CyberArk Identity Release Notes
Release 23.9 (available September 8, 2023) introduces the following changes.
See CyberArk Identity Release Notes - Previous Versions for changes in previous releases.
Changelog
We made the following updates to the release notes after the release, based on new information.
| Change | Date |
|---|---|
| Fixed cross reference link for enabling passphrases. | September 11, 2023 |
What's new
The following new features are now available.
Workforce Password Management
| Feature | Description |
|---|---|
| | In Workforce Password Management, users can use the Password Generator to generate strong, random passphrases. A passphrase is a sequence of words that is typically more complex and harder for attackers to guess than a traditional password. The Password Generator is available from the CyberArk Identity Browser Extension and from the context menus of users’ business applications. Users can also define their own easy-to-remember passphrases without using the Password Generator. Administrators can enable this feature according to policy. For details, see Enable passphrases for the Password Generator. |
| Import Secured Notes from additional third-party password managers | Users can export notes from the Dashlane, Keepass, and Google Password Manager applications and import them into Workforce Password Manager as Secured Notes. The notes are contained in the .csv files used for the import. For details, see Import accounts. |
| Credentials now autofilled for non-catalog applications | If an imported application is not in the CyberArk Identity Application Catalog, credentials are autofilled and the application icon in the User Portal is updated the first time a user signs in. After that first sign-in, credentials for non-catalog applications are autofilled each time the user signs in from the User Portal. |
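The passphrase feature above rests on two properties of the generator: words are chosen with a cryptographic random source, and the strength of the result is a function of the list size and the word count rather than of how "complex" the words look. The following Python is an added example, not CyberArk's implementation or API: it draws words with the OS CSPRNG and computes the entropy so that a generator configuration can be compared against a character-based password policy. The wordlist is a constructed sample; the 7776-word figure refers to the size of the EFF long wordlist, and the 70-bit policy threshold is an assumed value.

```python
import math
import secrets

# Constructed sample wordlist for this example. A production generator uses a
# large curated list (the EFF long list has 7776 words); the entropy maths below
# is identical, only len(wordlist) changes.
SAMPLE_WORDLIST = [
    "anchor", "basket", "cactus", "dolphin", "ember", "falcon", "garnet", "harbor",
    "island", "jigsaw", "kettle", "lantern", "meadow", "nectar", "orbit", "pebble",
    "quartz", "ripple", "saddle", "timber", "umbrella", "velvet", "walnut", "yonder",
]


def generate_passphrase(wordlist, word_count=6, separator="-"):
    """Pick word_count words uniformly at random from wordlist.

    secrets.choice is backed by os.urandom and is unbiased; random.choice is a
    PRNG seeded from predictable state and must not be used for credentials.
    """
    if word_count < 1:
        raise ValueError("word_count must be at least 1")
    return separator.join(secrets.choice(wordlist) for _ in range(word_count))


def entropy_bits(symbol_space, length):
    """Entropy of `length` symbols each drawn uniformly from `symbol_space` choices."""
    return length * math.log2(symbol_space)


def passphrase_strength(wordlist, word_count):
    """Entropy of a passphrase: the symbol space is the wordlist, not the alphabet."""
    return entropy_bits(len(wordlist), word_count)


def meets_policy(wordlist, word_count, min_bits=70.0):
    """Assumed policy check: does this generator configuration reach min_bits?"""
    return passphrase_strength(wordlist, word_count) >= min_bits


if __name__ == "__main__":
    print(generate_passphrase(SAMPLE_WORDLIST, 5))
    # Six words from a 7776-word list versus twelve printable-ASCII characters.
    print(round(entropy_bits(7776, 6), 1), "bits for 6 words from 7776")
    print(round(entropy_bits(94, 12), 1), "bits for 12 random printable characters")
    print(meets_policy(SAMPLE_WORDLIST, 6), "<- the small sample list is far too short")
```

The comparison printed at the end is the practical point: six words from a 7776-word list (about 77.5 bits) is roughly as strong as a twelve-character random password (about 78.7 bits) and far easier to remember, but the same six words from a short list are weak, so the list size is a policy parameter, not a detail.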
Secure Web Sessions
See What's New for details on upgrade notes specific to SWS.
Identity Compliance
See CyberArk Identity Compliance Release Notes for details on upgrade notes specific to Identity Compliance.
Improvements and behavior changes
This release includes the following product improvements.
Authentication
| Improvement | Description |
|---|---|
| Changed the default behavior for continuing with authentication challenges and notifying users after a failed challenge. | Previously, by default, users were allowed to proceed through the remaining authentication challenges even after failing one. Only after the last relevant MFA challenge were they notified that authentication had failed, without being told which challenge had failed. This made it more difficult for bad actors to gain access; however, it also made it more difficult for legitimate users to sign in. CyberArk Identity security is robust, so hiding the failed challenge is not necessary. Starting with release 23.9, the default behavior is to notify users immediately when they fail an authentication challenge. This improves the user experience without compromising security. The following policy settings control this behavior; starting with 23.9, the default value of both settings is false. Values in your saved policy sets remain unchanged. This change only affects the default policy set and any new policy sets. See Notify users of a failed MFA challenge for more information. |
Fixed issues
This section lists the issues fixed in this release.
Core Services
| Issue | Resolution |
|---|---|
| Retrieval of groups using the group email ID was not supported for Google directories. | This is fixed. |
| The Identity browser extension did not automatically sign in if you had a custom domain that includes the country code in the top-level domain (for example, mycompany.my.idaptive.app.au). | This is fixed. |
Early access features
Early access features are made available on a case-by-case basis by request. Early access features might be updated more frequently than GA features.
Contact your account representative to enable early access features.
The following table describes features that are currently in an early access state.
| Feature | Description | Initial release version |
|---|---|---|
| Windows Cloud Agent | | |
| Support for QR code as a single authentication mechanism | Users can identify themselves and sign in by scanning a QR code with their enrolled mobile device, without entering a username. This feature streamlines the user sign-in experience while maintaining a strong security posture. | 23.4 |
| Lifecycle Management | | |
| Inbound provisioning using CyberArk Identity Flows | You can add Identity Flows to inbound provisioning rules to automate the workflow during synchronization between the source and target. For instructions, see Inbound Provisioning with CyberArk Identity Flows. | 23.1 |
| Developer experience | | |
| OIDC federation | You can now configure external identity providers (IdPs) that use OpenID Connect (OIDC) to enable federated access into your CyberArk Identity tenant. OpenID Connect is an industry-standard identity protocol that offers an alternative to SAML-based solutions. As of this update, CyberArk Identity supports both SAML and OIDC federation. | 23.3 |
| Authentication | | |
| Map a federated user to an AD or CyberArk Cloud Directory user | This feature enables any federated user attribute to be mapped to any AD user or CyberArk Cloud Directory user attribute. This gives more flexibility in linking the federated user account to an existing AD or CyberArk Cloud Directory policy service user account. | 22.11 |
| Map federated user attributes | This feature lets you map federated user attributes from the SAML assertion to the target CyberArk Cloud Directory standard or additional attributes. The attribute mapping applies only when creating and updating cloud users. See Federate with an external IdP using SAML for more information. | 22.3 |
| Sign-in APIs now support multiple identifiers | CyberArk Cloud Directory users can now sign in to CyberArk Identity with their email address or phone number. If an email address or phone number is used in multiple user accounts, sign-in will fail. | 22.3 |
| Secure Web Sessions | | |
| New SWS Protection layer - Session Control | The Session Control security layer enables you to define specific actions considered risky and implement restrictions or notifications based on rules, controlling any text or number field in any application. Control over additional page elements such as buttons, drop-down menus, and more is expected in a future release. | |
| Workforce Password Management | | |
| TOTP available for authentication to applications | Users can now use TOTP, a time-based one-time password that can be used only once and within a limited timeframe. TOTP is used to access both user-added and admin-added applications that require their own two-factor authentication. Admins and users can share an application’s TOTP along with the application credentials with other users. See Enable time-based one-time passwords (TOTP) for two-factor authentication for more information. | 23.6 |
| Import credentials directly from LastPass | Users can import credentials directly from LastPass to CyberArk Identity without using a .csv file. Direct import is more secure than other methods because users don’t have to save the exported data and credentials on their devices. After a successful import, users can access their applications and Secured Items in the CyberArk Identity User Portal. See Import accounts for more information. | 23.6 |
| The CyberArk Identity mobile app supports TOTP | The CyberArk Identity mobile app supports TOTP for two-factor authentication to access applications. A TOTP is a time-based one-time password. To set up TOTP, see Enable time-based one-time passwords (TOTP) for two-factor authentication. For end user instructions, see Use time-based passwords (TOTPs) for sites with two-factor authentication. | 23.8 |
New single sign-on templates
New single sign-on (SSO) application templates are added to the CyberArk Identity Web App Catalog on a regular basis, independent of the product release schedule.
See Recent SSO application templates for a list of recently added templates.
Component versions
The following table lists the latest component versions.
| Component | Version |
|---|---|
| CyberArk Identity | 23.9.203 |
| User Behavior Analytics | 23.9.206 |
| Windows Cloud Agent | 23.7.213 |
| Windows Device Trust | 23.5.208 |
| Mac Cloud Agent | 23.8.219 |
| Mac Device Trust | 23.8.219 |
| Android CyberArk Identity mobile app | 23.9.104 |
| iOS CyberArk Identity mobile app | 23.9.103 |
| Windows CyberArk Authenticator | 23.5.208 |
| Mac CyberArk Authenticator | 23.8.219 |
| Browser Extension - Chrome | 23.9.1 |
| Browser Extension - Edge Chromium | 23.9.1 |
| Browser Extension - Firefox | 23.9.2 |
| Connector | 23.9.203 |
Known issues
Workforce Password Management
Mac Cloud Agent
| Issue | Workaround |
|---|---|
| The Mac Cloud Agent installer shows the Gatekeeper warning the first time it is installed on a device. | |
| Self-service account unlock is not currently supported. | None |
| The user may not be able to see the device location. | Go to the user policy Endpoint Policies > Common Settings > Mobile Settings > Restriction Settings, then under Report mobile device location, select Force for Permit administrator to see device location. Then unenroll the user and enroll again. |
| Mac login MFA options show FIDO2 and RADIUS if they were configured in the authentication profile; however, these MFA challenges are currently not supported. | Always make sure the authentication challenges configured in the authentication profile are available to your users and configured for each user. |
| The CyberArk Menu Item is not removed from the UI after you unenroll until the next login or restart. You might receive a certificate error during munkiimport after tenant migration. | Re-enroll the Mac. |
| The Apple Device Enrollment Program (DEP) needs to be configured explicitly to work with the 19.6 Mac Cloud Agent. Contact support if you plan to use DEP. | None |
CyberArk Identity mobile app
| Issue | Workaround |
|---|---|
| For iOS devices running in the Zoom display mode (Settings > Display & Brightness > Display Zoom: 'Zoom'), the Mobile Authenticator code gets truncated. | Use only the Standard display mode. |
System requirements
See System requirements and supported browsers for more information about browser and device support.