PortalGuard v6 Change Log

2025-03-20 - v6.9.2

v6.9.2 includes a minor fix for a UI error during password recovery, along with updates for consistent Duo Push behavior, fixed reCAPTCHA functionality, and enhanced security features such as Content Security Policy and Help Desk protections.

Components modified: PortalGuard (IDaaS/on-prem), UI, PG Desktop

  • A JavaScript bug fix in v6.9.1 causes a UI error during PG Desktop password recovery

  • Password change/reset using Duo Push, “Problems with this authentication method?” now has consistent behavior with the login page

  • Help Desk “Purge Users” functionality prevents accidental deletion of protected accounts

  • Added UTF8 multi-language support

  • Fix for PG Config syslog forwarder settings

  • PG Desktop can be set to enforce FIDO2 user verification

  • IDaaS Default browser “Content Security Policy” updated

  • IDaaS Fix for Batch Importer

  • IDaaS reCAPTCHA on some secondary pages is now working properly

  • IDaaS Fix for Kerberos authentication on certain pages

 

2024-12-31 - v6.9.1

v6.9.1 contains some fixes and enables additional functionality related to features first introduced in v6.9.0.

Components modified: PortalGuard (IDaaS/on-prem), UI, SQL schema update

  • IDaaS Admin Panel bootstrap settings have enabled syslog forwarding configuration

  • IDaaS ActiveDirectory mapped username field changes update user profile data Uname field

  • IDaaS Targeted announcements are now working as expected

  • Duo Universal Prompt conflicts with reCAPTCHA for password reset have been resolved

  • IdP SSO step-up JavaScript error has been fixed

  • BETA Entra ID External Authentication Method feature preview has been enabled for on-prem installations

  • BETA Entra ID External Authentication Method feature preview has enabled FIDO2 and Passkey:YOU authentication

 

2024-11-18 - v6.9.0

v6.9.0 is a major release introducing new features and enhancements for authentication and streamlined deployment.

Components modified: PortalGuard (IDaaS/on-prem), PG Desktop, RADIUS, UI, SQL schema update

  • Users can enroll multiple FIDO2 tokens

  • YubiKey tokens can be enrolled during the login process, using 2FA login enrollment grouping

  • TOTP hardware tokens can be imported for use with PortalGuard via Batch Importer and the PortalGuard Help Desk

  • PortalGuard’s existing IP lockout functionality has been expanded to provide RADIUS password spray attack protection - RADIUSv1 on-prem only

  • The PGConnect installer has streamlined the update process so that uninstalls are no longer required

  • A simplified single PGConnect/DCConnect combo installer ensures that the various PGConnect components are properly installed

  • The PGDesktop installer has streamlined the update process so that uninstalls are no longer required

  • Logging events (Windows Event Log, PortalGuard runtime log) can be forwarded to a log collection server using syslog forwarding - initially for on-prem installations, IDaaS available in a future release

  • Updated certificate-based SmartCardless authentication

  • BETA Microsoft Entra ID External Authentication Method (EAM) integration - Use PortalGuard to supply second factor authentication from Microsoft’s Entra ID authentication flow - initially for IDaaS, on-prem installations available in a future release

  • BETA Social Login integration - allow users to link their PortalGuard account with social logins such as Facebook, Google, LinkedIn via OpenID Connect/OAuth2

 

2024-10-15 - v6.8.7

v6.8.7 includes a single fix for PG Desktop.

Components modified: PortalGuard (IDaaS), PG Desktop

  • PG Desktop: Expired passwords are now managed in their own “change expired password” flow instead of relying on self-service password reset

 

2024-09-24 - v6.8.6

v6.8.6 includes some fixes to v6.8.5, including blastRADIUS mitigation.

Components modified: PortalGuard (IDaaS), PG Desktop, RADIUS

  • Added support for RADIUS Message-Authenticator attribute for blastRADIUS vulnerability mitigation

  • Fixed issue with incomplete processing of large data set Attribute Sync / Group Sync operations

  • Fixed issues related to PG Desktop client and Duo enrollment

 

2024-08-15 - v6.8.5

v6.8.5 includes some bug fixes to v6.8.4. This is a stability-oriented release.

  • A number of SSO related conditions were resulting in errors (IDaaS Linux)

    • SAML single sign-out may result in an error

    • Some OAuth redirects may result in an error

    • Some SAML configurations show error “Size of a request header field exceeds server limit”

  • SSO specific announcements were not working properly (IDaaS Linux)

  • Duo Push behavior fixed for PG Desktop and RADIUS

 

2024-06-25 - v6.8.4

v6.8.4 includes some bug fixes to v6.8.3. This is a stability-oriented release.

  • Using SASL for LDAP bind could result in improper authentication

  • IDaaS Group lookups failed with certain character sets

  • IDaaS Group cleanup not working with MySQL 8

  • Duo Universal Prompt operation did not account for bootstrap mapping setting

  • Duo bypass code creation failed if the underlying Duo user ID changed

  • WEB-key enrollment could sometimes get into a failed state

  • Custom session timeouts were not being honored

  • PG Desktop can be set to use standard logins in AzureAD environments

 

2024-05-15 - v6.8.3

v6.8.3 is a minor release addressing some issues existing in v6.8.2. Minor UI changes are involved.

Components modified: UI, PortalGuard, PG Connect

  • Patch security vulnerability for Duo MFA

  • Duo Universal Prompt unsuccessful attempts were generating excessive strikes

  • PGConnect Password Reset was not able to reset passwords in some configurations

  • License expiration notification email address has been updated

 

2024-05-09 - v6.8.2

v6.8.2 is a minor release addressing some issues existing in v6.8.1. Minor UI changes are involved.

Components modified: UI, PG RADIUS, PG Connect, PG Desktop

  • PortalGuard RADIUS updates for compatibility with Microsoft RRAS VPN

  • PGConnect GroupSync functionality improved handling of changing group membership

  • PGConnect attempts reconnect when a channel is closed (PGReconnect permanently enabled)

  • PGConnect connections are named to assist with troubleshooting

  • PGConnect Config Editor - Cloud Synchronization Group Settings command prompt suppressed

  • Fix for proper redirection when using SSO step-up MFA

  • Fix when selecting alternate 2FA from FIDO2/WebAuthn

  • Fix when selecting alternate 2FA from Duo Universal Prompt

  • Fix for Duo Universal Prompt change password behavior

 

2024-04-19 - v6.8.1

v6.8.1 is a minor release addressing some issues existing in v6.8.0. Minor UI changes are involved. The following issues are fixed in this release:

  • IDaaS SSO Relying Party claims now emit only groups specified in whitelist, if used

  • IDaaS announcements were displaying HTML tags instead of rendering

  • Prevent GroupSync occasional hanging operation

  • PG Connect attribute objectguidencoded has been reverted back to original name, objectguid, for compatibility with existing configurations

  • Duo Universal Prompt support for PortalGuard’s “Remember Browser” feature was not enabled

  • Handle YubiKey server unavailability gracefully

The following fixes have been made for PG Desktop:

  • Password reset works with FIDO2 authentication

  • Offline logins were failing when WEB-key was selected but the fingerprint reader was not connected

  • OTP grace period was not working with offline-mode OTP

  • “Switch user” availability now relies on underlying Windows setting

  • Offline login counter was not being properly reset in some scenarios

 

2024-02-08 - v6.8.0

v6.8.0 includes the following enhancements:

  • Support for Duo Universal Prompt

  • HelpDesk has several new features, including:

