Deprecation announcement
4.3. Airlock IAM 7.6 - Deprecation announcement for future releases

The following features have been deprecated with IAM 7.6 or earlier releases. They are planned to be removed in future releases and are still available in Airlock IAM 7.6.

IAM Release 8.0 is scheduled for spring 2023. The last release prior to IAM 8.0 will be supported until mid 2024.

Note that release schedule information is preliminary and subject to change.

| Topic | Description | May be removed in version | Deprecated since |
| --- | --- | --- | --- |
| Loginapp (JSP) | The JSP-Loginapp will be removed in favor of the new Loginapp REST UI. See 4.6. JSP-Loginapp Deprecation Announcement and especially 17.5.6. Features discontinued with the JSP-Loginapp. | 8.0 | 7.4 |

Table 1: JSP-Loginapp Deprecation

| Topic | Description | May be removed in version | Deprecated since |
| --- | --- | --- | --- |
| Non-flow-based password reset REST end-points | The non-flow-based REST end-points for the password reset self-service will be removed. Affected end-points: `/public/users/userId/password/start-reset/` and `/public/users/userId/password/verify-reset/`. Use the corresponding public self-service end-points: `/rest/public/self-service/flow/` | 8.0 | 7.6 |
| CAPTCHA end-points for non-flow-based services | The CAPTCHA REST end-points for the old user registration and password reset services will be removed. Affected end-point: `/public/captcha/`. New CAPTCHA end-points for the flow-based services will be available as of IAM 7.7. | 8.0 | 7.6 |
| Health and live end-point - state attribute | The response attribute `state` is no longer returned by the Loginapp end-points `/health/ready` and `/health/live`. Use the attribute `status` instead. | 8.0 | 7.5 |
| Flow-based password reset REST end-points | REST end-points of the flow-based password reset REST API from before its migration to the public self-service flows. Affected REST end-points: `/rest/public/password-reset/*`. Similar or identical end-points are available in: `/rest/public/self-service/flow/` | 8.0 | 7.5 |
| Legacy authentication end-points for custom extensions | The legacy authentication end-points for custom authentication extensions, `/rest/public/<custom>/authentication/*`, will be removed. Use the end-points `/rest/public/authentication/<custom>/*` instead. | 8.0 | 7.4 |
| Email address change REST end-points | The Loginapp REST API provides the following REST end-points for end-users to change their email address: `/rest/protected/my/email/change/` and `/rest/protected/my/email/verify-email-change/`. These end-points will be removed. REST clients need to be adapted. Use the new REST end-points in the protected self-service flows instead: `/rest/protected/self-service/data/edit/` and `/rest/protected/self-service/email/verification/otp/check/` | 8.0 | 7.3 |
| Loginapp Self-Registration REST API (non-flow-based) | The non-flow-based REST API for user self-registration will be removed. Please migrate clients to use the new flow-based REST API instead. Affected end-points: `/public/users/*` | 8.0 | 7.1 |
| GET end-points in Flow APIs | GET end-points in the authentication flow API have been deprecated and replaced by corresponding POSTs. | 8.0 | 7.0 |

Table 2: Loginapp REST API

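To find out which clients still call the deprecated Loginapp REST end-points from Table 2 before upgrading, access logs can be scanned for the affected paths. The following is an added example, not part of the Airlock documentation; the combined log format, the `/ctx` context path, the sample requests, and treating `userId` and `<custom>` as single path segments are assumptions.

```python
import re
from collections import Counter

# (label, regex, replacement) from Table 2; specific password-reset paths come
# before the /public/users/* catch-all. Assumption: "userId" and "<custom>"
# each stand for exactly one path segment.
DEPRECATED = [
    ("password reset (non-flow)", r"/public/users/[^/]+/password/(?:start|verify)-reset/",
     "/rest/public/self-service/flow/"),
    ("CAPTCHA (non-flow)", r"/public/captcha/", "flow-based CAPTCHA end-points (IAM 7.7)"),
    ("password reset (old flow API)", r"/rest/public/password-reset/", "/rest/public/self-service/flow/"),
    ("legacy custom authentication", r"/rest/public/(?!authentication/)[^/]+/authentication/",
     "/rest/public/authentication/<custom>/*"),
    ("email change", r"/rest/protected/my/email/(?:change|verify-email-change)/", "protected self-service flows"),
    ("self-registration (non-flow)", r"/public/users/", "flow-based REST API"),
]
REPLACEMENT = {label: new for label, _rx, new in DEPRECATED}

# Assumed combined log format: ip ... "METHOD target HTTP/x" status size "referer" "agent"
LINE = re.compile(r'^\S+ .*?"[A-Z]+ (\S+) HTTP/[\d.]+" \d{3} \S+ "[^"]*" "([^"]*)"')

def find_deprecated_calls(lines):
    """Count requests to deprecated end-points, keyed by (user agent, label)."""
    hits = Counter()
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not in the assumed log format
        target, agent = m.groups()
        path = target.split("?", 1)[0].rstrip("/") + "/"  # drop query, normalise slash
        for label, rx, _new in DEPRECATED:
            if re.search(rx, path):
                hits[(agent, label)] += 1
                break  # first (most specific) match wins
    return hits

def _line(path, agent):  # builds one constructed log line
    return f'10.0.0.5 - - [12/Oct/2022:10:00:01 +0200] "POST {path} HTTP/1.1" 200 57 "-" "{agent}"'

SAMPLE = [  # constructed requests; "/ctx" is a placeholder context path
    _line("/ctx/rest/public/users/jdoe/password/start-reset/", "mobile-app/3.1"),
    _line("/ctx/rest/public/users/", "partner-portal/1.0"),
    _line("/ctx/rest/public/acme/authentication/step/", "mobile-app/3.1"),
    _line("/ctx/rest/public/authentication/acme/step/", "web-ui/2.0"),  # new path, no hit
    _line("/ctx/rest/protected/my/email/change?lang=en", "mobile-app/3.1"),
]
if __name__ == "__main__":
    for (agent, label), n in sorted(find_deprecated_calls(SAMPLE).items()):
        print(n, agent, label, "->", REPLACEMENT[label])
```
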
| Topic | Description | May be removed in version | Deprecated since |
| --- | --- | --- | --- |
| OAuth/OIDC legacy token format | The IAM-internal legacy format for OAuth tokens (`username.randomstring`) is no longer supported. The format has never been an API, but clients may rely on it. The legacy format could be issued by IAM 7.0 or older releases. | 8.0 | 7.5 |
| OAuth Implicit flow | The client-centric OAuth AS / OIDC OP will be removed (see separate entry). With it, the OAuth implicit flow will no longer be supported. | 8.0 | 7.5 |
| Client-centric OAuth / OIDC | The client-centric OAuth AS / OIDC OP will be removed. Migrate to the AS-centric variant. See OAuth / OIDC documentation for further information. | 8.0 | 7.3 |
| OAuth Session Management | The JSP files for OAuth2 session management contain an unused import statement referencing class `com.airlock.iam.login.misc.oauth2.token.OAuth2Token`. The class will be removed and thus customized JSPs have to be adapted. Note that the JSP-Loginapp will be removed in 8.0 (announced with 7.4). | 8.0 | 7.3 |

Table 3: OAuth / OIDC

| Topic | Description | May be removed in version | Deprecated since |
| --- | --- | --- | --- |
| IAM on Gateway (WAF) | Airlock Gateway 8.0 (planned for Q4/2022) will no longer support the Docker host. Airlock IAM can therefore no longer be deployed on Airlock Gateway. IAM support for the installation on Airlock Gateway will end with IAM 8.0. | 8.0 | 7.6 |
| Message providers for transaction approval | The transaction approval message provider plugins listed below may be removed in a future IAM version. mTAN: plugin to be removed: mTAN Message Provider (Transaction Approval only); replacement: Generic mTAN Message Provider. Airlock 2FA: plugin to be removed: Airlock 2FA Transaction Approval Message Provider; replacement: Generic Airlock 2FA Message Provider. Cronto: plugin to be removed: Transaction Approval Cronto Message Provider; replacement: Generic Cronto Message Provider. | 8.0 | 7.6 |
| Adminapp web UI paths | The old Adminapp URL paths `…/auth-admin/listUsers` and `…/auth-admin/editUser?uid=jdoe` are no longer supported. Use the new URL paths: `…/auth-admin/ui/app/secure/users` and `…/auth-admin/ui/app/secure/users/jdoe` | 8.0 | 7.5 |
| Transaction approval message provider | The transaction-approval-specific message provider plugins (mTAN Message Provider (Transaction Approval only), Transaction Approval Cronto Message Provider) will be removed. Use the generic plugins (Generic Cronto Message Provider) instead. | 8.0 | 7.5 |
| ti&m Secure Mobile | The ti&m Secure Mobile feature (Loginapp and Adminapp) will be removed and is no longer supported. | 8.0 | 7.5 |
| Session Binding with Header token | The setting Session Binding With Header Token (in Loginapp REST API auth flows) will be removed. A new feature introduced with Airlock Gateway 7.4 makes this setting obsolete. | 8.0 | 7.4 |
| Native RSA integration | The RSA SecurID server no longer supports the RSA-native agent-host protocol. Connect via RADIUS instead. Please note that starting with Airlock IAM 7.0, the RSA-native connection only works with old RSA libraries. See also Known Issue about IAM and native RSA connection. | 8.0 | 7.3 |
| REST API | Transaction approval with Kobil TMS is currently possible using two resource paths. Legacy path: `/rest/kobil-tms/devices/list/`. New path: `/rest/transaction-approval/cronto/push-devices/retrieve/`. The legacy path is deprecated. REST clients may have to be adapted. | 8.0 | 7.3 |
| User Importer Task | The User Importer Task will be removed. Please use the User Sync Task instead. There is no automatic configuration migration, i.e. the new task must be configured manually based on the configuration of the removed task. | 8.0 | 7.3 |
| DB schema change | The DB schema must be upgraded (even if not using new features). In particular, the TOKEN_ID row in tables token and token_assignment must be adapted according to the latest DB schema. See 6.2.1. Relational databases for IAM. Layout 1.0: oauth2-user-session-management.jsp. Layout 2.0: oauth2-user-session-management-content.jsp. | 8.0 | 7.3 |
| Headless Password Change | The "headless password change" HTTP interface will be removed. | 8.0 | 7.1 |
| Statistics Module | The statistics module will be removed. Please use the new reporting solution (since 7.1). | 8.0 | 7.1 |

Table 4: Miscellaneous

| Topic | Description | May be removed in version | Deprecated since |
| --- | --- | --- | --- |
| Custom steps | Skip Condition Tags and Pre Condition Tags have been replaced by Skip Conditions and Pre Conditions. The configuration is migrated automatically. The constructor of class `AbstractFlowStepConfig` that still accepts the skip- and pre-condition tags has been deprecated and will be removed. Custom step implementations must be adapted accordingly. | 8.0 | 7.5 |
| REST Extensions | Custom REST extensions must use the SPI (service provider interface) approach as described in the supplementary IAM Custom Development Guide. You can request the latest version of the IAM Custom Development Guide by opening a support ticket. See Techzone - Airlock support process (ergon.ch) for more information. | 8.0 | 7.4 |
| Custom steps | The Java interface `OverridingFailedLoginsIncrementStep` will be removed. | 8.0 | 7.4 |
| Auth flow steps | Custom authentication flow steps that do not return step results of type `AuthenticationStepResult` will no longer compile. They must be adapted to return step results of type `AuthenticationStepResult`. | 8.0 | 7.4 |
| Step results | Static creator methods like `StepResultImpl.success()`, `StepResultImpl.skip()` and so on are removed. Use the corresponding methods on `StepResultFactory` instead. `StepResult.nextStep()` will be removed. Use `StepResult.nextAction()` instead. `StepResultImpl.getMetadata()` will be removed. Use `StepResult.metadata()` instead. | 8.0 | 7.3 |
| HK2 binders | The possibility to use HK2 binders will be removed. Use Guice modules instead. | 8.0 | 7.3 |
| Jackson serialization | Custom REST application configurations could be annotated with `jacksonSerialization` in order to specify the packages to scan for transfer objects. This is no longer necessary and the method will be removed. | 8.0 | 7.3 |
| Validation message classes | The interface `ValidationMessageCredential` and its subclasses will be removed. They are no longer used since the SOAP interface was removed with IAM 7.1. | 8.0 | 7.3 |
| Constants in Configuration class | The following constants in class `com.airlock.iam.login.app.misc.config.Configuration` will be removed: `TICKET_KEY_USERNAME`, `TICKET_KEY_PASSWORD`, `TICKET_KEY_ROLES`. The constants still exist in class `com.airlock.iam.core.misc.util.ticket.SessionTicketKeys`. | 8.0 | 7.3 |
| Service Container tasks | Custom implementations of `com.airlock.iam.servicecontainer.app.internal.domain.model.task.AbstractTask` must use the new interfaces `com.airlock.iam.servicecontainer.api.domain.model.task.AbstractTask` and `com.airlock.iam.servicecontainer.api.application.configuration.task.TaskConfig`. | 8.0 | 7.1 |
| Old package names | Old package names (`ch.ergon.medusa.*`) will no longer be supported. Custom code, custom JSPs and other files containing package names must be migrated. See https://techzone.ergon.ch/airlock-iam-7.1-package-rename for details. IAM 7.1 contains a migration tool. | 8.0 | 7.1 |

Table 5: Custom code