2.0.3 Release Notes

Enhancements

Added ability to set an exclusion list for site URLs:
- Sites listed in the exclusion list will not have Secrets populated into the Username/Password fields by default. Secrets can still be populated in these fields by clicking the Green check icon to autofill. This should help prevent none username/password fields from having values filled in them automatically even if they are identified as username/password type fields
- An “Exclusion exception” list also exists so specific pages on the site domain will still auto-populate as normal.
- This can be set per-user or generally on the machine and WPF reads the information from a local Json file using the web browser’s native services. This does require an additional .NET 4.5.2 app to help roll out the local JSON file.
  The user story is that the exclusion list is set to exclude a site at URL Company1.site1.com but has an exclusion exception for Company1.site1.com/login.aspx. In this case if they navigate to the login page then the secret will auto-populate in the login fields (if users only have 1 secret). After users login and go to any other page on the site that also has fields which are detected as username/password type fields, the Web Password Filler will not do anything unless directed by the user. This is to prevent the Web Password Filler from auto filling values in fields, when the auto fill action is unwanted.
Added a new “Site” drop down option to the “Add Secret” dialog in the Web Password Filler, to allow users to select which Secret Server Distributed Engine site a Secret should be saved to (defaults to “Local” value)

Security

Added sanitization on Secret Server Secret name on the pop-up display to prevent JavaScript code (using script code in the Secret name) from allowing the website to create an opening using the Secret name for access.

Bug Fixes

Resolved an issue with a PaloAltoNetwork site that prevented the Password from auto filling after selecting the Secret.
Resolved an issue with the Cisco APIC console returning a “Token Error” message after the login fields were populated and the user tried to log in.
Resolved an issue for a Wells Fargo site login (https://wellsoffice.ceo.wellsfargo.com) where the “Login” button was still disabled by the site after the login fields were populated with valid values.
Resolved an issue with the Delinea Force Customer portal login that prevented the site from reading valid values in the login fields when the “Log in” button is clicked.
Resolved an issue that returned the message “Enter a value in the User Name field” even when a value was entered by the Web Password Filler on https://delinea.force.com/support/s/login.
Resolved an issue that displayed a deleted Secret in the Secret list for a site, if the user deleted the secret in Secret Server after they logged into the Web Password Filler, but before the Web Password Filler refreshed its list.
Resolved an issue for DUO login sites that prevented the page URL from being captured in the “URL” field when adding a new Secret on the “Add Account to Secret Server” dialog.
Resolved an issue that prevented users from logging into the Web Password FIller with multiple Identity Providers configured and the Secret Server URL ending with a double slash (for example, https://Domain.Company/SecretServer//”)
Resolved issue for sites that prevented the username or password for an existing Secret from being updated:
- https://adobeid-na1.services.adobe.com, https://secureb.eyefinity.com, https://admin.zscaler.net, https://app.zipbooks.com, https://mibank.com, https://www.economist.com, https://www.internic.ca, https://www.svbconnect.com, https://id.getharvest.com, https://login.bnymellonwealth.com, https://www.sumopaint.com

Known Issues

A delay may occur and trigger an error message due to indexing on the Secret Server side after a URL change for Secrets that are setup for an exact URL match. The error message will state that the exact domain doesn't exist.

The workaround is to try again after about a minute.