Airlock IAM 7.7 - Actions required when upgrading

This section describes changes in Airlock IAM 7.7 LTS that may require manual changes. Whether changes are necessary depends on the features and/or custom extensions that are in use.

Upgrading an Airlock IAM version may require special actions. Consult the respective upgrade requirements:
Actions required when upgrading from IAM 7.5 to IAM 7.6
Actions required when upgrading from IAM 7.4 to IAM 7.5

Various features

IAM Module	Affected Feature(s) (Relevant if using ...)	Issue(s)	Required Action	Version
IAM database	Flow-continuation tokens (Email links)	AI-13448	If using email links for a password reset, user verification, or if using the flow continuation concept in general (public self-service flows), the IAM database schema must be upgraded. See also: Email link password reset flow example (using flow continuation) Email links for user verification in self-registration flows Using the Flow Continuation Step in public self-service flows Relational databases for IAM	7.7
Loginapp	Client-centric OIDC/OAuth AS	-	As announced with IAM 7.3, 7.4, 7.5, and 7.6, the client-centric AS (authorization server) will be removed in IAM 8.0 and all instances using it must migrate to the AS-centric AS. Since IAM 7.7 is the last release with both AS variants (client-centric and AS-centric), a seamless transition requires to do the migration in IAM 7.7 (or earlier). See AS-centric AS - seamless migration for more information.	7.7
Loginapp	SAML IdP	AI-15482	The default Key Transport Algorithm in the SAML Federation Config has changed to use the more secure RSA-OAEP. Existing configurations migrated to IAM 7.7 continue to use the old algorithm without OAEP. It is strongly recommended to check RSA-OAEP compatibility with the SAML SPs and then manually change the IdP configuration to use RSA-OAEP as Key Transport Algorithm. This affects both the JSP-Loginapp and the Loginapp REST UI.	7.7
Loginapp, Adminapp, Transaction Approval	REST client authentication	AI-15882	The Request Credential Policy to authenticate single requests in the Loginapp, Adminapp, and Transaction Approval modules will be removed in IAM 8.0. Configuration migration ensures that older configurations still work using a legacy adapter plugin. It is recommended to adapt the configuration to use the new Request Authentication plugins in 7.7. See Authentication of REST requests.	7.7
Adminapp	SSO ticket-based admin authentication	AI-15884	If using SSO tickets to authenticate admins to the Adminapp (Adminapp >> Administrators >> SSO Ticket Authentication): The feature has been improved and the Authenticator property has been removed. If using the Authenticator property to lookup and verify the user, the configuration has to be manually changed. Use the new properties User Store, Roles Blocklist, Username Key, and Roles key.	7.7
Database	Oracle	-	Note that the minimum supported Oracle version is now 19c. The database must be upgraded if still using an older Oracle version. See also Hardware and system requirements.	7.7

Loginapp REST UI SDK

IAM Module	Affected Feature(s) (Relevant if using ...)	Issue(s)	Required Action	Version
Loginapp REST UI SDK	Secret questions and custom UI customizations	AI-15460	In the Loginapp REST UI the tag `<secret-question>` has been changed to `<iam-secret-question>`. Custom CSS or JS referring explicitly to this HTML tag must be adjusted accordingly.	7.7
Loginapp REST UI SDK	mTAN/SMS OTPs and custom UI customizations	AI-15656	The user instructions for the mTAN OTP page in the Loginapp REST UI are no longer of type `<iam-alert-...>`, but now of type `<iam-text-message>`. Custom CSS or JS referring explicitly to the alert message must be adjusted accordingly. The default translation string for `resend-info` has been changed to match similar use cases of other flow types.	7.7
Loginapp REST UI SDK	Loginapp REST UI SDK configuration	AI-14506	Only affects the SDK configuration. Not relevant at runtime for existing customizations: Page configurations can have a top-level block `additionalAttributes`. Attribute `allowResends` has been renamed to `resendPossible`. `matrixChallenges` is now part of `additionalAttributes` (instead of `pageSettings`). `acknowledgementMessageId` has been renamed to `messageId` and is now part of `additionalAttributes` (instead of `pageSettings`).	7.7
Loginapp REST UI SDK	Logout link on protected self-service pages.	AI-14481	A logout link has been added to all protected self-service pages. It can be enabled and disabled using SASS variable `iam-show-logout-link.` Re-run the `sdk build` command and redeploy IAM with the newly generated customizations in order to make IAM respect the variable. Failing to rebuild the custom UI artifacts may result in a logout button automatically being displayed on all protected self-service pages. See Using the Loginapp REST UI SDK command-line tool.	7.7

Custom code

IAM Module	Affected Feature(s) (Relevant if using ...)	Issue(s)	Required Action	Version
All	Custom code dealing with OTPs	AI-15852	Changed the `Otp` class in `common-api` to unify the handling of OTPs in IAM. Adjust custom code to use the new `UnverifiedOtp` class for handling user input.	7.7
Loginapp	Custom code handling events	AI-13446	The `PASSWORD_CHANGED` event code interface has been moved (package change) to be available for all flow types. Adjust custom code accordingly.	7.7

Further information and links

Upgrade Airlock IAM
Upgrading database schemas: Relational databases for IAM