    • The ability to purge inactive users from a list

    • Automated gathering of diagnostics for support tickets

  • Improved algorithm for synchronizing ActiveDirectory group membership (IDaaS)

  • Selective exceptions of Kerberos authentication for specific client types

 Additionally, the following fixes have been made:

  • Removing monitored groups no longer results in stale entries (PGConnect/IDaaS)

  • Pattern-based authentication loads consistently

  • Fix for a failure experienced by some first-time users attempting self-service password reset

  • Fix for pattern-based authentication

  • Fix for AzureAD search operation hang

  • Add support for container look up in PGConnect Editor

 

2024-01-10 - v6.7.0

v6.7.0 includes the following enhancements:

  • Certificate Based Authentication

  • Support for multiple WEB-key site configurations provides increased flexibility

  • IDaaS synchronization of ActiveDirectory fields with binary content such as objectGUID via PG Connect

  • Incorporate WEB-key Server and Client 4.1.119x, to enable full support of MobileAuth

  • Allow user enrollment of individual modes to WEB-key by having an initiation line for each in the enrollment screens

 Additionally, the following fixes have been made:

  • Batch Importer functionality preserves existing users' cloud sync attributes

  • A rare crash with some select MS SQL queries in specific environments has been resolved

  • Support for installation on non-English Windows Server OS

  • Non-IDaaS SQL-based user repository group role lookup has been fixed

 

2023-12-22 - v6.6.1.2 IDaaS only update

v6.6.1.2 is a minor release addressing some issues existing in v6.6.1.1. The following issues are fixed in this release:

  1. Security Policies with large password expiration periods may experience user password reset looping.

  2. Minor security improvements have been made.

NOTE: Some self-registration customizations and WiFi/Captive Portal functionality may not be available in this version. If you require this functionality in IDaaS, please contact PortalGuard technical support.

 

2023-10-19 - v6.6.1.1

v6.6.1.1 is a minor release addressing some issues existing in v6.6.1.0. No front-end files have been changed so upgrading from v6.6.1.0 should be seamless.

The following issues are fixed in this release:

  1. Help Desk actions fail when performed by an administrator in a fallback user repository.

  2. Depending on the version of ODBC driver installed, some rare MS SQL queries may result in a process crash, leading to login failures

  3. Active Directory users with the flag “Password never expires” may be stuck in a password reset loop

  4. SMS delivery failures when using file-based user data repository

  5. Interstitial announcements page may result in a HTTP 500 error when clicking “Continue To Your Requested Website”

2023-08-30 - v6.6.1.0 (PG.dll, PG_IdP.dll)

  1. Added integration with Epic Hyperdrive (IdP)

  2. Added support for PKCE (Proof Key for Code Exchange) for OAuth 2.0

  3. Added ability to perform MFA during SSH (2FA API)

  4. Added support for fixed credentials SSO (IDaaS/IdP)

  5. Added certificate based authentication (PGConnect/DCConnect)

  6. Added integration with Nafath Identity Provider API

  7. Added integration with Duo Web v2 SDK

  8. Security enhancements in the following areas:

    • Announcements

    • OAuth

    • Account Management MFA enrollment

    • 2FA API

    • XSS prevention

  9. Various fixes and improvements:

    1. Prevent error due to non-standard Office 365 header with iOS devices (IdP)

    2. Accessibility improvements for better ADA & WCAG compliance

    3. Various WEB-key integration fixes and improvements

    4. Update WEB-key API usage

    5. Update Veridas API usage

    6. Support additional username (UPN) format for Kerberos SSO

    7. Prevent RADIUS initialization failure when using custom settings

    8. Fix inactivity lockout behavior (IDaaS)

    9. General fixes for announcements module

    10. Resolve minor memory leak in email module

    11. Minor SQL script updates

    12. Deprecation of FIDO U2F

2023-03-08 - v6.6.0.3 (PG.dll, PG_IdP.dll)

  1. Minor release to support ID Director for Epic use with WEB-key

2023-02-24 - v6.6.0.2 (PG.dll, PG_IdP.dll)

  1. Support for [PROVIDERNAME] placeholder for SAMLResponse generation

  2. Fix occasional improper date reporting on PortalGuard Dashboard

  3. Silence IDaaS health check logging output, only generates log entries on errors

2023-01-30 - v6.6.0.1 (PG.dll, PG_IdP.dll)

  1. Support for new BIO-key Mobile Authenticator app multifactor authentication methods, in addition to PalmPositive:

    1. BIO-key Mobile Authenticator FacePositive

    2. BIO-key Mobile Authenticator Push

    3. BIO-key Mobile Authenticator device biometrics

  2. SSO Jump Page Bookmarks: PortalGuard’s SSO Jump Page has a dedicated type for tiles that simply use static URLs which do not require SSO protocol support for convenience

  3. SMS throttling and quarantine options help prevent SMS pump attacks

  4. PortalGuard’s RADIUS implementation now supports FIDO2 WebAuthn

    1. NOTE: Requires install/usage of SSO Concierge as “broker” between the FIDO token and VPN Client

  5. Direct Azure AD Domain Joining: use Azure AD as primary domain

  6. PortalGuard’s Help Desk has added customizable LDAP/SQL search filters for global administrators.

  7. Dashboard now displays login name along with the PortalGuard username for more granular reporting information

  8. 2FA-API extended to validate username and password

  9. 2FA-API field ClientType is now case-insensitive

  10. Configurable database column size reduction for better memory usage

  11. Fix for app-specific SSO looping issue related to case-sensitivity and updated IP addresses

  12. Fix for targeted announcements used with CBA 2.0 geolocation

  13. Fix for Help Desk Actions count of “total users affected” when using file-based user profiles

  14. Fix for specific situations with grouped 2FA enrollment and unenrolled default MFA option

  15. Fix involving IP2Location6 table (IDaaS only)

2022-07-26 - v6.5.3.6 (PG.dll)

  1. IDaaS / PG Connect: Improved support for synchronization with multi-domain environments.

  2. Various fixes have been made for "Expire Password on First Login", and "Remember this device" settings.

  3. Support for long Group DNs has been improved.

  4. Fixed unclickable radio buttons when the screen is between 768px - 990px for Grouped 2FA

  5. Changes made to user's default OTP method logic for Grouped Self-Service Password Reset enrollment

  6. Various tooling and back-end improvements have been made for IDaaS transitions and migrations.

  7. IDaaS fix for an issue with the pwdlastset attribute

2022-07-06 - v6.5.3.5 (PG.dll)

  1. Support for Attribute Mapping for IDaaS SQL-based user repositories (Email, Display Name, and User Profile Mapping)

  2. Updated PGConnect and PG.dll to format first time login FullData to match Attribute Sync format (Active Directory and OpenLDAP based repositories)

  3. Resolved SQL repository initialization bug

  4. Change PGConnect to allow the domain to determine whether or not AttributeSync is enabled (prior behavior was to use root level AttributeSyncEnabled flag in PGConnect)

  5. Remember Browser Sessions is shown in the Account Management page with CBA 2.0 enabled.

  6. User selected OTP method is set as the default for self-service actions and will not be overruled by a security policy default method

  7. When changing password, the old saved password in some browser's autofill would be filled in during the OTP confirmation screen. The browser autofill for the OTP confirmation screen has been disabled, and the password field has been hidden, requiring only the OTP. 

