Release 5.45
New in this release
Support Multiple Passwords
IDaaS users can now have multiple passwords associated with their account. This allows users to have different passwords for different authentication flows or applications. Administrators can configure multiple passwords for users and assign each with a unique password policy.
SCIM Enhancements
The following enhancements have been made to SCIM support in this release:
- Support for custom schemas.
- Mapping additional IDaaS attributes to SCIM attributes, including RegistrationStatus to indicate whether the user is registered.
- Support for setting values into multivalued complex type SCIM attributes like email.
- Improved logging.
UI Improvements
In the IDaaS Administration portal, all the "Policy" pages and bulk operation pages have been redesigned to improve usability.
OAuth Improvements
A new document "OAuth and OIDC Basics" has been added to the IDaaS Developer Hub. This document provides an overview of OAuth 2.0 and OpenID Connect (OIDC) concepts.
A new OIDC application template, “Generic Embedded Application,” is now available in IDaaS. This template enables administrators to implement a custom, self‑hosted login experience that keeps users within your application during authentication, while still relying on an OpenID Connect provider to issue standards‑compliant tokens.
CORS Changes
For new IDaaS accounts, CORS is now enabled by default. Existing accounts are not affected by this change, but Entrust recommends that customers enable CORS for their existing accounts.
Fixed or changed in this release
- Generic Native application client ID copy to clipboard fails - The copy to clipboard function for client ID was not working for Generic Native applications, though it worked for other OIDC apps. (41215)
- Authentication API calls for OIDC IDaaS JWT grant type need to be added to CORS Allow list - Authentication API calls for IDaaS JWT grant types are now automatically allowed for CORS. (41203)
- Group policy Face Biometric Mutual Challenge alphabet error handling - Setting Face Biometric mutual challenge alphabet to a single character and saving resulted in an error without an error message. (41316)
- IDaaS Doc ER: SAML SLO configuration and expected behavior - Documentation needs to specify the resulting behaviors expected from IDP or SP initiated logout and whether it results in global logout. (39797)
- Magic link auth email changing to blank when the defined custom email contact changed to SMS - When adding a custom email contact, changing group policy magic link default email to the custom contact, then changing the custom email contact type to SMS, the default email becomes blank. (40636)
- SCIM Provisioner User Attribute Mappings filter for the Required field is a text field - The filter field should be restricted to yes/no options rather than free text. (40462)
- Test Directory Configurations result dialog contains a typo - "All group filter" should be "All group filters". (40827)
- Unsaved changes warning does not retain user on the same Authenticator edit page when "Cancel" is clicked - When navigating to Policy → Authenticators, editing an Authenticator without saving, then clicking another Authenticator, an unsaved changes pop-up appears. However, clicking "Cancel" navigates to the previously selected Authenticator instead of staying on the current page with unsaved changes. (41281)
- OIDC Authentication Unexpected server error, authentication request invalid - After redirecting to IDaaS from the customer service provider using an OIDC integration, allowing five minutes to elapse before proceeding results in "server error: Unexpected server error, authentication request invalid" error. (40883)
- IDaaS SAML user creation not recognizing role - When a user is created after IDP authentication, role assignment during user creation is not working. Role claims that include underscores and role claims returned as lists are not properly processed. (41319)
Changes to Identity as a Service (IDaaS) APIs
Authentication API
New models
PasswordChallenge
New model introduced to support password challenge scenarios.
name(string) - The name of the password challenge
namedPasswordId(string) - The Named Password Id associated with the challenge
Changed models
AuthenticatedResponse
- Added:
passwordChallenge(PasswordChallenge) - Password challenge information returned when password authentication requires additional challenge
UserAuthenticateQueryResponse
- Added:
passwordChallenge(PasswordChallenge) - Password challenge information for user authentication queries
UserAuthenticatorLockoutStatus
- Added:
name(string) - The user's named password authentication that is locked out.
Notes & migration guidance
- Password Challenge Support: A new PasswordChallenge model has been introduced to support scenarios where password authentication requires additional challenge information. This is part of the named password feature that allows users to have multiple distinct password authenticators.
- Enhanced Authentication Responses: Both AuthenticatedResponse and UserAuthenticateQueryResponse now include an optional passwordChallenge field. Clients should handle this field to support multi-password authentication flows where a specific named password may be required.
- Lockout Status Enhancement: The UserAuthenticatorLockoutStatus model now includes a name field to identify which specific named password authenticator is locked out, providing better visibility for troubleshooting and user support.
- Non-Breaking Changes: All changes are additive (new optional fields and a new model). Existing client implementations will continue to work without modification, though they won't benefit from the enhanced password challenge capabilities until updated.
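The client-side handling the migration notes ask for, as an added example that is not Entrust's code: parse the optional passwordChallenge field out of an AuthenticatedResponse or UserAuthenticateQueryResponse, decide whether the user must be prompted for a specific named password, and cross-check against UserAuthenticatorLockoutStatus entries. The JSON key names are assumed to match the model property names listed above, the payloads are constructed samples, and matching a lockout entry to a challenge by its name is an assumption of this example.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class PasswordChallenge:
    """Mirrors the 5.45 PasswordChallenge model: name and namedPasswordId (both strings)."""
    name: str
    named_password_id: str


def parse_password_challenge(response: dict) -> Optional[PasswordChallenge]:
    """Extract passwordChallenge from an AuthenticatedResponse or
    UserAuthenticateQueryResponse. Returns None when the optional field is
    absent, so pre-5.45 responses and single-password flows still parse."""
    raw = response.get("passwordChallenge")
    if raw is None:
        return None
    name = raw.get("name")
    named_password_id = raw.get("namedPasswordId")
    # A present-but-incomplete challenge is rejected rather than guessed at:
    # the client must not silently fall back to a different password.
    if not (isinstance(name, str) and name and isinstance(named_password_id, str) and named_password_id):
        raise ValueError("passwordChallenge is present but missing name or namedPasswordId")
    return PasswordChallenge(name, named_password_id)


def next_step(response: dict) -> Tuple[str, Optional[PasswordChallenge]]:
    """Decide what the client does with the response: prompt the user for the
    named password the service asked for, or proceed as before 5.45."""
    challenge = parse_password_challenge(response)
    if challenge is not None:
        return ("prompt_named_password", challenge)
    return ("proceed", None)


def locked_out_names(lockout_statuses: List[dict]) -> Set[str]:
    """Collect UserAuthenticatorLockoutStatus.name values, i.e. which named
    password authenticators are locked out (entries without a name are ignored)."""
    return {s["name"] for s in lockout_statuses if isinstance(s.get("name"), str)}


def challenge_is_locked_out(challenge: PasswordChallenge, lockout_statuses: List[dict]) -> bool:
    """Assumption of this example: a lockout entry refers to the challenge by the same name."""
    return challenge.name in locked_out_names(lockout_statuses)


# Constructed sample payloads (not captured from IDaaS); key names follow the model definitions.
SAMPLE_WITH_CHALLENGE = {"passwordChallenge": {"name": "VPN password", "namedPasswordId": "npw-example-1"}}
SAMPLE_WITHOUT_CHALLENGE = {}  # a response with the optional field absent
SAMPLE_LOCKOUTS = [{"name": "VPN password"}, {"name": "Portal password"}]
```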
Administration API
New operations
- DELETE /api/web/v1/users/{userid}/passwords/{namedpasswordid} (deleteUserNamedPasswordUsingDELETE) — Delete a user password using the password ID
- GET /api/web/v1/users/{userid}/list/passwords (getUserNamedPasswordsUsingGET) — Gets a list of user passwords
- GET /api/web/v1/users/{userid}/settings/password/{namedpasswordid} (getUserNamedPasswordSettingsUsingGET) — Get user password authenticator settings by named password ID
- PUT /api/web/v1/users/{userid}/password/{namedpasswordid}/notify (sendUserNamedPasswordExpiryNotificationUsingPUT) — Update and send a password expiry notification using password ID
Removed operations
- DELETE /api/web/v1/users/{userid}/activesyncdevices/{deviceid} (removeActiveSyncDeviceUsingDELETE) — Delete ActiveSync device
- GET /api/web/v1/serviceipaddresses (getServiceIPAddressesUsingGET) — Get service IP addresses
- GET /api/web/v1/users/{userid}/activesyncdevices (getCachedActiveSyncDevicesUsingGET) — Get ActiveSync devices
- POST /api/web/v1/users/{userid}/activesyncdevices (getActiveSyncDevicesUsingPOST) — Manage ActiveSync device
- PUT /api/web/v1/users/{userid}/activesyncdevices (updateActiveSyncDevicesUsingPUT) — Update ActiveSync device
Changed models
AuthenticationFlow
- Added:
namedPasswordId(string) - The Named Password Id used for password authentication.
AuthenticationFlowParms
- Added:
namedPasswordId(string) - The Named Password Id used for password authentication.
CorsOrigin
- Required added:
id
- Required added:
origin
Entitlement
- Added:
gracePeriodEndDate(string, date-time) - The user's grace period end date of this entitlement in UTC time.
PasswordResetSettings
- Added:
id(string) - ID of the password reset settings.
- Added:
namedPasswordId(string) - The ID of the named password.
SmsVoice
- Added:
gracePeriodEndDate(string, date-time) - The date when the grace period for the entitlement will end.
Tenant
- Added:
otpProviderId(string) - The ID of the preferred OTP provider associated with this tenant, if any. Only visible to root tenant.
UserAuthenticatorLockoutStatus
- Added:
name(string) - The user's named password authentication that is locked out.
UserEntitlement
- Added:
gracePeriodEndDate(string, date-time) - The date when the grace period for the entitlement will end.
UserPassword
- Added:
id(string) - The ID of the user password.
- Added:
namedPasswordId(string) - The named password associated to the user.
UserPasswordParms
- Added:
namedPasswordId(string) - The ID of the named password.
UserPasswordSettings
- Added:
namedPasswordEnabled(boolean) - Indicates whether the named password policy is enabled for the user.
- Added:
namedPasswordId(string) - The ID of the named password.
UserPasswordValidationParms
- Added:
namedPasswordId(string) - The ID of the named password.
Notes & migration guidance
- Named Password Support: The major theme of this release is support for named passwords. Multiple new properties (namedPasswordId) have been added across authentication flows, password settings, and user password models to enable multi-password scenarios per user. This allows users to have multiple distinct password authenticators with different policies.
- New Password Management APIs: Four new endpoints provide granular password management by password ID, including listing all passwords for a user, deleting specific passwords, managing password expiry notifications, and retrieving password settings per named password.
- ActiveSync Deprecation (Breaking): All ActiveSync device management endpoints have been removed. Clients using these endpoints must migrate to alternative device management solutions before upgrading.
- Service IP Addresses Removal (Breaking): The /api/web/v1/serviceipaddresses endpoint has been removed. Clients relying on this endpoint should contact support for alternative approaches to obtaining service IP information.
- Grace Period Tracking: Added gracePeriodEndDate to entitlement-related models (Entitlement, SmsVoice, UserEntitlement) to support grace period functionality for expired entitlements. This allows tenants to continue operating for a limited time after entitlement expiration.
- CORS Origin Validation (Breaking): The CorsOrigin model now requires both id and origin fields. Ensure all CORS origin configurations include these required fields when creating or updating CORS origins.
- OTP Provider Configuration: Tenants can now specify a preferred OTP provider via the otpProviderId property, providing flexibility in OTP delivery mechanisms.
Supported TLS Ciphers
IDaaS supports the following TLS Ciphers:
TLSv1.3:
- TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519)
- TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519)
- TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519)
TLSv1.2:
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519)
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519)
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519)
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519)
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519)
On March 15, 2026, support for the following ciphers will be removed.
TLSv1.2:
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519)
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519)
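A readiness check for the March 15, 2026 cipher removal, added here as an example and not part of Entrust's documentation: it builds a Python ssl client context restricted to the TLS 1.2 suites that remain, and reports whether a given context could still negotiate one of the two CBC suites being removed. The IANA-to-OpenSSL name mapping is the standard one and is not taken from the page; the TLS 1.3 suites are controlled separately by OpenSSL and are left enabled.

```python
import ssl
from typing import List, Set

# IANA suite names as listed in the release notes, mapped to the OpenSSL names
# that Python's ssl module understands (standard mapping, not from the page).
REMAINING_TLS12 = {
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": "ECDHE-RSA-AES128-GCM-SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": "ECDHE-RSA-AES256-GCM-SHA384",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256": "ECDHE-RSA-CHACHA20-POLY1305",
}
REMOVED_2026_03_15 = {
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256": "ECDHE-RSA-AES128-SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384": "ECDHE-RSA-AES256-SHA384",
}


def build_client_context() -> ssl.SSLContext:
    """Client context limited to the TLS 1.2 suites that remain after the cutoff;
    TLS 1.3 suites are governed by OpenSSL's separate ciphersuite list and stay on."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(":".join(REMAINING_TLS12.values()))
    return ctx


def legacy_context_example() -> ssl.SSLContext:
    """A deliberately permissive context, as a client configured before the
    cutoff might look: one CBC suite is still allowed alongside an AEAD suite."""
    ctx = ssl.create_default_context()
    ctx.set_ciphers("ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-GCM-SHA256")
    return ctx


def negotiable_cipher_names(ctx: ssl.SSLContext) -> Set[str]:
    return {c["name"] for c in ctx.get_ciphers()}


def removed_suites_still_enabled(ctx: ssl.SSLContext) -> List[str]:
    """IANA names of the to-be-removed CBC suites this context could still
    negotiate; an empty list means the context is ready for the cutoff."""
    enabled = negotiable_cipher_names(ctx)
    return sorted(iana for iana, ossl in REMOVED_2026_03_15.items() if ossl in enabled)


def unsupported_tls12_suites_enabled(ctx: ssl.SSLContext) -> Set[str]:
    """Enabled TLS 1.2 suites that IDaaS never offers (dead weight in a client's
    cipher list; negotiation with IDaaS would never select them)."""
    known = set(REMAINING_TLS12.values()) | set(REMOVED_2026_03_15.values())
    return {c["name"] for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.2" and c["name"] not in known}
```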
Enterprise Service Gateway (ESG) Deprecation
Entrust will only support the last four releases of the Enterprise Service Gateway (the current version 5.45 and the three previous releases 5.42, 5.43, and 5.44). Entrust recommends that customers always upgrade their Enterprise Service Gateway to the latest release because each release contains security updates to the Enterprise Service Gateway Operating System.
NOTE: In an upcoming release, changes are planned that will break versions of ESG older than 5.33.
In-place upgrade of the ESG is only supported for versions 5.33 or later. Versions of ESG older than 5.33 are no longer supported. To upgrade versions of ESGs older than 5.33 to the new version, use the following procedure:
- Download the latest Gateway OVA or Hyper-V file from IDaaS and install on a new VM instance.
- Add a new Gateway instance to the existing Gateway in IDaaS.
- Register the new Gateway instance with IDaaS.
- Disable the old Gateway instance.
- Repeat these steps to replace all the Gateway instances that use older versions of the ESG.
Once the upgrade is complete, the Gateway instances corresponding to the old ESGs can be deleted from IDaaS and the VMs for those ESG instances can also be deleted.
Browser Deprecation
Microsoft no longer supports the Internet Explorer 11 and Microsoft Edge Legacy browsers. Identity as a Service no longer supports these browsers.
Feature Deprecation
ActiveSync Device Management
IDaaS provided a feature that allowed IDaaS users to perform secure, multi-factor authentication and manage their Microsoft Office 365 ActiveSync devices. The Office 365 capabilities on which this feature depended are no longer supported by Microsoft. This feature was removed from IDaaS in the 5.45 release.