Known Issues & Limitations
This section describes known issues and limitations of Entrust Identity as a Service.
Known Issues
Push Authentication Notification for Custom Mobile Apps may not work (31020)
If push authentication notification for a custom mobile application does not work delete the mobile app credentials from settings and reapply. If the settings are defined as a per group setting, delete the per group setting and recreate it.
NetMotion - User is prompted for password when password is saved
When using the NetMotion VPN client with the "Allow saved password" option enabled, users may still be prompted for their password on subsequent logins when authenticating to Identity as a Service.
In order to prevent this, in the Identity as a Service RADIUS application settings enable the "When authenticating the user will be asked to select their second-factor authenticator" option.
IE11 - Unable to download Swagger API (20500)
It is not possible to download the Swagger API files from the Administration and Authentication API documentation using Internet Explorer 11. Please use a modern browser such as Microsoft Edge, Google Chrome or Mozilla FireFox.
Exporting Grid Cards with Sort Options (21566)
Exporting grid cards using a sort option such as sort by date added can lead to long-running exports. To avoid this, export grid cards without a sort option. Doing so will use serial number as the default sort order. Once exported, additional sorting can then be done using external tools such as Microsoft Excel.
Sorting Grid Cards (20975)
The Admin API for obtaining a list of paged grid cards does not return the expected list of cards when sorting by grid state. Therefore, sorting by grid state should not be used in this case.
Identity Proofing: Invalid response code with PUT request (19770)
If the authentication token has expired and the image uploaded in a PUT request is very large, the response code sometimes can be a generic Internal Error (500) instead of UNAUTHORIZED (401). To prevent this, it's recommended to submit an OPTIONS request before submitting the PUT request with the image. The OPTIONS request will always return UNAUTHORIZED (401) if the authentication token is expired.
Microsoft CA Cert Template updates (19430)
Any update to the certificate template configuration in the Microsoft CA requires the Microsoft CA to be refreshed in the Identity as a Service Administration Portal. Microsoft CA certificate template information is cached in the Microsoft CA Gateway for 30 minutes. A refresh is required to reset the cache.
Identity as a Service Gateway Proxy username / password character restrictions (17930)
The proxy username and password for the Identity as a Service Enterprise Gateway can contain special characters, but not spaces.
On demand sync with previously synced users (17514)
When running the Synchronize a new user or an existing user Admin API, users that have been previously synchronized using an AD Sync crawl can be synchronized without respect to the target directories searchbase configuration. These users will no longer be managed by AD Sync crawl until their searchbase is added to the target directory configuration.
Expired users recorded on a corporate directory are still imported into Identity as a Service using AD Sync with active status (2098)
If users expire in Active Directory, they are still given an ACTIVE status if added by the Active Directory synchronization to Identity as a Service.
No First Factor RADIUS authentication attempt from locked user causes RADIUS client to timeout (7620)
This issue occurs when the authentication type for the RADIUS application is set to No First Factor. If a locked user attempts to authenticate to a RADIUS client, the client times out waiting for a response from the gateway instead of replying with a login failure message.
KBA word mapping does not recognize special characters (9008)
Word mapping entries with values containing identical alphanumeric characters but different special characters (such as !"#$%&+-()) cannot be added. Identity as a Service treats these entries as identical; the system prevents adding the duplicate entry. For example, Identity as a Service would block adding "test" as a word map entry if "test-" was already on the word map list.
Unable to fully logout of Office 365 desktop and mobile applications
If a user recently logged in to an Office 365 desktop or mobile application, signing out of the account and attempting to log in again may not require authentication. This occurs because the authentication token for the Identity as a Service portal is not removed by the Office 365 applications during sign out. This token will automatically expire after a short period of time.
Directory and Directory Synchronization Add, Edit, and Delete actions are not included in the Identity as a Service account audit logs.
Entrust Desktop IdentityGuard for Microsoft Windows resource rules configured for Offline KBA have been modified by layout update (10807)
Entrust Desktop IdentityGuard for Microsoft Windows resource rules set up for offline knowledge-based authentication (KBA) have been modified by the layout update. Each resource rule's preferred list of second factor authenticators must be updated manually to restore offline KBA. The resource rule's prior Strongest Authenticator (either SMS / Email OTP, Entrust Soft Token Push, or Software / Hardware Token) must now be placed at the top of the preferred list of second factor authenticators. That authenticator and Knowledge-based Authenticator, must also be the only second factor authenticators selected.
Fallback token push authentication to Palo Alto VPN does not work (11317)
Identity as a Service supports configuring Palo Alto and other applications for FallBack authentication. FallBack authentication allows users to complete a different authentication challenge if the time limit for completing a push authentication challenge expires. Users should be able to FallBack when a Token Push challenge to Palo Alto expires. However, they cannot log in once it expires.
Password authentication for AD users created in Radiant Logic LDAP directory (24348)
Users created in Radiant Logic as "AD Users" may not be able to perform password authentication after syncing with Identity as a Service.
LDAP users without a password show a password authenticator in IDaaS after syncing (24346)
The Identity as a Service User Portal shows a password authenticator for LDAP directory users that were synced without a password attribute in the configured directory.