2022-06-24 - v6.5.3.4 (PG.dll)

  1. Azure Active Directory integration now utilizes Microsoft Graph API v1.0

  2. Cleaned up how we handle tracked browsers within the UserProfile

  3. Replace MPIR library with Boost Multiprecision library

2022-05-23 - v6.5.3.3 (PG.dll)

  1. WEB-Key enrollment caching is no longer performed by PG. This allows existing WEB-key customers to utilize all their previously enrolled WEB-key data through PG. In prior versions, PG required users to perform WEB-key enrollment through it before it was seen as being available.

  2. RADIUS authentication is now supported against IDaaS using a plug-in module installed on an on-premises FreeRADIUS server. This supports the PAP, CHAP and MSCHAPv2 RADIUS protocols. It utilizes the back end PortalGuard 2FA API and allows the following MFA types: MobileAuth PalmPositive, SMS, Duo Push, TOTP, HOTP, Printed, Email, Help Desk OTPs, RSA SecurID

2022-05-13 - v6.5.3.2 (PG.dll, PG_IdP.dll)

  1. Group-based authorization is now available for managing access to PortalGuard Dashboard

  2. A health check endpoint has been added to enable monitoring of PortalGuard server health. The new endpoint reports the status of PortalGuard’s connection to various backend services, such as databases and user directories.

  3. In addition to IPv4-based geolocation, IPv6-based geolocation is now supported as well. This is mostly utilized in PortalGuard’s Contextual Authentication feature.

  4. For the announcements feature, group-based targeting is now supported

  5. Added support for multiple SAML configs that share the same identifier

  6. AttributeSync is now available for the IDaaS platform, which enables automatic syncing of user attributes (standard and custom fields) between the IDaaS cloud directory and on-premises LDAP or Active Directories. This represents a one-way sync from any on-premises directories to the IDaaS cloud directory that can be scheduled on a recurring basis depending on what type of syncing schedule you want to have. The IDaaS Cloud Directory fully supports password expiry, synchronized with the backend directory.

  7. Miscellaneous changes and fixes:

    1. Event logging functionality is now more robust when encountering an unexpected broken connection to the database (specific for MySQL)

    2. Update _PG-SAML-Metadata-Template.xml file to generate well-formed XML

    3. Fix for decompression of larger SSO customization blobs

    4. DuoPush and Duo OTP can be selected as viable self-service actions

    5. Fixed reports related to Successful PW Resets (CQA, SMS, and Email reports)

    6. Ensure blank passwords are not accepted during VPN MFA (where password and OTP are submitted in the same field)

    7. Prevent browser shell errors on Tippy JS (remove PG_Custom_head.inc from login.aspx)

    8. IdP: Fix for Forms-based SSO config initialization for SQL when using the PortalGuard Admin Panel

    9. IdP: Fix for non-interactive PowerShell logins to Azure AD (via WS-Security)

    10. The search filter for some non-Microsoft LDAP implementations (Domino, Novell) has received a minor fix in the Identity Provider Configuration Editor

2022-03-26 - v6.5.2.9 (PG.dll)

  1. Support for Duo Bypass Codes

2022-01-21 - v6.5.2.8 (PG.dll)

  1. Another fix for ensuring current password isn't reused during initial Set Password action for a user (no PW history in PG)

2021-12-10 - v6.5.2.7 (PG.dll, PG_IdP.dll)

  1. New Writer lock timeout behavior for updating configuration at run-time. Returns error code 1105 if the 5 second timeout occurred before the configuration update could be attempted. In this case the PG server’s runtime configuration was not updated, but (on a good note) the PG server no longer “hangs”. An IISRESET will most likely be needed in this case to apply the new configuration changes.

2021-12-03 - v6.5.2.6 (PG.dll)

  1. Increased max length of acceptable Duo Prompt "OTP" value

2021-11-24 - v6.5.2.6 (PG.dll)

  1. For MobileAuth, changed default PalmID server name and allowed override via new Bootstrap parameter.

2021-11-18 - v6.5.2.5 (PG.dll)

  1. Fixed bug where Duo was reported as YubiKey auth type

2021-11-05 - v6.5.2.5 (PG.dll)

  1. Added "DuoPromptAppKey" field in the bootstrap (generated & encrypted automatically)

  2. Support for use of Duo Prompt in Acct Mgmt, login and step-up MFA

2021-11-03 - v6.5.2.4 (PG_IdP.dll)

  1. Now compressing SSO customization blobs to get under 8000 MS ODBC limit on varchar(max) columns

2021-11-03 - v6.5.2.4 (PG.dll)

  1. Fix for PG Password Change not adding initial PW to PW History

2021-10-29 - v6.5.2.3 (PG.dll, PG_IdP.dll)

  1. (IDaaS only) Support for Attribute Sync

2021-09-27 - v6.5.2.2 (PG.dll)

  1. Support for "custom" value for DuoUsername in bootstrap. Uses new DuoMappingValue meant to take square-bracketed "simplified" values like SQL SSO claims (e.g. [UPN]).

2021-09-26 - v6.5.2.2 (PG_IdP.dll)

  1. Fix for "Group Mapping" claim types in CAS and OAuth

  2. Support for credential vault encryption in IdPAgentThickClientSSO

  3. New IdPAgentThickClientSSO for handling thick client SSO requests

  4. (IDaaS only) Fix for use of [USERNAME] as Simplified SSO claim. CPSRPClaim::GetIdentityValue() had been returning getPGName() from the identity object, but that attribute is now CONFIGURABLE using the "auth_sql_upmapcolumn" setting in the User Repository!

  5. (IDaaS only) Allow placeholder passwords to continue for all IdP-related agents in IdentityEngineSQL. This was blocking Kerberos SSO users from performing federated SSO.

2021-09-26 - v6.5.2.2 (PG.dll, PG_IdP.dll)

  1. Fix in CPSCrypto::AES256CryptExt to return 0 for unexpected key or IV format

  2. Prevent heap corruption when attempting to base64 decode an empty string

  3. Changes in RootCert, RootCertAPI and new functions in CPSCrypto

  4. Now base64-encoding the Thick Client SSO access token so client-side code can use it "as is"

  5. Initial support for Thick Client SSO operations: Access Token creation, Cred Vault upload/download, Template upload/download

2021-09-26 - v6.5.2.2 (PG.dll)

  1. (IDaaS only) Allow placeholder passwords to continue for all IdP-related agents in IdentityEngineSQL. This was blocking Kerberos SSO users from performing federated SSO.

  2. (IDaaS only) Fix to prevent CBA 2.0 from "blocking" users during Kerberos SSO (happens if Geolocation isn't configured correctly -AND- the default/error auth type is "block")

  3. In Azure AD, added code 50158 "External security challenge not satisfied" as an indication the provided password was correct

2021-09-25 - v6.5.2.1 (PG.dll, PG_IdP.dll)

  1. Fixes for CPSDate instantiation from SQL date/times. Caused OAuth UserInfo failures during "spring ahead" DST

2021-09-25 - v6.5.2.1 (PG_IdP.dll)

  1. Fix for SAML IdP metadata being invalid when SLO was enabled, due to improper placement of the <SingleLogoutService> element in the metadata

  2. Fix for app-specific/step-up authentication not working for OAuth/OIDC-based configurations

2021-09-24 - v6.5.2.1 (PG.dll)

  1. Fix bug for HelpDesk actions not working for AD-based directories (a UserProfile key is never set in the CPSHDActionResult object)

2021-09-08 - v6.5.2.1 (PG_IdP.dll, PG.dll)

  1. SAML SSO memory leak fixes

2021-08-31 - v6.5.2.0 (PG.dll, PG_IdP.dll)

  1. Added support for Authy Push

  2. Added support for Twilio as a voice messaging system

2021-08-23 - v1.2.19.9 (PG.NET.dll)

  1. Workaround for BitDefender breaking change where it sets Content-Length to 0 for POST requests and stopped users from logging into PortalGuard

2021-08-06 - v6.5.1.9 (PG.dll)

  1. Increased allowable email TLD (Top-Level Domain) length from 4 to 63 chars

  2. Support for new User Profile mapping field for SQL-based user repositories. The "cleaned" username as provided by the end-user was used previously. Includes changes in HelpDesk.

