SafeNet IDPrime Virtual 2.9.1
Issue Month: April 2025
Build Details
- Server: 2.8.2
- Windows Client: 2.9.1.10
Product Description
SafeNet IDPrime Virtual (IDPV) is a PKI-based software authenticator that uses the latest innovations in software-based smart token technology to deliver the strong two-factor security of a smart card. It is a cost-effective and convenient option for software authentication. IDPV emulates the functionality of physical smart cards used for authentication, email, data encryption, and digital signing, enabling use cases such as VDI, BYOD, backup, and mobility on any device. It secures the user's private key on an HSM, with user authentication provided by OIDC-compatible Identity Providers (IDPs).
Release Description
SafeNet IDPrime Virtual Client v2.9.1.10 includes security patch updates.
Advisory Notes
Before deploying this release, note the following high-level requirements and limitations:
- It is recommended to install the IDPV Client before installing SafeNet Authentication Client (SAC Middleware).
- On a machine that supports multi-user sessions, if an administrator changes the registry value of On Behalf connect from 0 to 1, the Connect On Behalf option in the system tray becomes available for all users. Additionally, if the tenant is set up with the -u flag set to true, non-admin users will also be able to create more tokens.
- If the IDPV Client is installed in the Remote Desktop Access (RDP) mode, then SAC must be installed in the Typical mode.
- If the IDPV Client installation type is changed from Typical to Remote Desktop Access (RDP) or vice versa, a system reboot is required.
- If the SafeNet IDPV Client is installed using Remote Desktop Access (RDP) mode after the SAC installation, a system reboot is required.
- After uninstalling the IDPV Client, a system reboot is required if any application is performing PKI operations.
- Each Identity Provider (IDP) must be configured separately. For the newly supported IDPs, refer to the SafeNet IDPrime Virtual Server Client Integration Documentation.
- The functionality of signing and verification in offline mode using the SHA384 and SHA512-PSS mechanisms depends on the TPM chip vendor. For more information, refer to the TPM vendor documentation.
- Simultaneous write operations from different IDPV Client machines are not supported for IDPV virtual tokens.
Localization Support
Localization follows the operating system's language setting and is therefore managed automatically.
The currently supported languages are:
- English (default)
- Spanish
- German
- French
- Hindi and Hebrew (experimental)
This list can be extended, since the client is built on the Qt cross-platform development framework and its internationalization support.
Default Password
Virtual IDPrime cards are supplied with the following default token password: “000000” (6 zeros), and the Administrator Password must be entered as 48 zeros.
Password Recommendations
We strongly recommend changing all device passwords upon receipt of a token/smart card as follows:
- The User PIN should include at least 8 characters of different types.
- PIN character types should include upper case, lower case, numbers, and special characters.
For more information, refer to the ‘Security Recommendations’ section in the SafeNet IDPrime Virtual Server-Client Product Documentation.
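The two recommendations above, together with the documented defaults, can be enforced before a PIN is accepted. The following is an added example and not code from SafeNet, Thales or the IDPV product; the function names, the way the rules are encoded (8-character minimum, four character classes, the documented defaults of 6 and 48 zeros) and the sample PINs are assumptions made for illustration.

```python
"""PIN policy check modelled on the recommendations in these release notes.

Added example, not part of the SafeNet IDPrime Virtual software or its
documentation. The rule encoding, function names and sample PINs are
assumptions for illustration.
"""
import string

# Documented factory defaults that must be changed on receipt of a token.
DEFAULT_USER_PIN = "0" * 6           # "000000" (6 zeros)
DEFAULT_ADMIN_PASSWORD = "0" * 48    # administrator password: 48 zeros

MIN_USER_PIN_LENGTH = 8              # "at least 8 characters"

# The four character types the recommendation names (ASCII classes assumed).
CHARACTER_CLASSES = {
    "upper case": set(string.ascii_uppercase),
    "lower case": set(string.ascii_lowercase),
    "numbers": set(string.digits),
    "special characters": set(string.punctuation),
}


def check_user_pin(pin: str) -> list[str]:
    """Return the policy violations for a proposed user PIN (empty list = OK)."""
    violations = []
    if pin == DEFAULT_USER_PIN:
        violations.append("PIN is the factory default and must be changed")
    if len(pin) < MIN_USER_PIN_LENGTH:
        violations.append(
            f"PIN has {len(pin)} characters, minimum is {MIN_USER_PIN_LENGTH}"
        )
    # A class counts as present if at least one PIN character belongs to it.
    missing = [
        name for name, chars in CHARACTER_CLASSES.items()
        if not any(c in chars for c in pin)
    ]
    if missing:
        violations.append("PIN is missing character types: " + ", ".join(missing))
    return violations


def check_admin_password(password: str) -> list[str]:
    """Flag an administrator password that is still the documented default."""
    if password == DEFAULT_ADMIN_PASSWORD:
        return ["administrator password is the factory default (48 zeros) and must be changed"]
    return []


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    for candidate in ("000000", "abcdefgh", "Tr0ub4dor&3"):
        result = check_user_pin(candidate)
        print(f"{candidate!r}: {'OK' if not result else '; '.join(result)}")
    print("default admin password:", check_admin_password("0" * 48))
```

Running the module prints one line per sample PIN; an empty list from either function means the value passes the documented recommendations.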
Compatibility Information
Operating Systems
The following operating systems are supported:
Client Operating Systems
- Windows 10 (2004 or higher)
  - Microsoft Trusted Platform Module (TPM 2.0) for Offline Mode
- Windows 11 (23H2 or higher)
Middleware
- SafeNet Authentication Client 10.9 R1 (10.9.4482.0)
- SafeNet Minidriver 10.9 R1 (10.9.4482.0)
Virtual Smart Card Features
The following table lists the features supported by IDPV:
Feature | Device: SafeNet IDPrime Virtual |
---|---|
Number of Keys | 15 max |
RSA Key Size | 2048 bit, 3072 bit, and 4096 bit |
RSA Padding | PKCS#1 v1.5 |
Hash and Signature Schemes | SHA-2 512-bit, CKM_SHA1_RSA_PKCS_PSS, CKM_SHA256_RSA_PKCS_PSS, CKM_SHA384_RSA_PKCS_PSS, CKM_SHA512_RSA_PKCS_PSS |
Supported APIs | PKCS#11 V2.20, PKCS#15, MS CryptoAPI and CNG (CSP, KSP), PC/SC |
Supported cryptographic algorithms | 3DES, SHA-256, RSA up to 2048/3072/4096, RSA PSS |
Compatibility with Third-Party Applications
The following third-party applications are supported:
Solution Type | Vendor | Product Version |
---|---|---|
Virtual Desktop Infrastructure (VDI) | VMware vSphere | vSphere 7.0.3.01400 |
Identity Access Management (IAM) / Identity Management (IDM) | vSEC:CMS | vSEC:CMS 6.11 |
Certificate Authority (CA) | Microsoft (Local CA) | For all Windows platforms |
Browsers | Mozilla | Firefox 123 or higher |
Browsers | Microsoft | Edge (Chromium) 121.0.2277.112 or higher |
Browsers | Google | Chrome 122.0.6261 or higher |
Compatibility with Thales Applications
Virtual IDPrime cards can be used with the following products:
- SafeNet Authentication Client 10.9 R1 (10.9.4482.0)
- SafeNet Minidriver 10.9 R1 (10.9.4482.0)
Known Issues
This section lists the known issues that exist in this release. The following table defines the severity of the issues listed in this section.
Severity | Classification | Definition |
---|---|---|
C | Critical | No reasonable workaround exists. |
H | High | Reasonable workaround exists. |
M | Medium | Medium level priority problems. |
L | Low | Lowest level priority problems. |
Known Issues
Below are the known issues that exist in this release.
Issue | Severity | Synopsis |
---|---|---|
IDPV-3333 | L | Summary: SAC/IDPV Client doesn't decrement the retry counter if the user PIN is less than 4 characters. Workaround: None |
IDPV-3334 | H | Summary: If the user tries multiple incorrect PINs in Offline Mode and then restarts the service in online mode, the User PIN retries do not synchronize with the IDPV server. Workaround: None |
IDPV-8123 | M | Summary: Bundle Expiry is upgraded after the IDPV client upgrade. Workaround: None |
IDPV-10050 | M | Summary: If SafeNet IDPV Client is installed using remote desktop access after the SAC installation, then system reboot is required. Workaround: None |
IDPV-10209 | L | Summary: The IDPV Client behavior (in the Offline mode) on a physical machine is different than on a virtual machine. Workaround: None |
IDPV-11322 | L | Summary: After repairing the IDPV Client in remote mode, the services are not synchronized. Workaround: Uninstall the IDPV Client and then reinstall it. |
IDPV-11409 | L | Summary: The setuptenant update command does not work if the IDP client secret (-a) begins with a dash (-). Workaround: Generate a new IDP client secret in Azure Entra ID that does not begin with a dash (-), and update it in the tenant accordingly. |
ASAC-15236 | L | Summary: In case of preserve token settings, user PINs do not synchronize, whereas admin PINs are synchronized. Workaround: None |
Related Product Documentation
The following documentation on ThalesDocs is associated with this release:
We have attempted to make the documentation complete, accurate, and useful, but we cannot guarantee it to be perfect. When we discover errors or omissions, or they are brought to our attention, we endeavor to correct them in succeeding releases of the product.