Chat now with support
Chat with Support

Safeguard Authentication Services 5.0.5 - Release Notes

Safeguard Authentication Services 5.0.5

Safeguard Authentication Services 5.0.5

Release Notes

21 February 2022, 10:46

These release notes provide information about the Safeguard Authentication Services 5.0.5 release. For the most recent documents and product information, see Safeguard Authentication Services - Technical Documentation.

About this release

Safeguard Authentication Services extends the capabilities of UNIX, Linux, and Mac systems to seamlessly and transparently join Active Directory and integrate Unix identities with Active Directory Windows accounts.

Safeguard Authentication Services 5.0.5 is a minor release that includes various bug and stability fixes. See Resolved issues for a list of fixes included in this release.

End of support notice

After careful consideration, One Identity has decided to cease the development of the Management Console for Unix (MCU). Therefore, the MCU will enter limited support for all versions on April 1, 2021. Support for all versions will reach end of life on Nov 1, 2021. For definitions of support, see the Software Product Support Lifecycle Policy.

As One Identity retires the MCU, we are building its feature set into modern platforms starting with Software Distribution and Profiling. Customers that use the MCU to deploy Authentication Services and Safeguard for Sudo can now use our Ansible collections for those products, which can be found at Ansible Galaxy.

New features

New features in version 5.0.5

Safeguard Authentication Services supports group managed service accounts (gMSA). For more information, see Group managed service accounts (gMSA) in the Safeguard Authentication Services Administration Guide.

New features in version 5.0.4
  • All packages shipped by One Identity are now signed. You can verify that the packages you download has been created by One Identity and not by a malicious intermediate.

  • New supported platforms are available. For more information, see Supported platforms.

See also:

New features in version 5.0

Ansible support (224151)

Infrastructure Administrators can use Ansible 2.9 or later for the following functions, including generating reports.

  • Install, upgrade, and uninstall Safeguard Authentication Services (SAS) software packages and create reports to summarize software deploy status
  • Configure and join Safeguard Authentication Services to my AD domain including:
    • Perform preflight checks

    • Modify vas.conf

    • Modify users/groups.allow and users/groups.deny

    • Modify user/group overrides

    • Join/unjoin SAS from domain

    • Create reports to summarize configure/join status

Authentication Services Ansible Collection

The One Identity Authentication Services Ansible Collection, referred to as ansible-authentication-services, consists of roles, modules, plugins, report templates, and sample playbooks to automate software deployment, configuration, Active Directory joining, profiling, and report generation for Safeguard Authentication Services. Go to: https://github.com/OneIdentity/ansible-authentication-services.

Ansible details

For Ansible information consult:

NOTE: One Identity open source projects are supported through One Identity GitHub issues and the One Identity Community. This includes all scripts, plugins, SDKs, modules, code snippets or other solutions. For assistance with any One Identity GitHub project, please raise a new Issue on the One Identity GitHub project page. You may also visit the One Identity Community to ask questions. Requests for assistance made through official One Identity Support will be referred back to GitHub and the One Identity Community forums where those requests can benefit all users.

Explicit mapping of users to valid certificates (smart card) (198067)

Mapping certificates to users can be done implicitly or explicitly. Authentication Services supports mapping one cert to one user or mapping multiple certs to one user. Mapping one cert to multiple users is not supported. For details, see the Smart Cards Administration Guide, Map certificate to user (implicit and explicit).

Group policy updates (198055)

Safeguard Authentication Services can apply additional policies to Unix systems:

  • mac OS X policies are updated
  • Privileged Manager Policies are updated

License validator (198066)

New licenses have to be added prior to upgrading to version 5.0. If you have a mixed environment with some clients running on 5.0 and some running on an older version, you will need to have both licenses available.

CAUTION: If you upgrade Safeguard for Authentication Services before adding the license, the caches will empty and SAS will be unusable. You can add the license then either rejoin or restart vasd and run vastool flush. You can update the Control Center any time without issue.

Windows Administrators can load the Safeguard Authentication Services license into Active Directory.

Unix Administrators must have a current license.

macOS: Added functionality (198050)

The following functionality was added for macOS platforms. For additional information, see KB 322901.

