Airlock IAM 8.1 - Changelog

Fixed a memory leak in plugin injection.

Fixed user CSV download in Adminapp: do not limit to 500 users.

mTLS client certificates can now be used in request authentication without Airlock Gateway settings.

Support Airlock 2FA payload encryption (end-to-end encryption between IAM and Futurae service).

SAML2 IDP: AuthnRequest IDs can now be up to 1000 characters long.

Loginapp UI forward locations may now also contain commas.

Private IP addresses sent by Airlock Gateway are no longer ignored. For Airlock Microgateway, it is now configurable whether private IP addresses should be ignored or not.

New Flow Condition that matches when flows are started using OIDC with prompt=none.

Added deny rule exceptions to Gateway Mapping for SAML and OAuth 2.0 Parameters.

Loginapp now considers location query parameter in a URL even if accessing a target application using the application id (/ui/application/access/application-id).

The configurable globally applicable Default Page Size and a Max Page Size are now respected by all resources that support paging.

Fixed a bug where the Login from new device-cookie was served without a path.

Reject forward URI containing a UserInfo part early in request processing.

Updated third-party libraries.

Fixed missing configurations in the Start Configuration template.

Accepted SSO tickets may be stored in the database. This allows for improved security in setups with multiple active IAM instances.

See SSO Ticket Authentication or User Representation.

The new plugin Additional Password Check Attribute Map allows the use of additional attributes provided in flow steps in value providers. Example: use additional user input in Username Password Step in a user transformer.

The Loginapp UI now also supports configuring target locations with different schemes than just http:// and https://.

Accepted SSO tickets are stored per tenant (and not per config context).

The new plugin Tag Removal Step allows removing tags from a flow session.

The new value provider plugin HTTP Request Header Value Provider may provide HTTP headers from the current request. This allows the use of header values in selection step conditions.

New self-registration flow step Set Authentication Method Migration Step: Sets the auth method to migrate to and optionally provides a migration deadline.

The matrix card approval step is now also available for public and protected self-services. See plugins Matrix Public Self-Service Approval Step and Matrix Self-Service Approval Step.

See also Matrix card authentication.

Fixed a bug in the Loginapp UI where pressing the browser-back button on the password reset or self-registration public self-service pages would not properly reset the flow session state. This could cause errors when attempting to log in afterward.

Allowed OAuth scopes can now be specified individually per OAuth Client (and no longer only per Authorization Server).

See OAuth 2.0 scopes and claims.

The OAuth Authorization Server now supports conditional claims, i.e., claims that are only granted if a configurable condition is true.

See OAuth 2.0 scopes and claims.

OAuth 2.0/OpenId Connect does now honor custom URIs again for the /oauth2/v3 authorize and check-session endpoints.

Corrected processing of OAuth URLs containing curly braces ("{" and “}").

CASE-34263

Support active-active and Kubernetes setups by allowing to keep session state in external Redis cluster.

See Storing session state in an external Redis session repository.

New life-cycle events User created and User deleted.

• The new events are triggered in the following situations:
• When a user is created in the Adminapp UI or REST API.
• When a user self-registers.
• When a user is deleted in the Adminapp UI or REST API.

The events are not triggered if users are created or deleted in the Service Container module. This may change in future releases.

The User created event is not triggered when using OAuth 2.0 Automated Account Registration (social registration). This may change in future releases.

See Event-based subscriber notification.

The XML File Importer Task is now configurable regarding error handling. See new property General Error Handling.

The LDAP Connector plugin can now explicitly list the attributes to request from the directory when loading a user (including + and * if the directory supports them). This allows the inclusion of operational attributes as context data. Also, binary values can be included as context data by base64-encoding them.

Updated Angular to 16.2.1 and bootstrap to 5.3.1 for the Loginapp UI and Adminapp UI.

Updated various web dependencies.

Updated JVM to 17.0.7.

Fixed a bug in the client certificate authentication for HTTP clients (for outgoing HTTP connections using mTLS).

• Fixed various webserver log-related bugs:
• In the structured webserver log output, the priority now corresponds to the same levels as produced by the Log4J logs.
• For the webserver log, the log threshold DEBUG now corresponds to the JUL Log level CONFIG instead of FINE. To get FINE level logs, the log level TRACE for the webserver log must be used in the instance configuration instance.properties.
• Also fixes a bug where some log messages were not immediately written to the log files after startup.

Authentication flow step to verify SSI credentials.

See Self-Sovereign Identities (SSI) – an incubating feature.