Airlock IAM 8.0 - Changelog

The following tables show the changes from Airlock IAM 7.7 to 8.0.

Airlock IAM 8.0.5

Bugfixes and improvements:

New

AI-18437

Support Airlock 2FA payload encryption (end-to-end encryption between IAM and Futurae service).

Improvement

AI-18506

SAML2 IDP: AuthnRequest IDs can now be up to 1000 characters long.

Improvement

AI-18417

Updating of the login statistics can now be disabled in the Default Authentication Processor configuration.

Bugfix

AI-18715

Loginapp UI forward locations may now also contain commas.

Bugfix

AI-18004

OpenId Connect ID Token expiry is now correctly calculated using the property ID Token Validity instead of Authorization Code Validity.

Airlock IAM 8.0.4

Bugfixes and improvements:

New

AI-18197

Added Futurae-Session ID to logs to facilitate log correlation between the Airlock 2FA service and IAM. These log entries may change with a future release of Airlock IAM.

Improvement

AI-18337

Service Container Tasks will support use cases where source and destination directories are located in different filesystems.

Bugfix

AI-16812

Loginapp now considers a location query parameter in a URL even if accessing a target application using the application id (/ui/application/access/application-id).

Bugfix

AI-17446
AI-18182

Self-registration with an initially locked user will now report the correct lock reason.

Bugfix

AI-17510
AI-18178

Fixed a crash in the Adminapp logviewer search, if the resulting log lines did not contain a valid timestamp.

Bugfix

AI-17544
AI-18181

Fixed renaming of Cronto devices without a name.

Bugfix

AI-17863
AI-18184

OAuth 2.0/OIDC correctly handles custom URIs for the /oauth2/v3 authorize and check-session endpoints.

Bugfix

AI-17771
AI-18180

The HttpSession in Loginapp and Transaction Approval correctly enforces the configured session timeout.

Bugfix

AI-18118
AI-18179

Fixed a bug where the Login from new device-cookie was served without a path.

Bugfix

AI-18149
AI-18183

SAML2 IDP: AuthnRequest IDs can now be up to 150 characters long.

Bugfix

AI-18156

Reject forward URI containing a UserInfo part early in request processing.

Bugfix

AI-18165

Fix the presentation of Loginapp UIs for smaller screen sizes.

This bugfix is potentially breaking and affected customers should consider using the "no-ui-fix" version from the download page.

More information can be found on https://techzone.ergon.ch/airlock-iam-8.0.4-ui-fix.

Bugfix

AI-18175

Updated third-party libraries.

Bugfix

AI-18200

Tables with a large number of columns in the Adminapp UI are now scrollable and will no longer overflow.

Bugfix

AI-18347

Upgraded BouncyCastle library to prevent a potential DoS attack (CVE-2023-33202).

Bugfix

AI-18358

Tomcat upgrade to 9.0.83 to mitigate CVE-2023-46589.

Airlock IAM 8.0.3

Bugfixes and improvements:

Bugfix

AI-17254
AI-17994

Corrected processing of OAuth URLs containing curly braces ("{" and “}").

Bugfix

AI-17545
AI-17979

XML File Importer Task can be configured to continue processing after errors are encountered.

Bugfix

AI-17853
AI-17843

OIDC behavior is now specification-compliant for cases where "prompt=none" is requested by the client.

Bugfix

AI-17942

Fixed a bug where the logout disclaimer page was not shown when it was set as the default target in a parameter-based target URI plugin.

Bugfix

AI-18005

Verification calls to the CAPTCHA-Services (reCAPTCHA and hCaptcha) are now sent as Form-Parameters in the Body to comply with hCaptchas requirements.

Bugfix

AI-18026

Updated third-party dependency libraries.

Bugfix

AI-18029

Fixed a bug where Task Schedules with an interval of greater than 1 day would never execute.

Airlock IAM 8.0.2

Bugfixes and improvements:

Bugfix

AI-17362

Fixed client certificate authentication in HTTP client.

Bugfix

AI-17375

Fixed handling of HTTP responses without body.

Bugfix

AI-17398

Update JVM to 11.0.19

Bugfix

AI-17399

Updated third-party dependency libraries

Bugfix

AI-17401

Updated IAM docker base image

Bugfix

AI-17429

Fixed JSON parsing in JWT Ticket Decoder for "Claims Stored As JSON"

Airlock IAM 8.0.1

Bugfixes

Bugfix

AI-17363

Fixes a bug resulting in a license verification error if an OAuth/OIDC Authorization Server is configured and the token exchange feature is not licensed.

Airlock IAM 8.0.0

Authentication

New

AI-16109

Selection Password Repository for request authentication to select a password repository based on the username.

