SafeNet Authentication Service: Customer Release Notes
Contents
Product Description
Release Information - SafeNet Authentication Service 3.14 PCE/SPE
General Availability Release – November, 2021
Known Issues
Announcement: EOS and EOL of Shibboleth Agent for SAS PCE
Affected Customers
Replacement Agent
Key Dates
How to move from Shibboleth Agent for SAS PCE to Keycloak Agent
Advisory Notes
Setting up MS SQL with Windows Domain User
Enhanced Approval Workflow for MobilePass+ Push OTP
Migrating to MS SQL Database Server
Database Backup
MobilePASS+ Software Authenticator
Configuration on FIPS Mode Enabled Machines
Compatibility and Component Information
Supported Tokens
Supported Browsers
Supported Directories
Support Contacts
NOTE The latest versions of other agents are also included in this package.
NOTE Chrome OS support is available from MobilePASS+ v2.2 onwards for Android.
Documentation Improvements
> Previous Customer Release Notes are removed from the current release onwards and uploaded online.
Resolved Issues
Issue Synopsis
SAS-47208 Now every token locks after multiple failed authentication attempts.
SAS-46450 The edit mode of provisioning task accurately shows the number of users.
SAS-45445 You can now add a RADIUS attribute to groups using the AddRADIUSAttributeToGroup API service.
SAS-46831 SAS license expiry email template is updated as per Thales branding.
Known Issues
This table provides a list of known issues as of the latest release.
Issue Synopsis
SAS-49454 Google Chrome in incognito mode cannot enroll a MobilePASS+ token.
SAS-42473 Summary: LDAP integrator: some of the AD users are not synchronized to SAS.
Workaround: Map UPN to either custom2 or custom3 fields.
SAS-38845 Summary: Authentication Reports generation with more than 2000 entries fails.
Workaround: Perform the following steps:
1. Go to Database > Properties > Advanced
2. Set the Max Text Replication Size to -1
By default, its value is 65536. A configured value of -1 indicates no limit, other than the limit
imposed by the data type.
SAS-40669 An empty sasLog folder gets created under the BlackshieldID Folder in case of Installation or
Upgrade on SAS PCE 3.11 GA.
SAS-31277 PCE build installer needs to be clicked twice to complete the installation.
SAS-28666 Summary: The upgrade to SAS PCE/SPE 3.9.1 from SAS PCE/SPE 3.8 may not complete
successfully, if the database in use is PostgreSQL v9.6.
Workaround: Do not select Yes on upgrade prompt for PostgreSQL v9.6.
SAS-28664 Summary: The Self Enrollment email of MobilePASS directs to MobilePASS+ application
download and install links on Windows Server 2016.
Workaround: At Policy > Token Policies > Software Token & Push OTP Settings >
MobilePASS, the default value for Windows 10 is MobilePASS+. Change the value to
MobilePASS.
SAS-28663 Summary: The Google Authenticator token type option is missing for Request a Token
functionality.
Workaround: None, will be resolved in a future release.
SAS-26024 Summary: Upgrade from SAS 3.3.2 to SAS 3.8.1 may not complete successfully.
Workaround: The administrators can upgrade following the path:
1. Upgrade from version SAS 3.3.2 to version SAS 3.4.
2. Upgrade from version SAS 3.4 to version SAS 3.8.1.
SAS-23374 Summary: The SAS PCE/SPE 3.7 SP2 may not work properly while creating users or
configuring policies with MySQL v8.0.
Workaround: Switch to MySQL v5.7.11.
SAS-22421 Summary: Upgrade from SAS 3.3.2/ 3.4 (with PostgreSQL data store) to SAS 3.5 may not
complete.
Workaround: Perform the following steps:
1. Stop all SAS services and the IIS.
2. Execute the file: ..\CRYPTOCard\BlackShield ID\Upgrader\DBUpgrader.exe
3. Start all SAS services and the IIS.
SAS-16175 Summary: Failed authentication count, in case multiple OTP 110 tokens are assigned to a
user, shows an incorrect number.
Workaround: None, will be resolved in a future release.
SAS-16174 Summary: A few inconsistencies in Token Status (Next PIN Change) dates for OTP 110
tokens.
Workaround: None, will be resolved in a future release.
SAS-16173 Summary: OTP 110 tokens store historical information, auth history and tracking details even
after re-import of fresh seed files.
Workaround: None, will be resolved in a future release.
SAS-16154 Summary: Inventory reports show values of the Token Type field as numbers, instead of
names (like GrIDsure or MobilePASS).
Workaround: None, will be resolved in a future release.
SAS-15213 Summary: The following error is encountered intermittently at System > Database > HA
Management:
"Could not execute Write_rows event on table"
In addition, status of the server changes inadvertently.
Workaround: Perform the following steps:
1. Export data from the Primary machine.
2. Remove existing schema from the Secondary machines.
3. Import SQL file (exported from the Primary) in the Secondary machines.
4. Configure the database.
If you face the issue again, repeat the above steps.
SAS-15205 Summary: When using LDAP Integrator with failover hosts, in some cases the Failover
Management section may not function.
Workaround: Use Synchronization Agent instead of the LDAP Integrator.
SAS-15130 Summary: The administrators may not be able to add a new root account to the database.
Workaround: None, will be resolved in a future release.
SAS-14333 Summary: Users are able to generate the same report multiple times. Also, the SAS error
message shown when trying to add the same report is not clear.
Workaround: None, will be resolved in a future release.
SAS-12128 Summary: The SMS-Telnet Modem Plugin option is sometimes not displayed.
Workaround: Log out and log in to the SAS console again.