Importing Contact Values from Identity Enterprise may not map to the expected user attribute (26122)
When a user is imported from Identity Enterprise (formerly IdentityGuard) the user's contact values are mapped to IDaaS user attributes. Currently one of the contact values is always mapped to the default system user attributes (mobile or mail) even if its name matches an existing custom attribute.
Limitations
Passwordless authentication does not support device certificates
The use of device certificates with passwordless (passkey, smart login, and IDP) authentication requires the user to authenticate a second time in order to successfully complete authentication.
Tenant Management Identity Provider Authentication does not support multiple tiers
When configuring tenants at a service provider to use identity provider authentication, authentication is only supported to the child tenant. Identity provider authentication to a child service provider's tenant is not supported.
OAuth Resource Server API Protection
When using OAuth to protect resource server APIs, the following limitations exist.
- When using refresh tokens, the contents of the re-issued access token is based on the original authorization request. Note that refreshing an ID token is not supported.
- When using the token endpoint, the scope and resource parameters are ignored. The scope and resource parameter values used with authorization request is used instead.
User Last Authentication Time
Searching for users who have never logged in may not return the correct results if the user was created before 5.11, and they were not explicitly assigned an authenticator.
This issue has been addressed for users created in release 5.11 or later.
Using email addresses as Identity as a Service User IDs with ActiveSync authentication (22536)
When using ActiveSync clients, if user email addresses are used as the Identity as a Service User ID, ActiveSync authentication fails. There are two workarounds as follows:
- Create an alias for each user with the user alias value set to the username portion of their email address.
For example, if the user's email address is john.doe@xyz.com, the Identity as a Service account should be created using john.doe. - Synchronize the user's Active Directory sAMAccountName value as the Identity as a Service User ID. When creating an ActiveSync account on their mobile device, the user value supplied should be their sAMAccountName @ their email address domain. For example, if the user's sAMAccountName is jdoe and their email address is john.doe@xyz.com, the ActiveSync account should be created using jdoe@xyz.com.
(Preview Feature) Identity as a Service cannot perform password authentication for Azure AD Cloud-to-Cloud synchronized users
Users synchronized from Azure Active Directory using the preview cloud-to-cloud capability to are unable to perform password authentication when Azure AD users are federated or protected with conditional access. This affects use cases in which Identity as a Service performs the authentication of an Azure AD user password including authenticating to the Identity as a Service user portal, SAML applications, OpenID Connect applications and RADIUS applications.
This does not affect customers using the existing user synchronization capabilities with Azure AD Directory Services through the Identity as a Service Gateway.
Security ID attribute not set for existing Active Directory or Azure Directory
The Security ID attribute is not set for an existing Active Directory or Azure Directory. If you wish to synchronize the Security ID value from your directory, set this value to ObjectSID for Active Directory or securityIdentifier for Azure Directory. If you create a new directory this attribute will correctly default to the expected value.
AD Connector does not support Security ID attribute
AD Connector does not support synchronizing the Security ID attribute. Do not set a value for this attribute when configuring AD Connector.
Microsoft CA Gateway configuration changes require a CA Gateway restart
Updates or a refresh of the Microsoft CA configuration in the Identity as a Service Admin Portal are propagated to the CA Gateway automatically. Currently, this requires a restart of the CA Gateway. Current requests, for example, authentication or enrollment to the CA Gateway will fail and need to be re-executed. Similarly, if the Password Agent or CA Gateway is restarted manually, the latest Microsoft CA configuration will also be propagated.
Microsoft CA Certificate revocation checks
Certificate revocation checks are supported using CRLs and AIA data that is acquired using either LDAP, HTTP, or both. Both protocols need to be accessible by the Identity as a Service Gateway. This requires configuring anonymous access to the LDAP CRL. Additionally, when updating Microsoft CA Enrollment Agents and Key Recovery Agents, CRLs should be re-published.
Search Users by Password Expiry feature only for Microsoft Active Directory
Search Users by Password Expiry feature is only available for Microsoft Active Directory.
Voice OTP limitations
When using Voice OTP, the Thai and Turkish languages are not supported. The voice message will be in English.
FIDO2 limitations
RADIUS does not support FIDO2 authentication.
Gateway required to add RADIUS application (1881)
A RADIUS application cannot be added to Identity as a Service unless a gateway has already been configured. It is not possible to complete the configuration of the RADIUS agent because there is no gateway to select for the required gateway instance field.
Updating Smart Credential after changing variable value on Identity as a Service not supported
Identity as a Service does not support updating a mobile smart credential after changing the FirstName, LastName or any other value included in the smart credential Digital ID distinguished name. Doing so causes an error when updating the smart credential.
Unable to change Directory sync settings to recognize settings directly (2922)
Once an Identity as a Service directory is created, the Directory Sync Agent selected cannot be modified without deleting the gateway containing the synchronization agent. The administrator must delete the gateway containing the sync agent selected to clear the Select Directory Sync Agent field. Once that field has no value selected, the administrator can select the agent of the new gateway for their directory.