New

AI-16115

JWT signature verification using JWKS (JSON web key sets).

New

AI-16323

New flow step Airlock 2FA Activation Step to enroll additional Airlock 2FA devices in authentication flows.

New

AI-16323

New flow step Airlock 2FA Delete Old Devices Step that deletes all Airlock 2FA devices except the one newly enrolled in the same auth flow session.

Improvement

AI-16958

Airlock 2FA - The display name may no longer contain certain special characters. The IAM REST API still accepts all characters as before this improvement. Special characters may be sanitized in the Futurae service.

Bugfix

AI-16597

The Set Context Data Step no longer uses the name Non-Interactive User Data Registration Step in the log files.

Bugfix

AI-16612

Fixed UI handling of OAuth 2.0 or SAML 2.0 flows starting with Kerberos authentication.

Bugfix

AI-16820

RADIUS Client does not support infinite timeout anymore. Such configs are migrated to a timeout of 60s.

Loginapp

New

AI-16231

Loginapp UI automatically handles timeouts on the first flow step (e.g. password page).

New

AI-16249

OAuth 2.0 Token Exchange (RFC 8693). See Token Exchange Overview.

New

AI-16420

An event is published upon registration of a new device token.

New

AI-16550

UI Tenant ID for the Loginapp UI can be determined based on the request URL.

Improvement

AI-16440

Custom flow steps can now use product pages of the Loginapp UI.

Improvement

AI-16523

Use Bootstrap 5 (instead of 4). jQuery is no longer bundled with the Loginapp.

Improvement

AI-16682

OAuth 2.0: Static Clients now support client certificates.

Improvement

AI-16925

Airlock IAM's login UI SDK is now referred to as Loginapp Design Kit (instead of Loginapp REST UI SDK).

Improvement

AI-16748,
AI-16832

Email address changes in Loginapp and Adminapp publish events.

Improvement

AI-17123

Add support for all configurable UI elements to display initial data.

Bugfix

AI-17105

Relaxed property value validation of Customizable Step UI elements to be more compatible with context-data names. Some context data names could not be used before.

Bugfix

AI-17102

AI-16819

Fixed a bug in Customizable Step UI: Forms without an input field can be used correctly.

Bugfix

AI-16969

Handle multiple OAuth handshakes in the same session correctly.

Bugfix

AI-16659

Fix for Password Authentication Step and Username Password Authentication Step steps that incorrectly logged success logs in case of failed password checks.

Bugfix

AI-15798

Avoid exceptions for certain invalid Cronto OTPs.

Bugfix

AI-16141

Lock Self-Service Step now also publishes a user locked event.

Bugfix

AI-16327

Fixed logging of provided username during OAuth 2.0 account linking.

Bugfix

AI-16584

Enabled handling of language codes with country variants (e.g. de_CH).

Bugfix

AI-16594

Loginapp UI validation considers the case sensitivity of string items in User Data Edit Step.

Adminapp

New

AI-14849

AI-16661

User management extensions (UME) allow adding custom user management features.

See User Management Extension in the IAM Adminapp.

New

AI-16748,
AI-16832

Email address changes in Loginapp and Adminapp publish events.

New

AI-16826

AI-16792

Introduced Content Security Policy (CSP) for Adminapp. The CSP is enabled by default and disables the rich-text editor for maintenance messages.

See Adminapp Content Security Policy (CSP).

New

AI-16424

AI-16346

The Activities tab in the user details now only displays log entries if a user trail log repository has been configured for the Adminapp module. Log entries are read from the corresponding database.

The Activities tab in the User Details page now supports retrieving additional results with "next page" and "previous page" buttons.

See User trail logging.

New

AI-16355

Configuration option to make user search in the Adminapp more efficient by only searching in selected user attributes.

New

AI-16498

Configuration option whether returning to Adminapp user list page should trigger a new search.

Improvement

AI-16999

AI-17012

Brushup of the Adminapp UI to adhere to more modern UI concepts.

Improvement

AI-16506

Configuration selects the default log file in the log viewer.

Improvement

AI-14849

Simplified Generic Token Controller UI. See Generic Token Controller UI configuration.

Bugfix

AI-17044

The administrators' menu could not be accessed although access control was configured correctly.

Bugfix

AI-16478

Fixed Adminapp user search with locked user filter.

Bugfix

AI-16610

Fixed accounting of successful logins for authenticated requests to REST endpoints.

Database, Persisters

New

AI-9902

Support for PostgreSQL databases.

New

AI-16798
AI-16505
AI-16423
AI-16348
AI-10013

The user trail log is now stored in the database and is therefore shared among multiple IAM instances.

See User trail logging.

New

AI-16582

User change listener plugins can have a condition of whether they should handle a change or not.

