CyberArk Identity Release Notes

Release 23.12 (available December 1, 2023) introduces the following changes.

See CyberArk Identity Release Notes - Previous Versions for changes in previous releases.

Related services

Workforce Password Management

See WPM Release Notes for update notes specific to Workforce Password Management.

Secure Web Sessions

See What's New for update notes specific to SWS.

Identity Compliance

See CyberArk Identity Compliance release notes for update notes specific to Identity Compliance.

Identity Flows

See What's new for update notes specific to Identity Flows.

What's new

The following new features are now available.

SSO

New features for SSO

Feature

Description

Secure Cloud Access supports authentication through third-party IdP

When you enable Secure Cloud Access for the AWS IAM Identity Center web app, you can now enable user authentication using a third-party identity provider instead of CyberArk Identity.

See AWS IAM Identity Center SAML Single Sign-On (SSO) for more information.

Authentication

New features for authentication

Feature

Description

Passkeys as an authentication factor

Passkeys support is now available. You can now enable users to create passkeys to authenticate when signing in to CyberArk Identity. Previously, users needed to enter their username and complete the passkey as a challenge. Now users click Sign in with your Passkey and authenticate quickly and seamlessly. As a passwordless option, passkeys can be used as a unique factor in the authentication profile, which provides higher security assurance with Authenticator Assurance Level (AAL3) based on NIST 800-63B. Passkeys enablement is added to the policies and managed in the Identity Administration portal.

See Enable passkeys for more information.

This feature was previously an early access feature. It is now generally available.

Customer identity

New features for customer identity use cases

Feature

Description

Map federated user attributes

This feature lets you map federated user attributes from the SAML assertion to the target CyberArk Cloud Directory standard or additional attributes. The attribute mapping functionality is only applicable to creating and updating cloud users.

See Federate with an external IdP using SAML for more information.

This feature was previously an early access feature. It is now generally available.

Map a federated user to an AD or CyberArk Cloud Directory user

This feature enables any federated user attribute to be mapped with any AD user or CyberArk Cloud Directory user attribute. This enables more flexibility in linking the federated user account to an existing AD or CyberArk Cloud Directory policy service user account.

This feature was previously an early access feature. It is now generally available.

New email verification API

You can now verify an external user’s email using the API signup/SendVerificationEmail.

Improvements and behavior changes

This release includes the following product improvements.

Core services

Improvements to the platform

Improvement

Description

Idle user session timeout is always enabled

Previously, there was no default for end-user idle session timeout when a new tenant was created. The default is now set to 240 minutes. You can now set a minimum and maximum for idle user session timeout of five minutes and 2880 minutes, respectively. You can also disable the idle user session timeout. See Configure idle session timeout for more information.

SSO

Improvements for SSO

Improvement

Description

Enhanced OIDC authorization requests

Client applications can now send additional parameters in OIDC authorization requests to execute further actions after the user logs in. For example, you can use these parameters to modify access and ID tokens or to call APIs to enrich user profiles or send notifications. You can access these parameters in the script and set the custom claims or call inline hooks for processing.

For details, see Add and configure the custom OpenID Connect application.

Early access features

Early access features are made available on a case-by-case basis by request. Early access features might see more frequent updates compared to GA features.

Contact your account representative to enable early access features.

The following tables describe features that are currently in an early access state.

Single sign-on

Single sign-on early access features

| Improvement | Description | Initial release |
| --- | --- | --- |
| Single logout (SLO) now includes external IdPs | With this release, federated users who log out of a SAML or OIDC web application are seamlessly logged out from the external IdP. To configure SLO, see Configure Single Logout. | 23.11 |

Windows Cloud Agent

Windows Cloud Agent early access features

| Feature | Description | Initial release version |
| --- | --- | --- |
| Support for QR code as a single authentication mechanism | Users can identify themselves and sign in by scanning a QR code with their enrolled mobile device, without entering a username. This feature streamlines the user sign-in experience while maintaining a strong security posture. | 23.4 |

Lifecycle Management

Customer Identity early access features

| Feature | Description | Initial release version |
| --- | --- | --- |
| Inbound provisioning using CyberArk Identity Flows | You can add Identity Flows to inbound provisioning rules to automate the workflow during synchronization between the source and target. For instructions, see Inbound Provisioning with CyberArk Identity Identity Flows. | 23.1 |

Authentication

Customer Identity early access features

| Feature | Description | Initial release version |
| --- | --- | --- |
| Sign-in APIs now support multiple identifiers | CyberArk Cloud Directory users can now sign in to CyberArk Identity with their email address or phone number. If an email address or phone number is used in multiple user accounts, sign-in will fail. | 22.3 |

New single sign-on templates

New single sign-on (SSO) application templates are added to the CyberArk Identity Web App Catalog on a regular basis, independent of the product release schedule.

See Recent SSO application templates for a list of recently added templates.

Component versions

The following table lists the latest component versions.

Component versions

| Component | Version |
| --- | --- |
| CyberArk Identity | 23.12.221 |
| User Behavior Analytics | 23.9.206 |
| Windows Cloud Agent | 23.12.221 |
| Windows Device Trust | 23.5.208 |
| Mac Cloud Agent | 23.12.221 |
| Mac Device Trust | 23.8.219 |
| Android CyberArk Identity mobile app | 23.12.101 |
| iOS CyberArk Identity mobile app | 23.12.101 |
| Windows CyberArk Authenticator | 23.5.208 |
| Mac CyberArk Authenticator | 23.8.219 |
| Browser Extension - Chrome | 23.12.1 |
| Browser Extension - Edge Chromium | 23.12.1 |
| Browser Extension - Firefox | 23.12.2 |
| Connector | 23.12.221 |

Known issues

Mac Cloud Agent

Known issues for the MCA

Issue

Workaround

The Mac Cloud Agent installer shows the Gatekeeper warning the first time it is installed on a device.

  1. Go to System Preferences > Security & Privacy > General, then click Open Anyway.

  2. Click Open on the warning screen that appears.

    After you make these changes, the Gatekeeper warning does not display again for the Mac Cloud Agent on that device for the logged-in user.

The self-service account unlock is not currently supported.

None

The user may not be able to see the device location.

Go to user policy Endpoint Policies > Common Settings > Mobile Settings > Restriction Settings, then under Report mobile device location, select Force for Permit administrator to see device location. Then unenroll the user and enroll again.

Mac login MFA options show FIDO2 and Radius if they were configured in the authentication profile; however, these MFA challenges are currently not supported.

Always make sure authentication challenges configured in the authentication profile are available to your users and configured for each user.

The CyberArk Menu Item is not removed from the UI after you unenroll until the next login or restart.

You might receive a certificate error during munkiimport after tenant migration.

Workaround: Re-enroll the Mac.

The Apple Device Enrollment Program (DEP) needs to be configured explicitly to work with the 19.6 Mac Cloud Agent. Contact support if you plan to use DEP.

None

CyberArk Identity mobile app

Known issue for the mobile app

Issue

Workaround

For iOS devices running in the Zoom display mode (Settings > Display & Brightness > Display Zoom: 'Zoom'), the Mobile Authenticator code gets truncated.

Use only the Standard display mode.

System requirements

See System requirements and supported browsers for more information about browser and device support.