Date: August 3, 2024

Highlights

  • User-Aware SSO for OIDC / Entra ID (Primary Identifier Flow)
  • Improved Config File Download
  • New Location for Agent Logs

Enhancements

User-Aware SSO for OIDC / Entra ID (Primary Identifier Flow)

  • In this release, we’ve added a new option for the OpenID Connect and Entra ID SSO adapters that makes the default view a page asking the user to provide their primary identifier (e.g. email address).
  • This feature enables user-aware login flows as follows:
  1. If the user only has a single registered TruU Authenticator (desktop, mobile, passkey / security key or workflow), we immediately start the login process for that device type.
  2. If the user has multiple options, we will show the account picker, but the picker will be a curated list only showing the options applicable to that user.
  • Upon a successful authentication with a device (non-workflow), the last authentication method will be remembered. That authentication flow will appear as the primary authentication method.
    • NOTE: this feature was introduced for the SAML Adapter in the 24.161 release. However, with OpenID Connect and Entra ID, the feature also supports honoring a login hint. For example, if the user enters their user identifier in Entra ID or Okta and is then redirected to TruU for authentication, that identifier is passed to the TruU adapter and the user will not be prompted by TruU to enter the identifier again.

Improved Config File Download

  • In addition to bundling the config file with the agent download, Admins now have an option to download config files for the desktop authenticators without having to download the installers as well.

New Location for Agent Logs

  • If you configure your environment to have agent logs uploaded to the tenant, we now show the logs on the same page within “Settings” where that configuration is made.

Bug Fixes

  • We have fixed an issue that prevented diagnostics and user enrollment from working when a user’s email address contains an apostrophe.
  • We have fixed a UI issue where text would overlap in enrollment screens on Android when the device font is set to large.

Known Issues

| Ticket Number | Component | Summary |
|---|---|---|
| PLAT-11042 | Event Logging | No event is generated in the Admin Console when a user cancels enrollment. |
| PLAT-9447 | Misc. | Unfriendly error message when Device is below Minimum Device Assurance Level for Application SSO |
| PLAT-9359 | Admin Console | The view of devices does not get updated immediately when dormant settings are modified. If the Admin changes the “Stale Device Handling” configuration under “Settings > Security”, the status for devices (Active / Dormant) may not be accurate for up to 15 minutes as the status is cached and updated every 15 minutes. |
| PLAT-9302 | Admin Console | In rare instances, Admin Console may fail to load. If this happens, refresh the page. |
| PLAT-9891 | PIN Reset | If a PIN profile is updated from not requiring PIN rotation to require PIN rotation, already enrolled devices will not honor that policy. Workaround: manually set the enrolled device(s) to require a PIN change. This will force the user to change their PIN on next check-in, and updated PIN profile will be used moving forward. |
| WA-19238 | Login | Security keys do not work on Windows when Windows Authenticator is configured to require FIDO2. |
| PLAT-11299 | Login | When using SSO for the SAML Adapter configured to require the primary user identifier, the curated method picker screen may contain cached options that are no longer available (if the user has recently viewed that screen, and one of the methods is subsequently removed, and the user navigates back to the screen). |
