
SafeNet Authentication Service

CUSTOMER RELEASE NOTES


Version: 3.14 GA PCE/SPE
Build: 3.14.8557.8557
Issue Date: November 2021
Document Part Number: 007-000046-004 Rev. G

Contents
Product Description
Release Information - SafeNet Authentication Service 3.14 PCE/SPE
General Availability Release – November, 2021
Known Issues
Announcement: EOS and EOL of Shibboleth Agent for SAS PCE
Affected Customers
Replacement Agent
Key Dates
How to move from Shibboleth Agent for SAS PCE to Keycloak Agent
Advisory Notes
Setting up MS SQL with Windows Domain User
Enhanced Approval Workflow for MobilePass+ Push OTP
Migrating to MS SQL Database Server
Database Backup
MobilePASS+ Software Authenticator
Configuration on FIPS Mode Enabled Machines
Compatibility and Component Information
Supported Tokens
Supported Browsers
Supported Directories
Support Contacts

SafeNet Authentication Service 3.14 GA PCE/SPE CUSTOMER RELEASE NOTES


007-000046-004 Rev. G November, 2021 Copyright 2021 Thales Group
Product Description
SafeNet Authentication Service (SAS) delivers fully automated, highly secure authentication-as-a-service, with
flexible token options tailored to the unique needs of your organization, substantially reducing the total cost of
operation.
Strong authentication is made easy through the flexibility and scalability of SAS automated workflows, vendor-
agnostic token integrations, and broad APIs. In addition, management capabilities and processes are fully
automated and customizable—providing a seamless and enhanced user experience.
SAS enables a quick migration to a multi-tier, multi-tenant cloud environment, protecting everything, from cloud-
based and on-premises applications to networks, users, and devices.

Release Information - SafeNet Authentication Service 3.14 PCE/SPE
The following release has been issued for SafeNet Authentication Service 3.14 PCE/SPE:

General Availability Release – November, 2021


This general availability release introduces the following features and resolves the issues listed below:

Support for MySQL .Net Connector 8.0.27


From this release onwards, SAS PCE/SPE supports MySQL .Net Connector 8.0.27 (latest version). All the
supported deployments are expected to work; this connector version is compatible with MySQL database
version 8.0.25. The connector can be downloaded based on the supported version of the MySQL database.

Keycloak Agent 1.0.1 is added to the SAS PCE 3.14


SafeNet Keycloak Agent is used for integration of a Keycloak Identity provider function (IDP) with SAS PCE/SPE.
With this integration, SAS PCE/SPE provides multi-factor authentication in context of authentication requests
received by the Keycloak IDP from SAML or OIDC integrated applications.

NOTE The latest versions of other agents are also included in this package.

Chrome OS support added to the MobilePASS+ application


This feature lets you use MobilePASS+ for Android on Chrome OS, with the user experience adapted for the
laptop form factor. This requires Chrome OS devices capable of running Android apps.

NOTE Chrome OS support is available from MobilePASS+ v2.2 onwards for Android.

Documentation Improvements
> Previous Customer Release Notes are removed from the current release onwards and uploaded online.

NOTE Click here to access Customer Release Notes of previous releases.

> High availability MySQL scenario is updated in SAS 3.14 Upgrade guide.
> ICE functionality is deprecated in SAS 3.14 Service Provider Administrator guide.
> Hardware and software prerequisites are updated in SAS 3.14 System Requirements guide and Installation
guide.
> Connection between MobilePASS+ user enrollment and self-enrollment service using Reverse proxy is
specified in SAS 3.14 Installation guide.

Resolved Issues

Issue Synopsis

SAS-42454 Limit of transaction ID increased from 8 digits to 9 digits.

SAS-46166 Import bulk RADIUS token successfully.

SAS-47208 Now every token locks after multiple failed authentication attempts.

SAS-45914 Modify query parameter of SMS Gateway settings.

SAS-41261 Administration Console page title is editable now.

SAS-46201 Create groups through SOAP API successfully.

SAS-46450 The edit mode of provisioning task accurately shows the number of users.

SAS-47119 updateUserMap API fetching Restricted Days list correctly.

SAS-45445 You can now add RADIUS attribute to groups using AddRADIUSAttributeToGroup API
service.

SAS-42762 Issue with diacritical marks on MobilePass+ resolved.