2021-07-21 - v6.5.1.8 (PG.dll)

  1. Fix for cases where Grouped 2FA enrollment is belatedly enabled for existing users and the SecPol default 2FA method is *not* satisfied by what the user has enrolled. In this case Grouped 2FA enrollment is satisfied, but the user didn't enroll the default, which leads to an enrollment prompt that fails with error 1104 because OTPEnrollType is blank. The fix updates the user's personal default OTP methods if grouped 2FA is satisfied.

2021-07-19 - v6.5.1.7 (PG_IdP.dll)

  1. Fix for Azure AD-based Attribute Stores with SQL-based configurations. Had been erroring out with "CPSAttrStore::initFromJSON(): Unsupported attribute store type 5"

  2. Now printing agent name in log for IdPAgentSSOCustomizations (instead of "<unknown>")

  3. Standardizing on the PGName attribute as the user identifier for SSO Jump Page customizations (had been a problem in calls to saveSSOBlob and deleteSSOBlob)

  4. Allowing OAuth ROPG clientID and secret to be submitted in POST request (had previously only honored Authorization header)

  5. Fix for use of OAuth Resource Owner Password Grant type where the submitted username was not being used in resolution of the repository. This had resulted in "user not found" in multiple directory deployments.

2021-07-07 - v6.5.1.6 (PG.dll & PG_IdP.dll)

  1. Handle MFA for users in Azure AD. Added error code 50076, which means valid creds, but MFA is required for the user.

2021-07-06 - v6.5.1.5 (PG_IdP.dll)

  1. Change in IdPAgentBase to set identity object "authenticated name" so SSO agents work with Kerberos SSO in IDaaS (ignoring the "placeholder" password)

2021-07-06 - v6.5.1.5 (PG.dll)

  1. Changes in AgentDoKerberos to support dynamic user lookup for new users in IDaaS

2021-06-28 - v1.2.0.1 (WEB-keyCOMInterop.dll)

  1. Fix for issue preventing new users from enrolling fingerprints through WEB-key client on PG Desktop

2021-06-28 - v6.5.1.5 (PG_IdP.dll)

  1. Fix for dynamic CAS user field lookup against SQL attribute stores. Now supports use of simplified SSO claims, e.g. [EMAIL]

2021-06-25 - v6.5.1.5 (PG.dll)

  1. Change to how IDaaS LAN2Cloud password sync requests are handled. Using SID instead of username. SID is the strongest possible match and is required if samaccountname is the same in multiple directories (they're using fallback). PGConnect 3.0.0.6 has been modified to include SID in the JSON message and there are new SQL SPs for looking up -AND- updating passwords using SID

2021-06-23 - v6.5.1.5 (PG.dll)

  1. Fix to increment counter for HOTP tokens when used with PG Desktop 2FA

2021-06-16 - v6.5.1.5 (PG_IdP.dll)

  1. Fix for "Group Mapping" claim types in CAS and OAuth

  2. Support for custom SAML metadata. Required for supporting InCommon's "errorURL" SAML metadata attribute: https://refeds.org/specifications/saml-v2-0-metadata-deployment-profile-for-errorurl-version-1-0

2021-05-28 - v6.5.1.5 (PG.dll)

  1. Prevent heap corruption when attempting to base64 decode an empty string

  2. Patch for Kerberos on Mac issue that was originally resolved in a customer-specific patch

2021-05-28 - v6.5.1.4 (PG.dll)

  1. Fix for bug where deleted User Repositories remained in the configuration map even after an update. Now clearing at start of update.

2021-05-17 - v6.5.1.3 (PG_IdP.dll)

  1. WSTrust - Support duplicate IDs for Azure AD domain joining

  2. WSTrust - ACL support for machines (Group & OU) for Azure AD domain joining

2021-05-12 - v6.5.1.3 (PG.dll)

  1. Using random user identifier for MobileAuth transactions instead of username

  2. Fix for Account Unlock via SSPR propagating to PGConnect (had been treating it as a PW reset)

2021-05-11 - v6.5.1.3 (PG_IdP.dll)

  1. Support for [GROUPS_CN] "simplified" SQL claim value (just the bare "CN" of the user's groups)

2021-05-05 - v6.5.1.3 (PG.dll)

  1. Fixed MobileAuth bug where device re-enrollment (which fails) caused an orphaned BKMobileDevice field that prevented further enrollment after user deleted a device.

2021-05-01 - v6.5.1.3 (PG.dll)

  1. Support for multiple domains in IDaaS

2021-05-01 - v6.5.1.3 (PG_IdP.dll)

  1. New "simplified" SQL claim values: [EMAIL_SUFFIX], [EMAIL_PREFIX]

2021-04-27 - v6.5.1.2 (PG.dll)

  1. Fix for MobileAuth enrollment on iOS to ensure duplicate devices aren't enrolled

2021-04-20 - v6.5.1.2 (PG.dll)

  1. Allowing self service actions to continue when a "placeholder" password is encountered (needed for batch imported IDaaS users)

  2. Returning "bare" BIO-key MobileAuth enrollment URL in <bkm_enrollurl> element in addition to QR-encoded version. Allows a URL to be displayed when enrolling on a mobile device.

2021-04-15 - v6.5.1.2 (PG.dll)

  1. Allowing IdEngConfig::resolveHDByOU to continue for SQL-based repositories where DirSync is enabled

  2. Support for clearing BKMobile enrollments from cloud vendor in PG HelpDesk (done for "specific field" -AND- clearing ALL UP fields)

2021-04-09 - v6.5.1.1 (PG.dll)

  1. Support for displaying enrolled BK Mobile devices in Admin DB User Detail Lookup

2021-04-07 - v6.5.1.1 (PG.dll)

  1. Using PG server in BK Mobile messages instead of client IP address

2021-04-06 - v6.5.1.1 (PG.dll)

  1. Changed following default timeouts: AsyncOp purge: 20 min (had been 5 min), PalmID enrollment: 10 min (had been 1 min), PalmID auth: 2 min (had been 1 min)

2021-04-01 - v6.5.1.1 (PG.dll)

  1. Terminating back-end asynchronous polling when a max timeout is reached (measured from the AsyncOp creation timestamp in SQL)

2021-04-01 - v6.5.1.1 (PG_IdP.dll)

  1. Fixes to support Hybrid Azure AD domain joining and "direct" Azure AD domain joining

2021-03-25 - v6.5.1.0 (PG.dll)

  1. Fix for Google Auth used in HMAC mode.

2021-03-16 - v6.5.1.0 (PG.dll)

  1. Support for Duo asynchronous API

  2. Support for Biometric mobile app auth type (all 7 auth types, login enrollment prompting, Grouped 2FA enrollment, pw required/email notification on Acct Mgmt change)

2021-03-11 - v6.5.0.1 (PG.dll)

