Airlock IAM 8.0 - Changelog

Fixed a memory leak in plugin injection.

Fixed an issue that prevented representation of locked users after authentication.

SAML2: Gateway session is now correctly terminated for SP in an IdP-initiated SLO (single logout).

Support Airlock 2FA payload encryption (end-to-end encryption between IAM and Futurae service).

Updating of the login statistics can now be disabled in the Default Authentication Processor configuration.

Added Futurae-Session ID to logs to facilitate log correlation between the Airlock 2FA service and IAM. These log entries may change with a future release of Airlock IAM.

Loginapp now considers a location query parameter in a URL even if accessing a target application using the application id (/ui/application/access/application-id).

Fixed a crash in the Adminapp logviewer search, if the resulting log lines did not contain a valid timestamp.

OAuth 2.0/OIDC correctly handles custom URIs for the /oauth2/v3 authorize and check-session endpoints.

Fixed a bug where the Login from new device-cookie was served without a path.

Reject forward URI containing a UserInfo part early in request processing.

Updated third-party libraries.

Upgraded BouncyCastle library to prevent a potential DoS attack (CVE-2023-33202).

Corrected processing of OAuth URLs containing curly braces ("{" and “}").

OIDC behavior is now specification-compliant for cases where "prompt=none" is requested by the client.

Verification calls to the CAPTCHA-Services (reCAPTCHA and hCaptcha) are now sent as Form-Parameters in the Body to comply with hCaptchas requirements.

Fixed client certificate authentication in HTTP client.

Update JVM to 11.0.19

Updated IAM docker base image

Selection Password Repository for request authentication to select a password repository based on the username.

New flow step Airlock 2FA Activation Step to enroll additional Airlock 2FA devices in authentication flows.

Fixed UI handling of OAuth 2.0 or SAML 2.0 flows starting with Kerberos authentication.

Loginapp UI automatically handles timeouts on the first flow step (e.g. password page).

An event is published upon registration of a new device token.

Use Bootstrap 5 (instead of 4). jQuery is no longer bundled with the Loginapp.

Airlock IAM's login UI SDK is now referred to as Loginapp Design Kit (instead of Loginapp REST UI SDK).

Add support for all configurable UI elements to display initial data.

Relaxed property value validation of Customizable Step UI elements to be more compatible with context-data names. Some context data names could not be used before.

Handle multiple OAuth handshakes in the same session correctly.

Avoid exceptions for certain invalid Cronto OTPs.

Fixed logging of provided username during OAuth 2.0 account linking.

User management extensions (UME) allow adding custom user management features.

See User Management Extension in the IAM Adminapp.

Introduced Content Security Policy (CSP) for Adminapp. The CSP is enabled by default and disables the rich-text editor for maintenance messages.

See Adminapp Content Security Policy (CSP).

Configuration option to make user search in the Adminapp more efficient by only searching in selected user attributes.

Configuration selects the default log file in the log viewer.

Fixed Adminapp user search with locked user filter.

Support for PostgreSQL databases.

User change listener plugins can have a condition of whether they should handle a change or not.

Migrated all DATETIME/TIMESTAMP fields in token and token_assignment to BIGINT/NUMBER(19) to properly support multiple time zones and DST changes.

Improved performance when searching users in the Adminapp. The Rowset Range Pattern property in the Database User Persister is no longer required to have the application optimize queries containing an offset and a limit when searching for user entries.

New configuration variables concept allows using variables in the configuration and assigning values from environment variables when starting up IAM instances.

See Using environment variables in the IAM configuration.

Improved performance of the config editor for large configs.

Improved readability of the output of the CLI command iam upgrade.

Config activation may falsely show a failed activation, even though all individual modules were activated successfully.

New service task to import existing file-based user trail logs into the new user trail database table. The service task is intended to be run manually, either from the Adminapp user interface or the terminal client.

New event published if context data is changed.

New SMS gateway plugin to select an SMS gateway based on the phone number prefix.

New properties in instance configuration (instance.properties) control whether the Tomcat web server and access logs are written to stdout and what log level to use.

Removed deprecated Java APIs from StepResult and StepResultFactory.

• The following log-related instance properties (instance.properties file) have been renamed to reduce confusion with new properties:
• iam.web-server.log.enabled >> iam.web-server.log.file.enabled
• iam.web-server.access-log.enabled >> iam.web-server.access-log.file.enabled
• iam.web-server.log.pattern >> iam.web-server.log.format.simple.pattern
• iam.web-server.access-log.pattern >> iam.web-server.access-log.format.simple.pattern

During configuration migration, these keys are automatically changed in the instance.properties file.

IAM can now only be started with the correct configuration file (medusa-configuration.xml) version. This prevents startup with an older, incompatible, configuration file.

Disabled browser spellcheck for Loginapp and Adminapp input fields.

When sending HTML emails triggered by a Loginapp or Adminapp event, all dynamic values are now correctly HTML-escaped.

Audit log files could be written to the wrong file and potentially overwrite existing log files.