What’s new
Enterprise Connect Passwordless 6.8
Enterprise Connect Passwordless 6.8 introduces multiple features that further enhance security while maintaining a seamless user experience. Some features require the latest agent versions. Ping Identity recommends the following:
New features
-
Report templates: The new reports menu of the management console offers a variety of out-of-the-box report templates that enable system administrators to track and monitor user status, enrollment trends, authentication events, authentication devices, workstation data, and more.
Use the report creation wizard to add reports that are relevant to your organization. You can configure and update the report delivery frequency, format, and method, such as email or download, at any time.
The following report templates are available:
Report templates

| Template name | Description |
| --- | --- |
| Administrative users | Provides a comprehensive summary of users with administrator privileges in the management console. |
| Detailed users | Provides comprehensive data about users based on configurable filtering options. |
| Blocked and disabled users | Provides information about users in the system who are currently blocked or disabled. |
| Idle users | Provides a list of enrolled users who haven’t logged in for a configurable period of time. |
| Idle workstations | Provides a list of workstations that haven’t been used for a configurable period of time. |
| Idle authentication devices | Provides a list of authentication devices that haven’t been used for a configurable period of time. |
| Pending enrollments | Lists users with pending invitations and users who have partially completed the enrollment process. |
| Authentication events | Provides information about successful and unsuccessful authentication events within a configurable period of time. |
| Password rotation events | Provides information about successful and unsuccessful password rotation events within a configurable period of time. |
-
Microsoft Office 365 federation for Entra ID: The authentication server supports Microsoft Office 365 federation with the Enterprise Connect Passwordless platform using Entra ID. The Federated to Octopus setting allows the system administrator to designate new directories as federated (when required) upon directory creation.
Federated Entra ID type directories include a Create User button that lets system administrators add new users directly to the remote Entra ID directory using a simple wizard. After you create new users, the system adds them to the Enterprise Connect Passwordless platform through automatic sync or manual import. Learn more in Configure the management console.
-
OpenID Connect service: The generic OpenID Connect (OIDC) service provides integration between Enterprise Connect Passwordless and any service that supports the standard OIDC protocol. The new service supports OIDC code flow. Learn more in Configure the management console.
-
Ping authenticator plugin: Enterprise Connect Passwordless provides a dedicated template to support Ping Identity as a third-party authenticator. You can configure the plugin as a mobile authenticator, a one-time-passcode (OTP) validator, or both. You can also configure the plugin to use agent token authentication.
-
externalSsoUrl custom parameter for SAML: Add the new externalSsoUrl parameter to any security assertion markup language (SAML) service with single sign-on (SSO) enabled. If users don’t have an SSO token and the parameter exists, the system immediately redirects them to the URL specified in the parameter’s value (usually the SSO URL of the external identity provider).
-
FIDO metadata update: Enterprise Connect Passwordless version 6.8 supports several new Fast Identity Online (FIDO) modules that weren’t supported by previous versions.
Enterprise Connect Passwordless 5.8.2
Enterprise Connect Passwordless 5.8.2 introduces multiple features that further enhance security while maintaining a seamless user experience. As some of these features require the latest Agent versions, Ping Identity recommends the following:
-
Hardware OTP token bulk operations [SSA-13659]: You can perform administrative operations (for example, deleting tokens) on multiple tokens simultaneously. You can select several tokens on a page of the Hardware (one-time password) OTP authenticator list, all tokens on a page, or all tokens on the list.
-
Multiple users per HW token [SSA-13889]: To accommodate users who have more than one AD account, Enterprise Connect Passwordless Server now supports enrollment of multiple users with a single hardware OTP token.

-
HW OTP support for RADIUS sign on [SSA-13930]: You can now use hardware OTP tokens to authenticate to RADIUS services.
-
Nginx server security enhancements [SSA-13235] [SSA-12938]: Enterprise Connect Passwordless Server version 5.8.2 supports use of optional enhanced security settings for the Nginx server. After installing the server, you can enforce these settings by simply uncommenting the relevant lines in the following files:
-
/etc/nginx/conf.d/sdomon.conf
-
/etc/nginx/conf.d/sdomcbe.conf
To enable stronger cipher suites, uncomment this line:
# ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384";
-
Shared user accounts [SSA-12370]: Designated users can now log into a generic account on a shared workstation using their personal credentials and devices. This feature facilitates smooth sign on while enhancing authentication security for specific groups of personnel (such as IT, DevOps, manufacturing floor workers, and others) who use shared workstations.
New checkboxes in the Settings tab of the MSIUpdater client allow the admin to enable support of shared accounts and control whether the Windows sign-on screen will allow switching between shared account sign on and standard account sign on. Shared account support also requires some configuration in the Enterprise Connect Passwordless Server. Learn more in ECP Windows Agent.
-
Hardware OTP token support [SSA-13179]: Enterprise Connect Passwordless Server now supports use of HW OTP tokens for sign on to Windows and the user portal, in online or offline mode. New functionality in the Management Console enables the system admin to import lists of supported tokens, and users then enroll using their unique device.
Like other authenticators, support of HW OTP token authentication is specified in the settings of integrated directories.
-
Strong authentication per service [SSA-13514]: You can now override global settings for adaptive authentication for specific services in the New Devices tab of the service settings. You can enable or disable adaptive authentication for a service, or change individual settings within the mechanism (such as length of verification code) as required.
-
Legacy mode support per ADPA service [SSA-12880]: You can now override the global setting for legacy workstation agent support (enabled or disabled) for individual Active Directory authentication services. Legacy workstations run versions below Windows Agent 3.3 and Mac Agent 2.3.0.
-
List paging and scrolling enhancements [SSA-13230]: You can now use new paging and navigation features in many menus of the Enterprise Connect Passwordless Server console to choose how many items to display on a page (10, 20, 50, or 100) and immediately navigate to any page of the list by selecting the relevant page.
These features aren’t yet implemented for the Manage Users menu.
-
Enhanced Database Server support [SSA-13232]: Enterprise Connect Passwordless Server version 5.8 supports PostgreSQL 15.
-
Option for controlling upgrade of external components [SSA-13714]: The Enterprise Connect Passwordless Server installation file now supports an optional parameter to prevent upgrade of various external components during the installation process, including the Nginx web server, the Redis server and the Node.js runtime environment.
To implement the parameter:
-
Add the -s switch followed by the relevant comma-separated keywords: nginx, redis, and node.
-
Make sure to use the following required syntax:
-
-s must be preceded by a double dash (--)
-
There must be no spaces in the comma-separated list
For example:
./octopus-el7-5.8-b0062.run -- -s nginx,node
-
Option for disabling auto-search [SSA-13405]: To reduce load on the database, a new parameter in the production.json file can now be set to disable autocomplete when searching for users in the Enterprise Connect Passwordless Server Console. To implement this option:
-
Change the value of the autoSearchEnabled parameter from true to false:
"autoSearchEnabled": false
-
Then, restart the service.
-
In addition, the following security-related headers are provided for the Nginx server:
-
Content Security Policy: Helps protect your site from XSS attacks by whitelisting sources of approved content.
-
Referrer Policy: Allows your site to control how much information the browser sends to destination servers with navigation away from a document.
-
Permissions Policy: Allows your site to control which features and APIs can be used in the browser.
To use these headers, uncomment the following lines:
# add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:";
# add_header Referrer-Policy 'origin';
# add_header Permissions-Policy "geolocation=(),midi=(),microphone=(),camera=(),magnetometer=(),gyroscope=(),fullscreen=(self),payment=()";
-
Alternative ACS URL parameter: A new custom parameter for generic SAML services, altAcsUrl, enables you to route SAML requests originating from a mobile device to a dedicated assertion consumer service (ACS) URL. When you set the parameter, the system checks the user-agent header of the request. If it detects a mobile user-agent, it uses the altAcsUrl value instead of the ACS URL defined in the service settings.
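For the optional Nginx settings described above (the ssl_ciphers line and the three security headers), the following added example, which is not vendor code, uncomments only those four directives and then audits which of them are active. It assumes each directive ships as a single commented line of the form "# directive ...;"; the sample file, its shortened values, and the function names are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not vendor code). Assumption: each optional directive ships as
# one commented line, "# <directive> ...;", as in the lines quoted on this page.

NAMES='ssl_ciphers Content-Security-Policy Referrer-Policy Permissions-Policy'

# Uncomment only the four hardening directives; keep <file>.bak for rollback.
enable_hardening() {
  sed -E -i.bak \
    's/^([[:space:]]*)#[[:space:]]*((ssl_ciphers|add_header[[:space:]]+(Content-Security-Policy|Referrer-Policy|Permissions-Policy))[[:space:]].*;[[:space:]]*)$/\1\2/' "$1"
}

# Report each directive's state; exit status = number still inactive.
audit_hardening() {
  local n missing=0
  for n in $NAMES; do
    if grep -Eq "^[[:space:]]*(add_header[[:space:]]+)?${n}[[:space:]]" "$1"; then
      echo "active    $n"
    else
      echo "INACTIVE  $n"; missing=$((missing + 1))
    fi
  done
  return "$missing"
}

# Constructed sample standing in for /etc/nginx/conf.d/sdomon.conf.
write_sample() {
  cat > "$1" <<'EOF'
server {
    listen 443 ssl;
    # ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256";
    # add_header Content-Security-Policy "default-src 'self'; img-src 'self' data:";
    # add_header Referrer-Policy 'origin';
    # add_header Permissions-Policy "geolocation=(),camera=(),fullscreen=(self)";
    # proxy_read_timeout 60;
}
EOF
}

conf=$(mktemp)
write_sample "$conf"
audit_hardening "$conf" || echo "=> $? directive(s) still commented out"
enable_hardening "$conf"
audit_hardening "$conf" && echo "=> all hardening directives active"
rm -f "$conf" "$conf.bak"
# On a real server, run `nginx -t` before reloading so a bad edit never goes live.
```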
Enterprise Connect Passwordless 5.4.8
Enterprise Connect Passwordless 5.4.8 provides features that enhance security. For compatibility, Ping Identity recommends that you install the latest versions of the following agents:
-
Workstation limit per user: You can now define a limit on the number of workstations an end user can authenticate from. After the end user reaches the limit, authentication to other workstations fails. To accommodate users who need access to many workstations, the Override Workstation Limit setting in a user’s details (Security tab) enables you to specify a limit for each user.
-
DMZ delegation support: You can now enable authentication servers in the demilitarized zone (DMZ) to communicate directly with a server within the network.
-
Reporting authenticator plugin: You can enable a third-party authenticator to be the designated reporting authenticator. The third-party authenticator receives workstation authentication event logs so you can view the log reports in a third-party platform.
To enable third-party event reporting, you must specify the reporting authenticator in the Authentication tab of the directory settings.
-
Management console minimum password length support: For on-prem deployments, you can now define the minimum number of characters required for local user passwords to access the management console. You specify the value in a new parameter in the configuration file.
-
Automatic password sync: Users can use a new setting that allows them to authenticate using the mobile app even when the AD password has changed. When the agent detects a mismatch, the authentication server sends a password-reset request, and the user must approve the authentication request to log in successfully. Enable this setting in the management console under corporate directory settings.
Enterprise Connect Passwordless 5.4.4
Initial release of Enterprise Connect Passwordless Servers that provides instructions on how to install the authentication and management console servers and configure the management console.
Learn more in Install Enterprise Connect Passwordless Servers and Configure the management console.