Enterprise Connect

What’s new

5.8.2

Enterprise Connect Passwordless 5.8.2 introduces multiple features that further enhance security while maintaining a seamless user experience. As some of these features require the latest Agent versions, we strongly recommend to use the following:

  • Enterprise Connect Passwordless Windows Agent 3.9.3

  • Enterprise Connect Passwordless Mac Agent 2.7.1

  • Latest version of the Authenticator mobile app

  • Hardware OTP token bulk operations [SSA-13659]: Administrative operations (e.g., deleting tokens) can now be performed on multiple tokens simultaneously. Selection options include several tokens on a page of the Hardware OTP Authenticator list, all tokens on a page, or all tokens on the list.

  • Multiple users per HW token [SSA-13889]: To accommodate users who have more than one AD account, Enterprise Connect Passwordless Server now supports enrollment of multiple users with a single hardware OTP token.

    ecp rel note

  • HW OTP support for RADIUS login [SSA-13930]: Hardware OTP tokens can now be used as a means of authentication to RADIUS services.

  • Nginx server security enhancements [SSA-13235] [SSA-12938]: Enterprise Connect Passwordless Server version 5.8.2 supports use of optional enhanced security settings for the Nginx server. After installing the server, you can enforce these settings by simply uncommenting the relevant lines in the following files:

    • /etc/nginx/conf.d/sdomon.conf

    • /etc/nginx/conf.d/sdomcbe.conf

      To enable stronger cipher suites, uncomment this line:

      # ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-
      POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA
      -AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384";
  • Shared user accounts [SSA-12370]: Designated users can now log into a generic account on a shared workstation using their personal credentials and devices. This feature facilitates smooth login while enhancing authentication security for specific groups of personnel (such as IT, DevOps, manufacturing floor workers, etc.) who use shared workstations.

    New checkboxes in the Settings tab of the MSIUpdater client allow the admin to enable support of shared accounts and control whether the Windows Login screen will allow switching between shared account login and standard account login. Shared account support also requires some configuration in the Enterprise Connect Passwordless Server. For more information, please refer to the ECP Windows Agent.

  • Hardware OTP token support [SSA-13179]: Enterprise Connect Passwordless Server now supports use of HW OTP tokens for login to Windows and the User Portal, in online and/or offline mode. New functionality in the Management Console enables the system admin to easily import lists of supported tokens, and users then enroll using their unique device.

    sdo hw otp support

    Like other authenticators, support of HW OTP token authentication is specified in the settings of integrated directories. For more information, please refer to the Enterprise Connect Passwordless Server Guide.

  • Strong authentication per service [SSA-13514]: Global settings for Adaptive Authentication (which requires an extra layer of security for initial logins from unrecognized devices) can now be overridden for specific services in the new Devices tab of the service settings. Adaptive Authentication can be enabled / disable for a service, or individual settings within the mechanism (such as length of verification code) can be changed as required.

  • Legacy mode support per ADPA service [SSA-12880]: The global setting for Legacy Workstation Agent support (enabled or disabled) can now be overridden for individual Active Directory Authentication services. Legacy workstations are those running versions below Windows Agent 3.3 and Mac Agent 2.3.0.

  • List paging and scrolling enhancements [SSA-13230]: New paging and navigation features in many menus of the Enterprise Connect Passwordless Server Console enable the admin to choose the number of items displayed on a page (10, 20, 50 or 100) and to immediately navigate to any page of the list by selecting the relevant page. Note: These features are not yet implemented for the Manage Users menu.

    sdo list paging scrolling
  • Enhanced Database Server support [SSA-13232]: Enterprise Connect Passwordless Server version 5.8 supports PostgreSQL 15.

  • Option for controlling upgrade of external components [SSA-13714]: The Enterprise Connect Passwordless Server installation file now supports an optional parameter to prevent upgrade of various external components during the installation process, including the Nginx web server, the Redis server and the Node.js runtime environment.

    To implement the parameter:

    1. Add the -s switch followed by the relevant comma-separated keywords: nginx, redis, node.

    2. Make sure to use the following required syntax:

      • -s must be preceded by a double dash

      • There must be no spaces in the comma-separated list

        For example:

        ./octopus-el7-5.8-b0062.run — -s nginx,node
  • Option for disabling auto-search [SSA-13405]: To reduce load on the database, a new parameter in the production.json file can now be set to disable autocomplete when searching for users in the Enterprise Connect Passwordless Server Console.

    To implement this option:

    1. Change the value of the autoSearchEnabled parameter from true to false:

      "autoSearchEnabled": false
    2. Then, restart the service.

In addition, the following additional security-related headers are provided:

  • Content Security Policy: Helps protect your site from XSS attacks by whitelisting sources of approved content.

  • Referrer Policy: Allows your site to control how much information the browser sends to destination servers with navigations away from a document.

  • Permissions Policy: Allows your site to control which features and APIs can be used in the browser.

    To use these headers, uncomment the following lines:

    # add_header Content-Security-Policy "default-src 'self'; script-src 'self'
    'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:";
    # add_header Referrer-Policy 'origin';
    # add_header Permissions-Policy
    geolocation=(),midi=(),microphone=(),camera=(),magnetometer=(),gyroscope=(),
    fullscreen=(self),payment=()";
  • Alternative ACS URL parameter: A new custom parameter for generic SAML services, altAcsUrl, enables you to route SAML requests originating from a mobile device to a dedicated ACS URL. When the parameter is set, the user-agent header of the request is checked. If a mobile user-agent is detected, the altAcsUrl value is used instead of the ACS URL defined in the service settings.

5.4.8

Enterprise Connect Passwordless 5.4.8 provides features that enhance security and we recommended that you install the latest following agents versions for compatibility:

  • Enterprise Connect Passwordless Windows Agent 3.8.4

  • Enterprise Connect Passwordless Mac Agent 2.6.7

Workstation limit per user

You can now define a limit on the number of workstations an end user can authenticate from. Once the end user reaches the limit, authentication to other workstations fails. To accommodate users who need access to many workstations, the Override Workstation Limit setting in a user’s details (Security tab) enables you to specify a limit for each user.

DMZ delegation support

You can now Enable Authentication Servers in the DMZ to communicate directly with a server within the network.

Reporting authenticator plugin

You can enable a third-party authenticator to be the designated reporting authenticator. The third-party authenticator receives workstation authentication event logs so you can view the log reports in a third-party platform.

To enable third-party event reporting, you must specify the reporting authenticator in the Authentication tab of the directory settings.

Management Console minimum password length support

For on-prem deployments, you can now define the minimum number of characters required for local user passwords to access the management console. You specify the value in a new parameter in the configuration file.

Automatic password sync

A new setting enables users to authenticate using the mobile app even when the AD password has changed. When the agent detects a mismatch, the Octopus Authentication Server sends a password reset request, and the user must approve the authentication request to log in successfully. Enable this setting in the Management Console under corporate directory settings.

5.4.4

Initial release of Enterprise Connect Passwordless Servers that provides instructions on how to install the Authentication and Management Console servers and configure the Management Console.