The following tables show the changes from Airlock IAM 8.0 to 8.1.

Airlock IAM 8.1.6

Bugfixes and improvements | | |
---|---|---|
Bugfix | AI-19353 | Prevent a null pointer exception during Cronto activation. |

Airlock IAM 8.1.5

Bugfixes and improvements | | |
---|---|---|
Bugfix | AI-19204 | Fixed a memory leak in plugin injection. |
Bugfix | AI-19188 | Roles provided through an LDAP Connector may now contain " |
Bugfix | AI-19232 | Fixed user CSV download in Adminapp: do not limit to 500 users. |
Bugfix | AI-19257 | Fixed an issue that prevented representation of locked users after authentication. |
Bugfix | AI-19227 | Update Universal Minimal Image to version 8.10-896.1716497715 (mitigates CVE-2024-33599, CVE-2024-33600, CVE-2024-33602, CVE-2024-33601 and CVE-2024-2961). |

Airlock IAM 8.1.4

Bugfixes and improvements | | |
---|---|---|
Bugfix | AI-18974 | mTLS client certificates can now be used in request authentication without Airlock Gateway settings. |
Bugfix | AI-19020 | SAML2: Gateway session is now correctly terminated for SP in an IdP-initiated SLO (single logout). |
Bugfix | AI-19025 | |

Airlock IAM 8.1.3

Bugfixes and improvements | | |
---|---|---|
Bugfix | AI-18932 | A problem in the Loginapp UI with the support of older browser versions has been fixed. |

Airlock IAM 8.1.2

Bugfixes and improvements | | |
---|---|---|
New | AI-18437 | Support Airlock 2FA payload encryption (end-to-end encryption between IAM and Futurae service). |
Improvement | AI-14943 | A new configuration option allows preferring Offline QR code over One-Touch in Airlock 2FA approval steps (self services, transaction approval). |
Improvement | AI-18506 | SAML2 IDP: AuthnRequest IDs can now be up to 1000 characters long. |
Improvement | AI-18417 | Updating of the login statistics can now be disabled in the Default Authentication Processor configuration. |
Bugfix | AI-18715 | Loginapp UI forward locations may now also contain commas. |
Bugfix | AI-18004 | OpenID Connect ID Token expiry is now correctly calculated using the property ID Token Validity instead of Authorization Code Validity. |
Bugfix | AI-18710 | Private IP addresses sent by Airlock Gateway are no longer ignored. For Airlock Microgateway, it is now configurable whether private IP addresses should be ignored or not. |
Bugfix | AI-18691 | Fixed state restoration on multi-instance setups. |
Bugfix | AI-9385 | The Target URI Resolver in the Loginapp's Authentication UI Settings now rejects patterns that are too lax and would allow open redirects. Existing configurations may fail to activate if such patterns are used (e.g. |

Airlock IAM 8.1.1

Bugfixes and improvements | | |
---|---|---|
New | AI-17864 | New Flow Condition that matches when flows are started using OIDC with prompt=none. |
New | AI-18197 | Added Futurae Session ID to logs to facilitate log correlation between the Airlock 2FA service and IAM. These log entries may change with a future release of Airlock IAM. |
Improvement | AI-17388 | Added deny rule exceptions to Gateway Mapping for SAML and OAuth 2.0 Parameters. |
Improvement | AI-18337 | Service Container Tasks will support use cases where source and destination directories are located in different filesystems. |
Bugfix | AI-16812 | Loginapp now considers the location query parameter in a URL even if accessing a target application using the application id ( |
Bugfix | AI-17906 | OIDC behavior is now specification-compliant for cases where "prompt=none" is requested by the client. |
Bugfix | AI-17984 | The configurable globally applicable Default Page Size and Max Page Size are now respected by all resources that support paging. |
Bugfix | AI-18108 | Fixed documentation of session timeout properties. |
Bugfix | AI-18118 | Fixed a bug where the Login from new device cookie was served without a path. |
Bugfix | AI-18149 | SAML2 IDP: AuthnRequest IDs can now be up to 150 characters long. |
Bugfix | AI-18156 | Reject forward URIs containing a UserInfo part early in request processing. |
Bugfix | AI-18165 | Fix the presentation of the Loginapp UI for smaller screen sizes. This bugfix is potentially breaking. See https://techzone.ergon.ch/airlock-iam-8.0.4-ui-fix for further information. |
Bugfix | AI-18175 | Updated third-party libraries. |
Bugfix | AI-18200 | List elements in Adminapp will no longer overflow. |
Bugfix | AI-18258 | Fixed missing configurations in the Start Configuration template. |
Bugfix | AI-18292 | Fixed paging in Adminapp. |
Bugfix | AI-18358 | Tomcat upgrade to 9.0.83 to mitigate CVE-2023-46589. |

Airlock IAM 8.1.0

Authentication and Loginapp | | |
---|---|---|
New | AI-16625 | Accepted SSO tickets may be stored in the database. This allows for improved security in setups with multiple active IAM instances. |
New | AI-17449 | Allow dynamic query parameters in the On Behalf Login Identity Propagation plugin. |
New | AI-17450 | The new plugin Additional Password Check Attribute Map allows the use of additional attributes provided in flow steps in value providers. Example: use additional user input in Username Password Step in a user transformer. |
New | AI-17659 | New password hash plugin Bcrypt Password Hash. It uses the BCrypt hash function according to https://www.openbsd.org/papers/bcrypt-paper.pdf. |
New | AI-17674 | The Loginapp UI now also supports configuring target locations with different schemes than just |
New | AI-17510 | The REST Client Config (used for outbound connections from Airlock IAM to REST APIs) now supports HTTP Basic Auth. |
Improvement | AI-16625 | Accepted SSO tickets are stored per tenant (and not per config context). |
Bugfix | AI-17544 | Fixed renaming of Cronto devices without a name in protected self-services. |
Bugfix | AI-17942 | The logout disclaimer page was not shown when it was set as the default target in a parameter-based target URI plugin. |

Flows | | |
---|---|---|
New | AI-16939 | The new plugin Tag Removal Step allows removing tags from a flow session. |
New | AI-16927 | New plugin String Value Provider to select a value from a Value Map Provider. |
New | AI-16954 | The new value provider plugin HTTP Request Header Value Provider may provide HTTP headers from the current request. This allows the use of header values in selection step conditions. |
New | AI-17033 | The first usage of an Airlock 2FA device can now be stored in the IAM database. Using the new selection condition First Usage of Device, flows can depend on the first usage of a device (e.g. ask for a password if the device is used for the first time). |
New | AI-17304 | New self-registration flow step Set Authentication Method Migration Step: sets the auth method to migrate to and optionally provides a migration deadline. |
New | AI-17450 | New user name transformer plugin Template-based Username Transformer. It allows including output from value providers in the transformed username. |
New | AI-17607 | The matrix card approval step is now also available for public and protected self-services. See plugins Matrix Public Self-Service Approval Step and Matrix Self-Service Approval Step. See also Matrix card authentication. |
Bugfix | AI-17446 | Fixed a self-registration flow bug that resulted in using the lock reason of the default flow (instead of the current flow) for initially locked users. |
Bugfix | AI-17787 | Fixed a bug in the Loginapp UI where pressing the browser back button on the password reset or self-registration public self-service pages would not properly reset the flow session state. This could cause errors when attempting to log in afterward. |
Bugfix | AI-18005 | Verification calls to the CAPTCHA services (reCAPTCHA and hCaptcha) are now sent as form parameters in the HTTP request body to comply with hCaptcha's requirements. |

OAuth / OIDC | | |
---|---|---|
New | AI-16806 | Allowed OAuth scopes can now be specified individually per OAuth Client (and no longer only per Authorization Server). |
New | AI-17023 AI-17500 | The OAuth Authorization Server now supports scope policies to filter requested scopes against the client's allowed scopes. |
New | AI-17346 | The OAuth Authorization Server now supports conditional claims, i.e., claims that are only granted if a configurable condition is true. |
Bugfix | AI-17863 | OAuth 2.0/OpenID Connect now honors custom URIs again for the |
Bugfix | AI-16970 | Fixed OAuth 2.0 Basic Authentication (both as client and as authorization server): apply an additional URL-encoding/decoding on the OAuth client ID and secrets. |
Bugfix | AI-17254 | Corrected processing of OAuth URLs containing curly braces ("{" and "}"). CASE-34263 |
Bugfix | AI-17363 | Corrected license tag for the OAuth 2.0 Issuer ID plugin to "OAuthServer". This may have prevented customers from configuring an OAuth issuer ID. CASE-34007 |
Bugfix | AI-18004 | The OIDC token expiry is now correctly calculated based on configuration property ID Token Validity instead of Authorization Code Validity. |
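AI-16970 above concerns the encoding that RFC 6749 section 2.3.1 requires for HTTP Basic client authentication: client ID and client secret are each form-urlencoded before being joined with ":" and base64-encoded. Without that step, a secret or ID containing ":" or "%" is ambiguous on the server side. The Python below is an added example written for this page, not Airlock IAM code; it shows the encoding and decoding side, a constant-time secret comparison on the server, and why a naive split on ":" fails. All credential values are constructed for the demonstration.

```python
import base64
import hmac
from typing import Dict, Tuple
from urllib.parse import quote_plus, unquote_plus


def encode_client_credentials(client_id: str, client_secret: str) -> str:
    """Build an Authorization header value per RFC 6749 section 2.3.1.

    Each component is application/x-www-form-urlencoded (Appendix B of the
    RFC, so a space becomes '+'), then the pair is joined with ':' and
    base64-encoded as for HTTP Basic.
    """
    joined = f"{quote_plus(client_id)}:{quote_plus(client_secret)}"
    return "Basic " + base64.b64encode(joined.encode("ascii")).decode("ascii")


def naive_encode_client_credentials(client_id: str, client_secret: str) -> str:
    """The common mistake: base64 over the raw 'id:secret' with no form-encoding."""
    joined = f"{client_id}:{client_secret}"
    return "Basic " + base64.b64encode(joined.encode("utf-8")).decode("ascii")


def decode_client_credentials(header_value: str) -> Tuple[str, str]:
    """Reverse of encode_client_credentials.

    Raises ValueError for a malformed header so callers can reject the request
    without leaking which part was wrong.
    """
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        raise ValueError("not a Basic authorization header")
    # validate=True rejects non-alphabet characters instead of skipping them;
    # binascii.Error and UnicodeDecodeError are both ValueError subclasses.
    raw = base64.b64decode(token.strip(), validate=True).decode("ascii")
    enc_id, sep, enc_secret = raw.partition(":")
    if not sep:
        raise ValueError("missing ':' separator")
    # Because ':' inside the id was encoded as %3A, the first ':' is always
    # the real separator, and unquoting restores the original values.
    return unquote_plus(enc_id), unquote_plus(enc_secret)


def authenticate_client(header_value: str, registered: Dict[str, str]) -> bool:
    """Authorization-server side: look up the client and compare the secret.

    `registered` maps client_id -> secret (a constructed in-memory store; a real
    server would compare against a stored hash rather than a plaintext secret).
    """
    try:
        client_id, client_secret = decode_client_credentials(header_value)
    except ValueError:
        return False
    expected = registered.get(client_id)
    if expected is None:
        return False
    # Constant-time comparison avoids leaking the secret length/prefix via timing.
    return hmac.compare_digest(client_secret.encode("utf-8"), expected.encode("utf-8"))


if __name__ == "__main__":
    # Constructed credentials containing characters that break naive handling.
    store = {"my:client": "p@ss word:x%"}
    good = encode_client_credentials("my:client", "p@ss word:x%")
    bad = naive_encode_client_credentials("my:client", "p@ss word:x%")
    print("spec-compliant header accepted:", authenticate_client(good, store))  # True
    print("naive header accepted:", authenticate_client(bad, store))           # False
```

The naive header is rejected because the server, splitting on the first ":", reads the client ID as "my" and the rest as the secret. Both sides of a connection must apply the same rule, which is why the AI-16970 fix touches the client and the authorization-server code paths.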

Miscellaneous | | |
---|---|---|
New | AI-16829 | Support active-active and Kubernetes setups by allowing session state to be kept in an external Redis cluster. See Storing session state in an external Redis session repository. |
New | AI-17148 | Airlock IAM can now be used with Airlock Microgateway 4.x. For a limited feature set, it does not depend on Airlock Gateway. |
New | AI-17292 | New life-cycle events User created and User deleted. The events are not triggered if users are created or deleted in the Service Container module. This may change in future releases. The User created event is not triggered when using OAuth 2.0 Automated Account Registration (social registration). This may change in future releases. |
New | AI-17621 | Report renderer plugins that produce PDFs based on Microsoft Word templates are now also able to produce the output in Word format (docx). |
Improvement | AI-17545 | The XML File Importer Task is now configurable regarding error handling. See the new property General Error Handling. |
Improvement | AI-17867 | The SDK now marks some Features (Pages) as Incubating. Such features may change or break in future releases. |
Improvement | AI-17695 | The LDAP Connector plugin can now explicitly list the attributes to request from the directory when loading a user (including |
Improvement | AI-14083 | Event subscribers now handle events asynchronously. This avoids blocking requests if event subscribers are slow or fail to respond. |
Improvement | AI-17505 AI-17604 AI-17297 | Updated Angular to 16.2.1 and Bootstrap to 5.3.1 for the Loginapp UI and Adminapp UI. Updated various web dependencies. |
Improvement | AI-17506 | Updated various Java libraries. |
Improvement | AI-17398 | Updated JVM to 17.0.7. |
Bugfix | AI-17429 | Fixed JSON parsing in JWT Ticket Decoder for claims stored as JSON. |
Bugfix | AI-17362 | Fixed a bug in the client certificate authentication for HTTP clients (for outgoing HTTP connections using mTLS). |
Bugfix | AI-17375 | Fixed handling of HTTP responses without body. |
Bugfix | AI-17290 | |
Bugfix | AI-17771 | The configuration property Session Idle Timeout in both the Loginapp and the Transaction Approval modules is now correctly interpreted in the web server. The property was ignored in earlier versions. |
Bugfix | AI-17510 | Fix a crash in the Adminapp log viewer search if the resulting log lines do not contain a valid timestamp. |

Incubating features | | |
---|---|---|
New | AI-17492 | Authentication flow step to verify SSI credentials. See Self-Sovereign Identities (SSI) – an incubating feature. |
New | AI-17494 | Flow step to issue SSI credentials. See Self-Sovereign Identities (SSI) – an incubating feature. |