Airlock IAM 7.7 - Actions required when upgrading

Various features

IAM Module

Affected Feature(s)
(Relevant if using ...)

Issue(s)

Required Action

Version

IAM database

Flow-continuation tokens
(Email links)

AI-13448

If using email links for a password reset, user verification, or if using the flow continuation concept in general (public self-service flows), the IAM database schema must be upgraded.

7.7

Loginapp

Client-centric OIDC/OAuth AS

-

As announced with IAM 7.3, 7.4, 7.5, and 7.6, the client-centric AS (authorization server) will be removed in IAM 8.0 and all instances using it must migrate to the AS-centric AS.

Since IAM 7.7 is the last release with both AS variants (client-centric and AS-centric), a seamless transition requires migrating in IAM 7.7 (or earlier).

See AS-centric AS - seamless migration for more information.

7.7

Loginapp

SAML IdP

AI-15482

The default Key Transport Algorithm in the SAML Federation Config has changed to use the more secure RSA-OAEP.

Existing configurations migrated to IAM 7.7 continue to use the old algorithm without OAEP.

It is strongly recommended to check RSA-OAEP compatibility with the SAML SPs and then manually change the IdP configuration to use RSA-OAEP as the Key Transport Algorithm.

This affects both the JSP-Loginapp and the Loginapp REST UI.

7.7
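One way to pre-screen SAML SPs for the RSA-OAEP check recommended above is to read the key transport algorithms each SP advertises in its metadata. This is an added example, not part of the Airlock IAM documentation or product; `classify_sp`, `sample_sp`, and the sample entity IDs are hypothetical names and constructed inputs. It assumes the SPs publish SAML 2.0 metadata obtained from a trusted source, and it only shows what an SP declares, so an "unspecified" result still needs a test login.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
RSA_V15 = "http://www.w3.org/2001/04/xmlenc#rsa-1_5"
OAEP = {  # RSA-OAEP key transport URIs from XML Encryption 1.0 and 1.1
    "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p",
    "http://www.w3.org/2009/xmlenc11#rsa-oaep",
}

def classify_sp(metadata_xml):
    """Return (entityID, verdict) for one SP EntityDescriptor document."""
    root = ET.fromstring(metadata_xml)
    has_enc_key, declared = False, set()
    for kd in root.iter(f"{{{MD}}}KeyDescriptor"):
        # A KeyDescriptor without 'use' serves both signing and encryption.
        if kd.get("use", "encryption") != "encryption":
            continue
        has_enc_key = True
        for em in kd.iter(f"{{{MD}}}EncryptionMethod"):
            declared.add(em.get("Algorithm"))
    if not has_enc_key:
        verdict = "no-encryption-key"   # nothing to encrypt to for this SP
    elif declared & OAEP:
        verdict = "oaep-advertised"     # candidate for switching to RSA-OAEP
    elif RSA_V15 in declared:
        verdict = "rsa-1_5-only"        # SP must be updated before switching
    else:
        verdict = "unspecified"         # metadata is silent: test manually
    return root.get("entityID"), verdict

def sample_sp(entity_id, algorithms, use="encryption"):
    """Build constructed SP metadata (ds:KeyInfo omitted for brevity)."""
    methods = "".join(f'<md:EncryptionMethod Algorithm="{a}"/>' for a in algorithms)
    return (f'<md:EntityDescriptor xmlns:md="{MD}" entityID="{entity_id}">'
            f'<md:SPSSODescriptor><md:KeyDescriptor use="{use}">{methods}'
            '</md:KeyDescriptor></md:SPSSODescriptor></md:EntityDescriptor>')

AES = "http://www.w3.org/2001/04/xmlenc#aes256-cbc"  # data cipher, not key transport
SAMPLES = [  # constructed inputs, not real service providers
    sample_sp("https://sp-a.example/saml", [sorted(OAEP)[0], AES]),
    sample_sp("https://sp-b.example/saml", [RSA_V15, AES]),
    sample_sp("https://sp-c.example/saml", [AES]),
    sample_sp("https://sp-d.example/saml", [], use="signing"),
]

def report(samples=SAMPLES):
    return dict(classify_sp(xml) for xml in samples)

if __name__ == "__main__":
    for entity, verdict in report().items():
        print(f"{verdict:18} {entity}")
```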

Loginapp, Adminapp, Transaction Approval

REST client authentication

AI-15882

The Request Credential Policy to authenticate single requests in the Loginapp, Adminapp, and Transaction Approval modules will be removed in IAM 8.0.

Configuration migration ensures that older configurations still work using a legacy adapter plugin.

It is recommended to adapt the configuration to use the new Request Authentication plugins in 7.7. See Authentication of REST requests.

7.7

Adminapp

SSO ticket-based admin authentication

AI-15884

If using SSO tickets to authenticate admins to the Adminapp (Adminapp >> Administrators >> SSO Ticket Authentication):

The feature has been improved and the Authenticator property has been removed. If using the Authenticator property to look up and verify the user, the configuration has to be manually changed.

Use the new properties User Store, Roles Blocklist, Username Key, and Roles key.

7.7

Database

Oracle

-

Note that the minimum supported Oracle version is now 19c. The database must be upgraded if still using an older Oracle version.

See also System requirements.

7.7

Loginapp REST UI SDK

IAM Module

Affected Feature(s)
(Relevant if using ...)

Issue(s)

Required Action

Version

Loginapp REST UI SDK

Secret questions and custom UI customizations

AI-15460

In the Loginapp REST UI the tag <secret-question> has been changed to <iam-secret-question>. Custom CSS or JS referring explicitly to this HTML tag must be adjusted accordingly.

7.7

Loginapp REST UI SDK

mTAN/SMS OTPs and custom UI customizations

AI-15656

The user instructions for the mTAN OTP page in the Loginapp REST UI are no longer of type <iam-alert-...>, but now of type <iam-text-message>.

Custom CSS or JS referring explicitly to the alert message must be adjusted accordingly. The default translation string for resend-info has been changed to match similar use cases of other flow types.

7.7

Loginapp REST UI SDK

Loginapp REST UI SDK configuration

AI-14506

This only affects the SDK configuration and is not relevant at runtime for existing customizations:
  • Page configurations can have a top-level block additionalAttributes.
  • Attribute allowResends has been renamed to resendPossible.
  • matrixChallenges is now part of additionalAttributes (instead of pageSettings).
  • acknowledgementMessageId has been renamed to messageId and is now part of additionalAttributes (instead of pageSettings).

7.7

Loginapp REST UI SDK

Logout link on protected self-service pages.

AI-14481

A logout link has been added to all protected self-service pages. It can be enabled and disabled using the SASS variable iam-show-logout-link.

Re-run the sdk build command and redeploy IAM with the newly generated customizations in order to make IAM respect the variable.

Failing to rebuild the custom UI artifacts may result in a logout button automatically being displayed on all protected self-service pages.

See Using the Loginapp REST UI SDK command-line tool.

7.7

Custom code

IAM Module

Affected Feature(s)
(Relevant if using ...)

Issue(s)

Required Action

Version

All

Custom code dealing with OTPs

AI-15852

Changed the Otp class in common-api to unify the handling of OTPs in IAM. Adjust custom code to use the new UnverifiedOtp class for handling user input.

7.7

Loginapp

Custom code handling events

AI-13446

The PASSWORD_CHANGED event code interface has been moved (package change) to be available for all flow types. Adjust custom code accordingly.

7.7