This section describes changes in Airlock IAM 8.0 that require manual changes. Whether changes are necessary depends on the used features and/or custom extensions.
Check if using discontinued features. Further information can be found in Airlock IAM 8.0 - Features removed in this version.
IAM Module | Affected Feature(s) | Issue(s) | Required Action | Version |
|---|---|---|---|---|
All | Database schema (all features) | - | The database schema has to be migrated. | 8.0 |
All | Database minimum versions | - | The minimum database versions have been increased for several databases (compared to IAM 7.7): MariaDB (10.4), MSSQL (2016). See also System requirements. | 8.0 |
All | Logging (all features) | AI-16854 | The logging configuration may need to be updated manually. See Upgrading the Log4j™2 logging configuration for IAM 8.0. | 8.0 |
All | User trail logging | AI-16505 | User trail log is written to the database in IAM 8.0 and later. Manual steps are required for the migration. | 8.0 |
All | Logging (all features) | AI-15385 | The IAM web server log no longer uses the instance configuration property In rare cases, you may receive an error about invalid boolean values in the | 8.0 |
All | Logging (all features) | AI-17040 |
During configuration migration, these keys are automatically changed in the However, if environment variables are used to overwrite the properties, the corresponding environment variables need to be changed. | 8.0 |
All | Audit log | AI-16993 | Due to a bug in the Log4j library, audit log statements could be overwritten after log file rollover. In the fixed implementation, log statements are directly written to log files containing the date in the file name (e.g. The file External processes depending on the file must be adapted. Alternatively, a custom log configuration may be used to re-enable the file. | 8.0 |
All | Configuration changes | DOC-1108 | 8.0 | |
All | Custom text elements | AI-8907 | Custom text element files (strings_xx.properties) must be converted to UTF-8 encoding. | 8.0 |
All | Health check end-points | AI-14061 | The health check JSON response field Components still relying on the | 8.0 |
All | Legacy class names | AI-10227 | With IAM 7.1, package names of IAM Java classes have been renamed from Such class names may be referenced in some configuration files (e.g. Log4j configuration, shared secret configuration, or custom web.xml). The main IAM configuration (medusa-configuration.xml) is not affected. If still referring to IAM classes using | 8.0 |
All | Airlock 2FA text elements | AI-16675 | Up to IAM 7.7 the Airlock 2FA Settings allowed specifying a separate string resource file to look up translations (e.g. for push messages). This is no longer supported. If a separate string resources file (e.g. not
If using Airlock 2FA in the RADIUS server: the string resource file is now part of the Airlock 2FA Authenticator plugin. | 8.0 |
All | Airlock Gateway mapping templates | - | New Airlock Gateway mapping templates have been published for IAM 8.0. The new templates must be used to account for the removed JSP-Loginapp, new features, and stricter deny rules. Please refer to Configuration of IAM mappings for further information. | 8.0 |
IAM Module | Affected Feature(s) | Issue(s) | Required Action | Version |
|---|---|---|---|---|
Loginapp | Client-centric OAuth Authorization Server | AI-14166 | The client-centric OAuth 2.0 authorization server must be replaced with the AS-centric implementation. See Seamless migration to AS-centric AS in IAM 7.7 documentation. | 8.0 |
Loginapp | One-shot authentication with user-specific role timeouts | AI-16268 | If user-specific role timeouts are used in combination with one-shot authentication, the configuration needs to be adapted: the user-specific role timeouts need to be reconfigured in the one-shot settings (Loginapp >> One-Shot Authentication). | 8.0 |
Loginapp | MS-OFBA with custom location parameter name | AI-16268 | If a custom location parameter name is used for MS-OFBA, it must be reconfigured in the MS-OFBA One-Shot Target Application plugin (Loginapp >> One-Shot Authentication). | 8.0 |
Loginapp | OAuth 2.0 legacy token format | AI-16027 | The legacy OAuth 2.0 token format support (where the tokens started with the username) has been removed. Such tokens are no longer accepted. This results in the implicit invalidation of such tokens. The legacy tokens have only been issued up to IAM 7.1. If such tokens were still valid and in use, a new OAuth 2.0 Authorization is required. | 8.0 |
Loginapp | Custom look and feel (CSS) | AI-1653 | IAM 8.0 uses a newer version of Bootstrap (5 instead of 4). The prefixed CSS classes (i.e. Due to the update to Bootstrap 5, jQuery is no longer bundled with the Loginapp. | 8.0 |
Loginapp | Configurable UI elements (in self-services) | AI-17123 | The property HTML ID of Plugin Radio Buttons UI Element is now correctly used in the Loginapp UI. For this bugfix, it was necessary to add a new HTML element surrounding Loginapp UI customizations that rely on structural CSS selectors on these elements might need to be adjusted. Although we aim for a stable HTML structure, it is strongly discouraged to use CSS selectors that rely on this structure. It is recommended to create stylings based on CSS classes. | 8.0 |
Loginapp | Username filter | AI-9788 | All input of usernames in the Loginapp (flows and protected REST API) are validated against the Username Filter Pattern (configurable in Loginapp >> Security Settings). The pattern must be relaxed if existing usernames would be rejected. | 8.0 |
IAM Module | Affected Feature(s) | Issue(s) | Required Action | Version |
|---|---|---|---|---|
Adminapp | Adminapp CSP | AI-16826 | A content security policy (CSP) for the Adminapp has been introduced. The CSP is enabled by default and disables the rich-text editor for maintenance messages. See Adminapp Content Security Policy (CSP) for further information. Inline-style in maintenance messages will be ignored in the Loginapp and an error will be displayed in the browser console. | 8.0 |
Adminapp | Coloring rules in the log viewer. | AI-16482 | If coloring rules are configured in the Adminapp log viewer (Adminapp >> Log Viewer >> Color Scheme), the configuration needs to be adapted. Only predefined colors are allowed in IAM 8.0 and later because of restrictions arising from the newly introduced Adminapp CSP (see Adminapp Content Security Policy (CSP)). The properties Foreground Color, Background Color, and Foreground Color for Meta Data may use the following colors: If the configuration to be migrated contains other color values or color codes, the affected coloring rules are migrated without the colors, i.e., the patterns remain but the colors have to be set manually after migration. A message is printed to stdout during configuration migration in this case. | 8.0 |
Adminapp | Generic Token Controller UI | AI-14849 | The Generic Token Controller UI has been simplified and offers less flexibility compared to previous IAM versions. The Generic Token Controller UI has to be re-configured manually. If the offered features are not sufficient to meet the requirements, use the new User Management Extension feature. | 8.0 |
Adminapp | Legacy Adminapp URLs | AI-14143 | Legacy Adminapp URIs starting with External components relying on the legacy URIs must use the new URIs. | 8.0 |
IAM Module | Affected Feature(s) | Issue(s) | Required Action | Version |
|---|---|---|---|---|
Loginapp UI | Confirmation dialogs display larger close element | AI-16523 | With the upgrade of the underlying bootstrap library to version 5.0, the default styling of the close element in the upper right corner of modals has been made larger. Customers should check that their UI customizations of confirmation dialogs still meet their expectations. | 8.0 |
Loginapp UI | Custom static HTML pages using SCSS | - | In the JSP-Loginapp static HTML files (e.g. static error pages) could be styled using SCSS and the CLI tool With the removal of the JSP-Loginapp the | 8.0 |