CyberArk Identity Release Notes

Release 23.5 (available May 12, 2023) introduces the following changes.

See CyberArk Identity Release Notes - Previous Versions for changes in previous releases.

What's new

The following new features are now available.

Core services

New features for core services



Enable SHA256 for signing certificate

You can select SHA256 as the signing certificate for an external IdP. You will need to confirm the configured IdP supports SHA256 before selecting this option. See Federate with an external IdP using SAML for more information.

SSO and Workforce Password Management

New features for SSO and Workforce Password Management



Additional attribute support for applications

You can now create additional attributes and specify corresponding values for each administrator-added application.

In the Identity Administration portal, open any application from Web Apps and go to the newly added Additional Attributes section or navigate to Settings > Customization > Additional Attributes > Applications tab to add custom attributes for applications.

You can add a maximum of 10 additional attributes for applications.

You can assign text, number, date and time, or true/false values to each attribute. These attributes can be used for application governance. For instance, you can identify applications that require specific MFA factors, have license expiry dates approaching, find the number of licenses procured for an application, or mark an application as financially sensitive.

See Add additional attributes for applications for more information.

Add notes with your secured passwords

You can now add a note along with the secured password that you are storing with Workforce Password Management.

Secure Web Sessions

See What's New for details on upgrade notes specific to SWS.

Identity Compliance

See CyberArk Identity Compliance Release Notes for details on upgrade notes specific to Identity Compliance.

Improvements and behavior changes

This release includes the following product improvements.

Workforce Password Management

Improvement Description

New application indicator on the user portal

The web portal now indicates when you have new user-shared applications or applications transferred to you from another user. The new indicator comes in the form of a green dot on your application tile.

Fixed issues

Core Services

Issue Description

User login suffixes were not unique and creation of duplicate login suffixes could not be mapped.

Suffixes are now validated to ensure it is not duplicated for federated or Active Directory users.


Fixed issues for authentication



RADIUS logins with a security question as a second factor did not generate an abandoned authentication event.

This is fixed.

The Remember Me checkbox was not remembering the username for federated users with Azure Active Directory.

This is fixed.

Early access features

Early access features are fully-supported features made available on a case-by-case basis by request. Early access features might see more frequent updates compared to GA features.

Contact your account representative to enable early access features.

The following table describes features that are currently in an early access state.

Feature Description

Initial release version

Windows Cloud Agent


Support for QR code as a single authentication mechanism

Users can identify themselves and sign in by scanning a QR code with their enrolled mobile device, without entering a username. This feature streamlines the user sign-in experience while maintaining a strong security posture.


Lifecycle Management


Inbound provisioning using CyberArk Identity Flows

You can add Identity Flows to inbound provisioning rules to automate the workflow during synchronization between the source and target. For instructions, see Inbound Provisioning with CyberArk Identity Identity Flows.


Developer experience

OIDC federation

You can now configure external identity providers (IdPs) that use OpenID Connect (OIDC) to enable federated access into your CyberArk Identity tenant. OpenID Connect is an industry-standard identity protocol that offers an alternative to SAML-based solutions. As of this update, CyberArk Identity supports both SAML and OIDC federation.



Mapping a federated user to an AD or CyberArk Cloud Directory user

This feature enables any federated user attribute to be mapped with any AD user or CyberArk Cloud Directory user attribute. This enables more flexibility in linking the federated user account to an existing AD or CyberArk Cloud Directory policy service user account.


Map federated user attributes

This feature lets you map federated user attributes from the SAML assertion to the target CyberArk Cloud Directory standard or additional attributes. The attribute mapping is applicable only to create and update cloud users.

See Federate with an external IdP using SAML for more information.


Signin APIs now support multiple identifiers

CyberArk Cloud Directory users can now sign in to CyberArk Identity with their email address or phone number.

If an email address or phone number is used in multiple user accounts, signin will fail.


Secure Web Sessions

New SWS Protection layer - Session Control

The Session Control security layer enables you to define specific actions considered risky and implement restrictions or notifications based on rules, controlling any text or number field in any application. Control over additional page elements such as buttons, drop-down menus, and more are expected in a future release.


New single sign-on templates

New single sign-on (SSO) application templates are added to CyberArk Identity Web App Catalog on a regular basis, independent of the product release schedule.

See Recent SSO application templates for a list of recently added templates.

Component versions

The following table lists the latest component versions.



CyberArk Identity


User Behavior Analytics


Windows Cloud Agent


Windows Device Trust


Mac Cloud Agent


Mac Device Trust


Android CyberArk Identity mobile app


iOS CyberArk Identity mobile app


Windows CyberArk Authenticator


Mac CyberArk Authenticator


Browser Extension - Chrome


Browser Extension - Edge Chromium


Browser Extension - Firefox




Known issues

Workforce Password Management

Known issue for WPM



You might see the message "Open the user portal to view the password for the MFA-enabled application" on the Browser Extension while trying to copy the password of an application, even when no application challenge rules (MFA or conditional access) are set. This is due to an issue with the Application Restrictions policy setting. This issue will be fixed in the upcoming releases.

Go to Core Services -> Policies -> <policy name> -> Application Policies -> Application Restrictions and change the value of the default authentication profile from -- to Always Allowed.

Windows Cloud Agent

Known issue for the WCA
Issue Workaround

With RDP (v 6.0+), a user cannot RDP to the endpoint/server with the Windows Cloud Agent using a CyberArk Cloud Directory user. This is because the network credential validation is done on the client side first, before establishing the remote desktop connection.

Mac Cloud Agent

Known issues for the MCA



The Mac Cloud Agent installer shows the Gatekeeper warning the first time it is installed on a device.

  1. Go to System Preferences > Security & Privacy > General, then click Open Anyway.

  2. Click Open on the warning screen that appears.

    After you make these changes, the Gatekeeper warning will not display again for the Mac Cloud Agent on that device for the logged in user.

The self-service account unlock is not currently supported.


The user may not able to see the device location.

Go to user policy Endpoint Policies > Common Settings > Mobile Settings > Restriction Settings, then under Report mobile device location, select Force for Permit administrator to see device location. Then unenroll the user and enroll again.

Mac login MFA options show FIDO2 and Radius if they were configured in the authentication profile; however, these MFA challenges are currently not supported.

Always make sure authentication challenges configured in the authentication profile are available to your users and configured for each user.

The CyberArk Menu Item is not removed from the UI after you unenroll until the next login or restart.

You might receive a certificate error during munkiimport after tenant migration.

Workaround: Re-enroll the Mac

The Apple Device Enrollment Program (DEP) needs to be configured explicitly to work with the 19.6 Mac Cloud Agent. Contact support if you plan to use DEP.


CyberArk Identity mobile app

Known issues for the mobile app



For iOS devices running in the Zoom display mode (Settings > Display & Brightness > Display Zoom: 'Zoom'), the Mobile Authenticator code gets truncated.

Use only the Standard display mode.

System requirements

See System requirements and supported browsers for more information about browser and device support.