Airlock IAM 8.1 - Changelog

The following tables show the changes from Airlock IAM 8.0 to 8.1.

Airlock IAM 8.1.1

Bugfixes and improvements:

New

AI-17864
AI-18171

New Flow Condition that matches when flows are started using OIDC with prompt=none.

New

AI-18197

Added Futurae Session ID to logs to facilitate log correlation between the Airlock 2FA service and IAM. These log entries may change with a future release of Airlock IAM.

Improvement

AI-17388

Added deny rule exceptions to Gateway Mapping for SAML and OAuth 2.0 Parameters.

Improvement

AI-18337

Service Container Tasks will support use cases where source and destination directories are located in different filesystems.

Bugfix

AI-16812

Loginapp now considers location query parameter in a URL even if accessing a target application using the application id (/ui/application/access/application-id).

Bugfix

AI-17906
AI-17989
AI-18172
AI-18174

OIDC behavior is now specification-compliant for cases where "prompt=none" is requested by the client.

Bugfix

AI-17984

The configurable globally applicable Default Page Size and a Max Page Size are now respected by all resources that support paging.

Bugfix

AI-18108
AI-18185

Fixed documentation of session timeout properties.

Bugfix

AI-18118
AI-18179

Fixed a bug where the Login from new device-cookie was served without a path.

Bugfix

AI-18149
AI-18183

SAML2 IDP: AuthnRequest IDs can now be up to 150 characters long.

Bugfix

AI-18156

Reject forward URI containing a UserInfo part early in request processing.

Bugfix

AI-18165

Fix the presentation of the Loginapp UI for smaller screen sizes.

This bugfix is potentially breaking. See for https://techzone.ergon.ch/airlock-iam-8.0.4-ui-fix further information.

Bugfix

AI-18175

Updated third-party libraries.

Bugfix

AI-18200

List elements in Adminapp will no longer overflow.

Bugfix

AI-18258

Fixed missing configurations in the Start Configuration template.

Bugfix

AI-18292

Fixed paging in Adminapp.

Bugfix

AI-18358

Tomcat upgrade to 9.0.83 to mitigate CVE-2023-46589.

Airlock IAM 8.1.0

Authentication and Loginapp

New

AI-16625

Accepted SSO tickets may be stored in the database. This allows for improved security in setups with multiple active IAM instances.

See SSO Ticket Authentication or User Representation.

New

AI-17449

Allow dynamic query parameters in the On Behalf Login Identity Propagation plugin.

New

AI-17450

The new plugin Additional Password Check Attribute Map allows the use of additional attributes provided in flow steps in value providers. Example: use additional user input in Username Password Step in a user transformer.

New

AI-17659

New password hash plugin Bcrypt Password Hash. It uses the BCrypt hash function according to https://www.openbsd.org/papers/bcrypt-paper.pdf.

New

AI-17674

The Loginapp UI now also supports configuring target locations with different schemes than just http:// and https://.

New

AI-17510

The REST Client Config (used for outbound connections from Airlock IAM to REST APIs) now supports HTTP Basic Auth.

Improvement

AI-16625

Accepted SSO tickets are stored per tenant (and not per config context).

Bugfix

AI-17544

Fixed renaming of Cronto devices without a name in protected self-services.

Bugfix

AI-17942

The logout disclaimer page was not shown when it was set as the default target in a parameter-based target URI plugin.

Flows

New

AI-16939

The new plugin Tag Removal Step allows removing tags from a flow session.

New

AI-16927

New plugin String Value Provider to select a value from a Value Map Provider.

New

AI-16954

The new value provider plugin HTTP Request Header Value Provider may provide HTTP headers from the current request. This allows the use of header values in selection step conditions.

New

AI-17033
AI-17034
AI-17035

The first usage of an Airlock 2FA device can now be stored in the IAM database. Using the new selection condition First Usage of Device, flows can depend on the first usage of a device (e.g. ask for a password if the device is used for the first time).

See Flow conditions on first device usage.

New

AI-17304

New self-registration flow step Set Authentication Method Migration Step: Sets the auth method to migrate to and optionally provides a migration deadline.

New

AI-17450

New user name transformer plugin Template-based Username Transformer. It allows including output from value providers in the transformed username.

New

AI-17607

The matrix card approval step is now also available for public and protected self-services. See plugins Matrix Public Self-Service Approval Step and Matrix Self-Service Approval Step.

See also Matrix card authentication.

Bugfix

AI-17446

Fixed a self-registration flow bug that resulted in using the lock reason of the default flow (instead of the current flow) for initially locked users.

Bugfix

AI-17787

Fixed a bug in the Loginapp UI where pressing the browser-back button on the password reset or self-registration public self-service pages would not properly reset the flow session state. This could cause errors when attempting to log in afterward.

