CyberArk Identity Release Notes
Release 23.12 (available December 1, 2023) introduces the following changes.
See CyberArk Identity Release Notes - Previous Versions for changes in previous releases.
Related services
Workforce Password Management
See WPM Release Notes for update notes specific to Workforce Password Management.
Secure Web Sessions
See What's New for update notes specific to SWS.
Identity Compliance
See CyberArk Identity Compliance release notes for update notes specific to Identity Compliance.
Identity Flows
See What's new for update notes specific to Identity Flows.
What's new
The following new features are now available.
SSO
Feature | Description |
---|---|
Secure Cloud Access supports authentication through third-party IdP | When you enable Secure Cloud Access for the AWS IAM Identity Center web app, you can now enable user authentication using a third-party identity provider instead of CyberArk Identity. See AWS IAM Identity Center SAML Single Sign-On (SSO) for more information. |
Authentication
Feature | Description |
---|---|
Passkeys as an authentication factor | Passkeys support is now available. You can now enable users to create passkeys to authenticate when signing in to CyberArk Identity. Previously, users needed to enter their username and complete the passkey as a challenge. Now users click Sign in with your Passkey and authenticate quickly and seamlessly. As a passwordless option, passkeys can be used as a unique factor in the authentication profile, which provides higher security assurance with Authenticator Assurance Level (AAL3) based on NIST 800-63B. Passkeys enablement is added to the policies and managed in the Identity Administration portal. See Enable passkeys for more information. This feature was previously an early access feature. It is now generally available. |
Customer identity
Feature | Description |
---|---|
Map federated user attributes | This feature lets you map federated user attributes from the SAML assertion to the target CyberArk Cloud Directory standard or additional attributes. The attribute mapping functionality is only applicable to creating and updating cloud users. See Federate with an external IdP using SAML for more information. This feature was previously an early access feature. It is now generally available. |
Map a federated user to an AD or CyberArk Cloud Directory user | This feature enables any federated user attribute to be mapped with any AD user or CyberArk Cloud Directory user attribute. This enables more flexibility in linking the federated user account to an existing AD or CyberArk Cloud Directory policy service user account. This feature was previously an early access feature. It is now generally available. |
New email verification API | You can now verify an external user’s email using the API signup/SendVerificationEmail. |
Improvements and behavior changes
This release includes the following product improvements.
Core services
Improvement | Description |
---|---|
Idle user session timeout is always enabled | Previously, there was no default for end-user idle session timeout when a new tenant was created. The default is now set to 240 minutes. You can now set a minimum and maximum for idle user session timeout of five minutes and 2880 minutes, respectively. You can also disable the idle user session timeout. See Configure idle session timeout for more information. |
SSO
Improvement | Description |
---|---|
Enhanced OIDC authorization requests | Client applications can now send additional parameters in OIDC authorization requests to execute further actions after the user logs in. For example, you can use these parameters to modify access and ID tokens or to call APIs to enrich user profiles or send notifications. You can access these parameters in the script and set the custom claims or call inline hooks for processing. For details, see Add and configure the custom OpenID Connect application. |
Early access features
Early access features are made available on a case-by-case basis by request. Early access features might see more frequent updates compared to GA features.
Contact your account representative to enable early access features.
The following tables describe features that are currently in an early access state.
Single sign-on
Improvement | Description | Initial release |
---|---|---|
Single logout (SLO) now includes external IdPs | With this release, federated users who log out of a SAML or OIDC web application are seamlessly logged out from the external IdP. To configure SLO, see Configure Single Logout. | 23.11 |
Windows Cloud Agent
Feature | Description | Initial release version |
---|---|---|
Support for QR code as a single authentication mechanism | Users can identify themselves and sign in by scanning a QR code with their enrolled mobile device, without entering a username. This feature streamlines the user sign-in experience while maintaining a strong security posture. | 23.4 |
Lifecycle Management
Feature | Description | Initial release version |
---|---|---|
Inbound provisioning using CyberArk Identity Flows | You can add Identity Flows to inbound provisioning rules to automate the workflow during synchronization between the source and target. For instructions, see Inbound Provisioning with CyberArk Identity Identity Flows. | 23.1 |
Authentication
Feature | Description | Initial release version |
---|---|---|
Sign-in APIs now support multiple identifiers | CyberArk Cloud Directory users can now sign in to CyberArk Identity with their email address or phone number. If an email address or phone number is used in multiple user accounts, sign-in will fail. | 22.3 |
New single sign-on templates
New single sign-on (SSO) application templates are added to the CyberArk Identity Web App Catalog on a regular basis, independent of the product release schedule.
See Recent SSO application templates for a list of recently added templates.
Component versions
The following table lists the latest component versions.
Component | Version |
---|---|
CyberArk Identity | 23.12.221 |
User Behavior Analytics | 23.9.206 |
Windows Cloud Agent | 23.12.221 |
Windows Device Trust | 23.5.208 |
Mac Cloud Agent | 23.12.221 |
Mac Device Trust | 23.8.219 |
Android CyberArk Identity mobile app | 23.12.101 |
iOS CyberArk Identity mobile app | 23.12.101 |
Windows CyberArk Authenticator | 23.5.208 |
Mac CyberArk Authenticator | 23.8.219 |
Browser Extension - Chrome | 23.12.1 |
Browser Extension - Edge Chromium | 23.12.1 |
Browser Extension - Firefox | 23.12.2 |
Connector | 23.12.221 |
Known issues
Mac Cloud Agent
Issue | Workaround |
---|---|
The Mac Cloud Agent installer shows the Gatekeeper warning the first time it is installed on a device. | |
The self-service account unlock is not currently supported. | None |
The user may not be able to see the device location. | Go to user policy Endpoint Policies > Common Settings > Mobile Settings > Restriction Settings, then under Report mobile device location, select Force for Permit administrator to see device location. Then unenroll the user and enroll again. |
Mac login MFA options show FIDO2 and Radius if they were configured in the authentication profile; however, these MFA challenges are currently not supported. | Always make sure authentication challenges configured in the authentication profile are available to your users and configured for each user. |
The CyberArk Menu Item is not removed from the UI after you unenroll until the next login or restart. You might receive a certificate error during munkiimport after tenant migration. | Workaround: Re-enroll the Mac |
The Apple Device Enrollment Program (DEP) needs to be configured explicitly to work with the 19.6 Mac Cloud Agent. Contact support if you plan to use DEP. | None |
CyberArk Identity mobile app
Issue | Workaround |
---|---|
For iOS devices running in the Zoom display mode (Settings > Display & Brightness > Display Zoom: 'Zoom'), the Mobile Authenticator code gets truncated. | Use only the Standard display mode. |
System requirements
See System requirements and supported browsers for more information about browser and device support.