  1. Generic support for asynchronous operations

  2. Removed useless SQL trace messages

2021-03-03 - v6.5.0.1 (PG.dll)

  1. Fixed SMS and voice OTP delivery for MessageMedia (only changed target URL)

2021-02-28 - v6.5.0.1 (PG.dll)

  1. Consolidated SQL config functionality in SQLConfigAccessor object

2021-02-25 - v6.5.0.1 (PG.dll & PG_IdP.dll)

  1. Fixes to prevent crash when SQL configs are enabled but can't be pulled

2021-02-10 - v6.5.0.0 (PG.dll)

  1. Fix for timezone offset from browser to ensure start & end dates align with admin's local time zone

  2. Changes to prevent login enrollment prompting (MFA & SSPR enrollment, CQA, TOU) during FIDO2 passwordless auth

  3. Fixes to make PG Desktop reporting accurate when WEB-key is used

  4. PG IDaaS: Reverted to reading environment variables from the process's environment block (instead of the registry)

  5. FIDO2 "passwordless" support

  6. Support for clearing SSO Customization user data from the Help Desk console

  7. Ability to export Admin Dashboard report results to CSV

2021-01-27 - v6.5.0.0 (PG_IdP.dll)

  1. Support for Hybrid Azure AD domain joining

  2. Crash fix for escaping '&' chars in the SP entityID

  3. Support for SSO Jump Page customization

2021-01-03 - v6.4.5.1 (PG.dll)

  1. Fix in SQLConfigAccessor.h when logging event error when no configs are present

2020-12-23 - v6.4.5.1 (PG.dll)

  1. Change in hasUserEnrolledDuo() to allow for "token only" enrollments

2020-12-22 - v6.4.5.0 (PG.dll)

  1. Fixes for Azure AD as directory: Fixed bug related to WinHttp class. Needed to add a null terminating character to the HTML response buffer.

  2. Added case-insensitive attribute searching for JSON responses

2020-12-22 - v6.4.5.0 (PG_IdP.dll)

  1. Fixed Azure AD groups bug for CAS and OAuth. Previously unable to send AAD Groups as display name.

2020-12-16 - v6.4.4.0 (PG.dll)

  1. PG IDaaS: GroupSync 2.0 implementation for PGL2C service

  2. PG IDaaS: Tweak to Account Disabling implementation in PGL2C service to perform all operations in the same SQL connection

2020-12-11 - v6.4.3.0 (PG.dll)

  1. PG IDaaS: Support for Kerberos SSO

2020-12-09 - v6.4.2.1 (PG.dll)

  1. Fix in CPSHTTPClient::initResponse() reading in response body in chunks. The temp buffer wasn't NULL terminated so garbage characters could appear at the 4K boundaries.

2020-12-03 - v6.4.2.1 (PG_IdP.dll)

  1. Fix for CAS TARGET values getting doubled '&' chars which breaks the 2nd hop. Only happens when SAML Artifact support is enabled.

2020-12-02 - v6.4.2.1 (PG.dll)

  1. Fix for validating Yubikey OTPs through Duo. If the user had YubiKeys direct in PG, but NOT the one through Duo, OTP checking would stop once the YubiKey was seen as "unenrolled".

2020-11-30 - v6.4.2.1 (PG.dll)

  1. Returning 2FA methods even if there is a problem with SMS delivery. Ensures SMS delivery failures don't prevent any 2FA options from being shown

2020-11-24 - v6.4.2.0 (PG.dll, PG_IdP.dll)

  1. PG IDaaS: Support of disabled account sync

  2. PG IDaaS: Utilizing disabled account status for login

2020-11-17 - v6.4.1.0 (PG.dll, PG_IdP.dll)

  1. Support for Azure AD as a first class directory

2020-11-07 - v6.4.0.0 (PG.dll, PG_IdP.dll)

  1. Support for reading JSON-based configuration files

  2. Support for using SQL-based config files (via environment variables for SQL connectivity)

2020-10-20 - v6.3.4.0 (PG_IdP.dll)

  1. Support for multiple IdP signing certs

2020-10-05 - v6.3.3.0 (PG.dll)

  1. Added support for Duo TOTP token as 2nd factor

2020-09-27 - v6.3.2.5 (PG.dll, PG_IdP.dll)

  1. PG IDaaS: Support for custom text attributes from customer directory

2020-09-10 - v6.3.2.4 (PG.dll)

  1. Fix to copy email address changes from SQL user repository into the <email> element of the User Profile

  2. Directory Fallback support for Desktop 2FA

  3. PG IDaaS: Support for PGConnect Heartbeat/ping

2020-08-23 - v6.3.2.3 (PG.dll)

  1. Fix to prevent Verbal Auth from causing auto-population of Email or Phone for target user

2020-09-09 - v6.3.2.1 (PG_IdP.dll)

  1. Returning ALL groups when using [GROUPS] for SQL formatted claims

2020-08-03 - v6.3.2.2 (PG.dll)

  1. PG IDaaS: Propagate HelpDesk PW reset down to local AD

2020-07-21 - v6.3.2.1 (PG.dll)

  1. Support for customizable session timeouts based on Group or OU membership

  2. Fix for terminated session checking bug. Exiting doPGLogout with an error if agent initialization fails.

2020-07-09 - v6.3.2.0 (PG.dll)

  1. Nebula: Account Activation DirSync fixes (prevent UserAttributes as "extra data" and suppress DirSync during SSPR if PGACT cookie is present)

2020-07-09 - v6.3.2.0 (PG_IdP.dll)

  1. Support for simplified static and user attribute SQL claims in IdP

2020-06-25 - v6.3.1.6 (PG.dll)

  1. Nebula SaaS: Allowing Account Activation to continue when user has PLACEHOLDER password

2020-06-23 - v6.3.1.6 (PG.dll)

  1. Nebula SaaS: Initial support for Group Synchronization

2020-06-19 - v6.3.1.5 (PG.dll)

  1. Fix for PG Desktop offline 2FA with mobile authenticator

2020-06-11 - v6.3.1.4 (PG.dll)

  1. Support for and verification of WEB-key transaction key during operation as smart proxy

2020-06-11 - v1.2.19.2 (PG.NET.dll)

  1. Added passing of WEB-key proxy transaction key to PG_NET.doWEBkeyProxy

2020-06-09 - v6.3.1.4 (PG.dll)

  1. Fixes for WEB-key as Desktop 2FA (passing through WEB-key error codes)

2020-05-31 - v1.2.19.1 (PG.NET.dll)

  1. New "WEBkeyProxyHandler" HTTP handler for PG's WEB-key smart proxy

2020-05-28 - v6.3.1.3 (PG.dll)

  1. Support for WEB-key as Desktop 2FA method

2020-05-27 - v6.3.1.2 (PG.dll)

  1. Added WEB-key enrollment info to Admin DB User Detail Lookup

2020-05-27 - v6.3.1.2 (PG_IdP.dll)

  1. Support for OAuth Refresh Tokens

2020-05-25 - v6.3.1.2 (PG_IdP.dll)

  1. Confirmation of Client Credentials grant feature

  2. Support for OAuth Resource Owner Password Creds grant type

2020-05-22 - v6.3.1.2 (PG.dll)

  1. Fix for crashes when Account Activation is used in conjunction with Directory Fallback

  2. Nebula SaaS: For DirSync, sending Account Unlock message to Nebula for self-service Account Unlock action as well.

2020-05-20 - v6.3.1.2 (PG.dll)

  1. Support for one-time use GUID to prove user identity during Terms of Use (TOU) prompting from the PG Desktop client

2020-05-13 - v6.3.1.1 (PG.dll)

  1. Nebula SaaS: Propagate PG account unlock down to local AD. For HelpDesk and user-initiated unlocks.

2020-05-12 - v6.3.1.0 (PG_IdP.dll)

  1. Crash fix for when Announcements are in place, OAuth SSO is requested and end-user must perform full login as a result of it. Fix in IdPAgentSSOSelector class.