SAS-45542 Sync agent is generating logs as expected.

SAS-46831 SAS license expiry email template is updated as per Thales branding.

SAS-49417 Software Token Push OTP Settings working as expected.

SAS-34928 Generate fake grid when GridSure Token gets locked.

Known Issues
This table provides a list of known issues as of the latest release.

Issue Synopsis

SAS-49454 Google Chrome in incognito mode cannot enroll a MobilePASS+ token.


SAS-42473 Summary: LDAP integrator: some of the AD users are not synchronized to SAS.
Workaround: Map UPN to either custom2 or custom3 fields.

SAS-43228 On installation, an exception displays in PostgresSqlPrep.exe log about unable to connect to
DAL.

SAS-38845 Summary: Authentication Reports generation with more than 2000 entries fails.
Workaround: Perform the following steps:
1. Go to Database > Properties > Advanced
2. Set the Max Text Replication Size to -1
By default, its value is 65536. A configured value of -1 indicates no limit, other than the limit
imposed by the data type.

SAS-40669 An empty sasLog folder gets created under the BlackshieldID Folder in case of Installation or
Upgrade on SAS PCE 3.11 GA.

SAS-31277 PCE build installer needs to be clicked twice to complete the installation.

SAS-31176 Under Request a Token, all tokens are not displayed.

SAS-28666 Summary: The upgrade to SAS PCE/SPE 3.9.1 from SAS PCE/SPE 3.8 may not complete
successfully, if the database in use is PostgreSQL v9.6.
Workaround: Do not select Yes on upgrade prompt for PostgreSQL v9.6.

SAS-28664 Summary: The Self Enrollment email of MobilePASS directs to MobilePASS+ application
download and install links on Windows Server 2016.
Workaround: At Policy > Token Policies > Software Token & Push OTP Settings >
MobilePASS, the default value for Windows 10 is MobilePASS+. Change the value to
MobilePASS.

SAS-28663 Summary: The Google Authenticator token type option is missing for Request a Token
functionality.
Workaround: None, will be resolved in a future release.

SAS-26024 Summary: Upgrade from SAS 3.3.2 to SAS 3.8.1 may not complete successfully.
Workaround: The administrators can upgrade following the path:
1. Upgrade from version SAS 3.3.2 to version SAS 3.4.
2. Upgrade from version SAS 3.4 to version SAS 3.8.1.

SAS-23374 Summary: The SAS PCE/SPE 3.7 SP2 may not work properly while creating users or
configuring policies with MySQL v8.0.
Workaround: Switch to MySQL v5.7.11.


SAS-22421 Summary: Upgrade from SAS 3.3.2/ 3.4 (with PostgreSQL data store) to SAS 3.5 may not
complete.
Workaround: Perform the following steps:
1. Stop all SAS services and the IIS.
2. Execute the file: ..\CRYPTOCard\BlackShield ID\Upgrader\DBUpgrader.exe
3. Start all SAS services and the IIS.

SAS-16175 Summary: Failed authentication count, in case multiple OTP 110 tokens are assigned to a
user, shows an incorrect number.
Workaround: None, will be resolved in a future release.

SAS-16174 Summary: A few inconsistencies in Token Status (Next PIN Change) dates for OTP 110
tokens.
Workaround: None, will be resolved in a future release.

SAS-16173 Summary: OTP 110 tokens store historical information, auth history and tracking details even
after re-import of fresh seed files.
Workaround: None, will be resolved in a future release.

SAS-16154 Summary: Inventory reports show values of the Token Type field as numbers, instead of
names (like GrIDsure or MobilePASS).
Workaround: None, will be resolved in a future release.

SAS-15213 Summary: The following error is encountered intermittently at System > Database > HA
Management:
"Could not execute Write_rows event on table"
In addition, status of the server changes inadvertently.
Workaround: Perform the following steps:
1. Export data from the Primary machine.
2. Remove existing schema from the Secondary machines.
3. Import SQL file (exported from the Primary) in the Secondary machines.
4. Configure the database.
If you face the issue again, repeat the above steps.

SAS-15205 Summary: When using LDAP Integrator with failover hosts, in some cases the Failover
Management section may not function.
Workaround: Use Synchronization Agent instead of the LDAP Integrator.