Bugfix

AI-18005

Verification calls to the CAPTCHA services (reCAPTCHA and hCaptcha) are now sent as form parameters in the HTTP request body to comply with hCaptchas requirements.

OAuth / OIDC

New

AI-16806

Allowed OAuth scopes can now be specified individually per OAuth Client (and no longer only per Authorization Server).

See OAuth 2.0 scopes and claims.

New

AI-17023

AI-17500

The OAuth Authorization Server now supports scope policies to filter requested scopes against the client's allowed scopes.

See OAuth 2.0 scopes and claims.

New

AI-17346

The OAuth Authorization Server now supports conditional claims, i.e., claims that are only granted if a configurable condition is true.

See OAuth 2.0 scopes and claims.

Bugfix

AI-17863

OAuth 2.0/OpenId Connect does now honor custom URIs again for the /oauth2/v3 authorize and check-session endpoints.

Bugfix

AI-16970

Fixed OAuth 2.0 Basic Authentication (both as client and as authorization server): apply an additional URL-encoding/decoding on the OAuth client ID and secrets.

Bugfix

AI-17254

Corrected processing of OAuth URLs containing curly braces ("{" and “}").

CASE-34263

Bugfix

AI-17363

Corrected license tag for the OAuth 2.0 Issuer ID plugin to "OAuthServer". This may have prevented customers from configuring an OAuth issuer ID.

CASE-34007

Bugfix

AI-18004

The OIDC token expiry is now correctly calculated based on configuration property ID Token Validity instead of Authorization Code Validity.

Miscellaneous

New

AI-16829

Support active-active and Kubernetes setups by allowing to keep session state in external Redis cluster.

See Storing session state in an external Redis session repository.

New

AI-17148

Airlock IAM can now be used with Airlock Migrogateway 4.x. For a limited feature set, it does not depend on Airlock Gateway.

New

AI-17292

New life-cycle events User created and User deleted.

  • The new events are triggered in the following situations:
  • When a user is created in the Adminapp UI or REST API.
  • When a user self-registers.
  • When a user is deleted in the Adminapp UI or REST API.

The events are not triggered if users are created or deleted in the Service Container module. This may change in future releases.

The User created event is not triggered when using OAuth 2.0 Automated Account Registration (social registration). This may change in future releases.

See Event-based subscriber notification.

New

AI-17621

Report renderer plugins that produce PDFs based on Microsoft Word templates are now also able to produce the out in Word format (docx).

Improvement

AI-17545

The XML File Importer Task is now configurable regarding error handling. See new property General Error Handling.

Improvement

AI-17867

SDK now marks some Features (Pages) as Incubating. Such features may change or break in future releases.

Improvement

AI-17695

The LDAP Connector plugin can now explicitly list the attributes to request from the directory when loading a user (including + and * if the directory supports them). This allows the inclusion of operational attributes as context data. Also, binary values can be included as context data by base64-encoding them.

Improvement

AI-14083

Event subscribers now handle events asynchronously. This avoids blocking requests if event subscribers are slow or fail to respond.

Improvement

AI-17505

AI-17604

AI-17297

Updated Angular to 16.2.1 and bootstrap to 5.3.1 for the Loginapp UI and Adminapp UI.

Updated various web dependencies.

Improvement

AI-17506

Updated various Java libraries.

Improvement

AI-17398

Updated JVM to 17.0.7.

Bugfix

AI-17429

Fixed JSON parsing in JWT Ticket Decoder for claims stored as JSON.

Bugfix

AI-17362

Fixed a bug in the client certificate authentication for HTTP clients (for outgoing HTTP connections using mTLS).

Bugfix

AI-17375

Fixed handling of HTTP responses without body.

Bugfix

AI-17290

  • Fixed various webserver log-related bugs:
  • In the structured webserver log output, the priority now corresponds to the same levels as produced by the Log4J logs.
  • For the webserver log, the log threshold DEBUG now corresponds to the JUL Log level CONFIG instead of FINE. To get FINE level logs, the log level TRACE for the webserver log must be used in the instance configuration instance.properties.
  • Also fixes a bug where some log messages were not immediately written to the log files after startup.

Bugfix

AI-17771

The configuration property Session Idle Timeout in both the Loginapp and the Transaction Approval modules is now correctly interpreted in the web server. The property was ignored in earlier versions.

Bugfix

AI-17510

Fix a crash in the Adminapp log viewer search if the resulting log lines do not contain a valid timestamp.

Incubating features

New

AI-17492

Authentication flow step to verify SSI credentials.

See Self-Sovereign Identities (SSI) – an incubating feature.

New

AI-17494

Flow step to issue SSI credentials.

See Self-Sovereign Identities (SSI) – an incubating feature.