2020-05-09 - v6.3.1.0 (PG_IdP.dll)

  1. Support for OAuth Client Credentials grant

  2. Changes to OAuth configuration to require explicit OAuth grant types to be chosen (requires re-save & potential tweaking of existing OAuth configs!)

2020-05-06 - v6.3.0.3 (PG.dll)

  1. Nebula SaaS: Fix for batch imported users when using DirSync. Verbal Auth and Dashboard User Detail lookup were failing.

  2. Fix for expiring password from Help Desk (stand-alone "expire" action AND during a PW Reset). Now setting LastPWChangeTime to 1/1/1970 (if they're using 'computed' PG pw expiration).

  3. Preventing DB User Detail Lookup from saving any modifications to the target user profile. This can happen if they're using computed PW expiration and the user has never logged in before.

2020-04-28 - v6.3.0.2 (PG.dll)

  1. Changes to support Terms of Use (TOU) acceptance prompting from PG Desktop login

2020-04-23 - v6.3.0.2 (PG.dll)

  1. Handling new return case from Duo preauth check where users were in Duo, but hadn't enrolled any devices. They were being treated as "ready for Duo", but they actually weren't and the cache was stopping Duo from being shown as available after they actually did enroll.

2020-04-16 - v6.3.0.1 (PG.dll)

  1. Nebula SaaS: Fix for catching and correctly erroring out for blank return attributes during DirSync user authentication

2020-04-10 - v6.3.0.1 (PG.dll)

  1. Nebula SaaS: Passing in DirSync SQL config params from bootstrap

2020-04-08 - v6.3.0.1 (PG.dll)

  1. Nebula SaaS: Asynchronous DirSync support

  2. Fix to prevent "No OPENSSL_AppLink" error when generating Root CA in PG_Config (from 2020-04-08 - v6.3.0.0)

2020-04-05 - v6.3.0.1 (PG_IdP.dll)

  1. Support for SP-initiated POST SAML Single LogOut (SLO)

2020-04-05 - v6.3.0.0 (PG.dll)

  1. Visual Studio 2019 port (requires different Visual C++ redistributable)

2020-04-05 - v6.3.0.0 (PG_IdP.dll)

  1. Visual Studio 2019 port (requires different Visual C++ redistributable)

2020-04-01 - v6.2.6.0 (PG.dll)

  1. Change to allow MySQL reporting support for start and end times

  2. Change in Self Registration for MySQL to not advance the result set (MySQL doesn't treat the nested call to cleanUserRegData in getUserRegData as another result set). Associated fixes in AgentLogout & AgentSelfReg as well.

2020-03-25 - v6.2.6.0 (PG.dll)

  1. Fix to ensure server side PW quality rules are returned in the XML for a failed PW reset (they ARE correctly there on a failed PW change). This bug was causing the server side rules to show initially on "New Password" screen, then disappear if they submitted an insufficiently complex password.

2020-03-18 - v6.2.6.0 (PG.dll)

  1. Nebula SaaS: Fix for allowing batch imported users to manually login (checking for PLACEHOLDER as password field)

  2. Change to "saved" pw expiration logic. If the ExpirationDate field is not present and the policy is set to "expire on first use", the LastPWChangeTime is used as the starting point if present.

2020-03-17 - v6.2.6.0 (PG_IdP.dll)

  1. Nebula SaaS: Fix for allowing batch imported users to manually login (checking for PLACEHOLDER as password field)

  2. Support for MySQL in IdPAgentOAuthBase::getAuthZCode

2020-03-12 - v6.2.6.0 (PG_IdP.dll)

  1. Regression fix for sending all groups in a SAMLResponse

2020-03-11 - v6.2.6.0 (PG_IdP.dll)

  1. Fix for Forms SSO crash when "Shared/Fixed creds" type is selected, but template accidentally contains a "Username" or "Password" type field

2020-03-09 - v6.2.6.0 (PG_IdP.dll)

  1. Group mapping claims using tokenGroups field (AD only). NOTE: This does NOT support group name substitution/RegEx!

2020-02-28 - v6.2.5.1 (PG.dll)

  1. Nebula SaaS: Changed DirSync auto-registration to require LoginName/sAMAccountName instead of Email Address (which some accounts may not have)

2020-02-20 - v6.2.5.0 (PG.dll)

  1. Small changes in User Profile mapping for SQL and DirSync to get logins working with either Email or sAMAccountName

2020-02-17 - v6.2.5.0 (PG.dll)

  1. Can return Forgot Username results (single or multiple) to user via email

  2. Can programmatically return a specific username during Web Authentication (Identity values passed back to NetworkAUP.ashx.cs)

  3. Returning new minor error code when AD binds fail due to newer signing & channel binding requirements

2020-02-04 - v6.2.4.0 (PG.dll)

  1. Support for calling a stored proc to get SQL roles

2020-02-03 - v6.2.4.0 (PG_IdP.dll)

  1. Change to make OAuth token endpoint response use a Content-Type of "application/json" (section 3.1.3.3 of https://openid.net/specs/openid-connect-core-1_0.html#TokenRequest)

2020-01-20 - v6.2.4.0 (PG.dll)

  1. Nebula SaaS: Support for LAN-2-Cloud password synchronization

2020-01-23 - v6.2.3.7 (PG.dll)

  1. Support for single quotes in username/email with SQL directories

  2. Added support for wildcard searching in Admin Reports - use [prefix%] -OR- [%suffix] -OR- [%mid%]. These searches are case-insensitive!

2020-01-19 - v6.2.3.6 (PG.dll)

  1. Nebula SaaS: Batch import support for auto-enrolling users (looks for "UserAttributes" field).

2020-01-15 - v6.2.3.6 (PG.dll)

  1. For "post" password changes from the PG Desktop, downgrades the Password Change authentication level to name & password (100) if the security policy requires something higher (e.g. 2FA is 400). The PW change has already been accepted by Windows so PG should not send OTPs, etc.

2019-12-13 - v6.2.3.6 (PG.dll)

  1. Exiting CPSLDAP::expirePasswordByUsername() immediately for non-Active Directory LDAP types (was causing 20 sec hangs/delays)

2019-12-11 - v6.2.3.6 (PG.dll)

  1. Support for searching for exact match only in Help Desk & Admin Db user lookup (triggered when '$' is the end of search term). Works for both LDAP and SQL-based repositories.

