The following tables show all the changes from Airlock IAM 7.6 to 7.7.
If not noted otherwise, Loginapp listed features are only available for the Loginapp UI and the Loginapp REST API (but not for the JSP-Loginapp).
The change log also includes the changes to the Loginapp REST UI SDK. For older versions, they were kept on separate pages.
Bugfixes and improvements:
Improvement | AI-18506 | SAML2 IDP: AuthnRequest IDs can now be up to 1000 characters long. |
Bugfix | AI-18715 | Loginapp UI forward locations may now also contain commas. |
Bugfixes and improvements:
Improvement | AI-18337 | Service Container Tasks will support use cases where source and destination directories are located in different filesystems. |
Bugfix | AI-16812 | Loginapp now considers location query parameter in a URL even if accessing a target application using the application id ( |
Bugfix | AI-17446 | Self-registration with an initially locked user will now report the correct lock reason. |
Bugfix | AI-18149 | SAML2 IDP: AuthnRequest IDs can now be up to 150 characters long. |
Bugfix | AI-18156 | Reject forward URI containing a UserInfo part early in request processing. |
Bugfix | AI-18175 | Updated third-party libraries. |
Bugfix | AI-18347 | Upgraded BouncyCastle library to prevent a potential DoS attack (CVE-2023-33202). |
Bugfix | AI-18358 | Tomcat upgrade to 9.0.83 to mitigate CVE-2023-46589. |
Bugfixes and improvements:
Bugfix | AI-17254 | Corrected processing of OAuth URLs containing curly braces ("{" and “}"). |
Bugfix | AI-17545 | XML File Importer Task can be configured to continue processing after errors were encountered. |
Bugfix | AI-17853 | OIDC behavior is now specification compliant for cases where "prompt=none" is requested by the client. |
Bugfix | AI-17942 | Fixed a bug where the logout disclaimer page was not shown when it was set as default target in a parameter based target URI plugin. |
Bugfix | AI-18005 | Verification calls to the CAPTCHA-Services (reCAPTCHA and hCaptcha) are now sent as Form-Parameters in the Body to comply with hCaptchas requirements. |
Bugfix | AI-18026 | Updated third-party dependency libraries. |
Bugfix | AI-18029 | Fixed a bug where Task Schedules with an interval of greater than 1 day would never execute. |
Bugfix | AI-18358 | Tomcat upgrade to 9.0.83 to mitigate CVE-2023-46589. |
Bugfixes and improvements:
Bugfix | AI-17362 | Fixed client certificate authentication in HTTP client. |
Bugfix | AI-17375 | Fixed handling of HTTP responses without body. |
Bugfix | AI-17384 | Fixed a ReDoS vulnerability in URL rewriter filter |
Bugfix | AI-17398 | Update JVM to 11.0.19 |
Bugfix | AI-17399 | Updated third-party dependency libraries |
Bugfix | AI-17401 | Updated IAM docker base image |
Bugfix | AI-17402 | Fix unsanitized path parameter in adminapp log viewer |
Change | AI-17404 | Avoid exception for certain invalid Cronto OTPs |
Bugfixes and improvements | ||
Change | AI-16958 | Changed validation policy for Airlock 2FA "display_name". |
Bugfix | AI-16969 | Handle multiple OAuth handshakes in the same session correctly. |
Bugfix | AI-16997 | Correctly rewrite locale information to conform with RFC 2616. |
Bugfix | AI-17063 | Notification SMS to old phone number can be sent in case of deleted phone number event. |
Bugfix | AI-17102 | Fixed a bug, where configurable UIs required an input field to be submitted to the server. |
Change | AI-17105 | Relaxed property value validation of Customizable Step UI elements to be more compatible with context-data names. |
Change | AI-17106 | Updated tomcat and core libraries to the most recent versions. |
Bugfixes and improvements | ||
Bugfix | AI-16581 | Fixed token validity during daylight saving time changes. |
Bugfix | AI-16610 | Successful logins now correctly updates the login statistics. |
Bugfix | AI-16612 | Fixed UI handling of OAuth 2.0 or SAML 2.0 flows starting with Kerberos authentication. |
Bugfix | AI-16622 | Fixed user insertion for LdapConnector and LdapUserPersister when using a "Special Date Time Pattern". |
Bugfix | AI-16659 | Fixed "Password Authentication Step" and "Username Password Authentication Step" steps to correctly log failed password checks. |
Change | AI-16666 | Improved Config Editor Performance for large Configurations. |
Change | AI-16748 | Added Event Producer for ApplyEmailChange plugin. |
Bugfix | AI-16819 | Configurable UIs render pages correctly when no input fields are configured. |
Change | AI-16822 | Updated REST UI to remove all conflicts with the CSP. |
Bugfixes and improvements | ||
Bugfix | AI-16441 | Security update for Apache Tomcat. |
Bugfix | AI-16487 | Security update for Apache Commons Text. |
Bugfix | AI-16491 | Flow Visualizer correctly handles flows with multiple identical plugins. |
Bugfix | AI-16496 | Security update for Java JDK. |
Bugfix | AI-16522 | Support for reporting to Elasticsearch version 8. |
Authentication flows | ||
New | AI-15996 | Default step UI for user identification step. |
New | AI-16077 | Authentication step to check password without username input. |
New | AI-13467 | Kerberos/SPNEGO authentication step. See Front-Side Kerberos configuration in the Loginapp REST API. |
New | AI-13514 | Risk-based authentication for authentication flows. See Risk-based authentication in the Loginapp REST API/UI. |