Improvement

AI-16936

Migrated all DATETIME/TIMESTAMP fields in token and token_assignment to BIGINT/NUMBER(19) to properly support multiple time zones and DST changes.

Improvement

AI-16736

MSSQL now uses FETCH FIRST x ROWS ONLY instead of SELECT TOP to limit the number of search results

Improvement

AI-16733

Improved performance when searching users in the Adminapp. The Rowset Range Pattern property in the Database User Persister is no longer required to have the application optimize queries containing an offset and a limit when searching for user entries.

Improvement

AI-16708

Searching for unassigned OneSpan Cronto tokens uses now a more efficient query.

Bugfix

AI-16110

External Database Password Repository adds user roles configured in the user persister.

Bugfix

AI-16622

Fix user insertion in LDAP using LDAP Connector or Ldap User Persister when using a Special Date Time Pattern.

Configuration and Config Editor

New

AI-16903

New configuration variables concept allows using variables in the configuration and assigning values from environment variables when starting up IAM instances.

See Using environment variables in the IAM configuration.

Improvement

AI-16754

AI-16666

Improved performance of the config editor for large configs.

Improvement

AI-15615

The shared environment (instead of the instance environment) is selected upon Config Editor start.

Improvement

AI-17107

Improved readability of the output of the CLI command iam upgrade.

Bugfix

AI-17070

Config activation may falsely show a failed activation, even though all individual modules were activated successfully.

Bugfix

AI-17053

The instance environment could no longer be selected after reloading the plugin configuration or after loading a saved or template config.

Bugfix

AI-16813

The right-click delete option Delete all contained plugins in the Config Editor now only deletes contained and unused plugins recursively (and the right-click selected plugin itself of course).

Miscellaneous

New

AI-16676

New service task to import existing file-based user trail logs into the new user trail database table. The service task is intended to be run manually, either from the Adminapp user interface or the terminal client.

New

AI-16750

Remote event subscriber plugin to notify external systems via HTTP requests.

New

AI-16799

New event published if context data is changed.

New

AI-12584

New event published if a user logs in from a new device or browser.

See Login from a new device - Loginapp Event.

New

AI-16618

New SMS gateway plugin to select an SMS gateway based on the phone number prefix.

Improvement

AI-15385

New properties in instance configuration (instance.properties) control whether the Tomcat web server and access logs are written to stdout and what log level to use.

Improvement

AI-17142

Versioning
All IAM releases are now described with semantic versioning. 8.0.0 is pinned to the release, while 8.0 points to the latest release 8.0.x.

Improvement

AI-13140

Removed deprecated Java APIs from StepResult and StepResultFactory.

Improvement

AI-8907

Unified translation file encodings to UTF-8.

Improvement

AI-17040

  • The following log-related instance properties (instance.properties file) have been renamed to reduce confusion with new properties:
  • iam.web-server.log.enabled >> iam.web-server.log.file.enabled
  • iam.web-server.access-log.enabled >> iam.web-server.access-log.file.enabled
  • iam.web-server.log.pattern >> iam.web-server.log.format.simple.pattern
  • iam.web-server.access-log.pattern >> iam.web-server.access-log.format.simple.pattern

During configuration migration, these keys are automatically changed in the instance.properties file.

Improvement

AI-17042

New IAM instances run in a Docker environment now automatically write the webserver log to standard output in structured JSON format. Existing instances are not affected.

Improvement

AI-16671

IAM can now only be started with the correct configuration file (medusa-configuration.xml) version. This prevents startup with an older, incompatible, configuration file.

Improvement

AI-14896

Loginapp Design Kit version number now corresponds to the IAM version.

Improvement

AI-16416

Disabled browser spellcheck for Loginapp and Adminapp input fields.

Improvement

AI-16791

The Tomcat web server log, as well as the access log, can now be output in structured JSON format. This is for now restricted to the console (standard output).

Bugfix

AI-17063

Event bus:
Notification SMS to old phone number could be sent in case of deleted phone number event.

Bugfix

AI-17228

When sending HTML emails triggered by a Loginapp or Adminapp event, all dynamic values are now correctly HTML-escaped.

Bugfix

AI-17028

Event bus:
Exceptions in domain event subscribers no longer disrupt the execution of event publishing code.

Bugfix

AI-16993

Audit log files could be written to the wrong file and potentially overwrite existing log files.

Bugfix

AI-16950

The user trail log no longer uses an empty string as configuration context. If no custom context is used, the value is now always [DEFAULT].

Bugfix

AI-16489

The provided_uid in the user trail log was not reset correctly when handling new authentication requests in RADIUS server tasks.

With some username transformations, the provided_uid was not set correctly.