2019-12-10 - v6.2.3.6 (PG_IdP.dll)

  1. Support for emitting only a whitelist of UPN suffixes in the IdP Issuer override. This can be used to ensure child/sub-domains are not used in the Issuer value if they inherit from the root domain (the sub-domains have no federation settings of their own). This is most helpful in Office 365. Example value: _http://[UPNSUFFIX:foo.com,bar.com]/pgidp

2019-12-05 - v6.2.3.6 (PG.dll)

  1. Bug fix to ensure Email 2FA enrollment is allowed when "Only allow enrollment from Acct Mgmt page" option is enabled for Phone

  2. In CBA v2 (network and IP-based geolocation), now taking the right-most value IP address when multiple IPs are present (e.g. from use of a proxy)

  3. Added LDAP function: unexpirePasswordByUsername to fix customer-specific issue where PW Resets caused new PW to be seen as 'expire on first use' immediately after

2019-12-05 - v6.2.3.6 (PG_IdP.dll)

  1. Support for dynamic UPN suffix in IdP Issuer override using [UPN_SUFFIX] placeholder. Meant for use with multiple Azure AD child domains. NOTE: This only works for AD-based Attribute Stores -AND- the userPrincipalName must be used as an identity claim to ensure it is available to this feature

  2. Support for Group Whitelist filtering on prefix or suffix using wildcards

  3. Support for redirect_uri values that use Custom URL Schemes (https://www.oauth.com/oauth2-servers/redirect-uris/redirect-uris-native-apps/). These are typically used for mobile apps performing OAuth.

  4. Added LDAP function: unexpirePasswordByUsername

2019-12-03 - v1.2.13.9 (PG.NET.dll)

  1. Removed regex checking on <signoutwhitelist> URLs to allow for mobile app URLs, e.g. com.acme.someapp://idp.acme.com

2019-11-14 - v6.2.3.5 (PG.dll)

  1. Support for writing single "PG_Log.txt" file when environment variable PG_KUBE=1 (for log hooking)

2019-11-04 - v6.2.3.4 (PG.dll)

  1. Fix for DirSync: Using provided username value to find User Profile after user created in SQL

  2. Support for Web Authentication and agreements in Cisco Wireless LAN Controllers

2019-10-23 - v6.2.3.3 (PG.dll)

  1. Support for 2FA Enrollment Grouping (Phone, Email and Mobile Authenticator) - Users must enroll X of Y types as part of 2FA login.

2019-10-23 - v6.2.3.3 (PG_IdP.dll)

  1. In OAuth token endpoint, support for reading client id and secret from "Authorization: Basic" header

2019-10-09 - v6.2.3.2 (PG.dll)

  1. DirSync wrapper changes to allow for initial RMQ connections to be re-tried by the .NET library.

  2. Fix to NOT check for SMS custom XML file if SMS delivery is not set to "Hosted" (had been causing error 1122 on apply/sync if the underlying XML file was never created)

  3. Added logging to show when initialization and refreshConfig finish

2019-10-02 - v6.2.3.2 (PG_IdP.dll)

  1. New code that supports "response_mode=form_post" in OAuth authorization (will POST the resulting Authorization Code instead of a 302 redirect to the callback URL)

  2. New de-duplication code when finding matching configurations for OAuth/OIDC (looks at all GUIDs and removes dupes)

2019-09-27 - v6.2.3.1 (PG_IdP.dll)

  1. Support for CAS/SAML NotBefore clock skew

  2. Fix for regression in getSQLLookupCreds() that passed the db name instead of the configured username

  3. Support for modifying SAML response to indicate whether 2FA was performed by dynamically changing the "AuthnContextClassRef" element value. Use [AUTHTYPE MFA_VAL="somevalue"] placeholder in the SAMLResponse template. The "MFA_VAL" attribute has the value to use for users that performed 2FA; "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" is used otherwise.

2019-09-27 - v1.2.13.8 (PG.NET.dll)

  1. Calling PGCommon.handleCORS() in OAuth and OIDC metadata handlers so it works for AJAX-based JS clients

2019-09-05 - v6.2.3.1 (PG.dll)

  1. Support for multiple ? placeholders in SQL User Search query (to query multiple columns)

2019-08-20 - v6.2.3.0 (PG.dll)

  1. Support for printing LDAP server name after connection

2019-08-12 - v6.2.3.0 (PG.dll)

  1. Initial implementation of DirSync using Rabbit MQ

2019-08-12 - v6.2.2.6 (PG.dll)

  1. Fix in PW expiration checking to honor the hours, minutes and seconds instead of truncating them. This helps prevent PG from treating passwords as expired a day early.

2019-08-12 - v6.2.2.6 (PG_IdP.dll)

  1. Support for RS256, RS384, RS512 signing for OIDC

  2. Added HS256, HS384 & HS512 algorithms to "id_token_signing_alg_values_supported" in the OIDC/jwks.json metadata

  3. Substituting accesstoken in IdPAgentOAuthToken if nonce is missing (for compatibility with Citrix NetScaler).

2019-08-07 - v6.2.2.5 (PG.dll)

  1. Support for Agreements - Can require users to "accept" an agreement before accessing specific federated applications or getting a valid logon session with the PG server. The "accept" (or "reject") timestamps can be reported on from SQL. This feature is an extension to the Announcements feature and is good for ensuring users see and confirm Acceptable Use Policies before continuing.

  2. Optional email notifications for all Account Management actions

  3. Support for sending email notifications when a user changes their password through PG

2019-07-30 - v6.2.2.4 (PG.dll)

  1. Fixed crash when "prevent session re-use" and directory fallback were both enabled

2019-07-23 - v6.2.2.4 (PG.dll)

  1. Fix in CPSHTTPClient to only change WINHTTP_OPTION_CLIENT_CERT_CONTEXT when SSL is enabled

  2. Fix in URLDecode -AND- URLEncode to support UTF-8 chars up to 0xFF (including the £ char).

2019-07-22 - v6.2.2.4 (PG_IdP.dll)

  1. Fix in URLDecode -AND- URLEncode to support UTF-8 chars up to 0xFF (including the £ char)

2019-07-01 - v6.2.2.4 (PG.dll)

  1. Fix in URLDecode to support UTF-8 chars up to 0xFF (including the £ char)

2019-06-27 - v6.2.2.3 (PG.dll)

  1. Support for BIO-key's WEB-key offering as 2nd factor method

2019-06-26 - v6.2.2.2 (PG.dll)

  1. Using new SQL connect timeout setting of 10 sec

2019-06-26 - v6.2.2.2 (PG_IdP.dll)

  1. Using new SQL connect timeout setting of 10 sec

2019-06-24 - v6.2.2.2 (PG.dll)

  1. Support for directory failover.

  2. New HelpDesk & Dashboard user lookup using drop-down list for choosing repository.

2019-06-11 - v6.2.2.1 (PG.dll)

  1. Fix for Account Activation and "PG-POST-File" param being seen as "extra" data

  2. Fix for enforcing Strike Expiration even when Lock Expiration is disabled (ensures the StrikeDateTime field is written when either feature is enabled)

2019-06-07 - v6.2.2.1 (PG.dll)

  1. If the username contains a backslash, we'll never be able to save or restore user profiles if configured to store these in flat files. Change in UserProfileEngineFile to replace the backslashes with hyphens (this is not an issue for SQL-based user profiles).

  2. Including "uid" in global HD type-ahead search filter for Domino and SunOne LDAP types.

  3. Allowing HD Regions to have a blank Base DN (also required a change in PG_Config).

  4. Fix for SMSGlobal (3rd party messaging provider) that was requesting cert-based authentication for all HTTP requests. Now specifying WINHTTP_NO_CLIENT_CERT_CONTEXT in all requests from our HTTP client.

2019-06-07 - v6.2.2.1 (PG_IdP.dll)

  1. Fix to restore "DOMAIN\" prefix to username in IdPAgentFederatedSSO when Domino LDAP is the attribute store. We were treating it as a NetBIOS AD domain and were removing it automatically.