SAS-6786/SAS-8345 Summary: The SAS 3.5.4 PCE/SPE with PostgreSQL on Linux does not connect with custom
PostgreSQL username.
Workaround: None, will be resolved in a future release.
SAS-5017 Summary: When adding multiple logging agents in the SAS Console, only the first agent
added receives logging events, even after it is removed.
Workaround: Remove all logging agents, and then re-add only one.
SAS-4766 Summary: Allowing one logging agent host for a Virtual Server allows all logging agent hosts.
Workaround: None, will be resolved in a future release.
SAS-3624 Summary: Customizations to email enrollment messages are not saved after being modified,
reverting to the default values.
Workaround: This issue results from how certain options are enabled in the SAS Management
Console:
> To customize email messages, you must first set the Customize Email Messages option
to Custom under COMMS > Communications > Email Messages.
> To customize the MobilePASS page for self-enrollment, you must clear the Use Inherit
Customizations option under VIRTUAL SERVERS > SELF-SERVICE > Set
Customization Inherit.
> To enable both the custom Self-Enrollment email page (VIRTUAL SERVERS > COMMS
> Communications > Email Messages > Email Message Type: Self-Enrollment) and
the customized MobilePASS page (VIRTUAL SERVERS > SELF-SERVICE > Configure
Self-Enrollment Pages), you must disable the Set Customization Inherit option under
VIRTUAL SERVERS > COMMS > Custom Branding.
SAS-1152 Summary: When editing a Provisioning Task under Virtual Servers > Assignment >
Provisioning Task Management, and setting the Stop Date to the current date, no error
message displays and the Edit window closes normally, with the previous Stop Date
remaining unchanged.
Workaround: Select the day after today’s date. This sets the end date to 12:00:01 a.m. on the
next day (midnight of “today”).
SAS-49894 Summary: The application logs out unexpectedly when an external operator with only the
Self-Service module tries to open the delegated account.
Workaround: The Self-Service module works as expected when assigned together with some other
module, for example, the Snapshot module.
Announcement: EOS and EOL of Shibboleth Agent for SAS PCE
Affected Customers
This EOL announcement is relevant for SAS PCE clients who have federated applications using Shibboleth Agent
for SAS PCE.
Replacement Agent
The Shibboleth Agent for SAS PCE is being replaced by SafeNet Agent for Keycloak that is now available to all
SAS PCE clients on the Thales Support Portal.
The new Keycloak Agent offers the following benefits:
> Supports basic SSO for SAML and OIDC applications integrated through Keycloak IDP.
> User federation in SAS PCE.
Key Dates
The following are key dates in the End of Sale process:
END-OF-SALES (EOS): May 31, 2022. Agent will no longer be available for download from the support portal, and
from the SAS PCE package.
How to move from Shibboleth Agent for SAS PCE to Keycloak Agent
> Deploy Keycloak server version 12.0.1 (or above) on the system with administrator user setup. For installation
and configuration, refer to the Keycloak Server Installation and Configuration in the Keycloak Server
Installation Guide.
> Install SafeNet Agent for Keycloak, which is available for download from the SAS PCE 3.14 installed package or
Customer Support Portal.
> Change the application and user configuration to use SafeNet Agent for Keycloak. Please refer to the SafeNet
Agent for Keycloak documentation for detailed information on installation, realm settings, user federation,
rebranding and more (this document is part of the installation package).
> Once transition is complete, uninstall Shibboleth Agent.
Advisory Notes
NOTE In case of Site Import, if the SAS servers are in different domains, all SAS servers must
be in the trusted domain. For more details, refer to the Installation Guide.
NOTE Enhanced Workflow UI will only be enabled when PUSH is enabled at the System
Administrator level. Please refer to Chapter 16: Software Token PUSH OTP Setting for more
details.
NOTE If migrating to MS SQL database (from any database server) with the SAS Database
Migrator utility, please select the checkbox if using the Windows domain user account.
Database Backup
CAUTION! It is strongly recommended to back up the database before upgrading to the latest
version of the SAS. Failure to do so could result in serious data loss.
Compatibility and Component Information
Supported Tokens
Hardware Tokens
> KT-4, KT-5, RB, eToken PASS time-based, eToken PASS event-based, SafeNet GOLD, eToken 3410,
eToken 3400, CD-1, SafeNet OTP 110, IDProve 100, SafeNet OTP Display Cards.
Software Tokens
> MobilePASS+: Supported for Android, iOS, Windows Mobile, and Windows Desktop.
> MobilePASS v8.4.6: Supported for Android, iOS, Windows Mobile, Windows Desktop, and Mac OS X.
NOTE Refer to the MobilePASS+ and MobilePASS documentation for supported Operating System
versions.
> MP-1: SafeNet Authentication Service support for MP-1 software tokens has been phased out; they are no longer
supported.
Supported Devices
> Android devices running OS 2.2 or later
> Devices running iOS 5.0 or later
> Devices running on Windows mobile and desktop OS
Supported Browsers
> Microsoft Edge
> Chrome 33 and later
> Firefox 3.5 and later
> Internet Explorer 8 and later
NOTE For hardware token initialization, Internet Explorer versions 10 and below may result in a
lesser user experience. It is recommended to use the latest versions of the supported browsers
for token initialization.
Supported Directories
LDAP
> Active Directory
SQL
> MS SQL
> MySQL
> Oracle
Support Contacts
NOTE You require an account to access the Customer Support Portal. To create a new
account, go to the portal and click on the REGISTER link.
Telephone
The support portal also lists telephone numbers for voice contact (Contact Us).