- 18.3 features mechanisms to notify the end user if something is wrong with the AD domain’s administrative account:
  - Insufficient rights (group membership or rights modification)
  - Bad credentials (password change directly in Active Directory)
Centrify Analytics Services - Private Beta
Please contact Centrify Support to inquire about participation in the beta program.
Ingest Centrify Infrastructure Services – Audit Events
Forward Audit Events into the Analytics Portal leveraging Centrify Sensor.
- Flexible Deployment - Centrify Sensor can be flexibly deployed:
  - Deployed with DA collector
  - Deployed with Centrify Agent
- Enterprise Control on Events Ingested: Filter / Mask what you don’t want to move to the cloud
Ingest Centrify Infrastructure Services – Zone Data
Forward “who has access to which Infrastructure Server” Zone data (i.e., policy data) into the Centrify Analytics Portal.
- Easy Enablement: Leverage Centrify Sensor to forward both Events and Policy Data
- Flexible Reporting: Admins can now query Events & Policy via one console easily
Ingest Centrify Infrastructure Services – DA Session Data
Adaptively record session videos for Infrastructure activity anomalies.
- Adaptive Session Recording: 15-30 second session recording of anomalies leveraging Real-time Threat Analytics
- Session Timeline: Events are all correlated to sessions on a timeline
Additional Access Insights for Centrify Infrastructure Services
New dashboards around Infrastructure Risk Assessment and Infrastructure Access Overview.
- Easily Customize Dashboards: Comes with pre-configured datasets around Events / Zone data to help on-board
- Comes with 12+ pre-configured widgets to help create a new dashboard
- Easily Share / Export Dashboards
Enhanced Anomaly Detection based on Behavior
Multiple new factors added to evaluate infrastructure access risk.
New factors include:
- Unusual Recent Privilege Change
- Unusual Command Run
- Unusual Target Accessed
- Unusual Account Used
- Unusual Privilege Elevation
Behavior based access control for Infrastructure Access
Investigate Access Anomalies
Investigate a Privilege Anomaly easily via drilldown to explorer:
- Session timeline view from the event
- Targeted session replay for the Infrastructure access anomaly
- Easily identify which factors contributed to the anomaly
Adaptive Session Recording and Replay for Anomalies
Replay session for any anomalies based on machine learning models:
- Click-through from Session timeline
- Enterprise control on storage of session recordings
- Control the trigger for session recordings
Alerting and Notifications
Remediate anomalies via integration with any Webhook enabled endpoint:
- Supports anomaly alerting via Slack, Pager Duty, etc.
- Integrates with any Webhook enabled endpoint
- Easily customize what’s included in the Alert
New Features - SIEM and ServiceNow Integrations
Centrify ServiceNow Apps – Certified for latest ServiceNow Release
4 Apps Certified for Jakarta, Istanbul, Helsinki & Geneva.
Centrify Identity Services SIEM Integration – GA
Forward all Centrify Identity Services events into Syslog
- Enhanced Splunk support to include Splunk Add-On for CIP in Splunkbase
- Supports Splunk Cloud and Splunk Enterprise
- Centrify Syslog Writer is GA and is available via Centrify's Download Center – extends Centrify's events to other SIEM tools
- Integration guide available on docs.centrify.com
Resolved Issues and Behavior Changes
The following list records issues resolved in this release and behavior changes.
- The Walk-Me help feature has been removed from the Admin Portal in this release (CC-55314).
- Maximum password history has been increased from 10 to 20 (CC-55558).
- Modifying LDAP server configuration is now correctly supported on LDAP servers that have required custom unique identifiers, such as the MS-LDAP and Tivoli LDAP servers (CC-52777).
- Zero Sign-On (ZSO) support has been added for Firefox v58+ (CC-54822).
- Support has been added for storing very large SP Metadata (CC-54812).
- The status for suspended Google Directory users is now shown correctly. Previously they were always shown as active (CC-55371).
- The Test Advanced Script function has been modified in this release to enhance security. The SAML response preview now shows the response certificate, signature and digest values obfuscated; the real values are still used for SSO.
- QRadar application now correctly works through the App Gateway (CC-56215).
- The Box provisioning app no longer returns 404 errors if content ownership changes (CC-55527).
- The Dropbox provisioning app has been enhanced to support role mapping for Support Admin and User Management Admin (CC-48357).
- Dropbox SSO configuration documentation has been updated for Chrome and Firefox browsers (CC-40211).
- Administrators can now choose between Enterprise and Standard accounts in the Slack app (CC-52691).
- MFA can now be required for portal access for federated (B2B) users (CC-53237).
- Active Directory group sync is now supported in SCIM (CC-53930).
- The Webapp shortcut can now be opened on Android N devices and later (CC-54736).
- Where certificates have been uploaded for policies, it is now possible to remove the uploaded cert (using “Remove”) without affecting the other policy settings (CC-55054).
- The order of SAML elements can now be dynamic for WS-Fed applications (CC-54456).
- It is now possible to prevent collection of installed applications on enrolled devices – the default is to collect the information (CC-53775).
- An option has been added to show / not show a custom welcome screen for iOS devices during enrollment (CC-53676).
- When managed apps are installed on a device for an enrolled user, only those managed apps are shown on the application tab (CC-54946).
- The Company Apps store for iOS devices now only shows apps that are compatible with the type of device being used. For example, iPad-only apps are not shown for iPhones (CC-39129).
- The Download Apple Configurator link in the Admin Portal has been updated with the revised link from Apple (CC-55194).
- Location is now optionally tracked after enrollment on Windows 10 devices (CC-48372).
- The System Administrator role can now be made available for use in a UNIX group by the Cloud Linux Agent (CC-53943).
- In this release, the "AllowHealthCheck":true,"HealthCheckInterval":2 request JSON settings are deprecated. They will have no functional impact (CC-54832).
For security advisories and known issues, please see attached file.
For Maintenance Release 2 security advisories and known issues , please see attached file.
Note: To receive release notes prior to the monthly product update, subscribe to the Centrify Cloud Highlights and Release Notes Tech Blog. This release information is posted in advance of the release date. Please check back at release time for updates.