
Centrify 18.3 Release Notes

11 April,19 at 11:51 AM

New Features - Centrify Application Services

 

Significant Behavior Changes

 

Centrify Connector

From the next release, Connectors earlier than 17.7-108 will lose service if not upgraded. As a reminder, Centrify support policy provides support for the Connectors running the current release and two prior releases, and running a connector from a prior release may limit the use of newer functionality. For more information, please see this Tech Alert article.

 

OpenID Connect App
The OpenID Connect app has been enhanced to allow refresh tokens to be refreshed as specified by the OAuth 2 spec. The app configuration page for OpenID Connect has also been modified to be more consistent with other apps. Some fields have been moved around into more logical groupings.

 

As part of these changes, all existing OpenID Connect apps will continue to work as-is. However, if you wish to make use of refresh tokens or make any other changes to the app, you will need to make other changes outside the OpenID Connect app for this to work. You will be notified of any changes you need to make when you attempt to edit the OpenID Connect app.

 

End-of-life Notification

 

 

Android versions earlier than 4.3 will not be supported by the Centrify mobile app for Android from the next release (18.4).

 

Zero Trust: Block or Force Challenge for WS-Trust Authentication

 

  • Enable or Disable WS-Trust

  • Enforce challenges with WS-Trust

  • If enabled, WS-Trust connections that do not support MFA challenges will be blocked


 

 

App Gateway: Improved Reverse Proxy / Firewall Integration

 

  • Allow firewall to filter inbound app gateway traffic using the X-Forwarded-For and/or RFC-7239 headers

  • Allow use of the REMOTE_USER header to indicate the incoming users as asserted by Centrify IDP

  • Enabled on a per app basis in App Gateway

  • Allows use of the X-Forwarded-For header as either the Username or the Client IP Address
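
Filtering on these headers is only sound when they are read from the trusted side of the proxy chain. The following is an added example (not Centrify code and not how App Gateway itself is implemented) that derives the address a filter rule should act on from X-Forwarded-For or the RFC 7239 Forwarded header; the 10.0.0.0/8 proxy range, the function names and the sample headers are assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumption: our own reverse proxies sit in this range (constructed value).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]

def _is_trusted(ip):
    return any(ip in net for net in TRUSTED_PROXIES)

def _parse_node(token):
    """Return an IP for an X-Forwarded-For entry or RFC 7239 node, else None."""
    token = token.strip().strip('"')
    if token.startswith("[") and "]" in token:   # "[2001:db8::1]:4711"
        token = token[1:token.index("]")]
    elif token.count(":") == 1:                  # "192.0.2.1:4711"
        token = token.split(":")[0]
    try:
        return ipaddress.ip_address(token)
    except ValueError:                           # "unknown", "_hidden", garbage
        return None

def forwarded_chain(headers):
    """Hop tokens, client first. Forwarded wins over X-Forwarded-For."""
    fwd = headers.get("Forwarded")
    if fwd:
        hops = []
        for element in fwd.split(","):           # one element per hop
            m = re.search(r'(?i)(?:^|;)\s*for=("[^"]*"|[^;,\s]*)', element)
            hops.append(m.group(1) if m else "")
        return hops
    return headers.get("X-Forwarded-For", "").split(",")

def client_ip(peer, headers):
    """Address a filter rule should act on: walking from the right, the first
    hop that was not appended by one of our own proxies."""
    peer_ip = ipaddress.ip_address(peer)
    if not _is_trusted(peer_ip):
        return peer_ip                           # sender is not our proxy: ignore headers
    for token in reversed(forwarded_chain(headers)):
        ip = _parse_node(token)
        if ip is None:
            return peer_ip                       # unparseable hop: fall back to socket peer
        if not _is_trusted(ip):
            return ip
    return peer_ip

# Constructed samples: in SPOOFED the client forged "1.2.3.4" and the proxy appended the real peer.
SPOOFED = {"X-Forwarded-For": "1.2.3.4, 198.51.100.7"}
RFC7239 = {"Forwarded": 'for=192.0.2.60;proto=https, for="[2001:db8:cafe::17]:4711", for=10.0.0.9'}
```

Taking the leftmost entry instead would let any client choose the address the firewall sees, which is why the walk starts from the right and stops at the first hop outside the trusted range.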


 

 

Localization of App Names and Description

 

  • Allows customers to customize the name and description of applications for supported languages

  • Enabled on a per app basis
  • Set the default language
  • Provide a custom app name and description for each supported language


 

 

The following apps have been updated:

 

  • Frevvo Live Forms In-house (SAML)
  • Lucidchart (SAML)
  • Box (SAML + Provisioning)
  • Centrify Online Training (User name / Password)

 

 

 

New Features - Centrify Infrastructure Services 

  

 

Test Connection / Verify Password

 

  • Starting in 18.3, Infrastructure Services will introduce manual system ping and account health check options
  • This functionality will supersede the global/system/domain/database setting that enabled automatic health checks
  • Ping & health check functionality can be initiated by any IS (CPS) user and will be tracked in the object’s attributes
  • The AllowHealthCheck and HealthCheckInterval JSON settings are deprecated


 

 

Palo Alto Firewall (PANOS) SAPM/PSM

 

  • Adds SAPM and PSM to the existing SAML application included with Application Services
  • 18.3 adds the following features:
    • Password Management via API (requires PKI setup) for Administrative users without Authentication Profiles
    • Privilege Session
    • Local Administrative account (required for SAPM)
    • Vault-based policy and MFA
  • Versions 7.1 and 8.0
     


 

 

Use My Account (LMIv1) for UNIX

 

  • Provides the capability to be “logged in” automatically as a vault user in an IS system that uses adclient or cclient with OpenSSH 7.4 and above, configured with a specific SSH CA master key
  • Uses the web session (not the local client)
  • Bypasses MFA: ideally an authentication assurance level is achieved at the vault level (e.g. smart card)
  • Version 1 does not support multiple Smart Card identities
  • Federated identity is not supported by LMI


 

 

Centrify Agent for Linux – Secondary UNIX Group Visibility

 

  • Version 18.3 of the Centrify Agent for Linux (cclient) starts the initial phase to support secondary UNIX groups
  • CIP groups containing supported identity sources can be used as UNIX secondary groups using the Group Visibility feature
  • The name is the same as the CIP name and the GID is automatically generated
  • Future improvements: performance and group enumeration for NSS-like applications


 

 

 

AD Domain Administrative Account Issue Detection

 

  • 18.3 features mechanisms to notify the end user if something is wrong with the AD domain’s administrative account:
    • Insufficient rights (group membership or rights modification)
    • Bad credentials (password change directly in Active Directory)


 

 

Centrify Analytics Services - Private Beta

 

Please contact Centrify Support to inquire about participation in the beta program.

 

 

Ingest Centrify Infrastructure Services – Audit Events

 

Forward Audit Events into the Analytics Portal leveraging Centrify Sensor.

  • Flexible Deployment - Centrify Sensor can be flexibly deployed:
    • Deployed with DA collector
    • Deployed with Centrify Agent
  • Enterprise Control on Events Ingested: Filter / Mask what you don’t want to move to the cloud


 

 

Ingest Centrify Infrastructure Services – Zone Data

 

Forward “Who has access to which Infrastructure Server, i.e., Policy Data” Zone data into Centrify Analytics Portal.

  • Easy Enablement: Leverage Centrify Sensor to forward both Events and Policy Data
  • Flexible Reporting: Admins can now query Events & Policy via one console easily


 

 

 

Ingest Centrify Infrastructure Services – DA Session Data

 

Adaptively record session videos for Infrastructure activity anomalies.

  • Adaptive Session Recording: 15-30 second session recording of anomalies leveraging Real-time Threat Analytics
  • Session Timeline: Events are all correlated to a session on a timeline


 

 

Additional Access Insights for Centrify Infrastructure Services

 

New dashboards around Infrastructure Risk Assessment and Infrastructure Access Overview.

  • Easily Customize Dashboards: Comes with pre-configured datasets around Events / Zone data to help on-board
  • Comes with 12+ pre-configured widgets to help create a new dashboard
  • Easily Share / Export Dashboards


 

 

Enhanced Anomaly Detection based on Behavior

 

Multiple new factors added to evaluate infrastructure access risk.
New factors include:

  • Unusual Recent Privilege Change
  • Unusual Command Run
  • Unusual Target Accessed
  • Unusual Account Used
  • Unusual Privilege Elevation


 

Behavior based access control for Infrastructure Access

 


 

Investigate Access Anomalies 

 

Investigate a Privilege Anomaly easily via drilldown to explorer:

  • Session timeline view from the event
  • Targeted session replay for the Infrastructure access anomaly
  • Easily identify what factors contributed to the anomaly


 

 

Adaptive Session Recording and Replay for Anomalies 

 

Replay session for any anomalies based on machine learning models:

  • Click-through from Session timeline
  • Enterprise control on storage of session recordings
  • Control the trigger for session recordings


 

 

Alerting and Notifications

 

Remediate anomalies via integration with any Webhook enabled endpoint:

  • Supports anomaly alerting via Slack, PagerDuty, etc.
  • Integrates with any Webhook enabled endpoint
  • Easily customize what’s included in the Alert 


 

New Features - SIEM and ServiceNow Integrations

 

Centrify ServiceNow Apps – Certified for latest ServiceNow Release

 

 4 Apps Certified for Jakarta, Istanbul, Helsinki & Geneva.

 


 

 

Centrify Identity Services SIEM Integration – GA

 

Forward all Centrify Identity Services events into Syslog

 

  • Enhanced Splunk support to include Splunk Add-On for CIP in Splunkbase
    • Supports Splunk Cloud and Splunk Enterprise
  • Centrify Syslog Writer is GA and is available via Centrify's Download Center – extends Centrify's events into other SIEM tools
  • Integration guide available on docs.centrify.com


 

 

Resolved Issues and Behavior Changes

 

The following list records issues resolved in this release and behavior changes.

 

  • The Walk-Me help feature has been removed from the Admin Portal in this release (CC-55314). 
  • Maximum password history has been increased from 10 to 20 (CC-55558). 
  • Modifying LDAP server configuration is now correctly supported on LDAP servers that have required custom unique identifiers, such as the MS-LDAP and Tivoli LDAP servers (CC-52777).
  • Zero Sign-On (ZSO) support has been added for Firefox v58+ (CC-54822).
  • Support has been added for storing very large SP Metadata (CC-54812).
  • The status for suspended Google Directory users is now shown correctly. Previously they were always shown as active (CC-55371).
  • The Test Advanced Script function has been modified in this release to enhance security. The SAML response preview now has the response certificate, signature and digest values obfuscated; however, the real values will be used for SSO.
  • QRadar application now correctly works through the App Gateway (CC-56215).
  • The Box provisioning app no longer returns 404 errors if content ownership changes (CC-55527).
  • The Dropbox provisioning app has been enhanced to support role mapping for Support Admin and User Management Admin (CC-48357).
  • Dropbox SSO configuration documentation has been updated for Chrome and Firefox browsers (CC-40211).
  • Administrators can now choose between Enterprise and Standard accounts in the Slack app (CC-52691).
  • MFA can now be required for portal access for federated (B2B) users (CC-53237).
  • Active Directory group sync is now supported in SCIM (CC-53930).
  • The Webapp shortcut can now be opened on Android N devices and later (CC-54736).
  • Where certificates have been uploaded for policies, it is now possible to remove the uploaded cert (using “Remove”) without affecting the other policy settings (CC-55054).
  • The order of SAML elements can now be dynamic for WS-Fed applications (CC-54456).
  • It is now possible to prevent collection of installed applications on enrolled devices – the default is to collect the information (CC-53775).
  • An option has been added to show / not show a custom welcome screen for iOS devices during enrollment (CC-53676).
  • When managed apps are installed on a device for an enrolled user, only those managed apps are shown on the application tab (CC-54946).
  • The Company Apps store for iOS devices now only shows apps that are compatible with the type of device being used. For example, iPad-only apps are not shown for iPhones (CC-39129).
  • The Download Apple Configurator link in the Admin Portal has been updated with the revised link from Apple (CC-55194).
  • Location is now optionally tracked after enrollment on Windows 10 devices (CC-48372).
  • The System Administrator role can now be made available for use in a UNIX group by the Cloud Linux Agent (CC-53943).
  • In this release, the "AllowHealthCheck":true,"HealthCheckInterval":2 request JSON settings are deprecated. They will have no functional impact (CC-54832).

 

For security advisories and known issues, please see attached file.

For Maintenance Release 2 security advisories and known issues, please see attached file.

 

 

 

Note: To receive release notes prior to the monthly product update, subscribe to the Centrify Cloud Highlights and Release Notes Tech Blog. This release information is posted in advance of the release date. Please check back at release time for updates.