SAS-15130 Summary: The administrators may not be able to add a new root account to the database.
Workaround: None, will be resolved in a future release.

SAS-14333 Summary: Users are able to generate the same report, multiple times. Also, the SAS error
message while trying to add the same report is not clear.
Workaround: None, will be resolved in a future release.


SAS-12128 Summary: The SMS-Telnet Modem Plugin option is sometimes not displayed.
Workaround: Logout and login to the SAS console again.

SAS-6786/SAS-8345 Summary: The SAS 3.5.4 PCE/ SPE with PostgreSQL on Linux does not connect with custom
PostgreSQL username.
Workaround: None, will be resolved in a future release.

SAS-5017 Summary: When adding multiple logging agents in the SAS Console, only the first agent
added receives logging events, even after it is removed.
Workaround: Remove all logging agents, and then re-add only one.

SAS-4766 Summary: Allowing one logging agent host for a Virtual Server allows all logging agent hosts.
Workaround: None, will be resolved in a future release.

SAS-3624 Summary: Customizations to email enrollment messages are not saved after being modified,
reverting to the default values.
Workaround: This issue results from how certain options are enabled in the SAS Management
Console:
> To customize email messages, you must first set the Customize Email Messages option
to Custom under COMMS > Communications > Email Messages.
> To customize the MobilePASS page for self-enrollment, you must clear the Use Inherit
Customizations option under VIRTUAL SERVERS > SELF-SERVICE > Set
Customization Inherit.
> To enable both the custom Self-Enrollment email page (VIRTUAL SERVERS > COMMS
> Communications > Email Messages > Email Message Type: Self-Enrollment) and
the customized MobilePASS page (VIRTUAL SERVERS > SELF-SERVICE > Configure
Self-Enrollment Pages), you must disable the Set Customization Inherit option under
VIRTUAL SERVERS > COMMS > Custom Branding.

SAS-1152 Summary: When editing a Provisioning Task under Virtual Servers > Assignment >
Provisioning Task Management, and setting the Stop Date to the current date, no error
message displays and the Edit window closes normally, with the previous Stop Date
remaining unchanged.
Workaround: Select the day after today’s date. This sets the end date to 12:00:01 a.m. on the
next day (midnight of “today”).

SAS-49894 Summary: Unexpected application log out when external operator with just Self-Service
module tries to open the delegated account.
Workaround: Self-Service module is working as expected when assigned with some other
modules. For example, Snapshot module.

Announcement: EOS and EOL of Shibboleth Agent for SAS PCE
As part of our ongoing investment in improving the user experience and capabilities of our solutions we are
announcing End of Life for the Shibboleth Agent for SAS PCE, which is being replaced by a new SAML and OIDC
federation agent – the SafeNet Agent for Keycloak.

Affected Customers
This EOL announcement is relevant for SAS PCE clients who have federated applications using Shibboleth Agent
for SAS PCE.

Replacement Agent
The Shibboleth Agent for SAS PCE is being replaced by SafeNet Agent for Keycloak that is now available to all
SAS PCE clients on the Thales Support Portal.
The new Keycloak Agent offers the following benefits:
> Supports basic SSO for SAML and OIDC applications integrated through Keycloak IDP.
> User federation in SAS PCE.

Key Dates
The following are key dates in the End of Sale process:

Milestone             Date                 Comment

END-OF-SALES (EOS)    May 31, 2022         Agent will no longer be available for download from the support portal, and from the SAS PCE package.

END-OF-LIFE (EOL)     November 30, 2022

END-OF-SUPPORT        November 30, 2022    Support expires at this date

How to move from Shibboleth Agent for SAS PCE to Keycloak Agent
> Deploy Keycloak server version 12.0.1 (or above) on the system with administrator user setup. For installation
and configuration, refer to the Keycloak Server Installation and Configuration in the Keycloak Server
Installation Guide.
> Install SafeNet Agent for Keycloak, which is available for download from the SAS PCE 3.14 installed package or
Customer Support Portal.
> Change the application and user configuration to use SafeNet Agent for Keycloak. Please refer to the SafeNet
Agent for Keycloak documentation for detailed information on installation, realm settings, user federation,
rebranding and more (this document is part of the installation package).
> Once the transition is complete, uninstall the Shibboleth Agent.

NOTE This transition can be done in a phased manner, as long as all applications are
eventually federated via the SafeNet Agent for Keycloak before May 2022.

