Airlock IAM 8.2 - Actions required when upgrading

Various

Each entry below lists: IAM Module; Affected Feature(s) (Relevant if using ...); Issue(s); Required Action; Version.

IAM Module: Loginapp
Affected Feature(s): Target URI Resolver
Issue(s): AI-9385
Required Action:
The Target URI Resolver in the Authentication UI Settings now rejects overly lax patterns that would allow open redirects.

Disallowed patterns, such as .*, prevent the migration of the configuration to IAM 8.2 and must be adapted before upgrading to IAM 8.2.
Version: 8.2
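The risk behind the Target URI Resolver entry above is that an unanchored pattern such as .* matches any absolute URL, so a login flow would happily redirect to a foreign host. The following added example (not Airlock IAM's own code) shows a pre-upgrade check that flags such patterns by probing them with constructed external URLs, next to an anchored pattern that only admits the application's own origin. The probe URLs, the STRICT_PATTERNS value and the function names are assumptions made for this illustration.

```python
import re

# Constructed probe targets (not from the Airlock IAM page): an absolute URL to a
# foreign host, a protocol-relative URL, and a host that merely starts with our own
# hostname. A sound target URI pattern must reject all three.
_PROBE_EXTERNAL_TARGETS = (
    "https://attacker.invalid/",
    "//attacker.invalid/",
    "https://app.example.com.attacker.invalid/",
)


def is_lax_target_pattern(pattern: str) -> bool:
    """Return True if the pattern would accept a redirect to a foreign host.

    Assumption: this models a pre-flight check an operator can run over the
    configured patterns; it is not Airlock IAM's own validation logic.
    """
    compiled = re.compile(pattern)
    return any(compiled.fullmatch(probe) for probe in _PROBE_EXTERNAL_TARGETS)


def is_allowed_target(target: str, patterns: list[str]) -> bool:
    """Accept a redirect target only if it fully matches a configured pattern."""
    return any(re.fullmatch(p, target) for p in patterns)


def check_patterns_before_upgrade(patterns: list[str]) -> list[str]:
    """Return the configured patterns that should be fixed before migrating."""
    return [p for p in patterns if is_lax_target_pattern(p)]


# Anchored to scheme, full hostname and an explicit path prefix (constructed value).
# The escaped dots matter: an unescaped '.' would also match "app-example.com".
STRICT_PATTERNS = [r"https://app\.example\.com/(portal|account)(/.*)?"]

if __name__ == "__main__":
    candidates = [".*", r"https?://.*", r"https://app\.example\.com.*", STRICT_PATTERNS[0]]
    print("lax patterns:", check_patterns_before_upgrade(candidates))
    print(is_allowed_target("https://attacker.invalid/", [".*"]))        # True: open redirect
    print(is_allowed_target("https://attacker.invalid/", STRICT_PATTERNS))  # False
```

Note that the third candidate, https://app\.example\.com.*, is also flagged: without a terminating "/" the trailing .* lets a host that begins with the expected hostname through, which is why the strict pattern ends the host with an explicit path separator.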

IAM Module: Loginapp
Affected Feature(s): Self-registration flow
Issue(s): AI-18189
Required Action:
Using the plugin Email Item Definition in a self-registration flow was never supported and resulted in REST error responses. Configuring this non-functional setup is now prevented in the Config Editor.

If your configuration contains an (unused/non-functional) self-registration flow with a User Data Registration Step containing an Email Item Definition, replace the latter with a String User Context Data Item with an Email Address Validator before migrating.
Version: 8.2

IAM Module: Loginapp
Affected Feature(s): Client certificate DN parsing
Issue(s): AI-18344
Required Action:
Fix for parsing distinguished names (DNs): before the fix, strings were parsed to DNs while ignoring non-escaped (and thus invalid) delimiter characters (such as / or =). Non-escaped delimiters are no longer accepted.

If invalid DNs are configured in the plugin OAuth 2.0 Client Certificate, the DNs must be corrected before migrating to IAM 8.2. The plugin is used in static clients within the OAuth/OIDC authorization server settings: Loginapp >> OAuth 2.0/OIDC Authorization Servers >> <an AS> >> Static Clients >> <a client> >> Client Certificates.
Version: 8.2
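To see what "non-escaped delimiters are no longer accepted" means for a configured client certificate DN, here is an added strict DN parser (example code, not Airlock IAM's parser) together with a pre-migration check that reports which configured DNs it rejects. It follows the RFC 4514 comma-separated string form, so the delimiter set (, + = < > ; " and the backslash itself) is an assumption taken from that RFC; the entry above also names /, and which delimiter set Airlock IAM actually applies is not stated on the page. Hex escapes (\XX) are deliberately not resolved, and multi-valued RDNs joined with + are treated as an error, to keep the example short. The sample DNs are constructed.

```python
import re

# Characters that act as delimiters in an RFC 4514 string DN and therefore must be
# escaped with a backslash when they occur inside an attribute value.
# Assumption: this set follows RFC 4514, not Airlock IAM's parser.
DN_DELIMITERS = frozenset(',+=<>;"\\')
ATTRIBUTE_TYPE_RE = re.compile(r"[A-Za-z][A-Za-z0-9-]*|\d+(\.\d+)+")


class InvalidDnError(ValueError):
    """Raised for a DN that a strict parser must reject."""


def _split_unescaped(text: str, sep: str) -> list[str]:
    """Split on sep, but not on a sep that is preceded by a backslash."""
    parts, current, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            current.append(text[i:i + 2])  # keep the escape pair intact for later
            i += 2
            continue
        if ch == sep:
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current))
    return parts


def _unescape_value(raw: str) -> str:
    """Resolve backslash escapes; reject any delimiter that is not escaped."""
    out, i = [], 0
    while i < len(raw):
        ch = raw[i]
        if ch == "\\":
            if i + 1 >= len(raw):
                raise InvalidDnError(f"dangling escape at end of {raw!r}")
            nxt = raw[i + 1]
            if nxt in DN_DELIMITERS or nxt in " #":
                out.append(nxt)
                i += 2
                continue
            # Simplification: hex escapes (\XX) are not resolved in this example.
            raise InvalidDnError(f"unsupported escape \\{nxt} in {raw!r}")
        if ch in DN_DELIMITERS:
            # This is exactly the case a lenient parser silently accepted.
            raise InvalidDnError(f"unescaped delimiter {ch!r} in value {raw!r}")
        out.append(ch)
        i += 1
    return "".join(out)


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Parse a string DN into (attribute type, value) pairs, strictly."""
    pairs = []
    for rdn in _split_unescaped(dn, ","):
        fields = _split_unescaped(rdn, "=")
        if len(fields) != 2:
            raise InvalidDnError(f"RDN {rdn!r} must contain exactly one unescaped '='")
        attr, raw_value = fields[0].strip(), fields[1]
        if not ATTRIBUTE_TYPE_RE.fullmatch(attr):
            raise InvalidDnError(f"invalid attribute type {attr!r}")
        if not raw_value:
            raise InvalidDnError(f"empty value for attribute {attr!r}")
        pairs.append((attr, _unescape_value(raw_value)))
    return pairs


def find_invalid_dns(configured: list[str]) -> list[tuple[str, str]]:
    """Pre-migration check: (dn, reason) for every configured DN the strict parser rejects."""
    problems = []
    for dn in configured:
        try:
            parse_dn(dn)
        except InvalidDnError as exc:
            problems.append((dn, str(exc)))
    return problems


if __name__ == "__main__":
    # Constructed sample DNs: one correctly escaped, two with unescaped delimiters.
    sample = ["CN=Alice\\, Bob,O=Example", "CN=a=b,O=Example", "CN=x+y,O=Example"]
    for dn, reason in find_invalid_dns(sample):
        print(f"{dn}: {reason}")
```

The first sample DN parses to the pairs ("CN", "Alice, Bob") and ("O", "Example") because the comma is escaped; the other two are reported, and the fix is to escape the delimiter in the configured value (CN=a\=b) rather than to relax the parser.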

IAM Module: Loginapp
Affected Feature(s): UI fixes
Issue(s): AI-18165
Required Action:
Various Loginapp UI fixes that may require adaptations in existing UI customizations.

See Loginapp UI Customizations Fix in 8.0.4 and 8.1.1 for further details.
Version: 8.2

IAM Module: Loginapp
Affected Feature(s): Custom web.xml
Issue(s): AI-17906, AI-18146
Required Action:
If the Loginapp's web.xml has been customized, the following new filters have to be added manually:
  • OpenIdConnectPromptNoneServletForwardFilter
  • RequestUrlPatternUiResourceSetRuleFilter (must be inserted above, i.e., before, the UrlRewriteFilter)
Version: 8.2

IAM Module: Loginapp
Affected Feature(s): Airlock 2FA
Issue(s): AI-18071, AI-14943
Required Action:
Airlock 2FA factor preferences in approval steps:

IAM 8.1.2 introduced a new configuration option to prefer Airlock 2FA Offline QR code over One Touch (Push) for approval steps. See AI-14943 in the IAM 8.1 changelog.

If the feature was used with IAM 8.1, the configuration of the affected steps must be adapted manually: AI-18071 allows the configuration of an ordered list of authentication factors for all Airlock 2FA steps.

If the feature introduced with 8.1.2 was used, remove the One-Touch factor from the list and make sure that the Offline QR Code factor is the first entry in the list.
Version: 8.2

IAM Module: Loginapp
Affected Feature(s): OAuth Client, OIDC RP
Issue(s): AI-17951
Required Action:
IAM used as OAuth Client or OIDC Relying Party (RP) now supports Pushed Authorization Requests (PAR).

Up to version 8.1, IAM (if using service discovery) ignored the authorization server's (AS) PAR requirements. If, for example, the AS strictly required PAR by setting the require_pushed_authorization_requests metadata field to true, IAM ignored that.

As of IAM 8.2, PAR is supported by IAM (as RP/Client). Thus, if the AS strictly requires PAR, IAM respects this requirement, and an involved web application (single-page application, SPA) must be adapted to support PAR: Airlock IAM returns a new action OAUTH2_CLIENT_AUTHORIZATION_URI_RETRIEVAL_REQUIRED, which requires the SPA to retrieve the authorization redirect URI via the REST API instead of relying on the additional attributes.

However, with IAM 8.1 (or older) and an AS strictly requiring PAR, the setup would not have functioned properly. Therefore, the above situation is irrelevant in practice, and it can be assumed that no SPA needs to be adapted.
Version: 8.2
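The PAR entry above describes two client behaviours: the pre-8.2 one, which ignored the require_pushed_authorization_requests metadata flag and always built a plain authorization redirect, and the 8.2 one, which honours the flag, pushes the request parameters to the AS's PAR endpoint (RFC 9126) and then redirects with only client_id and the returned request_uri. The added example below (not Airlock IAM's code) models both so the difference is visible side by side. The action name OAUTH2_CLIENT_AUTHORIZATION_URI_RETRIEVAL_REQUIRED is taken from the page; the AS metadata, the client parameters, the fake_push transport and all function names are constructed for this illustration, and the honor_par_flag switch exists only to contrast the two behaviours.

```python
from typing import Callable
from urllib.parse import urlencode

# Action name from the Airlock IAM 8.2 notes; everything else here is constructed.
ACTION_RETRIEVE_AUTHZ_URI = "OAUTH2_CLIENT_AUTHORIZATION_URI_RETRIEVAL_REQUIRED"


def as_requires_par(metadata: dict) -> bool:
    """RFC 9126: the metadata flag defaults to false when the AS omits it."""
    return bool(metadata.get("require_pushed_authorization_requests", False))


def build_authorization_params(client_id: str, redirect_uri: str, scope: str, state: str) -> dict:
    """The front-channel parameters of an authorization code request."""
    return {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
    }


def plan_authorization(metadata: dict, params: dict, honor_par_flag: bool = True) -> dict:
    """Decide how the client delivers the authorization request.

    honor_par_flag=False reproduces the pre-8.2 behaviour described in the notes
    (the AS's PAR requirement is ignored); it is modelled here only for contrast.
    """
    if honor_par_flag and as_requires_par(metadata):
        endpoint = metadata.get("pushed_authorization_request_endpoint")
        if not endpoint:
            raise ValueError("AS requires PAR but publishes no PAR endpoint")
        return {
            "mode": "par",
            "par_endpoint": endpoint,
            "body": params,
            "spa_action": ACTION_RETRIEVE_AUTHZ_URI,  # what an SPA would be told to do
        }
    return {"mode": "redirect", "url": f"{metadata['authorization_endpoint']}?{urlencode(params)}"}


def authorization_uri_via_par(metadata: dict, params: dict, push: Callable[[str, dict], dict]) -> str:
    """Push the parameters via the back channel, then build the short redirect URI."""
    plan = plan_authorization(metadata, params)
    if plan["mode"] != "par":
        return plan["url"]
    response = push(plan["par_endpoint"], plan["body"])  # AS answers with request_uri
    short = {"client_id": params["client_id"], "request_uri": response["request_uri"]}
    return f"{metadata['authorization_endpoint']}?{urlencode(short)}"


def fake_push(endpoint: str, body: dict) -> dict:
    """Stand-in for the authenticated HTTP POST to the PAR endpoint (offline, constructed)."""
    assert "client_id" in body and "redirect_uri" in body
    return {"request_uri": "urn:ietf:params:oauth:request_uri:example-123", "expires_in": 60}


# Constructed AS discovery metadata for demonstration.
SAMPLE_METADATA = {
    "authorization_endpoint": "https://as.example.com/authorize",
    "pushed_authorization_request_endpoint": "https://as.example.com/par",
    "require_pushed_authorization_requests": True,
}

if __name__ == "__main__":
    params = build_authorization_params("spa", "https://app.example.com/cb", "openid", "xyz")
    print(plan_authorization(SAMPLE_METADATA, params, honor_par_flag=False)["url"])
    print(authorization_uri_via_par(SAMPLE_METADATA, params, fake_push))
```

With the flag honoured, the redirect URI carries no scope, redirect_uri or state in the query string; those live behind the request_uri, which is the property that makes an AS insist on PAR in the first place.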

IAM Module: Loginapp, Adminapp
Affected Feature(s): OAuth AS, OIDC OP
Issue(s): AI-12130
Required Action:
The OAuth 2.0/OIDC Authorization Server can persist consents and reuse user-made decisions to optimize the consent-giving process. If all consents are already present, the interactive step continues without presenting a UI to the end-user.

Helpdesk users can see consents granted by the user in the Adminapp. They can also manage consents for the end-user by removing consents.

To use this feature, a database schema update is required. The required upgrade scripts can be found under Relational databases for IAM.

IAM Module: Adminapp
Affected Feature(s): Page Sizes
Issue(s): AI-17984
Required Action:
For resources that support paging (such as the list of users), a globally applicable Default Page Size and a Max Page Size can now be configured (defaults are 500 and 5000). The Default Page Size applies if no page[limit] query parameter is transmitted. If that parameter is transmitted, it must not exceed the Max Page Size.

Applications that rely on resources returning all records if no page[limit] parameter is specified need to be aware that the returned resources are now restricted to the Default Page Size.

To fall back to the old behavior, the Default Page Size can be set to a sufficiently high value. Applications that query the resource with a page[limit] parameter larger than 5000 exceed the new default Max Page Size. Either reduce the parameter's value or increase the Max Page Size in the IAM configuration.
Version: 8.2
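The two things the Page Sizes entry asks an integrator to look for (requests that omit page[limit] and will now be capped at the Default Page Size, and requests whose page[limit] exceeds the Max Page Size and will be rejected) can be found in existing access logs before the upgrade. The added example below (not Airlock IAM's code) implements the limit resolution rule as the entry states it and runs it over constructed access-log lines. The log format, the /rest/users path and the "now-capped"/"rejected" classifications are assumptions for this illustration; the 500 and 5000 defaults are the page's own numbers.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Defaults as stated in the IAM 8.2 notes.
DEFAULT_PAGE_SIZE = 500
MAX_PAGE_SIZE = 5000


class PageLimitError(ValueError):
    """A page[limit] value the server would refuse."""


def resolve_page_limit(query: dict, default_page_size: int = DEFAULT_PAGE_SIZE,
                       max_page_size: int = MAX_PAGE_SIZE) -> int:
    """Effective page size: the default if page[limit] is absent, else the value, capped."""
    raw = query.get("page[limit]")
    if raw is None:
        return default_page_size
    if not raw.isdigit() or int(raw) < 1:
        raise PageLimitError(f"page[limit] must be a positive integer, got {raw!r}")
    limit = int(raw)
    if limit > max_page_size:
        raise PageLimitError(f"page[limit]={limit} exceeds Max Page Size {max_page_size}")
    return limit


def paginate(records: list, query: dict, default_page_size: int = DEFAULT_PAGE_SIZE,
             max_page_size: int = MAX_PAGE_SIZE) -> dict:
    """Return the first page of records and whether more records were cut off."""
    limit = resolve_page_limit(query, default_page_size, max_page_size)
    return {"data": records[:limit], "truncated": len(records) > limit}


# Constructed access-log lines (not from the page); the path shape is an assumption.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /rest/users HTTP/1.1" 200 8812
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /rest/users?page%5Blimit%5D=10000 HTTP/1.1" 200 110
10.0.0.7 - - [01/Jan/2024:10:00:05 +0000] "GET /rest/users?page%5Blimit%5D=200 HTTP/1.1" 200 4021
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (?P<target>\S+) HTTP/')


def find_affected_requests(log_text: str, default_page_size: int = DEFAULT_PAGE_SIZE,
                           max_page_size: int = MAX_PAGE_SIZE) -> list[tuple[str, str, str]]:
    """Classify logged requests whose behaviour changes with the new page size limits."""
    findings = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = urlsplit(match.group("target"))
        query = {key: values[0] for key, values in parse_qs(url.query).items()}  # decodes page[limit]
        try:
            limit = resolve_page_limit(query, default_page_size, max_page_size)
        except PageLimitError as exc:
            findings.append((url.path, "rejected", str(exc)))
            continue
        if "page[limit]" not in query:
            findings.append((url.path, "now-capped", f"defaults to {limit} records"))
    return findings


if __name__ == "__main__":
    for path, kind, detail in find_affected_requests(SAMPLE_LOG):
        print(f"{kind:10} {path}: {detail}")
```

The third logged request (page[limit]=200) produces no finding because it stays within both limits; the first is flagged as now capped at 500, the second as rejected for exceeding 5000. Re-running the scan with the intended configuration values as arguments shows whether raising Default Page Size or Max Page Size, as the entry suggests, resolves the findings.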

IAM Module: All
Affected Feature(s): Password end-to-end encryption
Issue(s): AI-18206
Required Action:
Because of a bug, the following plugins accidentally did not require the license tag EndToEndPasswordEncryption in IAM 8.0 and 8.1:
  • Default End-To-End Encryption Password Repository
  • JWE Password Decryption

The license tag (and therefore usually the license bundle ENCRYPTION) is required again.

If either of the plugins has been used in IAM 8.0 or 8.1 with a license not including the EndToEndPasswordEncryption tag, the license must be extended to include the tag.
Version: 8.2

Custom code

Each entry below lists: IAM Module; Affected Feature(s) (Relevant if using ...); Issue(s); Required Action; Version.

IAM Module: Loginapp, Transaction Approval
Affected Feature(s): Custom Flow Steps
Issue(s): AI-17702
Required Action:
The methods nextAction, succeeded, and terminate have been removed from the Flow interface.

Custom code must be adjusted accordingly.
Version: 8.2

IAM Module: Loginapp, Transaction Approval
Affected Feature(s): Custom Flow Steps
Issue(s): AI-18068
Required Action:
Custom implementations of FlowAttribute must ensure that the return type of the mergeWith method (and of the copyAttribute method of UserSessionScopedFlowAttribute) is now strictly the attribute type itself.
Version: 8.2

IAM Module: Loginapp, Transaction Approval
Affected Feature(s): Custom Flow Steps
Issue(s): AI-18079
Required Action:
UserSessionScopedFlowAttribute must also implement Mapifiable, while the deprecated (de-)serialization methods can be removed.
Version: 8.2

IAM Module: Loginapp, Adminapp
Affected Feature(s): Custom code handling session state
Issue(s): AI-18031
Required Action:
All custom code classes that inherit the Mapifiable interface must now implement the mapify and demapify methods.
Version: 8.2