New | AI-15901 | Risk extraction based on Airlock Gateway's client fingerprinting. |
New | AI-15833 | Risk extraction based on Airlock Gateway's Anomaly Shield. |
New | AI-15693 | HTTP Basic Authentication Step. |
New | AI-14039 | New Email OTP authentication step with support for language-dependent message templates. |
New | AI-14445 | SAML 2.0 SP support in authentication flows. See SAML SP setup with the Loginapp REST API. |
New | AI-13473 | Option to lock user based on Airlock Gateway's client fingerprinting. See Client fingerprinting-based lockout. |
New | AI-13446 | Voluntary password change step for authentication flows. |
New | AI-3747 | Cronto Digipass online activation. |
New | AI-15773 | Limited support for the Office Form Based Authentication Protocol (MSOFB) with flows and Loginapp UI. See MS-OFBA configuration for the Loginapp REST UI. |
New | AI-16001 | Remove flow tags if roles are dropped by Airlock Gateway. |
Improvement | AI-13301 | Airlock 2FA factor used during login process is now available in identity propagation. |
Bugfix | AI-15927 | SAML 2.0 SP: accept SAMLResponses with multiple attributes with same name. |
Self-registration | ||
New | AI-12474 | Airlock 2FA device activation in self-registration flows. |
New | AI-15756 | SMS resend for phone number verification during self-registration. |
New | AI-15739 | Improved control over user locking during self-registration. |
New | AI-15878 | Fixed password handling when using multiple persisting steps in self-registration flows. |
New | AI-15764 | Fixed phone number uniqueness check in self-registration. Public Self-Services. |
Public self-services | ||
New | AI-13448 | Public self-service to handle links from verification emails. Emails can be sent from self-registration, public self-services, and Adminapp. See Using the Flow Continuation Step in public self-service flows. |
New | AI-15763 | Device Token-based identification for public self-service flows. |
New | AI-16396 | New steps to delete all active OAuth sessions and/or remembered browsers/devices. May be used in public self-services, protected self-services, and authentication flows, e.g., after setting a new password. |
Protected Self-Services | ||
New | AI-14778 | Self-service for management of logged-in devices. See Browser/Device Management Self-Service (Remember-Me). |
New | AI-13544 | Activation step for OneSpan DIGIPASS OTP tokens. See Digipass OTP device activation (protected self-service). |
New | AI-13573 | Account lock self-service. See Lockout Self-Service in the Loginapp REST API/UI. |
Improvement | AI-14481 | Logout link in the header of Loginapp REST UI. |
Improvement | AI-15946 | Device token information REST endpoint returns last token usage. |
Loginapp Miscellaneous | ||
New | AI-13449 | CAPTCHAs for Loginapp REST UI (self-registration, public self-services, User Identification Step). See e.g. CAPTCHAs in the Loginapp REST API/UI. |
New | AI-13443 | Password repository for password check via RADIUS. |
New | AI-15062 | "On-behalf login" flow identity propagator (new plugin On Behalf Login Identity Propagation). |
New | AI-13077 | Support for end-to-end encryption in Loginapp REST UI (REST API was already available in earlier versions). See Password end-to-end encryption configuration in the Loginapp REST API. |
Improvement | AI-14067 | Support for multiple transaction approval flows. See Transaction approval flow selection. |
Improvement | AI-15500 | Roles provider-based on delimiter-separated strings. |
Improvement | AI-15787 | Loginapp UI translations can depend on the tenant ID. |
Improvement | AI-14506 | Loginapp REST UI translation can reference additional attributes from step responses. |
Improvement | AI-15862 | Logout actions can depend on Gateway's session termination reason. |
Improvement | AI-13264 | Multi-file Support for iam-custom.js in Loginapp REST UI SDK. |
Improvement | AI-14401 | Added logout link to protected self-services pages. |
Improvement | AI-16104 | UI tenant ID (OAuth / SAML) can be used to select translations. |
Bugfix | AI-16160 | Fixed handling of Gateway session timeouts. (CASE-33195) |
Bugfix | AI-14657 | Fixed "on failure" handling in Loginapp REST UI. |
New | AI-15021 | Visualizer for flow configurations in Config Editor. See Flow step plugins in IAM flows. |
New | AI-14011 | New handler for sending SMS event notifications. See new plugins SMS Event Subscriber (Loginapp) and SMS Event Subscriber (Adminnapp). |
New | AI-15967 | New event published upon phone number change. |
New | AI-11872 | Support Swisscom's SMS REST API. See new plugin Swisscom REST SMS Gateway. |
New | AI-16373 | Config Editor lists plugins to be removed in IAM 8.0 if a corresponding plugin list file is present in the installation folder. |
Improvement | AI-16154 | Language source for event notifications is now configurable. |
Improvement | AI-15882 | New set of plugins to authenticate REST clients in Loginapp, Adminapp, and Transaction Approval REST APIs. Support for Client certificates, HTTP Basic Auth, OAuth, SSO Tickets. See Authentication of REST requests. |
Bugfix | AI-15895 | Include filter parameters in Adminapp JSON API response links. |
Bugfix | AI-15170 | Failed configuration activations report failure upon fallback to the previous configuration. (CASE-32430) |
Bugfix | AI-15499 | Fixed transformation of empty context data in XML File Importer. |