Dell™ One Identity Cloud Access Manager 8.1
Release Notes
October 2015
These release notes provide information about the Dell™ One Identity Cloud Access Manager 8.1 release.
About Dell™ One Identity Cloud Access Manager 8.1
New features
Enhancements
Resolved issues
Known issues
System requirements
Browser support
Product licensing
Getting started with One Identity Cloud Access Manager 8.1
Globalization
About Dell
Legal notices
About Dell™ One Identity Cloud Access
Manager 8.1
Cloud Access Manager delivers real productivity gains to your end users, while minimizing the effort needed to control access to your on-premises applications and cloud service accounts. Cloud Access Manager offers:
• Password wallet and identity federation functions that provide your users with the convenience of single sign-on to all applications, whether they run on your private network or in the public cloud.
• Web access management functionality using its web proxy technology, allowing you to expose your internal web applications securely to external users.
• An easy-to-use customizable application portal that provides your users with a convenient launchpad, allowing them to see and navigate to the applications they have access to.
• Identity federation with home realm discovery that allows you to grant access to users in other forests within your own organization and in other external organizations.
• For extra security you can configure Cloud Access Manager to require two-factor authentication for external users, or to protect sensitive applications.
• Dell™ vWorkspace™ integration to seamlessly bring application virtualization to the Cloud Access Manager environment, allowing vWorkspace application links to be displayed in the application portal, along with other web applications.
• High availability deployment options for continuity of service and scalability to millions of users.
• Dell's Security Analytics Engine, enabling access control rules based on a risk score calculated from a combination of different security information streams.
Cloud Access Manager 8.1 is a minor release, with enhanced features and functionality. See New features and Enhancements.
New features
The following is a list of new features implemented in Cloud Access Manager 8.1.
• Two-factor authentication using one-time passwords generated by Dell's Defender-as-a-Service. You can require your users to enter a Defender-as-a-Service one-time password as an additional method of authentication when accessing sensitive applications. Users can receive a one-time password by SMS text message, by automated phone call, or by using a mobile app.
• Support for Windows Azure™ Active Directory® as an Identity Provider.
• Integration with Microsoft SharePoint®. Cloud Access Manager ships a module which integrates with the SharePoint People Picker, so that an administrator can easily manage authorization policy for federated users. Tools are provided to facilitate establishment of a federated trust between Cloud Access Manager and SharePoint.
• Support for unauthenticated access to proxied applications. Some applications do not require user authentication, and for others it is desirable for user authentication to be performed by the application itself rather than by Cloud Access Manager. For these applications, Cloud Access Manager now allows an application to be proxied without requiring the user to authenticate in order to access it.
• Customization.
o Application Portal. Cloud Access Manager now provides the ability to customize the styling of the app portal using CSS, and to upload a logo image to be displayed in the banner of the app portal. Optionally, the app portal can be styled differently according to which Front-End Authenticator was used to log in.
o Home Realm Discovery and Login Pages. Cloud Access Manager now makes available the HTML and CSS for the home realm discovery page and the login page of the built-in authenticators for full customization. This allows for changes to styling, addition of images, messaging and controls, and JavaScript logic.
o Error Pages. Cloud Access Manager outputs error pages when the user is not authorized to access an application. It also shows an error page when a system error has occurred. This release introduces the ability to customize the text on both of these pages, as required.
• Federated logout. Cloud Access Manager now supports the WS-Federation and SAML 2.0 logout profiles for federated applications. If this option is enabled, when a user logs out of a federated application, or logs out from the app portal, Cloud Access Manager logs the user out of all other federated applications.
• Internationalization support for app portal. Cloud Access Manager now provides the facility for customers to translate the app portal interface into other languages as required.
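The logout fan-out described under "Federated logout", as an added illustration that is not Cloud Access Manager's own code: a minimal SAML 2.0 Single Logout exchange in which the session authority (the role Cloud Access Manager plays) issues one LogoutRequest per application the user signed in to, and the application validates the request (trusted issuer, correct destination, not expired), terminates only the sessions it names, and answers with a LogoutResponse that the authority accepts only once and only for a request it actually sent. The hostnames, the session store and the NameID/SessionIndex values are constructed for the example. A real deployment also signs both messages and verifies the signatures before acting on them; that step is omitted here, as is the WS-Federation sign-out flow.

```python
import base64
import secrets
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_REQUESTER = "urn:oasis:names:tc:SAML:2.0:status:Requester"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)
TS = "%Y-%m-%dT%H:%M:%SZ"


def _new_id():
    return "_" + secrets.token_hex(16)  # xs:ID must not start with a digit


def build_logout_request(issuer, destination, name_id, session_index, now, ttl=120):
    """Session authority side: one LogoutRequest per application the user signed in to."""
    req_id = _new_id()
    root = ET.Element(f"{{{SAMLP}}}LogoutRequest", {
        "ID": req_id, "Version": "2.0", "IssueInstant": now.strftime(TS),
        "Destination": destination, "NotOnOrAfter": (now + timedelta(seconds=ttl)).strftime(TS)})
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = issuer
    ET.SubElement(root, f"{{{SAML}}}NameID").text = name_id
    ET.SubElement(root, f"{{{SAMLP}}}SessionIndex").text = session_index
    return req_id, ET.tostring(root, encoding="unicode")


def build_logout_response(issuer, destination, in_response_to, status, now):
    root = ET.Element(f"{{{SAMLP}}}LogoutResponse", {
        "ID": _new_id(), "Version": "2.0", "IssueInstant": now.strftime(TS),
        "Destination": destination, "InResponseTo": in_response_to})
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = issuer
    status_el = ET.SubElement(root, f"{{{SAMLP}}}Status")
    ET.SubElement(status_el, f"{{{SAMLP}}}StatusCode", {"Value": status})
    return ET.tostring(root, encoding="unicode")


def sp_handle_logout_request(xml, trusted_issuer, my_slo_url, sessions, now):
    """Application side: accept only a fresh request from the trusted issuer addressed to
    this endpoint, then terminate every local session the request names."""
    root = ET.fromstring(xml)
    not_on_or_after = root.get("NotOnOrAfter")
    expired = not_on_or_after is not None and now >= datetime.strptime(
        not_on_or_after, TS).replace(tzinfo=timezone.utc)
    if (root.tag != f"{{{SAMLP}}}LogoutRequest"
            or root.findtext(f"{{{SAML}}}Issuer") != trusted_issuer
            or root.get("Destination") != my_slo_url or expired):
        return root.get("ID"), STATUS_REQUESTER
    name_id = root.findtext(f"{{{SAML}}}NameID")
    index = root.findtext(f"{{{SAMLP}}}SessionIndex")  # absent means every session of the principal
    for key in [k for k, s in sessions.items()
                if s["name_id"] == name_id and (index is None or s["session_index"] == index)]:
        del sessions[key]
    return root.get("ID"), STATUS_SUCCESS


def idp_handle_logout_response(xml, trusted_issuer, outstanding):
    """Session authority side: a response counts only if it answers a request we sent, once."""
    root = ET.fromstring(xml)
    if (root.tag != f"{{{SAMLP}}}LogoutResponse"
            or root.findtext(f"{{{SAML}}}Issuer") != trusted_issuer
            or root.get("InResponseTo") not in outstanding):
        return False  # unsolicited, mis-addressed or replayed
    outstanding.discard(root.get("InResponseTo"))
    code = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    return code is not None and code.get("Value") == STATUS_SUCCESS


def to_redirect_param(xml):
    """HTTP-Redirect binding payload: raw DEFLATE, then base64 (URL-encode before sending)."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml.encode()) + comp.flush()).decode()


def run_single_logout(now=None):
    """Portal logout for 'alice' fans out to the application; 'bob' must survive."""
    now = now or datetime.now(timezone.utc)
    idp, sp = "https://cam.example.com/sts", "https://app.example.com"  # assumed names
    app_sessions = {"c1": {"name_id": "alice", "session_index": "s-42"},
                    "c2": {"name_id": "bob", "session_index": "s-99"}}
    outstanding = set()
    req_id, request = build_logout_request(idp, sp + "/slo", "alice", "s-42", now)
    outstanding.add(req_id)
    rid, status = sp_handle_logout_request(request, idp, sp + "/slo", app_sessions, now)
    response = build_logout_response(sp, idp + "/slo", rid, status, now)
    accepted = idp_handle_logout_response(response, sp, outstanding)
    replayed = idp_handle_logout_response(response, sp, outstanding)  # second delivery
    return accepted, replayed, sorted(app_sessions)


if __name__ == "__main__":
    print(run_single_logout())  # (True, False, ['c2'])
```

The InResponseTo bookkeeping is what stops a captured LogoutResponse from being replayed to mark a still-open session as logged out, and the Destination and NotOnOrAfter checks are what stop a request captured for one application from being redirected to another or kept for later.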
The following is a list of new features implemented in the Security Analytics Engine.
• New method for calculating risk scores - An enhanced calculation method is now used for determining the threat level of an access attempt. This calculation method takes into account the severity of each condition as well as the impact it has on all other conditions within a risk policy. As a result, the risk score is now represented as a percentage from 0 to 100%.
• New configuration capabilities - Risk policies now allow modifiers to be applied to conditions in order to increase or lessen the effect a condition has on a risk score. When modifiers are triggered during an access attempt they only affect the condition they are associated with, rather than the entire risk score.
• New condition types - The following types of conditions are available in the Security Analytics Engine: Abnormal Authentication, Abnormal Browser, Abnormal Location, Abnormal Time, Role List, Associated w/ Application Category, Associated w/ Application Threat Level, Associated w/ Blacklist, Associated w/ Country, Associated w/ Malware, Dynamic Blacklist, Last Logon, LDAP Group, Country List, Authentication List, Network List.
• New LDAP plugin - The LdapPlugin is used for gathering and storing information from the LDAP server.
• New shared risk policies - Create risk policies which can be used by multiple applications while managed from a single place.
• Alerting - Email alerts can now be sent when a certain risk score or condition score is surpassed during an access attempt.
• Expanded reporting capabilities - Lists of audit events can now be downloaded directly from the Security Analytics Engine.
• New Botnet monitoring capabilities - The SonicWALLPlugin (previously called the MalwareDetectionPlugin) can now monitor for connections with botnet command and control servers.
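An illustration of the scoring model these notes describe, added here and not the Security Analytics Engine's own formula (which the notes do not publish): each condition carries a severity, a modifier scales only the condition it belongs to, the result is normalised to a 0 to 100% score against the worst case the policy can express, one shared policy is referenced by several applications, and an alert fires when either the overall score or a single condition's share crosses a threshold. The 1 to 10 severity scale, the thresholds, the policy, the profile data and the four access attempts are all constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List


@dataclass
class Modifier:
    name: str
    factor: float                  # >1 raises, <1 lowers the condition it belongs to
    applies: Callable[[dict], bool]


@dataclass
class Condition:
    name: str
    severity: int                  # assumed scale: 1 (low) to 10 (critical)
    triggered: Callable[[dict], bool]
    modifiers: List[Modifier] = field(default_factory=list)


@dataclass
class RiskPolicy:
    name: str
    conditions: List[Condition]
    alert_score: float = 70.0            # email alert when the overall score passes this
    alert_condition_score: float = 30.0  # or when any single condition's share passes this


def evaluate(policy: RiskPolicy, attempt: dict):
    """Score one access attempt: (overall 0-100, per-condition shares, alert?)."""
    # The ceiling is what every condition would contribute if it fired with its strongest
    # modifier, so the overall score is a percentage of the policy's worst case.
    ceiling = sum(c.severity * max([1.0] + [m.factor for m in c.modifiers]) for c in policy.conditions)
    shares: Dict[str, float] = {}
    for cond in policy.conditions:
        if not cond.triggered(attempt):
            continue
        points = float(cond.severity)
        for mod in cond.modifiers:
            if mod.applies(attempt):      # a modifier scales only its own condition
                points *= mod.factor
        shares[cond.name] = round(100.0 * points / ceiling, 1)
    score = min(100.0, round(sum(shares.values(), 0.0), 1))
    alert = score >= policy.alert_score or any(v >= policy.alert_condition_score for v in shares.values())
    return score, shares, alert


# Constructed profile data standing in for what the LdapPlugin and login history would supply.
USUAL_COUNTRY = {"alice": "GB", "bob": "GB"}

EXTERNAL_WEB = RiskPolicy("external-web", [
    Condition("Abnormal Location", 6, lambda a: a["country"] != USUAL_COUNTRY[a["user"]],
              [Modifier("blacklisted country", 1.5, lambda a: a["country_blacklisted"])]),
    Condition("Abnormal Time", 2, lambda a: not 7 <= a["hour"] < 20),
    Condition("Associated w/ Malware", 10, lambda a: a["malware"],
              [Modifier("managed device", 0.5, lambda a: a["device_trusted"])]),
    Condition("Abnormal Browser", 3, lambda a: not a["browser_seen"]),
])

# One shared policy, referenced by several applications and edited in one place.
POLICIES = {EXTERNAL_WEB.name: EXTERNAL_WEB}
APPLICATIONS = {"owa": "external-web", "salesforce": "external-web"}


def score_for_app(app: str, attempt: dict):
    return evaluate(POLICIES[APPLICATIONS[app]], attempt)


# Constructed access attempts.
ATTEMPTS = {
    "usual": dict(user="alice", country="GB", country_blacklisted=False, hour=10,
                  malware=False, device_trusted=True, browser_seen=True),
    "travelling": dict(user="bob", country="XX", country_blacklisted=True, hour=3,
                       malware=False, device_trusted=False, browser_seen=True),
    "infected-trusted": dict(user="alice", country="GB", country_blacklisted=False, hour=11,
                             malware=True, device_trusted=True, browser_seen=True),
    "infected-unknown": dict(user="alice", country="DE", country_blacklisted=False, hour=11,
                             malware=True, device_trusted=False, browser_seen=True),
}

if __name__ == "__main__":
    for name, attempt in ATTEMPTS.items():
        print(name, score_for_app("owa", attempt))
```

The "travelling" attempt shows the per-condition threshold doing its job: the overall score stays under the 70% policy alert, but the Abnormal Location share alone (severity 6, raised by the blacklisted-country modifier) is enough to raise an alert, while the modifier leaves the Abnormal Time share untouched.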
See also:
Enhancements
Resolved issues
Enhancements
The following is a list of enhancements implemented in Cloud Access Manager 8.1.
Table 1. General enhancements
Enhancement | Issue ID
Improve messaging from LDAP Front-End Authenticator when connected to Active Directory using Virtual Directory Services | STS2060
Audit login of fallback administrator | 346359
Document OAuth single sign-on for native mobile phone apps | 360433
Support multiple email suffixes in Subject Mapping | 366197
Administration interface update | 367427
Improve end user experience when the database connection is down | 372351
Allow trust certificates to be replaced | 379881
Application groups: rename and delete | 382830
Sort the applications list alphabetically | 393005
Configurable absolute session timeout | 412403
Provide ability to customize session expired page | 413179
Add "request an application" link on app portal | 413996
Provide the option to redirect back to the last-accessed application on session expiry | 415999
Reports are now only executed when requested explicitly | 417436
User mapping and deprovisioning lists are now only built when requested explicitly | 417438
Report date format localization | 417439
Warn administrator that primary credentials are not captured when using Kerberos | 417991
Send username to password manager when user elects to change password after expiry | 418833
Improvements to the handling of signing and encryption certificates for SAML applications | 424072
Support for multiple password manager instances | 424465
Prompt administrator to upgrade remaining STS and proxy hosts following an upgrade | 430116
Support form-fill single sign-on to single-page applications by using CSS selectors | 431484
Use Dell standard licensing module for licensing functions | 434054
Validate the domain name when entering proxy URLs | 434310
Administration debug logging warning | 434356
Support signed SAML authentication request on HTTP redirect binding | 436637
Make encryption strength configurable for SAML applications | 436638
Send sid and email context information to Security Analytics Engine | 436742
Allow signing policy to be relaxed on SAML authentication requests | 436929
Administration function to delete selected users and deprovision application user accounts | 437956
Remove redundant option to trial Security Analytics Engine | 441938
Add internationalization support to status pages | 442030
vWorkspace: import app "folders", convert into Cloud Access Manager app "sections", move icons into other sections
Indicate in audit report that login was via a social authentication | 451652
Sign all certificates with SHA-2 | 453631
OAuth v2.0 / OpenID Connect token lifetime configuration | 454047
OAuth v2.0 / OpenID Connect support for opaque access tokens | 454050
OAuth v2.0 / OpenID Connect refresh tokens | 454052
Set Secure flag when clearing CAM_SID and .ASPXAUTH cookies | 455645
Support for IIS 10 | 464135
OpenID Connect: Allow claims to be included in id tokens on a per-application basis | 464756
Include the content length for compressed responses in the proxy access log | 465301
Write performance statistics to the proxy logs | 465558
Remove RC4 cipher suite from default supported list | 465700
OpenID Connect: Add access token expiry time claim (exp) to userinfo endpoint | 466045
Add objectSid to the default user attributes for Front End Authenticators | 466210
OpenID Connect: Allow claims to be included in by-value access tokens | 469058
When replacing an existing certificate, prefill existing certificate domain name | 469327
OAuth v2.0 tokens persisted in database | 471060
Performance improvements to the login process for Active Directory® logins | 472318
Limit access to unprotected content to public and backup folders | 472681
Allow hyphens in header names | 474102
Allow application links for OAuth applications regardless of client type | 474996
Add version number to dbsnapshot | 478735
Adjust default values for Security Analytics Engine risk | 479180
New application configuration template for Dell One Identity Manager 7.0 | 496099
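A post-upgrade check for enhancement 455645 above, added here and not part of Cloud Access Manager or these release notes: a small Set-Cookie parser that inspects every header touching the CAM_SID and .ASPXAUTH session cookies, works out whether the header is setting or clearing the cookie (Max-Age of zero or less, an Expires in the past, or an empty value), and reports any that lack the Secure or HttpOnly flag. The two logout responses are constructed for the example; the actual header shape Cloud Access Manager emits is not documented here.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

SESSION_COOKIES = (".ASPXAUTH", "CAM_SID")  # the two cookies enhancement 455645 concerns
FLAGS = (("secure", "Secure"), ("httponly", "HttpOnly"))


def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, {attribute: value or True})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attrs


def is_clearing(value, attrs, now):
    """True when the header expires the cookie. Max-Age wins over Expires, as in browsers;
    an unparseable attribute is treated as 'not clearing' so it still gets audited as a set."""
    if "max-age" in attrs:
        try:
            return int(attrs["max-age"]) <= 0
        except ValueError:
            return False
    if "expires" in attrs:
        try:
            return parsedate_to_datetime(attrs["expires"]) <= now
        except (TypeError, ValueError):
            return False
    return value == ""


def audit_session_cookies(headers, now=None):
    """One finding per session cookie set or cleared without Secure or HttpOnly."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for header in headers:
        name, value, attrs = parse_set_cookie(header)
        if name not in SESSION_COOKIES:
            continue
        action = "cleared" if is_clearing(value, attrs, now) else "set"
        for key, label in FLAGS:
            if key not in attrs:
                findings.append(f"{name} {action} without {label}")
    return findings


# Constructed logout responses: the first clears the session cookies without Secure,
# the second is what a correct logout response should look like.
LOGOUT_BEFORE = [
    "CAM_SID=; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT; HttpOnly",
    ".ASPXAUTH=; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT; HttpOnly",
    "lang=en; Path=/",
]
LOGOUT_AFTER = [
    "CAM_SID=; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT; HttpOnly; Secure",
    ".ASPXAUTH=; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT; HttpOnly; Secure",
    "lang=en; Path=/",
]

if __name__ == "__main__":
    print(audit_session_cookies(LOGOUT_BEFORE))  # two findings, one per session cookie
    print(audit_session_cookies(LOGOUT_AFTER))   # []
```

Feed it the Set-Cookie headers from a real app portal logout response and it should come back empty; a cookie that is expired with a different flag set from the one it was issued with is exactly what the enhancement corrects. For the companion change in the same table, the removal of RC4 from the default cipher list (465700), the equivalent check is that a TLS handshake restricted to RC4 suites, for example `openssl s_client -connect host:443 -cipher RC4`, fails against the upgraded STS and proxy hosts.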
Resolved issues
The following is a list of issues addressed in this release.
Table 2. General resolved issues
Resolved issue | Issue ID
Server error when showing home realm discovery page when SAML request has a large RelayState
Accessibility: Inconsistent focus display in app portal | 372769
Login form inspection tool should open and warn if unable to identify/use elements from a different domain | 388861
Unable to log out when authenticated with ADFS 2.0 | 406506
Upgrade should stop and restart IIS site | 418211
Audit report has no validation on typed entries into the "Show events from" / "Show events to" fields | 420149
IE 9 failing to submit credentials to OWA 2010 | 420155
Unused _VIEWSTATE parameter unencrypted | 422902
Logout from a session that has reached the default timeout: browser stays at the app portal | 423055
cam.avoidPathsForConfirmPassword should be application-specific | 423769
Keyboard access to remove button on personal links also opens edit dialog | 424094
Accessibility: focus lost on page after closing popup | 424156
OWA reports "Your request couldn't be completed" when proxied | 429288
Admin audit report incorrectly reports changes to Configuration Settings page | 430355
Proxy not updating its configuration in a high-availability deployment with one STS down | 431459
Unicode characters not being displayed correctly as username | 432434
Character translation error in Customize Application Name | 432990
Administrator needs to save Security Analytics Engine configuration twice when not in trial mode | 433433
Blackberry® 9720 display problem on app portal | 435750
Do not add app portal link to the desktop when installing in Production mode | 436186
License shown as expired at UTC time in administration page whereas proxy expires at local time | 437819
Same user or group can be added to a role multiple times | 439467
OpenID Connect Flow Test tool crashes when invalid certificate used for signing | 447541
Cacerts file can be overwritten with zero length file | 447659
No submit button for two-factor authentication OTP page when using IE8 | 447892
SmartcardCtxt field is missing from DB Snapshot | 447971
Cannot add personal links using IE8 | 447980
Save not enabled when unchecking 'Do not store' in Password Wallet | 448366
'Do not store' ignored for proxyless form fill apps | 448368
Front End Authenticator selection page can appear when using step-up two-factor authentication
Special ASCII characters in Application Name cause broken HTML tag to appear on IE9 | 449575
Social authentication login is possible against the wrong Front End Authenticator | 449744
Inconsistent behavior enabling Security Analytics Engine | 450087
Audit report doesn't include "unauthorized login" attempts | 453413
"Invalid Credentials" when using smart card as second authentication factor | 454997
If Google User Provisioning fails, the application is still added to the app portal | 457263
Credentials not displayed in password wallet for vWorkspace in IE 8 | 457461
App links redirecting to login page on Windows Phone 8.1 IE browser | 461729
Salesforce shows login error if the threat level configuration is edited | 461829
Improve error log message when the proxy throws a HTTP 500 error | 463342
OpenID Connect: IAT claim should not be a string | 464758
Redirect to App after Session expiry not working for WS-Federation applications | 467572
Null pointer exception in proxy catalina logs | 469090
Apostrophe in application name prevents app portal from loading | 473115
URL translation tool adds an extra '/' to the translated URL | 474684
Service account password logged in plain text in installation log | 486321
Known issues
The following is a list of issues, including those attributed to third-party products, known to exist at the time of release.
Table 3. General known issues
Known issue | Issue ID
Change password form-fill configuration is not saved successfully when details are entered manually. When configuring change password functionality for a proxied form-fill application in Cloud Access Manager, use the LFIT tool as described in "To configure single sign-on for the form fill application change password page" in the Dell™ One Identity Cloud Access Manager Configuration Guide. | 501393
When using the One Identity Cloud Access Manager for SharePoint application with SharePoint™ 2010, the certificate used for establishing the SAML trust must be placed in the application's executable folder and the application must load it from that location. Otherwise the trust between Cloud Access Manager and SharePoint fails. If the certificate has already been loaded from a different location, move it and reload it using the Update Certificate button; this correctly establishes the trust. | 500504
Browser support
Note that support for Safari®, on Windows, for administrators and end users, has been discontinued in this release.
System requirements
Before installing Cloud Access Manager 8.1, ensure that your system meets the following minimum hardware and software requirements.
Hardware requirements
Database requirements
Hardware requirements
Table 4. Hardware requirements (Security Analytics Engine not operational)
Requirement | Details
Processor | Min. 8 cores
Memory | Min. 8 GB
Hard Disk Space | Min. 200 GB
Operating System | Any of the following:
  Microsoft® Windows Server® 2008 R2 (with latest updates applied)
  Microsoft® Windows Server® 2008 R2 Server Core (with latest updates applied)
  Microsoft® Windows Server® 2012
  Microsoft® Windows Server® 2012 Server Core
  Microsoft® Windows Server® 2012 R2
Table 5. Hardware requirements (Security Analytics Engine operational)
Requirement | Details
Processor | Min. 8 cores
Memory | Min. 8 GB
Hard Disk Space | Min. 250 GB
Operating System | Any of the following:
  Microsoft® Windows Server® 2008 R2 (with latest updates applied)
  Microsoft® Windows Server® 2008 R2 Server Core (with latest updates applied)
  Microsoft® Windows Server® 2012
  Microsoft® Windows Server® 2012 Server Core
  Microsoft® Windows Server® 2012 R2
  Microsoft® Windows Server® 2012 R2 Server Core
Database requirements
Table 6. Database requirements
Requirement | Details
Database | Microsoft® SQL Server® 2014, 2012 R2, 2012, 2008 R2 or 2008
Product licensing
To activate either a trial or a purchased commercial license:
1 Copy the license file to a machine where a Cloud Access Manager STS instance is installed.
2 On the same machine, click the desktop shortcut Cloud Access Manager Administration (fallback login) to log into Cloud Access Manager as the fallback administrator.
3 Click the Licensing link.
4 Click the Upload License button.
5 Select the license file.
Getting started with One Identity Cloud Access Manager 8.1
Upgrade/installation instructions
Upgrade/installation instructions
To upgrade/install this release
Before you install this release, ensure you have a current backup of Cloud Access Manager. This release is provided for all Cloud Access Manager hosts and we recommend that you apply it to each host. For further information on how to back up Cloud Access Manager, refer to the backup and restore instructions in the Dell One Identity Cloud Access Manager Installation Guide.
1 On the STS Host, either mount the release ISO or extract the release ZIP file to a temporary location.
2 Start the Dell Autorun and navigate to the Install section.
3 Click Install on Cloud Access Manager IIS Components.
4 Accept the license terms to start the upgrade.
5 Wait for the installation on the STS Host to complete and click Close.
6 On the Proxy Host, either mount the release ISO or extract the release ZIP file to a temporary location.
7 Start the Dell Autorun and navigate to the Install section.
8 Click Install on Cloud Access Manager Proxy.
9 Accept the license terms to start the installation.
10 Wait for the installation on the Proxy Host to complete and click Close.
Determining if this release is installed
To determine if this release is installed, log in to the Cloud Access Manager Administration Console, click the About button in the top right corner and verify that the version number matches that of the release.
Removing this release
To remove this release, refer to the backup and restore instructions in the Dell One Identity Cloud Access Manager Installation Guide.
NOTE: If you are uninstalling and reinstalling Cloud Access Manager, ensure that you delete the Cloud Access Manager SQL database before reinstalling the product.
Additional resources
Additional information is available from here: Dell One Identity Cloud Access Manager online product documentation
Globalization
This section contains information about installing and operating this product in non-English configurations, such as those needed by customers outside of North America. This section does not replace the materials about supported platforms and configurations found elsewhere in the product documentation.
Third party components
Third party components used in this product can be found listed in the About box in the Dell One Identity Cloud Access Manager Administration User Interface.
About Dell
Dell listens to customers and delivers worldwide innovative technology, business solutions and services they trust and value. For more information, visit www.software.dell.com.
Contacting Dell
Technical support: Online support
Product questions and sales: (800) 306-9329
Email:
Technical support resources
Technical support is available to customers who have purchased Dell software with a valid maintenance contract and to customers who have trial versions. To access the Support Portal, go to
http://software.dell.com/support/.
The Support Portal provides self-help tools you can use to solve problems quickly and independently, 24 hours a day, 365 days a year. In addition, the portal provides direct access to product support engineers through an online Service Request system.
The site enables you to:
Create, update, and manage Service Requests (cases)
View Knowledge Base articles
Obtain product notifications
Download software. For trial software, go to Trial Downloads.
View how-to videos
Legal notices
© 2015 Dell Inc. ALL RIGHTS RESERVED.
This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a software license or nondisclosure agreement. This software may be used or copied only in accordance with the terms of the applicable agreement. No part of this guide may be reproduced or
transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose other than the purchaser’s personal use without the written permission of Dell Inc.
The information in this document is provided in connection with Dell products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of Dell products. EXCEPT AS SET FORTH IN THE TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, DELL ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL DELL BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF DELL HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Dell makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. Dell does not make any commitment to update the information contained in this document.
If you have any questions regarding your potential use of this material, contact:
Dell Inc.
Attn: LEGAL Dept
5 Polaris Way
Aliso Viejo, CA 92656
Refer to our web site (software.dell.com) for regional and international office information.
Trademarks
Dell and the Dell logo are trademarks of Dell Inc. and/or its affiliates. Other trademarks and trade names may be used in this document to refer to either the entities claiming the marks and names or their products. Dell disclaims any proprietary interest in the marks and names of others.
Legend
CAUTION: A CAUTION icon indicates potential damage to hardware or loss of data if instructions are not followed.
WARNING: A WARNING icon indicates a potential for property damage, personal injury, or death.
IMPORTANT NOTE, NOTE, TIP, MOBILE, or VIDEO: An information icon indicates supporting