  • Installation is from the One Identity Support page.
  • In Application Properties, an Options tab has been added to control App Store and Game Center settings. For example, you can choose to allow software update notifications.
  • In Media Access Properties, there are two new settings:
    • Allow AirDrop
    • Allow transfers with Finder or iTunes
  • Software Update Properties have been added related to purchasing or installing apps.
  • System Preference Properties selection was enhanced.
  • Wireless Profile Properties now include the ability to use hidden networks, auto join networks, proxies, protocol configurations, and authentication. This policy also works with vascert to provide a certificate that can be used to join a network.

Support for unattended join using Windows Offline Domain Join (ODJ) credentials (198057)

An Administrator can use a Windows Offline Domain Join (ODJ) credential instead of a keytab for scripting an unattended installation of Safeguard Authentication Services to enhance security.

There must be connectivity from the Unix machine to domain controllers. When using this method of joining AD, the [domain] is not needed on the vastool join command, nor credentials. That information will come from the file. More information is in the vastool man page.

The join can work in the following ways:

  • vastool join -j <path to the offline join file>
  • vastool join and use the ENV option AUTHENTICATION_SERVICES_DJOIN_FILE set to the location of a valid djoin file.
  • vastool join and /tmp/AUTHENTICATION_SERVICES_DJOIN file will be used if that file exists, and is a valid djoin file.

For more information, see vastool man page and search for djoin.

Resolved issues

The following is a list of issues addressed in this release.

Table 1: General resolved issues in version 5.0.5
Resolved Issue Issue ID

Fixed an issue where single sign-on (SSO) did not work through the GSS-API if the domain name of the user profile contained lower case letters.

226677

Group Policies are now applied even if the client is in disconnected mode.

293676

Fixed an issue where Microsoft Fix for CVE-2021-42287 update broke Safeguard Authentication Services' functionality.

Previously, updating Microsoft Fix for CVE-2021-42287 and then enabling Enforcement mode caused the following issues:

  • vastool could not complete a join to a domain from Unix/Linux systems.

  • Elevated users could not set passwords.

The issue is now fixed. However, in some cases, after kinit has been used to authenticate as an elevated user, when the Microsoft update is present and Enforcement mode is enabled, the user may need to re-enter their password for certain actions.

297741

Supported platforms

The following table provides a list of supported Unix and Linux platforms for Safeguard Authentication Services.

CAUTION: In Safeguard Authentication Services version 5.1, support for the following Linux platforms and architectures will be deprecated:

  • Linux platforms

    • CentOS Linux 5

    • Oracle Enterprise (OEL) Linux 5

    • Red Hat Enterprise Linux (RHEL) 5

  • Linux architectures

    • IA-64

    • s390

Make sure that you prepare your system for an upgrade to a supported Linux platform and architecture, so that you can upgrade to Safeguard Authentication Services version 5.1 when it is released.

Table 2: Unix agent: Supported platforms

Platform

Version

Architecture

Alma Linux

8

x86_64, AARCH64, PPC64le

Amazon Linux

AMI, 2

x86_64

Apple MacOS

10.14 or later

x86_64, ARM64

CentOS Linux

5, 6, 7, 8

Current Linux architectures: s390, s390x, PPC64, PPC64le, IA-64, x86, x86_64, AARCH64

CentOS Stream

8

x86_64,

Debian

Current supported releases

x86_64, x86, AARCH64

Fedora Linux

Current supported releases

x86_64, x86, AARCH64

FreeBSD

10.x, 11.x, 12.x

x32, x64

HP-UX

11.31

PA, IA-64

IBM AIX

6.1, 7.1, 7.2

Power 4+

OpenSuSE

Current supported releases

x86_64, x86, AARCH64

Oracle Enterprise Linux (OEL)

5, 6, 7, 8

Current Linux architectures: s390, s390x, PPC64, PPC64le, IA-64, x86, x86_64, AARCH64

Oracle Solaris

10 8/11 (Update 10),

11.x

SPARC, x64

Red Hat Enterprise Linux (RHEL)

5, 6, 7, 8

Current Linux architectures: s390, s390x, PPC64, PPC64le, IA-64, x86, x86_64, AARCH64

Rocky Linux

8

x86_64, AARCH64

SuSE Linux Enterprise Server (SLES)/Workstation

11, 12, 15

Current Linux architectures: s390, s390x, PPC64, PPC64le, IA-64, x86, x86_64, AARCH64

Ubuntu

Current supported releases

x86_64, x86, AARCH64

Self Service Tools
Knowledge Base
Notifications & Alerts
Product Support
Software Downloads
Technical Documentation
User Forums
Video Tutorials
RSS Feed
Contact Us
Licensing Assistance
Technical Support
View All
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating