The following tables show the changes from Airlock IAM 7.7 to 8.0.
Airlock IAM 8.0.8
Bugfixes and improvements | ||
---|---|---|
Bugfix | AI-19765 AI-20172 | Invalid role names are now logged correctly, with the control characters masked. |
Bugfix | AI-19897 | The authentication timestamp in the one-shot authentication flow is now propagated correctly. |
Bugfix | AI-20063 | A bug was fixed where the Loginapp UI stopped polling the authentication status. This could occur in the case of a network failure or when the Loginapp UI was sent to the background on some mobile phones. |
Improvement | AI-20010 AI-20088 | Updated the Java JDK, Spring Framework, and Ubi images to the latest revision. |
Airlock IAM 8.0.7
Bugfixes and improvements | ||
---|---|---|
Bugfix | AI-19204 | Fixed a memory leak in plugin injection. |
Bugfix | AI-19188 | Roles provided through an LDAP Connector may now contain " |
Bugfix | AI-19257 | Fixed an issue that prevented representation of locked users after authentication. |
Bugfix | AI-19227 | Updated Universal Minimal Image to version 8.10-896.1716497715 (mitigates CVE-2024-33599, CVE-2024-33600, CVE-2024-33602, CVE-2024-33601 and CVE-2024-2961). |
Airlock IAM 8.0.6
Bugfixes and improvements | ||
---|---|---|
Bugfix | AI-19020 | SAML2: Gateway session is now correctly terminated for SP in an IdP-initiated SLO (single logout). |
Bugfix | AI-19025 |
|
Airlock IAM 8.0.5
Bugfixes and improvements | ||
---|---|---|
New | AI-18437 | Support Airlock 2FA payload encryption (end-to-end encryption between IAM and Futurae service). |
Improvement | AI-18506 | SAML2 IDP: AuthnRequest IDs can now be up to 1000 characters long. |
Improvement | AI-18417 | Updating of the login statistics can now be disabled in the Default Authentication Processor configuration. |
Bugfix | AI-18715 | Loginapp UI forward locations may now also contain commas. |
Bugfix | AI-18004 | OpenID Connect ID Token expiry is now correctly calculated using the property ID Token Validity instead of Authorization Code Validity. |
Airlock IAM 8.0.4
Bugfixes and improvements | ||
---|---|---|
New | AI-18197 | Added Futurae-Session ID to logs to facilitate log correlation between the Airlock 2FA service and IAM. These log entries may change with a future release of Airlock IAM. |
Improvement | AI-18337 | Service Container Tasks will support use cases where source and destination directories are located in different filesystems. |
Bugfix | AI-16812 | Loginapp now considers a location query parameter in a URL even if accessing a target application using the application id ( |
Bugfix | AI-17446 | Self-registration with an initially locked user will now report the correct lock reason. |
Bugfix | AI-17510 | Fixed a crash in the Adminapp logviewer search, if the resulting log lines did not contain a valid timestamp. |
Bugfix | AI-17544 | Fixed renaming of Cronto devices without a name. |
Bugfix | AI-17863 | OAuth 2.0/OIDC correctly handles custom URIs for the |
Bugfix | AI-17771 | The HttpSession in Loginapp and Transaction Approval correctly enforces the configured session timeout. |
Bugfix | AI-18118 | Fixed a bug where the Login from new device-cookie was served without a path. |
Bugfix | AI-18149 | SAML2 IDP: AuthnRequest IDs can now be up to 150 characters long. |
Bugfix | AI-18156 | Reject forward URI containing a UserInfo part early in request processing. |
Bugfix | AI-18165 | Fix the presentation of Loginapp UIs for smaller screen sizes. This bugfix is potentially breaking and affected customers should consider using the "no-ui-fix" version from the download page. More information can be found on https://techzone.ergon.ch/airlock-iam-8.0.4-ui-fix. |
Bugfix | AI-18175 | Updated third-party libraries. |
Bugfix | AI-18200 | Tables with a large number of columns in the Adminapp UI are now scrollable and will no longer overflow. |
Bugfix | AI-18347 | Upgraded BouncyCastle library to prevent a potential DoS attack (CVE-2023-33202). |
Bugfix | AI-18358 | Tomcat upgrade to 9.0.83 to mitigate CVE-2023-46589. |
Airlock IAM 8.0.3
Bugfixes and improvements | ||
---|---|---|
Bugfix | AI-17254 | Corrected processing of OAuth URLs containing curly braces ("{" and "}"). |
Bugfix | AI-17545 | XML File Importer Task can be configured to continue processing after errors are encountered. |
Bugfix | AI-17853 | OIDC behavior is now specification-compliant for cases where "prompt=none" is requested by the client. |
Bugfix | AI-17942 | Fixed a bug where the logout disclaimer page was not shown when it was set as the default target in a parameter-based target URI plugin. |
Bugfix | AI-18005 | Verification calls to the CAPTCHA services (reCAPTCHA and hCaptcha) are now sent as form parameters in the body to comply with hCaptcha's requirements. |
Bugfix | AI-18026 | Updated third-party dependency libraries. |
Bugfix | AI-18029 | Fixed a bug where Task Schedules with an interval of greater than 1 day would never execute. |
Airlock IAM 8.0.2
Bugfixes and improvements | ||
---|---|---|
Bugfix | AI-17362 | Fixed client certificate authentication in HTTP client. |
Bugfix | AI-17375 | Fixed handling of HTTP responses without body. |
Bugfix | AI-17398 | Update JVM to 11.0.19 |
Bugfix | AI-17399 | Updated third-party dependency libraries |
Bugfix | AI-17401 | Updated IAM docker base image |
Bugfix | AI-17429 | Fixed JSON parsing in JWT Ticket Decoder for "Claims Stored As JSON" |
Airlock IAM 8.0.1
Bugfixes | ||
---|---|---|
Bugfix | AI-17363 | Fixes a bug resulting in a license verification error if an OAuth/OIDC Authorization Server is configured and the token exchange feature is not licensed. |
Airlock IAM 8.0.0
Authentication | ||
---|---|---|
New | AI-16109 | Selection Password Repository for request authentication to select a password repository based on the username. |
New | AI-16115 | JWT signature verification using JWKS (JSON web key sets). |
New | AI-16323 | New flow step Airlock 2FA Activation Step to enroll additional Airlock 2FA devices in authentication flows. |
New | AI-16323 | New flow step Airlock 2FA Delete Old Devices Step that deletes all Airlock 2FA devices except the one newly enrolled in the same auth flow session. |
Improvement | AI-16958 | Airlock 2FA - The display name may no longer contain certain special characters. The IAM REST API still accepts all characters as before this improvement. Special characters may be sanitized in the Futurae service. |
Bugfix | AI-16597 | The Set Context Data Step no longer uses the name Non-Interactive User Data Registration Step in the log files. |
Bugfix | AI-16612 | Fixed UI handling of OAuth 2.0 or SAML 2.0 flows starting with Kerberos authentication. |
Bugfix | AI-16820 | RADIUS Client does not support infinite timeout anymore. Such configs are migrated to a timeout of 60s. |
Loginapp | ||
---|---|---|
New | AI-16231 | Loginapp UI automatically handles timeouts on the first flow step (e.g. password page). |
New | AI-16249 | OAuth 2.0 Token Exchange (RFC 8693). See Token Exchange Overview. |
New | AI-16420 | An event is published upon registration of a new device token. |
New | AI-16550 | UI Tenant ID for the Loginapp UI can be determined based on the request URL. |
Improvement | AI-16440 | Custom flow steps can now use product pages of the Loginapp UI. |
Improvement | AI-16523 | Use Bootstrap 5 (instead of 4). jQuery is no longer bundled with the Loginapp. |
Improvement | AI-16682 | OAuth 2.0: Static Clients now support client certificates. |
Improvement | AI-16925 | Airlock IAM's login UI SDK is now referred to as Loginapp Design Kit (instead of Loginapp REST UI SDK). |
Improvement | AI-16748, | Email address changes in Loginapp and Adminapp publish events. |
Improvement | AI-17123 | Add support for all configurable UI elements to display initial data. |
Bugfix | AI-17105 | Relaxed property value validation of Customizable Step UI elements to be more compatible with context-data names. Some context data names could not be used before. |
Bugfix | AI-17102 AI-16819 | Fixed a bug in Customizable Step UI: Forms without an input field can be used correctly. |
Bugfix | AI-16969 | Handle multiple OAuth handshakes in the same session correctly. |
Bugfix | AI-16659 | Fixed the Password Authentication Step and Username Password Authentication Step, which incorrectly wrote success log entries for failed password checks. |
Bugfix | AI-15798 | Avoid exceptions for certain invalid Cronto OTPs. |
Bugfix | AI-16141 | Lock Self-Service Step now also publishes a user locked event. |
Bugfix | AI-16327 | Fixed logging of provided username during OAuth 2.0 account linking. |
Bugfix | AI-16584 | Enabled handling of language codes with country variants (e.g. |
Bugfix | AI-16594 | Loginapp UI validation considers the case sensitivity of string items in User Data Edit Step. |
Adminapp | ||
---|---|---|
New | AI-14849 AI-16661 | User management extensions (UME) allow adding custom user management features. |
New | AI-16748, | Email address changes in Loginapp and Adminapp publish events. |
New | AI-16826 AI-16792 | Introduced Content Security Policy (CSP) for Adminapp. The CSP is enabled by default and disables the rich-text editor for maintenance messages. |
New | AI-16424 AI-16346 | The Activities tab in the user details now only displays log entries if a user trail log repository has been configured for the Adminapp module. Log entries are read from the corresponding database. The Activities tab in the User Details page now supports retrieving additional results with "next page" and "previous page" buttons. See User trail logging. |
New | AI-16355 | Configuration option to make user search in the Adminapp more efficient by only searching in selected user attributes. |
New | AI-16498 | Configuration option whether returning to Adminapp user list page should trigger a new search. |
Improvement | AI-16999 AI-17012 | Brushup of the Adminapp UI to adhere to more modern UI concepts. |