Advisory Notes

Setting up MS SQL with Windows Domain User

NOTE In case of Site Import, if the SAS servers are in different domains, all SAS servers must
be in the trusted domain. For more details, refer to the Installation Guide.

Enhanced Approval Workflow for MobilePass+ Push OTP

NOTE Enhanced Workflow UI is enabled only when PUSH is enabled at the System
Administrator level. Please refer to Chapter 16: Software Token PUSH OTP Setting for more
details.

Migrating to MS SQL Database Server

NOTE If migrating to MS SQL database (from any database server) with the SAS Database
Migrator utility, please select the checkbox if using the Windows domain user account.

Database Backup

CAUTION! It is strongly recommended to back up the database before upgrading to the latest
version of the SAS. Failure to do so could result in serious data loss.

MobilePASS+ Software Authenticator


The SAS 3.5 (and later) PCE/ SPE supports Thales next-generation software authenticator, MobilePASS+, in
addition to MobilePASS v8. Both applications use the same MobilePASS token allocation, and a new Allowed
Targets policy lets you select either application for new enrollments. By default, enrollments on iOS and Android
are with MobilePASS+, and with MobilePASS v8 for all other supported device platforms.

Upgrading Synchronization Agent


Synchronization Agent 3.3.2 (and earlier) will continue to work but the scan interval is limited to once every 60
minutes (instead of every 20 minutes), even if the agent is manually stopped and restarted.
It is recommended to upgrade the Synchronization Agent to version 3.4 (or later) to obtain the benefits of
differential synchronization and a scan interval of every 20 minutes. Restarting the synchronization service in the
agent initiates scanning and synchronization.

Configuration on FIPS Mode Enabled Machines


The SafeNet Authentication Service does not work correctly on FIPS mode enabled machines.

Disable the System Cryptography: Use FIPS compliant algorithms for encryption, hashing and signing setting on the
SAS server.

Compatibility and Component Information

Supported Tokens

Hardware Tokens
> KT-4, KT-5, RB, eToken PASS time-based, eToken PASS event-based, SafeNet GOLD, eToken 3410,
eToken 3400, CD-1, SafeNet OTP 110, IDProve 100, SafeNet OTP Display Cards.

Software Tokens
> MobilePASS+: Supported for Android, iOS, Windows Mobile, and Windows Desktop.
> MobilePASS v8.4.6: Supported for Android, iOS, Windows Mobile, Windows Desktop, and Mac OS X.

NOTE Refer to the MobilePASS+ and MobilePASS documentation for supported Operating System
versions.

> MP-1: SafeNet Authentication Service support for MP-1 token software has been phased out and is no longer
supported.

Supported Devices
> Android devices running OS 2.2 or later
> Devices running iOS 5.0 or later
> Devices running on Windows mobile and desktop OS

Supported Browsers
> Microsoft Edge
> Chrome 33 and later
> Firefox 3.5 and later
> Internet Explorer 8 and later

NOTE For hardware token initialization, Internet Explorer versions 10 and below may result in a
lesser user experience. It is recommended to use the latest versions of the supported browsers
for token initialization.

Supported Directories

LDAP
> Active Directory

> Novell eDirectory 8.x
> SunOne 5.x
> OpenLDAP

SQL
> MS SQL
> MySQL
> Oracle

Support Contacts
If you encounter a problem while installing, registering, or operating this product, please refer to the documentation
before contacting support. If you cannot resolve the issue, contact your supplier or Thales Customer Support.
Thales Customer Support operates 24 hours a day, 7 days a week. Your level of access to this service is governed
by the support plan arrangements made between Thales and your organization. Please consult this support plan
for further information about your entitlements, including the hours when telephone support is available to you.

Customer Support Portal


The Customer Support Portal, at https://supportportal.thalesgroup.com, is where you can find solutions for most
common problems. The Customer Support Portal is a comprehensive, fully searchable database of support
resources, including software and firmware downloads, release notes listing known problems and workarounds, a
knowledge base, FAQs, product documentation, technical notes, and more. You can also use the portal to create
and manage support cases.

NOTE You require an account to access the Customer Support Portal. To create a new
account, go to the portal and click on the REGISTER link.

Telephone
The support portal also lists telephone numbers for voice contact (Contact Us).
