PortalGuard v5 Change Log

PortalGuard Version 5.x

2018-06-05 - v5.8.0.0 (PG_IdP.dll)

  1. Detecting MS Edge as a browser type for reporting

  2. Fix in CAS to remove whitespace characters from POSTed XML artifact data

  3. Support for identity claim case conversion: UPPER(2), lower(1) or No Change(0)

2018-06-01 - v5.8.0.1 (PG.dll)

  1. Fix for "Skip OTP for initial pw change" setting when requiring 2FA when setting a new password

2018-05-25 - v5.8.0.0 (PG.dll)

  1. Duo Push support

  2. Excluding Desktop 2FA agent from login anti-CSRF enforcement

  3. Detecting MS Edge as a browser type for reporting

  4. RADIUS: Changed cache expiration checking to consider a 0 second time difference OK instead of expired. Can occur when someone immediately submits a *blank* OTP.

  5. RADIUS: Allow blank password attributes to continue further into the agent so the RADIUS server sends a response back. Ensures RADIUS client/firewall doesn't retry continuously, eventually marking the PG RADIUS server as "unresponsive"

2018-05-03 - v5.7.0.1 (PG.dll)

  1. Interpreting error 1329/ERROR_INVALID_WORKSTATION from AD as correct username/password (primarily for PG Desktop 2FA)

2018-04-30 - v5.7.0.0 (PG.dll)

  1. Support for Lanyard Login

  2. Reversibly encrypting lanyard login authdata instead of hashing (so bulk operations don't invalidate existing ones)

  3. Fix in Forgot Username action to return different error code if NO matches (1333) vs. MULTIPLE matches (1334) are found

  4. Fix for "Add Phone" link not being available on Acct Mgmt page when backup phones is 0 but primary hasn't yet been enrolled.

2018-04-24 - v5.7.0.0 (PG_IdP.dll)

  1. Support for new SAML digest and signing algorithms: SHA-256, SHA-384, SHA-512

  2. Support for configurable SAML canonicalization algorithm on General IdP and RP levels

  3. Fix for CAS username lookup when additional claims are sent back in a standard CAS response

  4. Support for extra attributes and namespace on <AttributeValue> elements in SAML

  5. Can whitelist groups to allow only specific groups to be included as claims (rather than releasing all of a user's group membership!)

  6. Can have an extra child element under <AttributeValue> with configurable element name and attributes

  7. Fix for removing empty AttributeStatement element so our SAML is valid XML (according to SAML schema/XSD) (backported from v6.0.0.0)

2018-01-22 - v5.6.4.2 (PG.dll)

  1. Support for Linux crypt in SQL repositories ("$6$" prefix only, i.e. SHA-512 crypt; without a rounds= field this means 5000 rounds)
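
Example (added here, not PortalGuard code): a verifier for the "$6$" hashes this entry refers to, following Ulrich Drepper's SHA-512 crypt specification, so a stored SQL value can be checked offline. The test vector used is the one published with that specification; nothing else is taken from the page.

```python
import hashlib
import hmac

# Added example, not PortalGuard code: verify a Linux "$6$" hash (SHA-512 crypt)
# of the kind a SQL user repository might store.  It follows Ulrich Drepper's
# "Unix crypt using SHA-256 and SHA-512" specification; only the $6$ prefix is
# handled, with an optional rounds=N$ field (absent means the default 5000).

_ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
_DEFAULT_ROUNDS = 5000

# Byte order of the final digest in the encoded output (from the spec): each
# triple becomes 24 bits emitted as four characters, the last byte as two.
_ORDER = [
    (0, 21, 42), (22, 43, 1), (44, 2, 23), (3, 24, 45), (25, 46, 4),
    (47, 5, 26), (6, 27, 48), (28, 49, 7), (50, 8, 29), (9, 30, 51),
    (31, 52, 10), (53, 11, 32), (12, 33, 54), (34, 55, 13), (56, 14, 35),
    (15, 36, 57), (37, 58, 16), (59, 17, 38), (18, 39, 60), (40, 61, 19),
    (62, 20, 41),
]


def _b64_from_24bit(b2: int, b1: int, b0: int, n: int) -> str:
    word = (b2 << 16) | (b1 << 8) | b0
    chars = []
    for _ in range(n):
        chars.append(_ITOA64[word & 0x3F])
        word >>= 6
    return "".join(chars)


def sha512_crypt(password: str, salt: str, rounds: int = _DEFAULT_ROUNDS) -> str:
    """Return the full "$6$[rounds=N$]salt$hash" string for password."""
    pw = password.encode("utf-8")
    salt_b = salt.encode("utf-8")[:16]             # salt is capped at 16 bytes (ASCII assumed)
    rounds = max(1000, min(rounds, 999_999_999))   # clamped as the spec requires

    # Digest B = SHA-512(password + salt + password).
    b = hashlib.sha512(pw + salt_b + pw).digest()

    # Digest A = SHA-512(password + salt + B repeated to len(password) +
    #   for each bit of len(password), LSB first: B if the bit is set, else password).
    a = hashlib.sha512(pw + salt_b)
    n = len(pw)
    while n > 64:
        a.update(b)
        n -= 64
    a.update(b[:n])
    n = len(pw)
    while n > 0:
        a.update(b if n & 1 else pw)
        n >>= 1
    a = a.digest()

    # P = SHA-512(password repeated len(password) times), cut to len(password).
    dp = hashlib.sha512(pw * len(pw)).digest()
    p = (dp * (len(pw) // 64 + 1))[:len(pw)]
    # S = SHA-512(salt repeated 16 + A[0] times), cut to len(salt).
    ds = hashlib.sha512(salt_b * (16 + a[0])).digest()
    s = (ds * (len(salt_b) // 64 + 1))[:len(salt_b)]

    # The cost loop: mix P, S and the running digest in the spec's fixed pattern.
    c = a
    for i in range(rounds):
        h = hashlib.sha512()
        h.update(p if i & 1 else c)
        if i % 3:
            h.update(s)
        if i % 7:
            h.update(p)
        h.update(c if i & 1 else p)
        c = h.digest()

    encoded = "".join(_b64_from_24bit(c[x], c[y], c[z], 4) for x, y, z in _ORDER)
    encoded += _b64_from_24bit(0, 0, c[63], 2)
    prefix = "$6$" if rounds == _DEFAULT_ROUNDS else f"$6$rounds={rounds}$"
    return f"{prefix}{salt_b.decode('utf-8')}${encoded}"


def verify_sha512_crypt(password: str, stored: str) -> bool:
    """Recompute the hash from the stored salt/rounds and compare in constant time."""
    if not stored.startswith("$6$"):
        return False                               # other crypt schemes are not handled
    fields = stored[3:].split("$")
    rounds = _DEFAULT_ROUNDS
    try:
        if fields and fields[0].startswith("rounds="):
            rounds = int(fields.pop(0)[len("rounds="):])
    except ValueError:
        return False
    if len(fields) != 2:
        return False
    salt, expected = fields
    computed = sha512_crypt(password, salt, rounds).rsplit("$", 1)[1]
    return hmac.compare_digest(computed, expected)
```

The stored string carries its own salt and, when present, its rounds= field, so the verifier parses those rather than trusting any defaults; only the final hash field is compared, in constant time.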

2018-01-19 - v5.6.4.2 (PG.dll)

  1. Option to also save Mandatory answers as Verbal Auth answers (for Ingham ISD)

2018-01-16 - v5.6.4.2 (PG.dll)

  1. Fix for PG Desktop skip enrollment looping when both Optional and Mandatory answer enrollment were enabled

  2. Fix for PG Desktop CQA skipping when PW recovery -AND- offline recovery were enabled (skip wasn't being honored in PGD)

2018-01-09 - v5.6.4.2 (PG_IdP.dll)

  1. CAS SSO fix for Banner 9 AppNav links that include ";jsessionid=" in the service parameter of the initial "/cas/login" request but have it removed from the subsequent "TARGET" in the /cas/samlValidate call

  2. Fix for Exchange 2013 ECP XSRF error, now clearing window.opener when redirecting from SSO Jump Page (from v5.6.0.1 for Unity)

2018-01-04 - v5.6.4.2 (PG.dll)

  1. Fix for PG Help Desk authorization checking when no Help Desk regions are defined and Group authorization support is misconfigured

2017-12-05 - v5.6.4.1 (PG_IdP.dll)

  1. Support for extra attributes and namespace on <AttributeValue> elements in SAML

  2. Can whitelist groups to allow only specific groups to be included as claims (rather than releasing all of a user's group membership!)

  3. Can have an extra child element under <AttributeValue> with configurable element name and attributes

  4. Fix for removing empty AttributeStatement element so our SAML is valid XML (according to SAML schema/XSD) (backported from v6.0.0.0)

2017-09-14 - v5.6.4.0 (PG.dll)

  1. Support for bootstrap setting to enable/disable terminated session enforcement/tracking

2017-09-01 - v5.6.4.0 (PG_IdP.dll)

  1. Fix for accessing a specific index of a multi-valued field

2017-08-22 - v5.6.4.0 (PG.dll)

  1. Support for requiring password re-prompt on Acct Mgmt page when performing certain actions

2017-08-21 - v5.6.4.0 (PG.dll)

  1. Support for preventing CAPTCHA re-use during Forgot User lookup

2017-08-02 - v5.6.4.0 (PG_IdP.dll)

  1. Created new [EXP_TIME-1] template placeholder to satisfy SPs that need SubjectConfirmationData/@NotOnOrAfter earlier than the same attribute in the <Conditions> element.

2017-07-21 - v5.6.3.1 (PG.dll)

  1. Fix for XML escaping group and OU names in getGroupsByUsername. This had been causing a stack trace to appear on the login screen if the user was a member of a group that contained '&'.

NOTE: This fix does NOT allow Announcement targeting to groups that contain '&' (or other reserved XML chars).

2017-07-03 - v5.6.3.0 (PG.dll)

  1. Support for custom SMS delivery

  2. Returning 2FA options in account management page when 2FA opt-in is enabled, but the user has not yet opted-in (so we can check enrollment status before allowing opt-in)

2017-06-26 - v5.6.2.3 (PG.dll)

  1. Support for end-user self activation

2017-06-13 - v5.6.2.2 (PG.dll)

  1. Fix for Dashboard reporting results by start/end date returning results as of UTC instead of local time

  2. Fix for showing correct computed AD expiration date in Dashboard User Lookup

2017-06-08 - v5.6.2.1 (PG.dll)

  1. Allowing Login OTP override on Account Management page when CBA is enabled

2017-05-26 - v5.6.2.0 (PG.dll)

  1. Support for new "computed" PW Expiration model - expiration date is computed at runtime based on Last Password Change date

  2. Support for HTML formatting in PW Expiration Reminder emails

  3. Support for Email PW Expiration Reminders to include user-specific fields in the email (e.g. first name, last name, account name).

  4. Support for Email PW Expiration Reminders to use "msDS-UserPasswordExpiryTimeComputed" attribute to accurately represent AD password expiration

  5. License expiration warning emails - to customer email(s) and licensecheck@portalguard.com

  6. Now storing Kerberos SSO activity and created new associated report

  7. New "Easy to read" OTP character set, letters: ABCDEFGHJKLMNPQRTUVWXY, numbers: 346789. Removed: I & 1, O & 0, S & 5, Z & 2

  8. Support for batch importing the following user profile fields: OTPMethod_Login_UserOverride, OTPMethod_ChangePW_UserOverride, OTPMethod_RADIUS_UserOverride, OTPMethod_Desk2FA_UserOverride, OTPMethod_UnlockAcct_UserOverride, OTPMethod_ResetPW_UserOverride, OTPMethod_RecoverPW_UserOverride
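
Example (added here, not PortalGuard code): the "computed" expiration model from items 1 and 4 above, worked through with AD attribute values. It prefers msDS-UserPasswordExpiryTimeComputed and falls back to pwdLastSet plus a configured maximum age; the sample entries, the 90-day maximum age and the reminder window are constructed for this example.

```python
from datetime import datetime, timedelta, timezone

# Added example, not PortalGuard code: compute a password expiration date at
# runtime from AD attributes, preferring msDS-UserPasswordExpiryTimeComputed
# (AD has already applied the effective policy, including fine-grained password
# policies) and falling back to pwdLastSet plus a configured maximum age.

_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
_NEVER = 0x7FFFFFFFFFFFFFFF            # AD's "never expires" sentinel
_UAC_DONT_EXPIRE_PASSWORD = 0x10000    # userAccountControl flag


def utc(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


def filetime_to_datetime(ticks: int):
    """AD large integers are 100 ns ticks since 1601-01-01 UTC.  Returns an
    aware UTC datetime, or None for 0 and the "never" sentinel."""
    if ticks in (0, _NEVER):
        return None
    return _FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def password_expiry(entry: dict, max_age_days: int, now: datetime):
    """Return (expires_at, days_remaining).  Both are None when the password
    never expires; days_remaining is negative once it has expired."""
    if int(entry.get("userAccountControl", 0)) & _UAC_DONT_EXPIRE_PASSWORD:
        return None, None
    computed = entry.get("msDS-UserPasswordExpiryTimeComputed")
    if computed is not None:
        expires_at = filetime_to_datetime(int(computed))
        if expires_at is None:
            return None, None
    else:
        last_set = filetime_to_datetime(int(entry["pwdLastSet"]))
        if last_set is None:
            return now, 0              # pwdLastSet == 0: must change at next logon
        expires_at = last_set + timedelta(days=max_age_days)
    return expires_at, (expires_at - now).days


def reminder_report(entries: dict, max_age_days: int, now: datetime, remind_within_days: int) -> dict:
    """Users whose password expires within the reminder window (or already has)."""
    due = {}
    for name, entry in entries.items():
        _, days = password_expiry(entry, max_age_days, now)
        if days is not None and days <= remind_within_days:
            due[name] = days
    return due


# Constructed sample entries (values are the string form LDAP returns).
SAMPLE_ENTRIES = {
    "alice": {"msDS-UserPasswordExpiryTimeComputed": "131722848000000000"},  # 2018-06-01
    "bob": {"pwdLastSet": "131696064000000000"},                              # 2018-05-01
    "carol": {"pwdLastSet": "131696064000000000", "userAccountControl": "66048"},  # DONT_EXPIRE
    "dave": {"pwdLastSet": "0"},                                              # must change
}
NOW = utc(2018, 5, 25)   # constructed "current time" for the example
```

Note that the computed attribute is constructed by the DC per query and is not replicated, so it must be requested explicitly in the LDAP search; the pwdLastSet fallback is only correct when the configured maximum age matches the policy that actually applies to the user.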

2017-05-26 - v5.6.2.0 (PG_IdP.dll)

  1. CAS username manipulation (optional lookup, case change and parsing)

  2. Support for a static protocol, servername and port in the PG IdP metadata. By default, it uses the values from the request.

2017-05-26 - v1.2.11.4 (PG.NET.dll)

  1. Removing leading and trailing whitespace from authenticated usernames, standardized on use of PGCommon.getCurrentUsername("")

2017-05-19 - v5.6.1.0 (PG.dll)

  1. Support for authentication against Azure AD as a User Repository

2017-04-26 - v5.6.0.7 (PG.dll)

  1. Another fix for mobile app enrollment prompt when CBA results in 1FA

2017-04-26 - v5.6.0.6 (PG.dll)

  1. When receiving CONSTRAINT_VIOLATION from AD, now returning the "UNWILLING" error code, since it typically means AD rejected the new password for complexity reasons (e.g. the new password contained the user's name)

  2. Fix for Mobile App enrollment prompting when CBA results in single factor login

2017-04-26 - v5.6.0.5 (PG.dll)

  1. Fix for 2FA via CBA when mixed with Mobile Authenticator login prompting

2017-04-25 - v5.6.0.4 (PG.dll)

  1. Fix for AD pre-emptive password sync during initial account link. Now looking up AD user attributes (when it's secondary)

2017-04-25 - v5.6.0.3 (PG.dll)

  1. Fix for bug in reCAPTCHA display when the password is expired in the PG user profile (was not a problem when expired in the directory)

2017-04-24 - v5.6.0.2 (PG.dll)

  1. Fix for bug in password history when multiple entries needed to be deleted (if the security policy setting was reduced after a user had more than now allowable)

2017-04-07 - v5.6.0.1 (PG.dll)

  1. Allowing new "Static Text" values to be returned as custom RADIUS attributes for both LDAP and SQL-based repositories

  2. Can now optionally perform password synchronization against secondary/linked repositories before updating the primary

  3. New setting to validate AD Password Complexity when an AD-based repository is used as a secondary

2017-03-25 - v5.6.0.0 (PG.dll)

  1. New 'Announcements' feature for displaying messages during logon and SSO

  2. Added getConfigInfo() and doEntrySearch() for announcement/typeahead support

  3. Fixed bug in LDAP accessor when getting distinguishedName from non-MS LDAP servers

2017-03-16 - v5.5.0.4 (PG.dll)

  1. Fix for OTPs not being sent for RADIUS requests when RBA is enabled on the user's security policy

2017-03-03 - v5.5.1.0 (User Interface)

  1. Changes to better conform with WCAG 2.0, level AA accessibility guidelines

2017-02-21 - v5.5.0.3 (PG.dll)

  1. Support for Plivo as an SMS provider

2017-02-20 - v5.5.0.1 (PG_IdP.dll)

  1. Fix in SAML SLO that was incorrectly considering LogoutRequests with NotOnOrAfter attribute as expired

2017-02-09 - v5.5.0.2 (PG.dll)

  1. Fix for user type-ahead to LDAP repositories to ensure the proper values are returned when the same attribute is used for multiple return values (e.g. "email" and "display")

2017-02-01 - v5.5.0.1 (PG.dll)

  1. Fix for sending CAPTCHA back from AgentLogin when a password is expired

  2. Fix for properly indicating CAPTCHA should be displayed during self-registration

2017-01-26 - v5.5.0.0 (PG.dll)

  1. Fix in OTPEntry agent if SSPR enrollment is still required (CAPTCHA was not displaying and user couldn't continue)

  2. Fix for user typeahead/lookup when Group Authz is disabled

  3. Properly initializing opt-in 2FA member variable in CPSReturn object

2017-01-23 - v5.5.0.0 (PG.dll)

  1. Support for controlling Help Desk actions in Help Desk regions

  2. Support for LDAP group/SQL role authorization for Help Desk console

  3. Fix for AD pw complexity checking to check for sAMAccountName and parts of the displayName

  4. Option to allow end-users to change the default OTP type for each SSPR action (unlock, pw reset, & pw recovery)

  5. Support for "opt-in" 2FA web login when the security policy is configured to default to "Password only"

  6. Support for reCAPTCHA v2

  7. Display last 10 strike records in Admin Dashboard "User Detail" lookup

  8. New Security Policy option to prevent password changes through PortalGuard

  9. Pre-emptively send and display complexity rules for password resets and password changes (now configurable in policy instead of JS variables)

2016-12-15 - v5.4.1.6 (PG.dll)

  1. Fix for "periodic email confirmation" when the email hasn't been enrolled yet.

  2. Changed how we set a default User Repository if one isn't explicitly marked

  3. Fix for indexing issue when removing intermediate YubiKeys (e.g. #2 when 3 are defined)

  4. Fix for supporting phone and emailed OTPs for 2FA - dealt with using different 'From' fields for each since some services (e.g. Twilio and Office 365) validate the 'From'

2016-10-26 - v5.4.1.5 (PG.dll)

  1. Alternate behavior for Help Desk Verbal Authentication - Displaying answers to Help Desk

  2. Fix for expiring strikeouts during self-service

2016-10-24 - v5.4.1.5 (PG_IdP.dll)

  1. Fix for CPSDate parsing of non-standard Set-Cookie time HTTP response headers

  2. Fix for URLEncoding POST parameters _names_

  3. Support for checking body text during Forms SSO validation

2016-10-19 - v5.4.1.4 (PG_IdP.dll)

  1. Now XML encoding the ACS URL when building a SAML response. Embedded '&' characters in them were causing SAML creation to fail.

  2. For SQL cred lookup in Forms-based SSO, now supporting "USERNAME_NODOMAIN" which contains the username without any email domain (if present). It contains the standard username if it doesn't contain '@'.

2016-10-18 - v5.4.1.3 (PG.dll)

  1. Support for prompting for Mobile App enrollment during login when it's the default 2FA logon type. It will not prompt if "Enrollment During Login" for MobileApp is Disabled.

2016-10-17 - v5.4.1.3 (PG_IdP.dll)

  1. CAS changes for Banner 9 support

  2. Support for new configuration flag to send back CAS ticket as 42-byte, base64 encoded "SAMLart" parameter

  3. Ensuring SAMLart does not contain '+' (which can be decoded as ' ') or '/' (can be mis-interpreted as a path separator)
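
Example (added here, not PortalGuard code): why item 3 matters and one way to satisfy it. A 42-byte value encodes to 56 standard base64 characters with no "=" padding, and the redraw loop below keeps the standard alphabet while rejecting any '+' or '/'. The redraw approach is an assumption for illustration; the page does not say how PortalGuard enforces the rule.

```python
import base64
import secrets
from urllib.parse import parse_qs

# Added example, not PortalGuard code: a base64 ticket carried in the SAMLart
# query parameter must avoid '+' and '/'.  '+' is decoded as a space by query
# string parsers when the value is pasted into a URL unescaped, and '/' can be
# treated as a path separator by proxies or routing frameworks.

ARTIFACT_BYTES = 42          # 42 bytes -> 56 base64 characters, no '=' padding
_FORBIDDEN = {"+", "/"}


def query_value_as_received(value: str) -> str:
    """Simulate a client that appends the value to a URL without escaping it
    and a server that parses the query string."""
    return parse_qs("SAMLart=" + value)["SAMLart"][0]


def artifact_is_safe(value: str) -> bool:
    return not (_FORBIDDEN & set(value)) and "=" not in value


def make_artifact(nbytes: int = ARTIFACT_BYTES) -> str:
    """Random artifact in standard base64 with no '+' or '/'.  For 56 characters
    roughly one draw in six is clean ((62/64)**56), so the loop is short."""
    while True:
        candidate = base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")
        if artifact_is_safe(candidate):
            return candidate


def decode_artifact(value: str) -> bytes:
    """Standard base64 decode; the artifact needs no alphabet translation."""
    return base64.b64decode(value, validate=True)


def all_draws_safe(draws: int = 50) -> bool:
    """Check that repeated draws survive the unescaped query round trip intact."""
    for _ in range(draws):
        art = make_artifact()
        if len(art) != 56 or not artifact_is_safe(art):
            return False
        if query_value_as_received(art) != art or len(decode_artifact(art)) != ARTIFACT_BYTES:
            return False
    return True
```

The alternative is base64url ('-' and '_' instead of '+' and '/'), which never needs a redraw but requires every consumer of the ticket to decode with the URL-safe alphabet; the redraw keeps existing standard-base64 decoders working.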

2016-09-22 - v5.4.1.3 (PG_IdP.dll)

  1. Displaying friendly error message if Issuer is blank in SAMLRequests

2016-09-14 - v5.4.1.2 (PG.dll)

  1. Fix for CPSHTTPClient URL parsing if the path contains a ':' character (it was being treated as a port number)

2016-09-02 - v5.4.1.2 (PG_IdP.dll)

  1. Support for SHA-256, SHA-384 and SHA-512 signing algorithms for SAML Single Log Out

  2. Bug fix for SAML SLO certificate encoding

2016-08-26 - v5.4.1.1 (PG.dll)

  1. Support for dynamic Target Container/OU in End-User Self Registration for LDAP-based directories

  2. Fix for preventing double XML encoding of claim values (e.g. a "<" that had already been encoded once was being encoded again)

2016-08-22 - v5.4.1.1 (PG_IdP.dll)

  1. Forms-SSO using credentials looked up via SQL

  2. Support for multi-valued, static identity claims using the 'Formatted String' type

  3. Setting to honor the ACS included in the SAMLRequest rather than using the value in the PG Relying Party configuration

2016-08-22 - v5.4.1.0 (PG.dll)

  1. Support for user-defined attribute stores

2016-07-29 - v5.4.0.4 (PG_IdP.dll)

  1. Fix for CAS support for dynamic attribute stores. Username was not performing attribute store resolution during /serviceValidate.

2016-07-28 - v5.4.0.4 (PG_IdP.dll)

  1. Support for "duplicate identifiers" in WS-Security authentication. Needed for multiple Office 365 domains for a single customer.

2016-07-14 - v5.4.0.3 (PG_IdP.dll)

  1. Support for overriding the SAML Issuer value per relying party (required for federating multiple Office 365 domains)

2016-05-26 - v5.4.0.2 (PG_IdP.dll)

  1. Not setting SessionIndex in SAML when RP configuration has SLO disabled. Fixed error with SAML 1.1 tokens where proper parent element wasn't present.

2016-05-24 - v5.4.0.2 (PG_IdP.dll)

  1. Support for Forms-based SSO enrollment to request additional input fields from user during enrollment (besides username & password)

  2. Forms-based SSO pre-fetch type (popup or IFRAME) is now configurable per website

2016-05-24 - v5.4.0.1 (PG.dll)

  1. Fix for using the proper subject, "from" and body settings for emailed OTPs. It had been using the SMS values.

2016-05-08 - v5.4.0.1

  1. Returning any relaystate from originating SP during SP-initiated SLO

2016-05-06 - v5.4.0.1

  1. Support for IdP-initiated SAML SLO via HTTP Redirect binding (via web browser redirection)

  2. Fix for using the proper subject, "from" and body settings for emailed OTPs. It had been using the SMS values.

2016-05-05 - v5.4.0.0

  1. Support for SP-initiated SAML SLO via HTTP Redirect binding (via web browser redirection)

2016-05-04 - v5.4.0.0

  1. Changed MessageMedia to always use "+{COUNTRY-CODE}{NUMBER}"

2016-04-22 - v5.3.3.3

  1. Optional anti-CSRF support during login activities (enabled in bootstrap, still disabled by default)

2016-04-13 - v5.3.3.3

  1. Manually setting the WinHTTP TLS versions to include TLS 1.2 using the WINHTTP_OPTION_SECURE_PROTOCOLS option. Required when the PG IIS site is configured to allow only TLS 1.1 and 1.2, for example: the PG IIS server simply resets the connection when the client offers only protocol versions it doesn't support.

2016-04-04 - v5.3.3.2

  1. Fix for multiple CAS identifiers in the same config when dupe ID support is enabled

2016-03-24 - v5.3.3.2

  1. Allowing "OTP Only" logins to use a password initially to enroll a phone (otherwise, they must import a 2FA method!)

  2. Fix for showing correct display name of "primary" user repository in password sync results (had been assuming the default repository)

2016-03-14 - v5.3.3.1 (forward port from v5.3.2.6)

  1. Fix for breaking change in Regroup's SMS API. They changed the name of the XML element containing the destination phone number which prevented SMS messages from being accepted/delivered.

2016-03-09 - v5.3.3.1

  1. Support for 2nd SQL password salt value/column

2016-02-22 - v5.3.3.0

  1. New Forms-SSO type for "Fixed Credentials" - does NOT require the PGUP cookie! (update in IdP_Config.exe as well)

2016-02-18 - v5.3.2.5

  1. Fix for username prefixes or suffixes not being removed in HelpDesk app. User type-ahead works, but modifying a user returns "Unknown user" error.

2016-02-17 - v5.3.2.4

  1. Fix crash on *successful* AD password changes when Native Windows feature is disabled.

2016-02-16 - v5.3.2.4

  1. Fix for Mobile App and RSA OTP types being recognized for SSPR usage

2016-02-15 - v5.3.2.3

  1. Reporting fix for more complex queries - allowing start/end date to be configured in report XML

2016-02-14 - v5.3.2.2

  1. New API for getting user groups/roles and OUs

2016-02-12 - v5.3.2.1

  1. For Forms-Based SSO, ensuring "Accept: */*" is always being sent as a request header when adding a site/testing creds

2016-01-09 - v5.3.2.1

  1. Now performing case-INsensitive searches for username in new password when AD PW Complexity checking is enabled.
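
Example (added here, not PortalGuard code): the AD complexity check referred to in this entry and in the 2017-01-23 item about sAMAccountName and displayName parts, following Microsoft's documented "Password must meet complexity requirements" rule. The sample names and passwords are constructed for this example.

```python
import re

# Added example, not PortalGuard code: Microsoft's "Password must meet
# complexity requirements" rule.  The password may not contain the
# sAMAccountName (skipped when shorter than three characters) or any
# displayName token of three or more characters; matching is case-insensitive.
# Tokens are split on commas, periods, dashes, underscores, spaces, pound signs
# and tabs.  The password must be at least six characters and use at least
# three of five character categories.

_DISPLAY_NAME_DELIMITERS = re.compile(r"[,.\-_ #\t]+")


def name_tokens(sam_account_name: str, display_name: str) -> list:
    tokens = []
    if len(sam_account_name) >= 3:
        tokens.append(sam_account_name.lower())
    for part in _DISPLAY_NAME_DELIMITERS.split(display_name):
        if len(part) >= 3:
            tokens.append(part.lower())
    return tokens


def _category_count(password: str) -> int:
    categories = [
        any(ch.isupper() for ch in password),
        any(ch.islower() for ch in password),
        any(ch.isdigit() for ch in password),
        any(not ch.isalnum() for ch in password),           # special characters
        # Alphabetic characters with no case distinction (e.g. many Asian scripts).
        any(ch.isalpha() and not ch.isupper() and not ch.islower() for ch in password),
    ]
    return sum(categories)


def ad_complexity_violations(password: str, sam_account_name: str, display_name: str) -> list:
    """Return the reasons the password fails AD complexity; empty means it passes.
    Checking this locally lets the UI explain a rejection that AD itself would
    only report as CONSTRAINT_VIOLATION."""
    reasons = []
    if len(password) < 6:
        reasons.append("shorter than 6 characters")
    lowered = password.lower()                # case-insensitive name search
    for token in name_tokens(sam_account_name, display_name):
        if token in lowered:
            reasons.append(f"contains name part '{token}'")
    if _category_count(password) < 3:
        reasons.append("uses fewer than 3 of the 5 character categories")
    return reasons
```

A domain's minimum password length policy and any fine-grained password policy apply on top of this rule; this function only reproduces the complexity check, so a password that passes here can still be rejected by AD for length or history.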

2016-01-08 - v5.3.2.0

  1. Support for duplicate CAS identifiers

  2. Support for hiding relying party configurations in the UI (SAML, WS-Fed and CAS only)

2015-12-23 - v5.3.2.0

  1. Responsive UI to support usage from phones and tablets (uses the Bootstrap framework)

  2. Support for external authentication as additional OTP type (e.g. pattern-based auth)

2015-12-22 - v5.3.1.3

  1. Support for read-only WordPress phpass password hashing; password update is NOT supported!

2015-12-15 - v5.3.1.0

  1. Re-versioned just to keep pace/tie-in with PG_IdP project

2015-12-03 - v5.3.0.6

  1. Kiosk support for "Remember Browser" KBA & 2FA feature

2015-12-02 - v5.3.0.6

  1. SQL repository support for .NET Identity 2.0 framework (replaces .NET Membership providers). Uses PBKDF2.
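
Example (added here, not PortalGuard code): the hash layout that ASP.NET Identity 2.0's PasswordHasher writes, so a PortalGuard-style SQL repository check can be reproduced and tested offline. The layout (0x00 marker, 16-byte salt, 32-byte PBKDF2-HMAC-SHA1 subkey at 1000 iterations, base64 encoded) is Identity 2.0's documented Rfc2898DeriveBytes usage; the sample password and fixed salt are constructed for the example.

```python
import base64
import hashlib
import hmac
import os

# Added example, not PortalGuard code: verify a password against the format
# ASP.NET Identity 2.0's PasswordHasher stores: base64 of
#   0x00 || salt (16 bytes) || subkey (32 bytes)
# where subkey = PBKDF2-HMAC-SHA1(password, salt, 1000 iterations), i.e. the
# Rfc2898DeriveBytes defaults.  ASP.NET Core Identity uses a 0x01 marker with a
# different layout and is deliberately rejected here.

_FORMAT_MARKER = 0x00
_SALT_LEN = 16
_SUBKEY_LEN = 32
_ITERATIONS = 1000


def _derive(password: str, salt: bytes) -> bytes:
    # Rfc2898DeriveBytes(string, ...) encodes the password as UTF-8.
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, _ITERATIONS, _SUBKEY_LEN)


def identity2_hash_password(password: str, salt: bytes = None) -> str:
    """Produce a hash in the Identity 2.0 layout (random salt unless one is given)."""
    salt = os.urandom(_SALT_LEN) if salt is None else salt
    if len(salt) != _SALT_LEN:
        raise ValueError("Identity 2.0 salts are 16 bytes")
    return base64.b64encode(bytes([_FORMAT_MARKER]) + salt + _derive(password, salt)).decode("ascii")


def identity2_parse(stored: str):
    """Split a stored value into (marker, salt, subkey), or None if it is not
    a well-formed Identity 2.0 hash."""
    try:
        raw = base64.b64decode(stored, validate=True)
    except ValueError:                       # binascii.Error is a ValueError
        return None
    if len(raw) != 1 + _SALT_LEN + _SUBKEY_LEN or raw[0] != _FORMAT_MARKER:
        return None
    return raw[0], raw[1:1 + _SALT_LEN], raw[1 + _SALT_LEN:]


def identity2_verify_password(stored: str, password: str) -> bool:
    """Return True when password matches the stored Identity 2.0 hash."""
    parsed = identity2_parse(stored)
    if parsed is None:
        return False
    _, salt, expected = parsed
    return hmac.compare_digest(_derive(password, salt), expected)


def with_marker(stored: str, marker: int) -> str:
    """Re-encode a stored hash with a different format marker (for negative tests)."""
    raw = base64.b64decode(stored)
    return base64.b64encode(bytes([marker]) + raw[1:]).decode("ascii")
```

Parsing and verification are separated so that an unexpected marker or length is rejected before any PBKDF2 work is done, and so a migration script can report which stored values are not in the expected format.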

2015-11-17 - v5.3.0.5

  1. Getting MS-specific error codes even when using generic LDAP

2015-10-23 - v5.3.0.3

  1. Always clearing self-registration CAPTCHA cookie upon successful self registration. Otherwise, repeated self-regs always resulted in bad captcha on subsequent attempt

  2. Forgot username functionality

2015-10-16 - v5.3.0.2

  1. Full challenge answer normalization (remove all non-alpha numeric chars, then convert to lowercase, then hash/save)
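
Example (added here, not PortalGuard code): the normalization described in this entry applied both at enrollment and at verification, plus the default rejection of a single repeated character that the 2015-07-16 entry mentions as optional to disable. Salted PBKDF2-HMAC-SHA256 for the hash step and the sample answers are assumptions for the example; the page only says the normalized answer is hashed and saved.

```python
import hashlib
import hmac
import os

# Added example, not PortalGuard code: normalize a challenge answer (strip every
# non-alphanumeric character, then lowercase) before hashing and again before
# comparison, so "Mr. Smith's Dog!" and "mr smiths dog" match.  The hash step
# (salted PBKDF2-HMAC-SHA256) is an assumption for illustration.

_ITERATIONS = 100_000


def normalize_answer(answer: str) -> str:
    kept = "".join(ch for ch in answer if ch.isalnum())   # drops punctuation, spaces, apostrophes
    return kept.lower()


def answer_is_acceptable(answer: str, allow_repeated: bool = False) -> bool:
    """Reject answers that normalize to nothing and, by default, answers made of
    a single repeated character (e.g. "aaaa"), which are trivially guessable."""
    normalized = normalize_answer(answer)
    if not normalized:
        return False
    if not allow_repeated and len(set(normalized)) == 1:
        return False
    return True


def store_answer(answer: str, salt: bytes = None) -> dict:
    """Return the record to persist: a per-answer salt plus the hash of the normalized form."""
    if not answer_is_acceptable(answer, allow_repeated=True):
        raise ValueError("answer normalizes to an empty string")
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", normalize_answer(answer).encode("utf-8"), salt, _ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex()}


def check_answer(record: dict, candidate: str) -> bool:
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", normalize_answer(candidate).encode("utf-8"), salt, _ITERATIONS)
    return hmac.compare_digest(digest.hex(), record["hash"])
```

Normalizing before hashing means the stored value can never be compared against the raw text the user typed, so the same normalization must be applied on every path that verifies an answer (web, RADIUS, help desk), or previously enrolled answers will stop matching.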

2015-10-15 - v5.3.0.2

  1. 'No Access' mode for Website logins

  2. Adding PID to log file names is now configurable in PG_Config/IdP_Config

2015-10-13 - v5.3.0.1

  1. Clickatell SMS support

2015-10-08 - v5.3.0.0

  1. Adding PID to PG and IdP log file names to support multiple PG websites (w3wp.exe) on same server

  2. Specifying ACL on mutexes to allow RADIUS service and IIS websites to access them on Win2012. Website was getting ACCESS DENIED when run as standard App Pool identity.

2015-10-02 - v5.3.0.0

  1. Optional SQL isolation for each PG repository

2015-09-14 - v5.2.2.0

  1. Support for RADIUS ACLs

2015-08-31 - v5.2.1.1

  1. Support for caching mobile app OTPs to prevent timeouts during SSPR

2015-08-18 - v5.2.1.0

  1. Support for SQL roles for security policy resolution and IdP authorization

2015-08-18 - v5.2.0.1

  1. Added support for SQL CHAR type

2015-08-14 - v5.2.0.0

  1. Updated version to bring in line with PG_IdP.dll

2015-07-27 - v5.1.0.2

  1. Only initializing Kerberos for w3wp.exe processes. Had been throwing an error in the PG RADIUS service.

2015-07-23 - v5.1.0.2

  1. New RADIUS configuration option to use a static security policy

  2. Voice OTP support for Regroup

2015-07-16 - v5.1.0.1

  1. New option to allow challenge answers containing a single, repeated character (disables our default check)

2015-07-16 - v5.1.0.1

  1. Changed mandatory answer batch import default behavior to no longer delete optional challenge answers when none are supplied. POST "ClearOptAnswers=1" to revert to old default behavior.

2015-07-01 - v5.1.0.0

  1. Built-in Kerberos ticket decryption (new API entry point). Needs PG.NET.dll v1.2.9.0 as well!

2015-06-25 - v5.0.1.3

  1. Fix for utilizing SQL password hash encoding when salting is NOT enabled. Prior to this fix, the setting was only read in when salting was enabled.

2015-05-09 - v5.0.1.2

  1. Support for sending pw expiration email reminders to users with passwords that have expired for any number of days

2015-05-08 - v5.0.1.1

  1. Fix for users attempting to use SSPR before they have enrolled - caused bogus Phone enrollment dialog to appear that resulted in 1104 error

2015-04-30 - v5.0.1.1

  1. Ensuring labels in Windows Event Logging are unique

  2. Added more info for Windows Event Logging for RADIUS actions (continue, error)

2015-04-29 - v5.0.1.1

  1. Support for SQL username look-ahead query to only contain a single '?' param for username.

2015-04-27 - v5.0.1.0

  1. Support for parameterized queries and stored procedures for updating SQL-based user repositories

2015-04-25 - v5.0.0.3

  1. Regroup SMS support

2015-04-24 - v5.0.0.2

  1. Twilio SMS support

2015-04-17 - v5.0.0.1

  1. New entry points for creating SQL report logging thread - called by RADIUS service

2015-04-07 - v5.0.0.0

  1. Saving OTP type in reporting data for 2FA/OTP only

  2. Sending email without MIME to prevent SMS from showing "Attachment(s) removed"

  3. Including authentication type in Windows Event Logging

  4. Added more SSPR authentication type details in reports

2015-04-02 - v5.0.0.0

  1. Fixed bug that caused "OTP only" login to always use phone SMS as the OTP type

2015-03-29 - v5.0.0.0

  1. Improved cookie-based SSO:
     - Own decryption page/module
     - Single-use cookies
     - Variable encryption keys per policy

2015-03-18 - v5.0.0.0

  1. Updated Dashboard reports framework
