With release 21.6, CyberArk Identity supports the following new features:
Single Sign-On
Redesigned CyberArk Identity sign-in experience
With this release, the redesigned sign-in screen for CyberArk Identity is enabled by default. The new sign-in page reflects a modern design and improves the sign-in experience for users and administrators with a streamlined layout of all authentication options, including QR code, password, and social login. The design of the new sign-in page can also be tailored to your specific needs. For example, you can upload your company's logo, update the background image, and change the color scheme to align with your corporate colors. You can revert to the legacy sign-in page at any time by updating preferences in your Admin portal. To learn more about the new sign-in page, please see here.
Storage of business application credentials in the CyberArk self-hosted vault
You can now store user credentials for business applications in the CyberArk self-hosted vault. Previously, login credentials for business applications using the username and password authentication method were stored in the CyberArk Identity Cloud. Now, you can choose to store these credentials in your on-premises vault. This enables you to continue providing users a frictionless experience of accessing business applications using CyberArk Identity Browser Extension, CyberArk Identity User Portal, and the CyberArk Idaptive mobile app while maintaining complete control over user credentials. All credentials for business applications stored in the self-hosted vault can be retrieved without deploying additional agents or having an active VPN connection. To learn more about this capability, please see here.
Additional rights for delegated administrators
CyberArk Identity supports Organizations: collections of user identities, each representing a subset of the global user population. Organizations enable you to group users by specific attributes and manage access to enterprise resources in a structured, hierarchical way. For example, you can delegate administration responsibilities over a particular Organization to a specific non-admin user. With this release, you can provide delegated administrators the ability to create new roles within an Organization that include MFA unlock, role management, and user management rights. For example, a delegated administrator can create an MFA Support role within an Organization and allow users assigned this role to temporarily suspend multi-factor authentication requirements for specific users. Delegated administration allows you to spread administrative duties and segregate administrative capabilities so that no administrator has too much control. To learn more about CyberArk Identity Organizations, see here.
Multi-Factor Authentication
General availability of Secure Zones
CyberArk Identity now allows you to define Secure Zones – specific IP ranges within your internal and external networks. Secure Zones are used to define authentication requirements and enforce access policies. Previously, you could only create authentication rules based on whether an IP address was inside or outside the pre-defined corporate IP range. Now, you can create rules for specific IP addresses within your Secure Zones. For example, you can define a new Secure Zone that is limited to a subset of your corporate IP range. You can then add a rule that applies only to users accessing CyberArk Identity from IP addresses within that Secure Zone and that requires secondary authentication using physical tokens. To learn more about Secure Zones, see here.
Limit on the number of concurrent user sessions
You can now define the number of concurrent sessions allowed for all users or a group of users. Concurrent sessions allow users to log in to CyberArk Identity using the same account across multiple devices. Previously, there was no limit on concurrent sessions. Now, you can allow users to have up to ten concurrent sessions, with the unlimited setting remaining the default. For example, if concurrent sessions are limited to two, a user will be able to access their CyberArk Identity account on a laptop and a mobile device. However, the user will not be able to use their account on a third device until one of the active sessions is terminated. With this feature, administrators can also sign out a single user from all active sessions. To learn more about session management, please see here.
User Behavior Analytics
Splunk add-on update
The new version of the Splunk add-on allows you to collect event data from CyberArk Identity without the Syslog Writer or dependencies on any on-prem CyberArk Identity components. In addition, you can grant the Splunk solution access to events directly in the Identity Cloud and view all denied multi-factor authentication attempts in a consolidated dashboard. The updated version of the Splunk add-on is available for download from the CyberArk Identity Admin Portal downloads area. To learn more about the Splunk add-on, please see here.
Additional features included in this release:
- CyberArk Identity User Portal customization options
  - You can now hide specific tabs in the User Portal, such as Devices, Activity, and Organizations.
  - You can also make a user's profile in the User Portal read-only.
- Windows Cloud Agent
  - Now supports Self-Service Password Reset for remote, domain-joined Windows machines.
- Mac Cloud Agent
  - Adds support for macOS 11 (Big Sur).
  - You can now use Mac Cloud Agent only for endpoint MFA without enrolling devices into CyberArk Identity Device Management (MDM).
For more information on the 21.6 release, please see CyberArk Identity release notes.