What's New

Note: For the latest technical information about the product, refer to the Release Notes available in the product deliveries.

ActivID Authentication Server v8.5

Update Enhancement/Fix

Environment updates

  • Database - support for Oracle® 19c
  • EMV - support of the Entrust® nCipher® payShield module. (IAAS-6735)
  • Entrust HSM driver v12.60.11
  • IBM® WebSphere® deployments:
    Important: The JDBC configuration should be updated to use "ojdbc8.jar" instead of "ojdbc7.jar".
  • Bouncy Castle JCE provider v1.67:
    Important: Update the Bouncy Castle JCE provider installed in the JRE used by your application server:
    1. Get the Bouncy Castle JCE provider jar file v1.67 (bcprov-jdk15on-167.jar) - you can get it from https://www.bouncycastle.org/ or from the Third-Party-Software/Bouncy-Castle folder on the ActivID AS 8.5 Service Pack delivery disk.
    2. Copy this jar file into your <JAVA_HOME>/jre/lib/ext folder and set the correct permissions (chmod 644).
    3. Delete the previous version of the .jar file.

Security updates

General Java third-party component updates

PII tokenization improvement

  • Requests on the FTRESSPIITOKEN table for a direct user now return only the relevant data. (IAAS-7894)
  • All rows of the FTRESSPIITOKEN table now have OWNEREXTID set to a non-NULL value. (IAAS-7872)
  • PIITOKEN entries now correctly set the indirect user for the audit events of the updatedevice, deleteUser and createDeviceIssuanceRequestExt APIs. (IAAS-7914)

Authenticators management

  • For new security domains only, the default validity period for an authenticator (of type "device") is set to 50 years. (IAAS-7597)
  • Maximum default password length for HID Approve is set to 50 (instead of 8). (IAAS-7597)
  • When using the REST API, resetting the failure counter for Mobile Push authenticators now resets both the failure counter and challenge counter.
  • AT_CUSTOTP authentication record is no longer deleted when the HID Approve service is deleted from the mobile device. (IAAS-7464)

HID RMS integration

  • Added support for fail-open behavior when the HID RMS server is unreachable. By default, the fail-open behavior is enabled and it can be configured using the ActivID Management Console.
  • The RMS Dashboard correctly displays user details. (IAAS-6914)

OpenID Connect enhancements

  • The calling application must generate a unique Session ID (app_session_id) that is persistent throughout a user session and pass it to all OpenID calls. (IAAS-7019)
  • Refresh Token now provides an updated score. (IAAS-6853)

SCIM and RESTful configuration API enhancements

  • New API for user attributes management. (IAAS-6841)
  • New API for bulk import of new users. (IAAS-6815)
  • Improvement in Role management REST API. (IAAS-6790, IAAS-6784, IAAS-6768)
  • Improvement in Authentication Policy configuration REST API. (IAAS-9790, IAAS-6802)

HID Approve™ and Push notification enhancements

  • Support for a Notifications Time to Live setting on the Azure Push Notification aggregator for the native Push Notification Services (that is, APNS (Apple® iOS®), GCM (Google® Android®) and WNS (Microsoft® Windows®)). This new "Notifications time to live (seconds)" setting can be configured for Azure delivery gateways using the ActivID Management Console. The default value is 0 (corresponding to the previous behavior). (IAAS-6968)
  • HID Approve registration supported on mobiles without access to "Google Play Service". (IAAS-7818)

Other improvements

  • The ActivID Authentication Portal has a new look and feel. (IAAS-7924)
  • ID Token signature and/or encryption in the CIBA response. (IAAS-7202)

    A new parameter has been added to the OpenID client /authn/register endpoint and adapter to support signing (or signing and encrypting) the ID Token claim in the CIBA response, and to update its format to comply with the latest CIBA specifications.

    When creating a new OpenID client using the:

    • OpenID dynamic client registration (/authn/register endpoint) - the hid_ciba_callback_format_plain parameter is set to false by default (or if the parameter is not present). Therefore, the ID Token is signed (or signed and encrypted) in the CIBA response. To disable the signature (or signature and encryption) of the ID Token and retain the legacy plain format, set the parameter to true.

    • OpenID client adapter configuration in the ActivID Management Console - the Use legacy plain format in CIBA callback messages parameter is set to true by default. Therefore, the ID Token is NOT signed (or signed and encrypted) in the CIBA response. To enable the signature (or signature and encryption) of the ID Token, set the parameter to false. To revert to the previous behavior, set the parameter back to true.

    Optionally, you can also configure the OpenID client for ID Token encryption using the:

    • OpenID dynamic client registration (/authn/register endpoint) - set the values of the id_token_encrypted_response_alg and jwks parameters (the currently supported algorithm is RSA-OAEP-256).

    • OpenID client adapter configuration in the ActivID Management Console - set the values of the Client's encryption certificate and Id token encrypted response algorithm parameters.

    Note: Existing OpenID clients are not affected by this update. However, it is recommended that you update your integration to use the new signed format. This requires updating your CIBA callback implementation to validate the ID Token (signature and content), and your application's OpenID client definition with the hid_ciba_callback_format_plain=false parameter. The CIBA demo sample on the companion disk has been updated with code for ID Token signature and encryption verification.

  • EULA update

Impact on database

  • Schema: no change
  • Volume: no change
  • SQL requests: performance improvement (FTRESSPIITOKEN table)