Improvement | AI-16506 | Configuration selects the default log file in the log viewer. |
Improvement | AI-14849 | Simplified Generic Token Controller UI. See Generic Token Controller UI configuration. |
Bugfix | AI-17044 | The administrators' menu could not be accessed although access control was configured correctly. |
Bugfix | AI-16478 | Fixed Adminapp user search with locked user filter. |
Bugfix | AI-16610 | Fixed accounting of successful logins for authenticated requests to REST endpoints. |
Database, Persisters | ||
---|---|---|
New | AI-9902 | Support for PostgreSQL databases. |
New | AI-16798 | The user trail log is now stored in the database and is therefore shared among multiple IAM instances. See User trail logging. |
New | AI-16582 | User change listener plugins can have a condition of whether they should handle a change or not. |
Improvement | AI-16936 | Migrated all |
Improvement | AI-16736 | MSSQL now uses |
Improvement | AI-16733 | Improved performance when searching users in the Adminapp. The Rowset Range Pattern property in the Database User Persister is no longer required to have the application optimize queries containing an offset and a limit when searching for user entries. |
Improvement | AI-16708 | Searching for unassigned OneSpan Cronto tokens now uses a more efficient query. |
Bugfix | AI-16110 | External Database Password Repository adds user roles configured in the user persister. |
Bugfix | AI-16622 | Fix user insertion in LDAP using LDAP Connector or Ldap User Persister when using a Special Date Time Pattern. |
Configuration and Config Editor | ||
---|---|---|
New | AI-16903 | New configuration variables concept allows using variables in the configuration and assigning values from environment variables when starting up IAM instances. |
Improvement | AI-16754 AI-16666 | Improved performance of the config editor for large configs. |
Improvement | AI-15615 | The shared environment (instead of the instance environment) is selected upon Config Editor start. |
Improvement | AI-17107 | Improved readability of the output of the CLI command |
Bugfix | AI-17070 | Config activation may falsely show a failed activation, even though all individual modules were activated successfully. |
Bugfix | AI-17053 | The instance environment could no longer be selected after reloading the plugin configuration or after loading a saved or template config. |
Bugfix | AI-16813 | The right-click delete option Delete all contained plugins in the Config Editor now only deletes contained and unused plugins recursively (and the right-click selected plugin itself of course). |
Miscellaneous | ||
---|---|---|
New | AI-16676 | New service task to import existing file-based user trail logs into the new user trail database table. The service task is intended to be run manually, either from the Adminapp user interface or the terminal client. |
New | AI-16750 | Remote event subscriber plugin to notify external systems via HTTP requests. |
New | AI-16799 | New event published if context data is changed. |
New | AI-12584 | New event published if a user logs in from a new device or browser. |
New | AI-16618 | New SMS gateway plugin to select an SMS gateway based on the phone number prefix. |
Improvement | AI-15385 | New properties in instance configuration (instance.properties) control whether the Tomcat web server and access logs are written to |
Improvement | AI-17142 | Versioning |
Improvement | AI-13140 | Removed deprecated Java APIs from |
Improvement | AI-8907 | Unified translation file encodings to UTF-8. |
Improvement | AI-17040 |
During configuration migration, these keys are automatically changed in the |
Improvement | AI-17042 | New IAM instances running in a Docker environment now automatically write the webserver log to standard output in structured JSON format. Existing instances are not affected. |
Improvement | AI-16671 | IAM can now only be started with the correct configuration file ( |
Improvement | AI-14896 | Loginapp Design Kit version number now corresponds to the IAM version. |
Improvement | AI-16416 | Disabled browser spellcheck for Loginapp and Adminapp input fields. |
Improvement | AI-16791 | The Tomcat web server log, as well as the access log, can now be output in structured JSON format. This is for now restricted to the console (standard output). |
Bugfix | AI-17063 | Event bus: |
Bugfix | AI-17228 | When sending HTML emails triggered by a Loginapp or Adminapp event, all dynamic values are now correctly HTML-escaped. |
Bugfix | AI-17028 | Event bus: |
Bugfix | AI-16993 | Audit log files could be written to the wrong file and potentially overwrite existing log files. |
Bugfix | AI-16950 | The user trail log no longer uses an empty string as configuration context. If no custom context is used, the value is now always |
Bugfix | AI-16489 | The With some username transformations, the provided_uid was not set correctly. |