With release 21.4, CyberArk Identity supports the following new features:
Single Sign-On
General Availability of Enhanced Delegated Administration with CyberArk Identity Organizations
CyberArk Identity organizations is a collection of user identities representing a subset of the global user population. Organizations enable you to group users by specific attributes and manage access to enterprise resources in a structured, hierarchical way. For example, if your company operates in multiple regions, you can create separate organizations that correspond to each of the regions. You can then delegate administration responsibilities over these organizations to specific non-admin users. Users with delegated admin rights can only manage users, roles and apps in the assigned organization. This type of delegated administration allows you to spread administrative duties and segregate administrative capabilities so that no administrator has too much control. To learn more about CyberArk Identity organizations, see here.
Multi-Factor Authentication
Account Unlock Notification
You can now display a pop-up message to users that have successfully unlocked their account using the self-service account unlock feature. Self-service account unlock enables users to restore their accounts suspended for exceeding the threshold for failed sign-in attempts without involving the Help Desk. To unlock their accounts, users are required to pass a Multi-Factor Authentication challenge. Once the account is active and users have successfully authenticated, they will see a pop-up message informing them that their sign-in experience was different because their account was locked. This notification pop-up is optional and is only displayed the first time the user logs in to the CyberArk Identity User Portal after being locked out.
Policy Rules for Secure Zones
CyberArk Identity now allows you to define Secure Zones – specific IP ranges within your internal and external networks. Secure Zones are used to define authentication requirements and enforce access policies. Previously, you could only create authentication rules based on the location of IP addresses either inside or outside of the pre-defined corporate IP range. Now, you can create rules for specific IP addresses within your Secure Zones. For example, you can define a new Secure Zone that is limited to a subset of your corporate IP range. You can then add a rule that applies only to users accessing CyberArk Identity from the IP addresses within that Secure Zone requiring secondary authentication using physical tokens.
The Secure Zones feature is currently in PREVIEW and is not enabled by default. Customers can test this feature by reaching out to CyberArk Support.
CyberArk Authenticator for Desktops
You can now get CyberArk Authenticator capabilities on your Mac and PC devices. Previously, customers who leveraged a time-based one-time passcode (TOTP) authentication mechanism to secure access had to use CyberArk Authenticator in the CyberArk Identity iOS or Android mobile apps. This presented challenges to end-users that could not use their personal mobile devices for business purposes or those working in environments with restrictions on smartphone use. Now, customers can install CyberArk Authenticator directly on the end-user Mac or PC computers. With CyberArk Authenticator for Desktops, customers can reduce the number of devices that can be used for authentication and ensure that end-users are able to access TOTP-protected resources even if working offline. CyberArk Authenticator desktop client can support up to 20 accounts, is protected with a PIN, and can only be downloaded from the Administrator Portal. To learn more about CyberArk Authenticator, please see here.
Support for Strong Biometrics Unlock on Android
You can now unlock CyberArk Identity mobile app and the included capabilities, such as a QR code scanner and authenticator, using Android’s strong biometric unlock mechanisms. Previously, you could only unlock the CyberArk Identity app using a fingerprint or a PIN code as a backup. With the introduction of the Strong Biometric Unlock Security standard by Google, you can now use all strong biometric options available on Android devices, such as fingerprint, face recognition, and iris scan. For example, if your device includes fingerprint and face recognition capabilities that meet the Strong Biometric definition, you can use either mechanism to unlock the CyberArk Identity mobile app. However, if only one of the available mechanisms meets the Strong Biometric criteria, only that mechanism will be able to open the app. To learn more about CyberArk Identity mobile applications, please see here.
For more information on the 21.4 release, please see CyberArk Identity release notes.