CyberArk Identity Release Notes

Release 23.9 (available September 8, 2023) introduces the following changes.

See CyberArk Identity Release Notes - Previous Versions for changes in previous releases.


We made the following updates to the release notes after the release, based on new information.

Change: Fixed cross reference link for enabling passphrases.
Date: September 11, 2023

What's new

The following new features are now available.

Workforce Password Management

Feature Description

Password Generator supports passphrase generation

In Workforce Password Management, users can use the Password Generator to generate strong, random passphrases. A passphrase is a sequence of words that is typically more complex and harder for attackers to guess than a traditional password. The Password Generator is available from the CyberArk Identity Browser Extension and from the context menus of users’ business applications. Users can also define their own easy-to-remember passphrases without using the Password Generator. Administrators can enable this feature according to policy. For details, see Enable passphrases for the Password Generator.

Import Secured Notes from additional third-party password managers

Users can export notes from the Dashlane, KeePass, and Google Password Manager applications and import them into Workforce Password Management as Secured Notes. The notes are in the .csv files used for the import. For details, see Import accounts.

Credentials now autofilled for non-catalog applications

If an imported application is not in the CyberArk Identity Application Catalog, credentials are autofilled and the application icon in the User Portal is updated the first time a user signs in. After that first sign-in, credentials for non-catalog applications are autofilled each time the user signs in from the User Portal.

Secure Web Sessions

See What's New for details on upgrade notes specific to SWS.

Identity Compliance

See CyberArk Identity Compliance Release Notes for details on upgrade notes specific to Identity Compliance.

Improvements and behavior changes

This release includes the following product improvements.


Improvements to authentication features



Changed the default behavior for continuing with authentication challenges and notifying users after a failed challenge.

Previously, by default, users could proceed with the remaining authentication challenges even after failing one. After the last relevant MFA challenge, we notified users that authentication had failed without identifying which challenge failed. This made it more difficult for bad actors to gain access; however, it also made it more difficult for users to sign in.

CyberArk Identity security is robust, so hiding the failed challenge is not necessary. Starting with release 23.9, the default behavior changes to immediately notify users when they fail an authentication challenge. This improves the user experience without compromising security.

The following policy settings control this behavior. The default values for both settings are false starting with 23.9.

  • Authentication Policies > CyberArk Identity > Continue with additional challenges after failed challenge

  • Authentication Policies > CyberArk Identity > Do not send challenge request when previous challenge response failed

Values in your saved policy sets remain unchanged. This change only impacts the default policy set and any new policy sets.

See Notify users of a failed MFA challenge for more information.

Fixed issues

This section lists the issues fixed in this release.

Core Services

Issue Resolution

Retrieval of groups using the group email ID was not supported for Google directories.

This is fixed.

The Identity browser extension did not automatically sign in if you have a custom domain that includes the country code in the top-level domain (for example,

This is fixed.

Early access features

Early access features are made available on a case-by-case basis by request. Early access features might see more frequent updates compared to GA features.

Contact your account representative to enable early access features.

The following table describes features that are currently in an early access state.

Feature Description

Initial release version

Windows Cloud Agent


Support for QR code as a single authentication mechanism

Users can identify themselves and sign in by scanning a QR code with their enrolled mobile device, without entering a username. This feature streamlines the user sign-in experience while maintaining a strong security posture.


Lifecycle Management


Inbound provisioning using CyberArk Identity Flows

You can add Identity Flows to inbound provisioning rules to automate the workflow during synchronization between the source and target. For instructions, see Inbound Provisioning with CyberArk Identity Flows.


Developer experience

OIDC federation

You can now configure external identity providers (IdPs) that use OpenID Connect (OIDC) to enable federated access into your CyberArk Identity tenant. OpenID Connect is an industry-standard identity protocol that offers an alternative to SAML-based solutions. As of this update, CyberArk Identity supports both SAML and OIDC federation.



Map a federated user to an AD or CyberArk Cloud Directory user

This feature enables any federated user attribute to be mapped with any AD user or CyberArk Cloud Directory user attribute. This enables more flexibility in linking the federated user account to an existing AD or CyberArk Cloud Directory policy service user account.


Map federated user attributes

This feature lets you map federated user attributes from the SAML assertion to the target CyberArk Cloud Directory standard or additional attributes. The attribute mapping is applicable only to create and update cloud users.

See Federate with an external IdP using SAML for more information.


APIs now support multiple identifiers

CyberArk Cloud Directory users can now sign in to CyberArk Identity with their email address or phone number.

If an email address or phone number is used in multiple user accounts, sign-in will fail.


Secure Web Sessions

New SWS Protection layer - Session Control

The Session Control security layer enables you to define specific actions considered risky and implement restrictions or notifications based on rules, controlling any text or number field in any application. Control over additional page elements such as buttons, drop-down menus, and more is expected in a future release.


Workforce Password Management

TOTP available for authentication to applications

Users can now use TOTP, a time-based one-time password that can be used only once and within a limited timeframe. TOTP is used to access both user-added and admin-added applications that require their own two-factor authentication. Admins and users can share an application’s TOTP along with the application credentials with other users. See Enable time-based one-time passwords (TOTP) for two-factor authentication for more information.


Import credentials directly from LastPass

Users can import credentials directly from LastPass to CyberArk Identity without using a .csv file. Direct import is more secure than other methods because users don’t have to save the exported data and credentials on their devices. After a successful import, users can access their applications and Secured Items in the CyberArk Identity User Portal. See Import accounts for more information.


The CyberArk Identity mobile app supports TOTP

The CyberArk Identity mobile app supports TOTP for two-factor authentication to access applications. A TOTP is a time-based one-time password. To set up TOTP, see Enable time-based one-time passwords (TOTP) for two-factor authentication. For end user instructions, see Use time-based passwords (TOTPs) for sites with two-factor authentication.


New single sign-on templates

New single sign-on (SSO) application templates are added to the CyberArk Identity Web App Catalog on a regular basis, independent of the product release schedule.

See Recent SSO application templates for a list of recently added templates.

Component versions

The following table lists the latest component versions.



CyberArk Identity


User Behavior Analytics


Windows Cloud Agent


Windows Device Trust


Mac Cloud Agent


Mac Device Trust


Android CyberArk Identity mobile app


iOS CyberArk Identity mobile app


Windows CyberArk Authenticator


Mac CyberArk Authenticator


Browser Extension - Chrome


Browser Extension - Edge Chromium


Browser Extension - Firefox




Known issues

Workforce Password Management

Known issues for WPM



In the User Portal (new user interface), the functionality to sort items according to what has been recently added or frequently used is not working as expected.


When you import a .csv file that includes a record with &# or characters after <, you will get an error message stating, "Error while processing the file, please try after some time."

Remove the record from the .csv file containing &# or any characters after < and try importing again.

The Identity Browser Extension auto-fills credentials on the sign-in page for imported applications that are not available in the CyberArk App Catalog, except for applications with wizard-based login forms or applications with login pop-up forms.

Launch the application from the User Portal and fill in the credentials manually for wizard-based and login pop-up forms.
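A pre-import check for the .csv import issue above, as an added example that is not CyberArk code: it separates the records the importer would reject from the rest and reports only line numbers and column names, so exported credentials are never echoed. The column names and sample rows are constructed, and reading "characters after <" as "a < followed by at least one more character" is an assumption.

```python
import csv
import io

# Constructed sample export; the column names are hypothetical, not the WPM template.
SAMPLE = """\
name,url,username,password,note
Wiki,https://wiki.example.test,alice,constructed-pw-1,plain note
Build,https://ci.example.test,bob,constructed-pw-2,token &#x41; here
Mail,https://mail.example.test,carol,a<b,ok
Docs,https://docs.example.test,dave,constructed-pw-4,ends with <
"""

def is_rejected_field(value):
    """True if the field contains '&#' or a '<' followed by any character
    (assumed reading of the known issue)."""
    if "&#" in value:
        return True
    pos = value.find("<")
    return pos != -1 and pos < len(value) - 1

def split_import_rows(csv_text):
    """Return (header, clean_rows, flagged). flagged holds (line, column)
    pairs only; field values are deliberately left out of the report."""
    reader = csv.reader(io.StringIO(csv_text, newline=""))
    header = next(reader, [])
    clean, flagged = [], []
    for row in reader:
        bad = [header[i] if i < len(header) else f"column {i + 1}"
               for i, value in enumerate(row) if is_rejected_field(value)]
        if bad:
            # line_num is the last physical line of the record just read
            flagged.extend((reader.line_num, col) for col in bad)
        else:
            clean.append(row)
    return header, clean, flagged

def to_csv(header, rows):
    """Serialize the rows that are safe to import back to CSV text."""
    out = io.StringIO(newline="")
    csv.writer(out).writerows([header, *rows])
    return out.getvalue()

if __name__ == "__main__":
    header, clean, flagged = split_import_rows(SAMPLE)
    for line, col in flagged:
        print(f"line {line}: column '{col}' would be rejected by the import")
    print(f"{len(clean)} record(s) ready to import")
```

Handle the flagged records separately, and delete both the original export and any cleaned copy once the import succeeds.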

Mac Cloud Agent

Known issues for the MCA



The Mac Cloud Agent installer shows the Gatekeeper warning the first time it is installed on a device.

  1. Go to System Preferences > Security & Privacy > General, then click Open Anyway.

  2. Click Open on the warning screen that appears.

    After you make these changes, the Gatekeeper warning does not display again for the Mac Cloud Agent on that device for the logged in user.

The self-service account unlock is not currently supported.


The user may not be able to see the device location.

Go to user policy Endpoint Policies > Common Settings > Mobile Settings > Restriction Settings, then under Report mobile device location, select Force for Permit administrator to see device location. Then unenroll the user and enroll again.

Mac login MFA options show FIDO2 and RADIUS if they were configured in the authentication profile; however, these MFA challenges are currently not supported.

Always make sure authentication challenges configured in the authentication profile are available to your users and configured for each user.

The CyberArk Menu Item is not removed from the UI after you unenroll until the next login or restart.

You might receive a certificate error during munkiimport after tenant migration.

Workaround: Re-enroll the Mac.

The Apple Device Enrollment Program (DEP) needs to be configured explicitly to work with the 19.6 Mac Cloud Agent. Contact support if you plan to use DEP.


CyberArk Identity mobile app

Known issue for the mobile app



For iOS devices running in the Zoom display mode (Settings > Display & Brightness > Display Zoom: 'Zoom'), the Mobile Authenticator code gets truncated.

Use only the Standard display mode.

System requirements

See System requirements and supported browsers for more information about browser and device support.