2019-05-21 - v6.2.2.0 (PG.dll)

  1. Fix for Day of Week bug in CBA 2.0 "new browser" email notifications. UTC time was being used for DoW instead of local time.

  2. Patch in AD PSO reading of msDS-MinimumPasswordAge value to IGNORE any values less than 1440 and treat them as 0.

  3. Support for FIDO2 / Web Authentication ("WebAuthn") as a 2nd factor

2019-05-21 - v6.2.2.0 (PG_IdP.dll)

  1. Fix for bug that OAuth configurations could not have the same client_id but different callback URLs (stored as Ids in our configs). Now filtering multiple configuration matches using redirect_uri/callback after initial lookup on client_id. NOTE: This code only runs when "Allow Duplicate IDs" is enabled in the General IdP Settings. Otherwise, the first match is used!

2019-05-02 - v6.2.1.0 (PG.dll)

  1. Version that has undergone annual Manual Penetration Testing by Veracode

  2. Fix to support backup phone indexes for back-end 2FA API

  3. Additional boundary checks based on Veracode static scanning

  4. Checking for a ".wav" extension as part of file validation in AgentAcctVoiceIt::handleRequest()

2019-04-02 - v6.2.0.5 (PG.dll)

  1. Returning details to the UI for all 6 server-side pw quality rules to potentially display all rules:

     a. AD complexity
     b. Minimum age
     c. PW History
     d. PW Dictionary
     e. PW Similarity
     f. RegEx

  2. Fix for positive time zone offsets when dealing with blank/NULL dates in reporting

  3. Extra boundary checking in checkChallengeAnswers to prevent crashes

2019-03-25 - v6.2.0.5 (PG_IdP.dll)

  1. For Forms SSO, replacing double-quote literal (") with its HTML-encoded version (&quot;)

2019-02-28 - v6.2.0.2 (PG_IdP.dll)

  1. Fix to prevent PG server init crashes when value is blank in _PG_IdP_Config.xml (resulted from IdP_Config.exe v6.2.0.0, fixed in v6.2.0.1)

2019-01-27 - v6.2.0.1 (PG_IdP.dll)

  1. Fixes for properly outputting exponent, modulus and thumbprint in jwks.json (for OIDC)

2019-01-21 - v6.2.0.3 (PG.dll)

  1. Fix for properly handling PG-POST-File parameter during new user self-registration.

2019-01-15 - v6.2.0.2 (PG.dll)

  1. Added "Reset failed logon attempts count after X mins" setting to Security Policies.

  2. Support for directly leveraging Active Directory "Password Setting Objects" (PSO) settings instead of duplicating the configuration in Security Policies: Password Complexity, Expiration & Account Lockout Settings

2018-12-28 - v6.2.0.1 (PG.dll)

  1. Fixes for handling import of HOTP token seed values if they contain embedded NUL characters.

2018-12-28 - v6.2.0.1 (UI)

  1. Additional changes to multiple InetPub\PortalGuard files related to WCAG 2.0 conformance.

2018-12-17 - v6.2.0.0 (PG_IdP.dll)

  1. Support for OAuth v2.0.

  2. Support for OpenID Connect v1.0.

  3. CAS fix for using the URL's full path if no query string arguments are provided in the request. This can fix errors related to the CAS logout action.

2018-12-17 - v6.2.0.0 (PG.dll)

  1. Support for use of Google reCAPTCHA on main PG login form.

  2. New setting to prevent end-users from changing any YubiKey enrollment (they can only be batch imported when enabled).

2018-11-30 - v6.1.0.0 (PG.dll)

  1. FIDO U2F support.

  2. Support for voice biometrics OTP type through VoiceIt service provider. Had to add logic to prevent voice biometric phrases from being seen as potential YubiKey OTPs.

  3. Support for smart card-based logons to PG.

  4. Fix for creating PG SSO cookie after password change as well (was only being done on login, prior)

  5. Password Recovery Fix: HTML-encoding the value to ensure XML processing doesn't break in PG.NET. Characters containing reserved XML characters (e.g. '&') were not displaying.

  6. Returning new element on AcctMgmt to indicate if Duo is enabled for any actions in the security policy.

  7. Fix for Verbal Authentication - Ensuring the HD user's groups and OUs are cleared before looking up the target user. Without the fix, this could result in the wrong security policy being applied to the target user.

2018-11-30 - v6.1.0.0 (PG_IdP.dll)

  1. Fix in CAS agent for using the full path if no query string is provided in the request

  2. In IP Blocking feature, not doing any blocking when the IP value is blank.

  3. Checking static white list before adding an entry to the dynamic IP blacklist. Prevents "new dynamic IP blocked" email when the IP is already white-listed.

  4. For easier log parsing, adding "X-MS-Forwarded-Client-IP={IP}" to the log line showing username when a WS-Sec auth fails.

  5. Support for static formatting around Group CNs for SAML/WS-Fed

2018-09-17 - v6.0.0.5 (PG.dll)

  1. Fix to enforce blocked access via CBA v2.0

  2. UI: Fix for phone type radio button selector javascript bug

2018-08-16 - v6.0.0.4 (PG.dll)

  1. Support for grouping Challenge Answers, Phone & Email enrollments and allowing a subset to satisfy the enrollment requirement (e.g. 1 of 2, 2 of 3).

2018-07-31 - v6.0.0.3 (PG.dll)

  1. Restored IP geolocation support in CBA v2.0

2018-07-30 - v6.0.0.3 (PG_IdP.dll)

  1. HTML encoding any double-quotes in RelayState so it doesn't break the POST

  2. For Banner 9 AppNav integration, changed the CAS "jsessionid" behavior to truncate EITHER or BOTH the "svc" value in the request and the value stored in SQL.

2018-07-24 - v6.0.0.2 (PG_IdP.dll)

  1. IP Lockout no longer blocking requests where X-MS-Forwarded-Client-IP request header is "blank".

  2. Critical section now being released in exception handlers if an exception occurs during SAML signing.

2018-07-19 - v6.0.0.2 (PG.dll)

  1. PW dictionary fix to lowercase the actual dictionary words as well during "contains" checking. If the words had any capital letters in the config, they weren't matching.

2018-07-12 - v6.0.0.1 (PG.dll)

  1. Fix for deadlock when performing update/sync when long running agents tried to filter event reporting.

2018-07-12 - v6.0.0.1 (PG_IdP.dll)

  1. Using shared reader lock approach on Bootstrap access from AgentBase, minimizes number of read locks IdP agents request.

2018-06-27 - v6.0.0.0 (PG.dll)

  1. Suppressing "unknown OTP type" error when Duo is available, but user failed validating with different type (e.g. phone).

  2. Support for report event filtering.

  3. Fix for crashes when using KBA and reducing the number of challenge questions in the security policy. Now returns PGAPI_RC_CONFIG_ERROR/1122, which displays the following error on the Login page: "The security policy is incorrectly configured - please contact the administrator"

  4. Support for writing PGAS cookie to reflect authentication type for app-specific 2FA.

2018-06-28 - v6.0.0.0 (PG_IdP.dll)

  1. For NameID claims, only adding the "Format" attribute if the schema value is non-blank.

  2. Support for report event filtering.

  3. Support for SSO to legacy web applications.

  4. Support for app-specific 2FA.

  5. Support for IP blocking "whitelist".

  6. Support for "persistent" IP blocking for Office 365/WS-Security logins.

  7. Support for claim case conversion: UPPER(2), lower(1) or No Change(0).
