New Features - Centrify Identity Service
RADIUS Support for Multiple Challenges
RADIUS support has been improved to allow for multiple challenges.
- Admin no longer needs to select one mechanism for all users
- Admin can now use an existing auth profile, and the user will be prompted to pick an auth mechanism
SMTP Server Configuration
Admins can now configure the product to use their own SMTP server for outbound mail.
- Using corporate SMTP server improves message delivery
- Go to: Settings > Customization > Account > System Configuration
Cross-Origin Resource Sharing (CORS) Support
Admins can now enable API calls from foreign domains by enabling CORS.
- Go to: Settings > Authentication > Security Settings
Minor updates to UI:
- New image for Quick Start Wizard
- “Power” button in the upper right-hand corner has been replaced with a “Sign Out” link
UI for Enabling Smart Card Support
Smart Card support is now available via the Cloud Manager UI. Administrators no longer need to contact Centrify Support to configure the back-end.
- UI is available under Settings > Authentication > Certificate Authorities
- Available as a premium feature for App+ and Privilege Service
Smart Card users can now provision a Derived Credential to their enrolled mobile devices.
- Allows Web-App access to PIV/CAC sites through mobile
- NOTE: Derived Credentials support is currently limited to Microsoft CA. Support for additional Certificate Authorities is coming soon
Mobile Feature – Device Enrollment Notifications
New device enrollments cause a notification to be sent to all other currently enrolled devices:
- User can force unenroll the new device
Introducing the new Centrify Identity Service Mac Cloud Agent
- Improved Mac Cloud enrollment
- Location Reporting and True SSO for Macs
App documentation has been added for the following SAML apps:
- CrashPlan PROe
- Facebook at Work
- IBM Emptoris
- The Network Integrated GRC Suite
The following apps have been updated:
- Citrix ShareFile
- Vocality Networks
- IBM PartnerWorld
In addition, the following apps have been removed from the app catalog: Barnes & Noble, iCloud, ThoughtWorks Support, SideTour.
New Features - Centrify Privilege Service
Database Application Account Password Management
Centrify Privilege Service can now manage passwords for database accounts held internally by various DBMS applications. Password checkout is supported, including the option for automatic password rotation after the checkout period expires (or the password is checked in).
In this release, the following DBMS applications are supported.
- Microsoft SQL Server
- Oracle Database
Additional DBMS applications will be supported in future releases. Single database instances are supported in this release; support for accounts across database clusters is under development.
Security Settings and Account Types
There are three major types of accounts in this update of Centrify Privilege Service.
- Resource accounts held locally by the host operating system
- Domain accounts held by Active Directory
- Database accounts held internally by the DBMS application
Account Security Settings, available as policy, have been rationalized across these account types at the resource, domain, and database levels, as well as globally. Time periods can be defined where applicable, e.g. maximum number of days before a password must be rotated.
- Allow multiple password checkouts
- Enable periodic password history cleanup
- Enable periodic password rotation
- Enable periodic health check
Centrify Privilege Service
The following platforms are supported by the Centrify Privilege Service CLI toolkit:
Red Hat 6.7, 7.2
CentOS 6.7, 7.2
Oracle 6.7, 7.2
SLES 11 SP3, 12
Ubuntu 12.04LTS, 14.04LTS, 15.10
- Unless otherwise stated, always use latest available patch level.
- Only 64-bit variants supported.
- For Red Hat/CentOS/Oracle 7.2, use 7.2 where a GA version is available, otherwise use 7.1.
- Where applicable, desktop/workstation variants are both supported.
Resolved Issues and Behavior Changes
The following list records issues resolved in this release and behavior changes.
- Fixed an issue with the Salesforce provisioning app where an error “Value cannot be null” could be reported (CC-38361).
- Implemented group membership state tracking for provisioning apps, such as Box, Google and DropBox, to resolve issues with role un-assignment. This does not cover AD groups; they will be added in a later release (CC-35742).
- Updated ServiceNow app help doc to cover the installation and configuration of the Centrify Identity Service app (CC-38427).
- JIRA JIT provisioning now updates synched users’ email and display names (CC-37948).
- Read-only administrators can now view the Box provisioning tab (CC-37743).
- Role mapping or role membership changes now cause Box and Google apps to re-sync affected users (CC-38020).
- Users with the Application Management right but who are not a system administrator can now start provisioning syncs (CC-37190).
- The error message shown in the sync report when trying to sync a user with an invalid email address has been improved to make the error more clear (CC-37626).
- The NetSuite app no longer shows excessive numbers of connection timeout errors in the sync report (CC-37298).
- Attempts to clone a SAML app no longer fail because of a duplicate Application ID. The Application ID is now set to NULL during the cloning operation (CC-38169).
- ServiceNow, Samanage, EchoSign, Yammer and Qmarkets provisioning apps have been updated to correctly clear fields in the target app if they are cleared in the source user record (CC-37241).
- The default region for the Samanage provisioning app is now set to non-European and the drop down has been replaced by two radio buttons (CC-37895).
- Resolved a race condition with incremental synching that would cause the job to fail as Process Failed (NotFoundCreated) (CC-38470).
- Resolved issue with synching that caused the job to fail with Failed System.NullReferenceException: Object reference not set to an instance of an object (CC-38385).
- App gateway URLs can now be entered with a trailing period (“.”) (CC-38206).
- The width of the About dialog has been increased as user names were frequently being truncated (CC-38460).
- Service users are now displayed in the users list in the Cloud Manager when the All Users filter is applied. Previously service users were only shown with the All Service Users filter. To show all users except service users, use the new All users except service users filter (CC-38298).
- Administrators are now prompted to set their password after clicking the one-time link in the account activation email. Previously only non-admin users were prompted to set their password, which could result in administrators being locked out if they did not remember to reset their passwords (CC-38220).
- The power button on the User Portal and Cloud Manager has been replaced with a more standard “Sign Out” option in the drop down menu under the user’s name (CC-38213).
- System administrators can now wipe a mobile device from the Cloud Manager even if the policy is set to disable users from wiping their devices (CC-38157).
- The password complexity shown in the Add Users dialog now matches the effective policy complexity settings, rather than the default complexity settings (CC-38109).
- The MFA Events – Last 7 days report has been replaced by MFA Events – Last 30 days (CC-38058).
- The Quick Start Wizard start screen in the Cloud Manager has been refreshed; the functionality is unchanged (CC-38023).
- Users can now paste their user name into the login dialog; previously only the keyboard ctrl-v shortcut would successfully paste a user’s name into the dialog (CC-37723).
- iOS built-in apps (such as Safari and Mail) can now be configured as the kiosk mode app (CC-37635).
- Administrators can now force a mobile device to update itself to use the latest Centrify mobile app version (CC-37517).
- Policies are now provided for iOS 9.3 app whitelisting and blacklisting (CC-37434).
- “Find Now” is now supported for iOS devices (CC-37433).
- The Accounts tab in the User Portal has been reworked to make the third party One Time Password UI more clear (CC-36114).
- CPS database account names are now case sensitive; a name conflict warning is shown if an account is already configured with a name that differs only in case and one of the resources is case insensitive (CC-38630).
16.6 Hot Fix 1 - June 28, 2016
- Added improved support for applications using WS-Trust (CC-38693).
- Fixed a bug with missing scroll bars in online help when using Firefox browser (CC-39393).
- Fixed a bug with intermittent ZSO login for Mac computers (CC-39218).
- Improved logic for the Centrify Cloud Connector during group lookups to prevent return of "null" value (CC-39454).
For security advisories and known issues, please see attached file.