CyberArk Identity Release Notes
Release 23.5 (available May 12, 2023) introduces the following changes.
See CyberArk Identity Release Notes - Previous Versions for changes in previous releases.
What's new
The following new features are now available.
Core services
Feature | Description |
---|---|
Enable SHA256 for signing certificate | You can select SHA256 as the signing certificate for an external IdP. You will need to confirm the configured IdP supports SHA256 before selecting this option. See Federate with an external IdP using SAML for more information. |
SSO and Workforce Password Management
Feature | Description |
---|---|
Additional attribute support for applications | You can now create additional attributes and specify corresponding values for each administrator-added application. In the Identity Administration portal, open any application from Web Apps and go to the newly added Additional Attributes section or navigate to Settings > Customization > Additional Attributes > Applications tab to add custom attributes for applications. You can add a maximum of 10 additional attributes for applications. You can assign text, number, date and time, or true/false values to each attribute. These attributes can be used for application governance. For instance, you can identify applications that require specific MFA factors, have license expiry dates approaching, find the number of licenses procured for an application, or mark an application as financially sensitive. See Add additional attributes for applications for more information. |
Add notes with your secured passwords | You can now add a note along with the secured password that you are storing with Workforce Password Management. |
Secure Web Sessions
See What's New for details on upgrade notes specific to SWS.
Identity Compliance
See CyberArk Identity Compliance Release Notes for details on upgrade notes specific to Identity Compliance.
Improvements and behavior changes
This release includes the following product improvements.
Workforce Password Management
Improvement | Description |
---|---|
New application indicator on the user portal | The web portal now indicates when you have new user-shared applications or applications transferred to you from another user. The new indicator comes in the form of a green dot on your application tile. |
Fixed issues
Core Services
Issue | Description |
---|---|
User login suffixes were not unique and creation of duplicate login suffixes could not be mapped. | Suffixes are now validated to ensure they are not duplicated for federated or Active Directory users. |
Authentication
Issue | Description |
---|---|
RADIUS logins with a security question as a second factor did not generate an abandoned authentication event. | This is fixed. |
The Remember Me checkbox was not remembering the username for federated users with Azure Active Directory. | This is fixed. |
Early access features
Early access features are fully-supported features made available on a case-by-case basis by request. Early access features might see more frequent updates compared to GA features.
Contact your account representative to enable early access features.
The following table describes features that are currently in an early access state.
Feature | Description | Initial release version |
---|---|---|
Windows Cloud Agent | | |
Support for QR code as a single authentication mechanism | Users can identify themselves and sign in by scanning a QR code with their enrolled mobile device, without entering a username. This feature streamlines the user sign-in experience while maintaining a strong security posture. | 23.4 |
Lifecycle Management | | |
Inbound provisioning using CyberArk Identity Flows | You can add Identity Flows to inbound provisioning rules to automate the workflow during synchronization between the source and target. For instructions, see Inbound Provisioning with CyberArk Identity Identity Flows. | 23.1 |
Developer experience | | |
OIDC federation | You can now configure external identity providers (IdPs) that use OpenID Connect (OIDC) to enable federated access into your CyberArk Identity tenant. OpenID Connect is an industry-standard identity protocol that offers an alternative to SAML-based solutions. As of this update, CyberArk Identity supports both SAML and OIDC federation. | 23.3 |
Authentication | | |
Mapping a federated user to an AD or CyberArk Cloud Directory user | This feature enables any federated user attribute to be mapped with any AD user or CyberArk Cloud Directory user attribute. This enables more flexibility in linking the federated user account to an existing AD or CyberArk Cloud Directory policy service user account. | 22.11 |
Map federated user attributes | This feature lets you map federated user attributes from the SAML assertion to the target CyberArk Cloud Directory standard or additional attributes. The attribute mapping is applicable only to create and update cloud users. See Federate with an external IdP using SAML for more information. | 22.3 |
Signin APIs now support multiple identifiers | CyberArk Cloud Directory users can now sign in to CyberArk Identity with their email address or phone number. If an email address or phone number is used in multiple user accounts, signin will fail. | 22.3 |
Secure Web Sessions | | |
New SWS Protection layer - Session Control | The Session Control security layer enables you to define specific actions considered risky and implement restrictions or notifications based on rules, controlling any text or number field in any application. Control over additional page elements such as buttons, drop-down menus, and more is expected in a future release. | |
New single sign-on templates
New single sign-on (SSO) application templates are added to CyberArk Identity Web App Catalog on a regular basis, independent of the product release schedule.
See Recent SSO application templates for a list of recently added templates.
Component versions
The following table lists the latest component versions.
Component | Version |
---|---|
CyberArk Identity | 23.5.208 |
User Behavior Analytics | 23.5.201 |
Windows Cloud Agent | 23.5.208 |
Windows Device Trust | 23.5.208 |
Mac Cloud Agent | 23.5.208 |
Mac Device Trust | 23.5.208 |
Android CyberArk Identity mobile app | 23.4.102 |
iOS CyberArk Identity mobile app | 23.4.105 |
Windows CyberArk Authenticator | 23.5.208 |
Mac CyberArk Authenticator | 23.5.208 |
Browser Extension - Chrome | 23.5.3 |
Browser Extension - Edge Chromium | 23.5.3 |
Browser Extension - Firefox | 23.5.4 |
Connector | 23.5.208 |
Known issues
Workforce Password Management
Windows Cloud Agent
Issue | Workaround |
---|---|
With RDP (v 6.0+), a user cannot RDP to the endpoint/server with the Windows Cloud Agent using a CyberArk Cloud Directory user. This is because the network credential validation is done on the client side first, before establishing the remote desktop connection. |
Mac Cloud Agent
Issue | Workaround |
---|---|
The Mac Cloud Agent installer shows the Gatekeeper warning the first time it is installed on a device. | |
The self-service account unlock is not currently supported. | None |
The user may not be able to see the device location. | Go to user policy Endpoint Policies > Common Settings > Mobile Settings > Restriction Settings, then under Report mobile device location, select Force for Permit administrator to see device location. Then unenroll the user and enroll again. |
Mac login MFA options show FIDO2 and Radius if they were configured in the authentication profile; however, these MFA challenges are currently not supported. | Always make sure authentication challenges configured in the authentication profile are available to your users and configured for each user. |
The CyberArk Menu Item is not removed from the UI after you unenroll until the next login or restart. You might receive a certificate error during munkiimport after tenant migration. | Workaround: Re-enroll the Mac |
The Apple Device Enrollment Program (DEP) needs to be configured explicitly to work with the 19.6 Mac Cloud Agent. Contact support if you plan to use DEP. | None |
CyberArk Identity mobile app
Issue | Workaround |
---|---|
For iOS devices running in the Zoom display mode (Settings > Display & Brightness > Display Zoom: 'Zoom'), the Mobile Authenticator code gets truncated. | Use only the Standard display mode. |
System requirements
See System requirements and supported browsers for more information about browser and device support.