23.10

Release 23.10 (available October 20, 2023) introduces the following changes.

See CyberArk Identity Release Notes - Previous Versions for changes in previous releases.

Changelog

We made the following updates to the release notes after the release, based on new information.

Change Date

Removed "Custom domains and vanity URLs now work on ISPSS tenants: You can now customize your tenant URL on ISPSS tenants. See Customize tenant URLs for more information."

2023-11-17

Added "Importing credentials directly from LastPass fails if there are no shared items." to Known issues.

2023-10-23

Added a fix for SAML federation with subdomains.

2023-10-31

What's new

The following new features are now available.

Workforce Password Management

Feature Description

TOTP available for authentication to applications

Users can now use TOTP, a time-based one-time password that can be used only once and within a limited timeframe. TOTP is used to access both user-added and admin-added applications that require their own two-factor authentication. Admins and users can share an application’s TOTP along with the application credentials with other users. See Enable time-based one-time passwords (TOTP) for two-factor authentication for more information.

This feature was previously an early access feature. It is now generally available.

Share folders imported from LastPass

Users can now import folders that were shared in LastPass by user or group if CyberArk Identity can find a matching email address or group name. For details, see Import credentials directly from LastPass.

Users can share folders in the User Portal

Users can share folders containing applications and Secured Items with roles, groups, and individual users. Sharing a folder containing multiple items is easier than sharing each item separately. Users can specify a date range for sharing and give the recipient View or Edit permission. After the folder is shared, it is available in the recipient's User Portal.

For details, see Organize applications and Secured Items in folders.

Attach files to Secured Items

Users can attach a file to any type of Secured Item (password or note). This feature enables users to keep files containing sensitive information, such as receipts, software licenses, passport images, employee ID cards, client lists, and videos, together with a related Secured Item. Users can attach up to 10 files to each Secured Item, with a maximum size of 10 MB per file. Users can share these files with other users. The files are stored in the CyberArk Identity cloud.

For details, see Manage Secured Items.

Authentication

New features for authentication

Feature

Description

RADIUS support for YubiKey OTP

The YubiKey one-time password (OTP) factor can now be used for authentication by RADIUS clients. With CyberArk Identity Connectors configured for RADIUS, you can select Enter Code to enable users to enter the code in the RADIUS client's user interface. See Configure the CyberArk Identity Connector for use as a RADIUS server for more information.

Developer experience

New features for the developer experience

Feature

Description

OIDC federation

You can now configure external identity providers (IdPs) that use OpenID Connect (OIDC) to enable federated access into your CyberArk Identity tenant. OpenID Connect is an industry-standard identity protocol that offers an alternative to SAML-based solutions. As of this update, CyberArk Identity supports both SAML and OIDC federation.

This feature was previously an early access feature. It is now generally available.

Route users to an external IdP based on the user agent header

Previously, external IdP authentication relied on the SAML and OIDC protocols, requiring users to initiate authentication through web browsers.

With the routing rules, authentication requests originating from non-browser clients, such as RDP terminals, can now be seamlessly processed using the RADIUS protocol. This simplifies the authentication process, eliminating the requirement for the users to engage with web browsers when signing in via non-browser channels.

To configure the routing rules using SAML, see Configure routing rules.

To configure the routing rules using OIDC, see Configure routing rules.

Secure Web Sessions

See What's New for details on upgrade notes specific to SWS.

Identity Compliance

See CyberArk Identity Compliance Release Notes for details on upgrade notes specific to Identity Compliance.

Improvements and behavior changes

This release includes the following product improvements.

Authentication

Improvements to authentication features

Improvement

Description

New reCAPTCHA domain available for reCAPTCHA APIs.

The CyberArk Identity integration with reCAPTCHA uses the www.google.com domain by default. If you are in a region where www.google.com is unavailable, you can contact CyberArk support to change the reCAPTCHA domain to www.recaptcha.net.

CyberArk Identity Add-on for Splunk v3 update

The CyberArk Identity Splunk Add-on v3 now works with the current version of Splunk Enterprise. This add-on allows real-time analysis and risk mitigation to identify a potential breach in progress. You can download it from the Identity Administration portal or from Splunk's Splunkbase.

See Splunk Add-on for more information.

Platform

Improvements to the platform

Improvement

Description

Added support for https://azure.portal.us.

CyberArk now supports Azure Active Directory for .gov.

Enhanced role creation flow

Previously, after creating a new role, users had to search the role list for the newly created role in order to define it. With this improvement, users create and save the role and are then directed to the Role page with the completed fields. See Create roles for more information.

Sign in to different workspaces

You can find a workspace from the root sign-in page, which supports switching between tenants and searching for the desired tenant. A workspace is another name for a tenant in CyberArk Identity. See Sign in to different workspaces for more information.

Workspace will be renamed to tenant in an upcoming release.

Early access features

Early access features are made available on a case-by-case basis by request. Early access features might see more frequent updates compared to GA features.

Contact your account representative to enable early access features.

The following tables describe features that are currently in an early access state.

Workforce Password Management

WPM early access features

Feature

Description

Initial release version

Import credentials directly from LastPass

Users can import credentials directly from LastPass to CyberArk Identity without using a .csv file. Direct import is more secure than other methods because users don’t have to save the exported data and credentials on their devices. After a successful import, users can access their applications and Secured Items in the CyberArk Identity User Portal.

See Import accounts for more information.

23.6

The CyberArk Identity mobile app supports TOTP

The CyberArk Identity mobile app supports TOTP for two-factor authentication to access applications. A TOTP is a time-based one-time password. To set up TOTP, see Enable time-based one-time passwords (TOTP) for two-factor authentication. For end user instructions, see Use time-based passwords (TOTPs) for sites with two-factor authentication.

This feature was previously an early access feature. It is now generally available.

23.8

Windows Cloud Agent

Windows Cloud Agent early access features

Feature

Description

Initial release version

Support for QR code as a single authentication mechanism

Users can identify themselves and sign in by scanning a QR code with their enrolled mobile device, without entering a username. This feature streamlines the user sign-in experience while maintaining a strong security posture.

23.4

Lifecycle Management

Customer Identity early access features

Feature

Description

Initial release version

Inbound provisioning using CyberArk Identity Flows

You can add Identity Flows to inbound provisioning rules to automate the workflow during synchronization between the source and target. For instructions, see Inbound Provisioning with CyberArk Identity Identity Flows.

23.1

Authentication

Customer Identity early access features

Feature

Description

Initial release version

Passkeys as an authentication factor

You can enable users to enroll and use their passkeys for authentication into the CyberArk portals. As a passwordless option, passkeys can be used as a unique factor in the Authentication Profile, which provides higher security assurance with Authenticator Assurance Level 3 (AAL3) based on NIST 800-63B. Passkey enablement is added to the policies and managed in the Identity Administration portal. See Enable passkeys for more information.

23.10

Map a federated user to an AD or CyberArk Cloud Directory user

This feature enables any federated user attribute to be mapped with any AD user or CyberArk Cloud Directory user attribute. This enables more flexibility in linking the federated user account to an existing AD or CyberArk Cloud Directory policy service user account.

22.11

Map federated user attributes

This feature lets you map federated user attributes from the SAML assertion to the target CyberArk Cloud Directory standard or additional attributes. The attribute mapping is applicable only to create and update cloud users.

See Federate with an external IdP using SAML for more information.

22.3

Sign-in APIs now support multiple identifiers

CyberArk Cloud Directory users can now sign in to CyberArk Identity with their email address or phone number.

If an email address or phone number is used in multiple user accounts, sign-in will fail.

22.3

Secure Web Sessions

See What's New for details on upgrade notes specific to SWS.

New single sign-on templates

New single sign-on (SSO) application templates are added to the CyberArk Identity Web App Catalog on a regular basis, independent of the product release schedule.

See Recent SSO application templates for a list of recently added templates.

Component versions

The following table lists the latest component versions.

Component

Version

CyberArk Identity

23.10.218

User Behavior Analytics

23.9.206

Windows Cloud Agent

23.10.218

Windows Device Trust

23.5.208

Mac Cloud Agent

23.10.218

Mac Device Trust

23.8.219

Android CyberArk Identity mobile app

23.10.105

iOS CyberArk Identity mobile app

23.10.100

Windows CyberArk Authenticator

23.5.208

Mac CyberArk Authenticator

23.8.219

Browser Extension - Chrome

23.10.3

Browser Extension - Edge Chromium

23.10.3

Browser Extension - Firefox

23.10.4

Connector

23.10.218

Known issues

Workforce Password Management

Known issues for WPM

Issue

Workaround

Importing credentials directly from LastPass fails if there are no shared items.

Share a dummy item with any other user on LastPass before you import.

In the User Portal (new user interface), the functionality to sort items according to what has been recently added or frequently used is not working as expected.

None.

When you import a .csv file that includes a record with &# or characters after <, you will get an error message stating, "Error while processing the file, please try after some time."

Remove the record from the .csv file containing &# or any characters after < and try importing again.

The Identity Browser Extension auto-fills credentials on the sign-in page for imported applications that are not available in the CyberArk App Catalog, except for applications with wizard-based login forms or applications with login pop-up forms.

Launch the application from the User Portal and fill in the credentials manually for wizard-based and login pop-up forms.
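
The .csv known issue above can be checked for before import. The following Python sketch is an added example, not CyberArk code: it flags records containing &# or < followed by any character (an assumed reading of the issue) and reports only record numbers and column names, since the file holds credentials. The column names in the sample are hypothetical.

```python
import csv
import io
import re

# Assumption: "&#" anywhere in a field, or "<" followed by at least one
# character, is what the known issue describes.
RISKY = re.compile(r"&#|<.", re.DOTALL)


def split_import_csv(text):
    """Return (clean_csv_text, flagged) for CSV text with a header row.

    flagged is a list of (record_number, column_names); record 1 is the
    first data row. Field values are never placed in flagged, because
    the file holds credentials.
    """
    reader = csv.reader(io.StringIO(text, newline=""))
    header = next(reader)
    out = io.StringIO(newline="")
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(header)
    flagged = []
    for number, row in enumerate(reader, start=1):
        bad = [header[i] if i < len(header) else f"column {i + 1}"
               for i, value in enumerate(row) if RISKY.search(value)]
        if bad:
            flagged.append((number, bad))  # record must be removed or edited
        else:
            writer.writerow(row)           # record is safe to import
    return out.getvalue(), flagged


# Constructed sample input; the column names are hypothetical.
SAMPLE = (
    "name,url,username,password,notes\n"
    "Mail,https://mail.example.test,alice,pw-one,plain note\n"
    "Wiki,https://wiki.example.test,alice,a&#39;b,\n"
    "CRM,https://crm.example.test,alice,pw-three,see <b>admin</b>\n"
    "Git,https://git.example.test,alice,pw-four,size < \n"
    "VPN,https://vpn.example.test,alice,pw-five,ends with <\n"
)

if __name__ == "__main__":
    clean, flagged = split_import_csv(SAMPLE)
    for number, columns in flagged:
        print(f"record {number}: remove or edit ({', '.join(columns)})")
```

Keep the cleaned text in memory or delete any file written from it after the import, because it still contains the remaining credentials.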

Mac Cloud Agent

Known issues for the MCA

Issue

Workaround

The Mac Cloud Agent installer shows the Gatekeeper warning the first time it is installed on a device.

  1. Go to System Preferences > Security & Privacy > General, then click Open Anyway.

  2. Click Open on the warning screen that appears.

    After you make these changes, the Gatekeeper warning does not display again for the Mac Cloud Agent on that device for the logged in user.

The self-service account unlock is not currently supported.

None

The user may not be able to see the device location.

Go to user policy Endpoint Policies > Common Settings > Mobile Settings > Restriction Settings, then under Report mobile device location, select Force for Permit administrator to see device location. Then unenroll the user and enroll again.

Mac login MFA options show FIDO2 and Radius if they were configured in the authentication profile; however, these MFA challenges are currently not supported.

Always make sure authentication challenges configured in the authentication profile are available to your users and configured for each user.

The CyberArk Menu Item is not removed from the UI after you unenroll until the next login or restart.

You might receive a certificate error during munkiimport after tenant migration.

Workaround: Re-enroll the Mac

The Apple Device Enrollment Program (DEP) needs to be configured explicitly to work with the 19.6 Mac Cloud Agent. Contact support if you plan to use DEP.

None

CyberArk Identity mobile app

Known issue for the mobile app

Issue

Workaround

For iOS devices running in the Zoom display mode (Settings > Display & Brightness > Display Zoom: 'Zoom'), the Mobile Authenticator code gets truncated.

Use only the Standard display mode.

System requirements

See System requirements and supported browsers for more information about browser and device support.