Airlock IAM 8.0 - Features removed in this version

The following features have been removed in IAM 8.0 and are no longer supported. The deprecation of the features has been announced in previous IAM versions since 7.1 (see deprecation announcements of earlier versions).

Loginapp REST API

Removed or changed REST APIs may require adaptation of REST clients.

Topic

Removed feature and migration tips

Deprecated since

Password reset

Password reset: non-flow-based old REST endpoints

The non-flow-based REST endpoints for the password reset self-service have been removed.

Affected endpoints:
  • /public/users/userId/password/start-reset/
  • /public/users/userId/password/verify-reset/

Use the corresponding public self-service endpoints:
/rest/public/self-service/flow/

See Password reset in the Loginapp REST API / UI for details.

7.6

Old flow-based password reset REST endpoints

The REST endpoints of the flow-based password reset REST API, as they existed before it was migrated to the public self-service flows, have been removed.

Affected REST endpoints:
  • /rest/public/password-reset/*

Similar or identical endpoints are available in:

/rest/public/self-service/flow/

7.5

CAPTCHA

CAPTCHAs: non-flow-based old REST endpoints

The CAPTCHA REST endpoints for the old user registration and password reset services have been removed.

Affected endpoint:
  • /public/captcha/

For information on CAPTCHAs in flows, see CAPTCHAs in the Loginapp REST API and the Loginapp UI.

7.6

Health/Live

Health and live endpoints: state attribute

The response attribute state is no longer returned by the Loginapp endpoints /health/ready and /health/live.

Use the status attribute instead.

7.5

Email change

Email address change: old non-flow-based endpoints

The following Loginapp REST endpoints have been removed:

  • /rest/protected/my/email/change/
  • /rest/protected/my/email/verify-email-change/

Use the new REST endpoints in the protected self-service flows instead:

  • /rest/protected/self-service/data/edit/
  • /rest/protected/self-service/email/verification/otp/check/

See Protected self-service REST APIs.

7.3

Self-registration

This table entry was added retrospectively in June 2024.

Legacy self-registration endpoints

The REST endpoints for password registration and deletion as well as for channel verification have been removed.

Affected endpoints:

  • /public/user-self-registration/registration/password/
    Affected calls: POST and DELETE

    Use the data self-registration endpoint instead, in combination with the password key:
    /public/user-self-registration/registration/data/

    To delete a password, set the password key to value null.

  • /public/users/{userId}/verify-registration/
    Use the endpoints in /public/user-self-registration/verification/ instead.

7.2

Self-registration

User self-registration: old non-flow-based endpoints

The non-flow-based REST API for user self-registration has been removed.

Affected endpoints:
  • /public/users/*

Please migrate clients to the new flow-based user registration REST API instead. See User self-registration REST API.

7.1

Flow Endpoints: GET

GET endpoints in Flow APIs

Old REST GET endpoints in the authentication flow API have been replaced by corresponding POST endpoints. Both GET and POST were supported since IAM 7.0. As of IAM 8.0 only POST is supported.

The following REST endpoints are affected:
  • /public/authentication/selection/options
  • /public/authentication/cronto/challenge
  • /public/authentication/device-token/{deviceTokenId}/challenge
  • /public/authentication/matrix/challenge
  • /public/authentication/mtan/tokens

7.0

REST client authentication

Server-side authentication of REST clients

This change does not result in any changes of the REST APIs.

The Request Credential Policy to authenticate single requests in the Loginapp, Adminapp, and Transaction Approval modules has been removed in IAM 8.0.

Affected configuration properties in IAM 7.6 and older:
  • Loginapp >> REST Settings >> Request Credential Policy and Authenticator
  • Adminapp >> REST API Configuration >> Request Credential Policy and Authenticator
  • Transaction Approval >> Request Credential Policy and Authenticator

Configuration migration ensures that older configurations still work in IAM 7.7 using a legacy adapter plugin. The legacy adapter plugin has been removed in IAM 8.0.

Affected plugins in IAM 7.7:
  • Loginapp >> REST Settings >> Request Authentication >> Legacy Request Authentication Adapter
  • Adminapp >> REST API Configuration >> Request Authentication >> Legacy Request Authentication Adapter
  • Transaction Approval >> Request Authentication >> Legacy Request Authentication Adapter

Use the new request authentication plugins instead. They are configured where the Legacy Request Authentication Adapter is configured (see above).

See Authentication of REST requests for further information.

7.7

REST extensions

Custom extensions: legacy authentication endpoints

The following legacy authentication endpoints for custom authentication extensions have been removed:
  • /rest/public/<custom>/authentication/*

Use the endpoints:

/rest/public/authentication/<custom>/*

7.4
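
A pre-upgrade check for the REST client adaptation this section calls for, as an added example (not part of the Airlock documentation): it scans access log lines for requests to the endpoints listed above as removed, or as POST-only, in IAM 8.0. The combined log format, the /auth path prefix and the example-step path segments are assumptions made for the sample.

```python
import re
from collections import Counter

# (label, methods or None for any method, path fragment), transcribed from the
# endpoint lists above. Fragments match anywhere in the path because the prefix
# in front of /rest/ or /public/ is site-specific. The <custom> authentication
# extension paths are left out: their names depend on the installation.
RULES = [(label, methods, re.compile(rx + r"(?:/|$)")) for label, methods, rx in [
    ("non-flow user self-registration / password reset", None, r"/public/users"),
    ("old flow-based password reset", None, r"/rest/public/password-reset"),
    ("old CAPTCHA endpoint", None, r"/public/captcha"),
    ("old email change", None,
     r"/rest/protected/my/email/(?:change|verify-email-change)"),
    ("legacy registration password", {"POST", "DELETE"},
     r"/public/user-self-registration/registration/password"),
    ("GET on flow endpoint (POST only as of 8.0)", {"GET"},
     r"/public/authentication/(?:selection/options|cronto/challenge"
     r"|device-token/[^/]+/challenge|matrix/challenge|mtan/tokens)"),
]]

# Request part of a common/combined-format access log line (assumed log format).
REQUEST = re.compile(r'"([A-Z]+) (\S+) HTTP/[\d.]+"')

def audit(lines):
    """Count requests that hit an endpoint removed in IAM 8.0."""
    hits = Counter()
    for line in lines:
        m = REQUEST.search(line)
        if not m:
            continue
        method, path = m.group(1), m.group(2).split("?", 1)[0]
        for label, methods, rx in RULES:
            if (methods is None or method in methods) and rx.search(path):
                hits[(label, method, path)] += 1
                break
    return hits

# Constructed sample lines; the /auth prefix and "example-step" segments are made up.
SAMPLE_LOG = """\
203.0.113.7 - - [02/May/2024:10:00:01 +0000] "GET /auth/rest/public/authentication/mtan/tokens HTTP/1.1" 200 312
203.0.113.7 - - [02/May/2024:10:00:02 +0000] "POST /auth/rest/public/authentication/mtan/tokens HTTP/1.1" 200 312
203.0.113.9 - - [02/May/2024:10:00:05 +0000] "POST /auth/rest/public/password-reset/example-step HTTP/1.1" 200 87
203.0.113.9 - - [02/May/2024:10:00:09 +0000] "POST /auth/rest/public/self-service/flow/example-step HTTP/1.1" 200 87
203.0.113.4 - - [02/May/2024:10:01:00 +0000] "GET /auth/rest/public/captcha/?lang=en HTTP/1.1" 200 950
203.0.113.4 - - [02/May/2024:10:01:30 +0000] "GET /auth/health/ready HTTP/1.1" 200 40
"""

if __name__ == "__main__":
    for (label, method, path), n in audit(SAMPLE_LOG.splitlines()).most_common():
        print(f"{n:4d}  {method:6s} {path}  <- {label}")
```

Clients that still appear in the output need to be migrated before the upgrade; a POST to a flow endpoint and requests to /rest/public/self-service/flow/ are not reported.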

Authentication and self-services

Topic

Removed feature and migration tips

Deprecated since

Password check

Check password against configuration

Checking passwords against a password that is part of the configuration is no longer supported.

7.7

Matrix cards

TAN list mode of matrix cards

The TAN list mode in the Matrix Card Authentication Step is no longer supported. TAN lists were a simple form of a token list without an index challenge.

7.4

Matrix card self-activation

Activation of matrix cards during the login process is no longer supported. Affected settings in the JSP-Loginapp:
Loginapp >> Self-Service Settings >> Matrix Card Self-Service

7.4

NTLM

Front-side NTLM

Front-side NTLM allowed authenticating users based on an NTLM handshake between the web browser and Airlock IAM. This feature is no longer supported.

The NTLM Identity Propagator is still supported.

Use the front-side Kerberos feature instead. See Front-Side Kerberos configuration in the Loginapp REST API.

7.4

Client certificates

Webservice Cert Auth Settings

The feature verifies the validity of client certificates using a list of configured certificate attributes.
Affected settings in the JSP-Loginapp:
Loginapp >> Authentication Settings >> Webservice Cert Auth. This feature is no longer supported.

Use client certificate authentication instead in:
Loginapp >> One-Shot Authentication

7.4

Webservice Cert Auth Settings

Self-registration of X.509 client certificates with an initial activation letter (IAK) is no longer supported.
Affected settings in the JSP-Loginapp:
Loginapp >> Self-Service Settings >> Certificate Self Service

7.4

On-behalf Login

On-behalf Login Authenticator

The authenticator plugin allowed checking username and password by filling out a login on a back-end system. This feature is no longer supported.

Note that the On Behalf Login Identity Propagator is still supported.

7.6

mTAN/SMS

mTAN token self-management: Authenticate old phone number

If the user changes the mobile phone number used for mTAN authentication, the old number could be authenticated by sending an OTP to it. This feature is no longer supported.
Affected settings:
MAIN SETTINGS >> MTAN/SMS Settings >> Authenticate Old Number

Use the event notification feature to send an SMS about the number change to the old number. See Event notification settings in the Loginapp.

7.7

Contact-me

Contact-me self-service

The contact-me form for logged-in users is no longer supported.
Affected settings:
Loginapp >> Self-Service Settings >> Contact Me Settings

7.4

Delete account

Account deletion self-service

The account deletion self-service for logged-in users is no longer supported.

7.7

Self-registration

Self-registration flow with identity propagation

The possibility to configure identity propagation and roles for the Airlock Gateway in a user self-registration flow has been removed.

Removed configuration properties:
Loginapp >> Self-Registration Flows >> affected flows: Identity Propagation and Airlock Gateway (WAF) Mapping Roles.

Use the property Initialize Next Auth Flow in conjunction with a corresponding auth flow configuration instead and make sure the user is sent to the target application using that auth flow after successful self-registration. The latter can be configured in the UI Settings (if using the Loginapp UI).

7.7

3rd party authentication token support

Topic

Removed feature and migration tips

Deprecated since

Mobile ID

Mobile ID support removed

The Mobile ID authentication solution (a Swisscom solution based on signing challenges with the SIM card of a mobile phone) is no longer supported.

7.4

Kobil AST/TWV

Kobil support removed

The Kobil authentication solutions (AST/TMS and TWV) are no longer supported in Airlock IAM.

This affects Kobil-related authentication steps, self-services, token management, a letter generation task, transaction approval, and one-shot authentication.

Limited support for Kobil features may be implemented using custom authentication steps and user management extensions (both as custom code).

7.4

ti&m Secure Mobile

ti&m Secure Mobile support removed

The ti&m Secure Mobile feature (Loginapp and Adminapp) has been removed and is no longer supported.

7.5

Cronto

Special Cronto self-service

Special Cronto self-services (requiring the license tag CrontoSpecial) and address verification using Cronto have been removed.

Affected settings in the JSP-Loginapp:
Loginapp >> Self-Service Settings >> Cronto Self Services

The following self-services are affected:
  • SMS gateway, originator, etc. for sending an SMS with an app download link
  • Enable Device Order: allow users to order a hardware device together with an activation letter.
  • Address confirmation for device orders.

7.4

RSA SecurID

Native RSA integration

The RSA SecurID server no longer supports the RSA-native "agent host" protocol.
Affected plugin: RSA SecurID Authenticator

Connect to the RSA server via RADIUS using the OTP Check via RADIUS Step authentication step plugin. See RSA SecurID authentication over RADIUS for further information.

7.3

Set new PIN for RSA SecurID

Setting a new PIN during the first login for a SecurID token is no longer supported.

Connect to the RSA server via RADIUS using the OTP Check via RADIUS Step authentication step plugin. See RSA SecurID authentication over RADIUS for further information.

7.4

Discontinued JSP-Loginapp features

Topic

Removed feature and migration tips

Deprecated since

JSP-Loginapp

JSP-Loginapp removed

The JSP-Loginapp is no longer part of Airlock IAM. Plugins that could exclusively be used with the JSP-Loginapp have also been removed.

Use the flow-based Loginapp UI instead.

7.4

Password

Password frequency checker

The password frequency checker feature is no longer supported in IAM.
Affected setting in the JSP-Loginapp:
Loginapp >> Security Settings >> Attack Detector Settings.

7.7

Group-dependent password settings

Group-dependent password settings are no longer supported.
Affected setting in the JSP-Loginapp:
Loginapp >> Password Settings >> Group Settings.

Check out the User Based Selection Password Repository plugin for similar features. It is used in flow steps checking or changing the password.

7.4

Headless password change

The headless password change HTTP interface has been removed.

Use the Loginapp REST API instead.

7.1

Context extraction

Forward Location Context Extractors

The following context extractors are not compatible with the concepts of the Loginapp REST API and are no longer available in IAM.

Affected plugins are:
  • Forward Location Context Extractor
  • URL and Forward Location Context Extractor

See Planning configuration contexts for more information.

7.7

IAK Authentication

IAK Authentication

Authentication of users using an initial activation key (IAK) is no longer supported as a separate independent authentication step. IAKs are (typically long) one-time codes printed on a letter.

IAKs are still supported as part of the mobile phone number registration for mTAN authentication. Refer to the documentation of plugin mTAN Verification Step for further information.

See also Mobile number registration self-service.

7.4

IP restrictions

IP restrictions

Client IP address restrictions (global and per user) are no longer supported.

Non-user-dependent IP restrictions can be implemented on the Airlock Gateway.

7.4

Self-services

GDPR Consent Features

GDPR-related features in the Loginapp are no longer supported.

Affected features:
  • Accepting consents in self-registration.
  • Consent self-management.
  • Consent enforcement to access target applications.

7.7

Session management

Multiple sessions per user: use existing session

If multiple parallel sessions of a user were detected, the user could choose to keep the existing session instead of creating a new session. This feature is no longer supported.

7.4

OpenID Connect and OAuth

Topic

Removed feature and migration tips

Deprecated since

Token format

OAuth/OIDC legacy token format

The IAM-internal legacy format for OAuth tokens (username.randomstring) is no longer supported. The format has never been an API, but clients may rely on it.

The legacy format could be issued by IAM 7.0 or older.

7.5

Implicit flow

OAuth Implicit flow

The client-centric OAuth AS / OIDC OP has been removed (see separate entry). With it, the OAuth implicit flow is no longer supported.

7.5

Client-centric AS

Client-centric OAuth AS / OIDC OP

The client-centric OAuth AS / OIDC OP has been removed.

Migrate to the AS-centric variant. See OAuth / OIDC documentation for further information.

To do a seamless migration, use an IAM version supporting both the AS-centric and the client-centric AS (e.g. IAM 7.7). See Seamless migration to AS-centric AS in IAM 7.7 documentation for further details.

7.3

Miscellaneous

Topic

Removed feature and migration tips

Deprecated since

User/Token management

Generic Token Controller UI

The Adminapp's Generic Token Controller's UI plugins Default Token Controller UI and Customizable Token Controller UI have been replaced by simpler and less flexible UI configuration plugins.

The UI configuration of the Generic Token Controller has to be reconfigured manually.

UI settings that are no longer supported (e.g. calls to custom REST APIs) must be re-implemented using a new custom extension mechanism. See User Management Extension in the IAM Adminapp for details.

7.7

User Importer Task

The User Importer Task plugin has been removed.

Use the User Sync Task instead.

There is no automatic configuration migration, i.e. the new task must be configured manually based on the configuration of the removed task.

7.3

Transaction approval

Message providers for transaction approval

The following transaction approval message provider plugins have been removed:

  • mTAN Message Provider (Transaction Approval only)
  • Airlock 2FA Transaction Approval Message Provider
  • Transaction Approval Cronto Message Provider

Use the following replacement plugins (requires manual re-configuration):

  • mTAN Message Provider
  • Airlock 2FA Message Provider
  • Cronto Message Provider

7.6

Deployment

IAM on Gateway (WAF)

Airlock Gateway 8.0 no longer supports the Docker host. Airlock IAM can therefore no longer be deployed on Airlock Gateway.

IAM support for the installation on Airlock Gateway will end with IAM 8.0.

This also includes the plugins AirlockAssertionIdentityPropagator and AirlockAssertionTicketDecoder.

7.6

Session tracking

Session Binding with Header token

The setting Session Binding With Header Token (was in Loginapp >> Authentication Flows) is no longer supported.

As of Airlock Gateway 7.4, the feature can be enabled directly in the Gateway configuration and no longer has to be configured in Airlock IAM.

To enable header-based session tracking in Airlock Gateway, consider the following example (expert settings in a mapping):

Session.Tracking.HeaderToken.Enable                               "TRUE"
Session.Tracking.HeaderToken.Response.Header.Name                 "Access-Token"
Session.Tracking.HeaderToken.Request.Header.Name                  "Authorization"
Session.Tracking.HeaderToken.Request.Header.Value.Pattern         "^Bearer ([[:graph:]]+)$"
Session.Tracking.HeaderToken.Request.Header.Value.IgnoreCase      "TRUE"
Session.Tracking.HeaderToken.Request.Header.Value.Template        "$1"

7.4

Adminapp

Statistics Module

The statistics module has been removed.

Use the reporting module introduced in IAM 7.1 instead.

7.1