New Features - Centrify Identity Service
Improved Settings Pages
Settings pages have been updated to include a text description of what can be done on each page.
Additional Attributes for MFA
Administrators can now set up their tenants to support the use of additional attributes for MFA challenges.
- Settings > Authentication > Security Settings
- Select attribute and define the type
- Choose from commonly used attributes, or
- Specify custom attributes
Google Apps Support for Multiple Domains
Identity Service now supports provisioning of Google Apps for customers with multiple domains.
- Roles can be mapped to destination domains
Changes to IWA
Changes to protect against a man-in-the-middle (MitM) vulnerability in IWA negotiation; see CC-39303, CC-39299 and CC-39302 under Resolved Issues and Behavior Changes.
Mobile Notifications on Multiple Devices
- Users can now specify what device(s) get notifications from Centrify
- Admin can disable this by policy
App documentation has been added for the following SAML apps:
The following apps have been updated:
- OfficeSpace Software
- Microsoft Premier Online
- Microsoft Developer Network
- Microsoft Volume Licensing
- ADP Workforce Now
- ProfilePond has been renamed to Cranberry
In addition, the following apps have been removed from the app catalog: BusinessITOnline, Dropcam.
New Features - Centrify Privilege Service
Rotate Password Now
Admin option to rotate a managed password immediately:
- New “Rotate Password” action for managed accounts
- Requires the “Rotate” account permission for the user
- Granted under Settings > Account Permissions
Improved Cloud Connector Selection for Databases
Cloud Connector selection for databases now shows unavailable Cloud Connectors with a status indicator.
- Using CPS for a Database requires a Cloud Connector plugin
- Admin can now see unavailable Cloud Connectors, along with the reasons why they are unavailable
Centrify Privilege Service
The following platforms are supported by the Centrify Privilege Service CLI toolkit:
Red Hat 6.7, 7.1, 7.2
CentOS 6.7, 7.2
Oracle 6.7, 7.2
SLES 11 SP3, 12
Ubuntu 12.04LTS, 14.04LTS, 16.04LTS
- Unless otherwise stated, always use latest available patch level.
- Only 64-bit variants supported.
- For Red Hat/CentOS/Oracle 7.2, use 7.2 where a GA version is available, otherwise use 7.1.
- Where applicable, desktop/workstation variants are both supported.
Resolved Issues and Behavior Changes
The following list records issues resolved in this release and behavior changes.
- Role memberships can no longer be defined by Active Directory Distribution Groups or Domain Local groups. Please use security groups to define role memberships. See KB-6906 on how to convert a distribution group to a security group. Existing role definitions using Distribution or Domain Local groups will continue to work in 16.7 but will cease to function in 16.9.
- In the Box provisioning app, skipped users are now merged when the overwrite option is chosen (CC-37130).
- In the Box provisioning app, the role-based access level now displays correctly when syncing users with the union scheme (CC-38834).
- The Google provisioning app now supports multiple domains (CC-36879 / CISSUP-1910).
- The Cloud Connector / Manage setting “Use HTTPS Port for IWA Negotiations” now defaults to on. New connector registrations and re-registrations of an existing connector will use this setting; connectors that are already registered are unaffected. Note that IWA will not function unless a Corporate IP range has been set and the IWA user is within that range (CC-39303).
- Changing IWA from HTTPS to HTTP now shows a warning / confirmation dialog, as this potentially makes IWA vulnerable to man-in-the-middle attacks (CC-39299).
- IWA is now only attempted if a corporate IP range is configured, confining the possibility of a man-in-the-middle attack on IWA to on-premises DNS (CC-39302).
- The deprecated CDirectoryService/DeleteUser API now cleans up the user table after deleting a cloud user (CC-39197).
- Multiple domain support has been added for Google apps and this requires a higher permission level for the admin. As a result, it will require re-authentication for the admin (CC-39169).
- The user name can now be pasted into the login dialog (CC-37723).
- The Slack SAML app now has a Role Mappings section to map user accounts to Slack based on group membership (CC-37707).
- Fixed an issue where an app that required a browser extension would launch to a blank page if no browser extension was installed (CC-39325).
- The “Retain user account in target application if role membership changes” option for provisioning-capable apps now functions correctly (CC-38971).
- Detailed information is now logged when a user denies an MFA request (CC-634).
- Group View is now supported in MyWebApps on an Android device and for Mobile Web Apps on an iOS or Android device (CC-38991, CC-36702, CC-36543).
- An option has been added to SAML apps’ enhanced scripts to use a custom Relay State (CC-28025).
- Android devices can now still be managed even if firewall deny rules are set to block everything (CC-39183 / CISSUP-2215).
- In the Webex provisioning app, setting the meetingtypes parameter to an array of one element no longer causes sync jobs to fail (CC-38724).
- Search is now supported on the My Authenticator page on iOS devices (CC-36263).
- In the Dropbox provisioning app, synced users now show in the correct (new) group after the destination group is updated in role mappings (CC-38927).
- The login authentication profile is now shown in the policy summary on the user details page (CC-38036).
- In the Salesforce provisioning app,
- The amount of installed memory is now reported for enrolled Mac computers (CC-37021).
- On a Mac, true SSO (zero sign-on) is now attempted before IWA as it should always work for Macs (CC-39485).
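The IWA hardening described under “Changes to IWA” and in CC-39302, CC-39303 and CC-39299 above comes down to two gates: never attempt IWA unless a corporate IP range is configured and the client falls inside it, and negotiate over HTTPS unless an administrator explicitly confirms a downgrade. The following is an added example of that decision logic, not Centrify code; the class and function names, the endpoint path and the sample addresses are assumptions made for the illustration.

```python
# Added example, not Centrify code: the decision logic a service could apply
# before offering Integrated Windows Authentication (IWA), mirroring the
# behaviour described in the release notes. Setting names, the endpoint path
# and the sample inputs are assumptions made for this illustration.
import ipaddress
from typing import Iterable, Optional, Tuple


class IwaPolicy:
    """Tenant-level IWA settings (hypothetical names)."""

    def __init__(self, corporate_ranges: Iterable[str], use_https: bool = True):
        # Parse every range up front so a malformed CIDR is a configuration
        # error at load time rather than a silent "not in range" at login.
        self.corporate_ranges = [
            ipaddress.ip_network(r, strict=False) for r in corporate_ranges
        ]
        self.use_https = use_https

    def should_attempt_iwa(self, client_ip: str) -> bool:
        """Attempt IWA only when a corporate range exists and the client is inside it.

        With no range configured the answer is always False: an unscoped IWA
        attempt would let any network position on the path try to interpose.
        """
        if not self.corporate_ranges:
            return False
        try:
            ip = ipaddress.ip_address(client_ip)
        except ValueError:
            return False  # unparsable address: fall back to interactive login
        # ipaddress returns False for a version mismatch (IPv4 address vs IPv6 net).
        return any(ip in net for net in self.corporate_ranges)

    def iwa_endpoint(self, connector_host: str) -> str:
        """Build the negotiation URL; HTTPS by default, HTTP only if explicitly chosen."""
        scheme = "https" if self.use_https else "http"
        return f"{scheme}://{connector_host}/iwa"


def downgrade_warning(policy: IwaPolicy) -> Optional[str]:
    """Text an admin UI would show before saving an HTTP-only IWA setting."""
    if policy.use_https:
        return None
    return (
        "IWA negotiation over plain HTTP can be intercepted by a man-in-the-middle; "
        "keep 'Use HTTPS Port for IWA Negotiations' enabled."
    )


def choose_login_method(
    policy: IwaPolicy, client_ip: str, connector_host: str
) -> Tuple[str, Optional[str]]:
    """Return ("iwa", url) when IWA may be attempted, else ("interactive", None)."""
    if policy.should_attempt_iwa(client_ip):
        return "iwa", policy.iwa_endpoint(connector_host)
    return "interactive", None


if __name__ == "__main__":
    # Constructed sample tenant: one IPv4 and one IPv6 corporate range, HTTPS on.
    policy = IwaPolicy(["10.0.0.0/8", "2001:db8::/32"])
    for ip in ("10.20.30.40", "2001:db8::1", "203.0.113.7", "not-an-ip"):
        print(ip, "->", choose_login_method(policy, ip, "connector.corp.example"))
    # Tenant with no corporate range configured: IWA is never attempted.
    print(choose_login_method(IwaPolicy([]), "10.20.30.40", "connector.corp.example"))
    # Downgrading to HTTP produces the warning an admin must confirm.
    print(downgrade_warning(IwaPolicy(["10.0.0.0/8"], use_https=False)))
```

The empty-range case is the one to watch: a tenant that never configured a Corporate IP range gets interactive login, not a silently attempted IWA, which is exactly the failure mode CC-39303 calls out.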
For security advisories and known issues, please see attached file.