MagicEndpoint V1.4


Release Notes



MagicEndpoint Support

WinMagic strongly recommends that you install the most recent software release to stay up-to-date with the latest functional improvements, stability fixes, security enhancements and new features.

About This Release

This document contains important information about the current release. We strongly recommend that you read the entire document.

Recommended – WinMagic recommends this service release for all environments. Apply this update at your earliest convenience.


MagicEndpoint Client and IdP Documentation can be accessed at:


Previous Versions


Release Date


ME 1.4 (Current)

November 11, 2023
EOL Apr 16, 2026

Updates, improvements, new features
Build#,  Build# 9.0.300.118 (ME IdP Server)

ME 1.3.1

March 2, 2023
EOL Mar 1, 2026

Updates, improvements, new features
Build#,  Build# 9.0.300.118 (ME IdP Server)

ME 1.3

December 9, 2022
EOL Dec 8, 2025

Updates, improvements, new features
Build#,  Build# (ME IdP Server)

ME 1.2

July 20, 2022
EOL Jul 19, 2025

Updates, improvements, new features

ME 1.0
IdP 9.0

March 31, 2022
EOL Mar 30, 2025

Initial Release of MagicEndpoint and
MagicEndpoint Identity Provider (IdP)


System Requirements

  1. MagicEndpoint requires that the SecureDoc client agent software be installed and registered with a SecureDoc Enterprise Server before installing MagicEndpoint. NOTE: Letting SecureDoc encrypt the disk drive offers optimum security, but it is not required; the SES Client can be installed with a Profile/Installation Package that specifies Removable Media Only (RMO) protection.

  2. If using MagicEndpoint Identity Provider (IdP) service as the delegated IdP to an Azure AD (AAD) domain (for instance, to use MagicEndpoint IdP for Microsoft 365/Office 365), it is important to note that new devices cannot be joined to that AAD domain.

    a. In such a case, the environment needs to be a hybrid one, meaning devices need to be joined to the local domain, which is then synchronized to the Azure AD domain for O365.

  3. For TPM-based authentication (preferred), devices must have TPM 2.0. Devices that have TPM 1.2 or earlier, or that lack a TPM completely, cannot generate or use TPM-based keys but can still use Software Tokens for authentication. Software tokens still constitute strong security, but do not reach the level of strength that TPM-based tokens can provide.

Client OS Support

In this initial version, only Windows devices are supported.
Devices utilizing MagicEndpoint authentication must have Windows 10 or Windows 11 – Windows 7 is not supported.
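
A pre-install check for the TPM and Client OS requirements above, as an added example that is not WinMagic code. The function names Get-TpmMajorVersion and Test-MagicEndpointPrereqs are hypothetical, and the script does not verify that the SecureDoc client is installed or registered.

```powershell
# Added example (not vendor code). Function names are hypothetical.

function Get-TpmMajorVersion {
    # Win32_Tpm.SpecVersion looks like "2.0, 0, 1.38"; the first field is the
    # TPM specification version. Anything unparsable is treated as "no usable TPM".
    param([string]$SpecVersion)
    if ([string]::IsNullOrWhiteSpace($SpecVersion)) { return $null }
    $parsed = $null
    $first = ($SpecVersion -split ',')[0].Trim()
    if ([version]::TryParse($first, [ref]$parsed)) { return $parsed.Major }
    return $null
}

function Test-MagicEndpointPrereqs {
    # The TPM WMI namespace is readable only by administrators. Without this
    # guard, an access-denied error would be misreported as "no TPM".
    $identity = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this check from an elevated PowerShell session.'
    }

    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $cs  = Get-CimInstance -ClassName Win32_ComputerSystem
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue

    # Windows 10 and Windows 11 both report version 10.0.x; Windows 7 reports 6.1.
    # ProductType 1 = workstation. Treating server editions as unsupported is an
    # assumption of this example; the page names only Windows 10 and Windows 11.
    $osOk = ($os.ProductType -eq 1) -and (([version]$os.Version).Major -eq 10)

    # TPM 2.0 allows TPM-based keys; TPM 1.2 or no TPM falls back to software tokens.
    $tpmMajor = if ($tpm) { Get-TpmMajorVersion $tpm.SpecVersion } else { $null }
    $token = if (($null -ne $tpmMajor) -and ($tpmMajor -ge 2)) { 'TPM-based key' } else { 'Software token' }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        OsCaption      = $os.Caption
        OsSupported    = $osOk
        TpmSpecVersion = if ($tpm) { $tpm.SpecVersion } else { 'none' }
        ExpectedToken  = $token
        DomainJoined   = [bool]$cs.PartOfDomain   # relevant to the hybrid-join note in item 2
    }
}

Test-MagicEndpointPrereqs | Format-List
```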


Version 1.4 of MagicEndpoint

NOTE: This version does not support direct upgrade on top of a previous version.  Existing customers having previous versions of MagicEndpoint installed should a) Uninstall the MagicEndpoint client, then b) Install this version, then c) Clear their Internet Browser’s cache before attempting to use MagicEndpoint for authentication.

Which customers should upgrade to ME version 1.4?

New customers should deploy this version. Existing customers who have been testing MagicEndpoint 1.0, 1.1, 1.2, or 1.3, or the same product under pre-release/Beta names such as FIDO Eazy Diamond/3.0/Enterprise or SecureDoc Passwordless Authentication, and who wish to explore new and updated functionality in this version, should install this service release per the recommendation above.


New Features


User Interface (UI) for IdP-Initiated Single Sign-On (SSO)

Description: Enhancing the IDP Home Page and Configuration by incorporating a User Interface (UI) for IDP-initiated Single Sign-On (SSO).

Solution: The latest features include an "IDP-initiated SSO" option in the Service Provider (SP) configuration and a new "Service Providers" section on the Home Page. The Service Providers Table now exclusively lists IDP-initiated SPs, displaying only those allowed for non-admin users based on group configurations. Clicking on a specific SP in the table initiates the SAML Single Sign-On (SSO) process.

Affected tickets: SD-45281


Resolved Issues

Upon re-logging into ME via the system tray in BLE RMO, ME necessitates the use of the SD password instead of BLE.

Issue: Instead of utilizing Bluetooth, ME mandates the use of the SD password for re-login after logging out with the RMO package.

Solution: Introduce a verification step using "SdpaClientCheckUserExistEx" to confirm the user's protection type before initiating any login attempt (when SDMode = 1). This guarantees a consistent requirement for Bluetooth during re-login with BLE protection when MagicEndpoint (ME) is logged out.

Affected tickets: SD-45408

Reply with the reason for rejected authentication in the Identity Provider (IDP).

Issue: When the ME makes a request to the IDP server, the server has the capability to reject the request for various reasons, such as a signature mismatch or the user not belonging to the Service Providers (SPs) group, among others.

Solution: This issue is now updated and resolved.  

Affected tickets: SD-45386

Implement access policies according to "device signals."

Issue: The MagicEndpoint Identity Provider (ME IdP) faces a challenge in assessing user and device access to Service Providers (SPs) due to the absence of event-driven signals. The current process relies on server-initiated polls instead of the endpoint notifying the server of any status changes.

Solution: This issue is now resolved.

Affected tickets: SD-45312

Single Sign-On (SSO) Initiated by IdP

Issue: The IDP Portal should display registered Service Providers (SPs), allowing users to initiate Single Sign-On (SSO) to the selected service provider by clicking on it.

Solution: A "Service Providers" section has been introduced on the IDP Home page. When a Service Provider (SAML) is configured with "IDP-initiated SSO" enabled, it will be included in the list of IDP-initiated SSO on the IDP Homepage. Users belonging to the SP access group can initiate Single Sign-On to the selected service provider by clicking on it.

Note: WinMagic IDP currently supports SP-initiated login only.

Affected tickets: SD-44033

[ME] Even after multiple unsuccessful login attempts to the Service Provider (SP), Fingerprint or FaceID authentication remains mandatory.

Issue: If a user logs out after a previous login, attempts to access an SP, and cancels or fails the biometric authentication prompt, ME will subsequently request the PIN for login.

Solution: Biometrics can no longer be used to log back in after logging out. Users are prompted to enter their PIN or password instead, enhancing security during login attempts. This change applies to accessing service providers (SPs) and logging back into ME directly from the system tray icon.

Affected tickets: SD-45013


[IdP] Launching IdP Page Fails with HTTP Error 500 in the Event of IdP-Only Installation

Issue: Upon attempting to log into the IDP portal, an HTTP Error 500 is presented.

Solution: To resolve this issue, it is recommended to install IDP on the same server as SES Console. A fix for this problem is anticipated in version 9.1.

Affected tickets: SD-46654



How to Install/Upgrade

Customers with an active support plan should contact to receive the latest download link for their MagicEndpoint  / MagicEndpoint IdP upgrade.




Contacting WinMagic

5770 Hurontario Street, Suite 501
Mississauga, Ontario, L5R 3G5
Toll free: 1-888-879-5879
Phone: (905) 502-7000
Fax: (905) 502-7001


This product includes cryptographic software written by Antoon Bosselaers, Hans Dobbertin, Bart Preneel, Eric Young, and Joan Daemen and Vincent Rijmen, creators of the Rijndael AES algorithm.
This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit.

WinMagic would like to thank these developers for their software contributions.

©Copyright 1997 – 2023 by WinMagic Corp. All rights reserved.

Printed in Canada.

Many products, software and technologies are subject to export control for both Canada and the United States of America. WinMagic advises all customers that they are responsible for familiarizing themselves with these regulations. Exports and re-exports of WinMagic Inc. products are subject to Canadian and US export controls administered by the Canadian Border Services Agency (CBSA) and the Commerce Department’s Bureau of Industry and Security (BIS). For more information, visit WinMagic’s web site or the web site of the appropriate agency.

WinMagic, SecureDoc, SecureDoc Enterprise Server, MagicEndpoint, MagicEndpoint IDP, Compartmental SecureDoc, SecureDoc PDA, SecureDoc Personal Edition, SecureDoc RME, SecureDoc Removable Media Encryption, SecureDoc Media Viewer, SecureDoc Express, SecureDoc for Mac, MySecureDoc, MySecureDoc Personal Edition Plus, MySecureDoc Media, PBConnex, SecureDoc Central Database, and SecureDoc Cloud Lite are trademarks and registered trademarks of WinMagic Inc., registered in the US and other countries. All other registered and unregistered trademarks herein are the sole property of their respective owners. © 2023 WinMagic Corp. All rights reserved.

© Copyright 2023 WinMagic Corp. All rights reserved. This document is for informational purposes only. WinMagic Corp. makes NO WARRANTIES, expressed or implied, in this document. All specifications stated herein are subject to change without notice.