Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >

Centrify Cloud 16.7 Release Notes

11 April,19 at 11:50 AM

New Features - Centrify Identity Service


Improved Settings Pages


Settings pages have been updated to include a text description of what can be done on each page.


1 Improved Settings Page.png


Additional Attributes for MFA


Administrators can now setup their tenants to support the use of additional attributes for MFA challenges.

  • Settings > Authentication > Security Settings
  • Select attribute and define the type
    • Choose from commonly used attributes, or
    • Specify custom attributes



Google Apps Support for Multiple Domains


Identity Service now supports provisioning of Google Apps for customers with multiple domains.

  • Roles can be mapped to destination domains



Changes to IWA


Changes to protect against a MitM vulnerability:

 4 iwa.png



Mobile Notifications on Multiple Devices


  • Users can now specify what device(s) get notifications from Centrify
  • Admin can disable this by policy

5 mobile notification.png


App documentation has been added for the following SAML apps:

  • Image Relay
  • Veracode
  • Aha!


The following apps have been updated:

  • OfficeSpace Software
  • Lyndacom
  • MediaWiki
  • SkyDrive
  • DocuSign
  • Spotify
  • Microsoft Premier Online
  • Microsoft Developer Network
  • Microsoft Volume Licensing
  • ADP Workforce Now
  • ProfilePond has been renamed to Cranberry


In addition, the following apps have been removed from the app catalog: BusinessITOnline, Dropcam.


New Features - Centrify Privilege Service


Rotate Password Now


Admin option to rotate a managed password immediately:

  • New “Rotate Password” action for managed accounts
  • Requires user permission for “Rotate”
    • Under Settings > Account Permissions

cps 1.png



Improved Cloud Connector Selection for Databases


Cloud Connector selection for databases now shows unavailable Cloud Connectors with status indicator.

  • Using CPS for a Database requires a Cloud Connector plugin
  • Admin can now see unavailable Cloud Connectors, along with the reasons why they are unavailable

cps 2.png


Supported Platforms


Centrify Privilege Service

The following platforms are supported by the Centrify Privilege Service CLI toolkit:


     Red Hat   6.7, 7.1, 7.2

     CentOS    6.7, 7.2

     Oracle    6.7, 7.2

     Fedora    24

     SLES      11 SP3, 12

     Ubuntu    12.04LTS, 14.04LTS, 16.04LTS



  1. Unless otherwise stated, always use latest available patch level.
  2. Only 64-bit variants supported.
  3. For Red Hat/CentOS/Oracle 7.2, use 7.2 where a GA version is available, otherwise use 7.1.
  4. Where applicable, desktop/workstation variants are both supported.


Resolved Issues and Behavior Changes

The following list records issues resolved in this release and behavior changes.


  • Role memberships can no longer be defined by Active Directory Distribution Groups or Domain Local groups. Please use security groups to define role memberships. See KB-6906 on how to convert a distribution group to a security group. Existing role definitions using Distribution or Domain Local groups will continue to work in 16.7 but will cease to function in 16.9.
  • In the Box provisioning app, skipped users are now merged when the overwrite option is chosen (CC-37130).
  • In the Box provisioning app, the role-based access level now displays correctly when syncing users with the union scheme (CC-38834).
  • The Google provisioning app now supports multiple domains (CC-36879 / CISSUP-1910).
  • The Cloud Connector / Manage setting “Use HTTPS Port for IWA Negotiations” is now defaulted to on. New connector registrations and re-registrations of a connector will use this setting, any existing connectors will be unaffected. Note that IWA will not function unless a Corporate IP range has been set and the IWA user is within that range (CC-39303).
  • Changing IWA from https to http now shows a warning / confirmation dialog as this potentially makes IWA vulnerable to man in the middle attacks (CC-39299).
  • IWA is now only attempted if a corporate IP range is configured, scoping the possibility of a man in the middle attack at IWA to on-premise DNS (CC-39302).
  • The deprecated CDirectoryService/DeleteUser API now cleans up the user table after deleting a cloud user (CC-39197).
  • Multiple domain support has been added for Google apps and this requires a higher permission level for the admin. As a result, it will require re-authentication for the admin (CC-39169).
  • The user name can now be pasted into the login dialog (CC-37723).
  • The Slack SAML app now has a Role Mappings section to map user accounts to Slack based on group membership (CC-37707).
  • Fixed an issue where an app that required a browser extension would launch to a blank page if no browser extension was installed (CC-39325).
  • The “Retain user account in target application if role membership changes” option for provisioning-capable apps now functions correctly (CC-38971).
  • Detailed information is now logged when a user denies an MFA request (CC-634).
  • Group View is now supported in MyWebApps on an Android device and for Mobile Web Apps on an iOS or Android device (CC-38991, CC-36702, CC-36543).
  • An option has been added to SAML apps’ enhanced scripts to use a custom Relay State (CC-28025).
  • Android devices can now still be managed even if firewall deny rules are set to block everything (CC-39183 / CISSUP-2215)
  • In the Webex provisioning app, setting the meetingtypes parameter to an array of one element no longer causes sync jobs to fail (CC-38724).
  • Search is now supported on the My Authenticator page on iOS devices (CC-36263).
  • In the Dropbox provisioning app, synched users now show in the correct (new) group after the destination group is updated in role mappings (CC-38927).
  • The login authentication profile is now shown in the policy summary on the users’ details page (CC-38036).
  • In the Salesforce provisioning app,
  • The amount of installed memory is now reported for enrolled Mac computers (CC-37021).
  • On a Mac, true SSO (zero sign-on) is now attempted before IWA as it should always work for Macs (CC-39485).


For security advisories and known issues, please see attached file.