SSL Handshake error for RADIUS EAP authentication when using SSL certificates issued from a CA (9255)
An SSL handshake error could occur when using a CA-issued SSL certificate with a certificate chain to the root CA that is too large. The error could be caused by the large number of certificates in the chain, or the size of the individual certificates. The error is caused by RADIUS message size limitations. If this issue occurs, use a self-signed SSL certificate instead.
Box user provisioning limitations (9460)
Users that existed on Identity as a Service prior to configuring an application for user provisioning are not automatically created on the SAML application account afterward. Those users can be automatically created on the application account by accessing and saving the user's profile information on Identity as a Service. Saving the user's profile information prompts the creation of a new user on the application account when none existed previously. If a user fails to be added to a Box account after being created on Identity as a Service, the Box and Identity as a Service user information cannot be re-synchronized to correct the issue.
Control number of KBA questions for ISAPI authentication from resource rule (9529)
ISAPI applications leveraging knowledge-based authentication cannot override the number of questions the user is prompted for. The number of questions presented to the user is controlled by the Identity as a Service Resource Rules KBA Challenge Size setting.
Single logout from Salesforce does not return users to the Salesforce Login page (10335)
Users who log out of Salesforce accounts configured for single logout with Identity as a Service are logged out of both Salesforce and Identity as a Service. However, if the Single Logout Service URL in Identity as a Service is configured, the logout response sent to Salesforce results in the user being left at a blank page instead of the Salesforce Login page.
Workaround: Leave the Single Logout Service URL field blank in Identity as a Service so that users are returned to the Identity as a Service login page instead of a blank page.
Limited authenticator functionality when accessing ADFS through Identity as a Service (10749) (10603) (10605)
Users with Entrust soft tokens (STs) that were registered online must use token push authentication to complete the challenge and access ADFS. Users authenticating using a mobile device without a mobile network can authenticate using a classic token response.
The Override KBA challenge setting for ADFS does not define the number of KBA questions available during authentication. The Q&A Challenge Size value within ADFS resource rules overrides Override KBA challenge . For example, four KBA questions are displayed during authentication if Override KBA challenge is set to 3 and Q&A Challenge Size is set to 4. Grid card authenticators are not supported for accessing ADFS through Identity as a Service. Temporary PIN (OTP) is not supported for ADFS authentication even though users can click on an OTP link during second factor authentication.
Imported NagraID 136TE and MiniAT hardware tokens may require synchronization or settings update before use (10915)
Identity as a Service supports importing several hardware tokens from Identity as a ServiceGuard. This includes NagraID 136TE and MiniAT hardware tokens. These imported tokens could have event counters that have drifted through being used multiple times. In that case, they must be synchronized with Identity as a Service before being used to authenticate. Triggering a synchronization is not required for tokens with event counters that have not drifted. Each token can be synchronized from each user's list of authenticators. Those struggling to achieve token synchronization should double their Max. Reset Event Window after each synchronization attempt until it is achieved. The default value Max. Reset Event Window value (100) should be restored once the tokens are synchronized. The Max. Reset Event Window setting is located within the Entrust Legacy Token settings of your Identity as a Service account.
Resource rule chosen alphabetically when two or more resource rules match (10971)
When two or more matching resource rules exist for the same application, Identity as a Service will abide by the one that appears first alphabetically in the account's resource rules.
Identity as a Service portal fails to load on IE when Protected Mode enabled (11892)
Using Internet Explorer (IE) with Protected Mode enabled to access Identity as a Service prevents your account from loading properly. A workaround for employees who must use Protected Mode due to corporate IT policy is adding https://*.trustedauth.com as a Trusted Site in their Internet Explorer settings. See the Identity as a Service Administrator Help for assistance adding the URL.
Custom view-only roles must be updated to include access to Password Reset Settings (11904)
Custom Identity as a Service roles with view-only access must be updated manually to include view-level access to the account Password Reset Settings. Adding View-level access for the Groups Management system entity allows view-level access to the settings.
(Preview Feature) AD Connector users cannot perform password authentication and password reset using Identity as a Service APIs
Users synchronized using the AD Connector preview feature are unable to perform password authentication through Identity as a Service, including authenticating to the Identity as a Service user portal (using password), SAML applications, OpenID Connect applications, and RADIUS applications. The password reset functionality is also not available for these users.
Password authentication is still supported in full using SMS PASSCODE authentication clients or by integrations using authentication APIs and external methods for validating passwords.
Issuance Limitations
Print Job Queuing and Printer Status
The print API does not manage print job queuing. It requires consumers to check the status of a printer, it must be IDLE before attempting a print job. Otherwise, the print job request will be rejected.
Japan Magstripe NTT or JIS-II
Encoding magstripes in the NTT format is not currently supported.
Multi-step Smartcard Personalization
Advanced smartcard workflows that require multiple batches of communication via basic print API with a smartcard coupler is not supported.
Limited Printer Preferences Support
Several printer preference options are not supported in the beta. This includes copies, blackPixelsMonochrome, and disablePrinting.