Airlock IAM 8.2 - Actions required when upgrading

This section describes changes in Airlock IAM 8.2 that may require manual changes. Whether changes are necessary depends on the used features and/or custom extensions.

Upgrading an Airlock IAM version may require special actions. Consult the respective upgrade requirements:
Actions required when upgrading from IAM 8.0 to IAM 8.1
Actions required when upgrading from IAM 7.7 to IAM 8.0

Various

IAM Module	Affected Feature(s) (Relevant if using ...)	Issue(s)	Required Action	Version
Loginapp	Target URI Resolver	AI-9385	The Target URI Resolver in the Authentication UI Settings now prevents too lax patterns allowing open redirects. Disallowed patterns, like `.*`, prevent the migration of the configuration to IAM 8.2 and must be adapted before upgrading to IAM 8.2	8.2
Loginapp	Self-registration flow	AI-18189	Using the plugin Email Item Definition in a self-registration flow was never supported and resulted in REST error responses. Configuring this non-functional setup is now prevented in the Config Editor. If your configuration contains an (unused/non-functional) self-registration flow with a User Data Registration Step containing an Email Item Definition, replace the latter with a String User Context Data Item with an Email Address Validator before migrating.	8.2
Loginapp	Client certificate DN parsing	AI-18344	Fix parsing distinguished names (DNs): before the fix, strings parsed to DNs were parsed ignoring non-escaped (and thus invalid) delimiter characters (such as `/` or `=`). Non-escaped delimiters are no longer accepted. If invalid DNs are configured plugin OAuth 2.0 Client Certificate the DNs must be corrected before migrating to IAM 8.2. The plugin is used in static clients within OAuth/OIDC authorization server settings: Loginapp >> OAuth 2.0/OIDC Authorization Servers >> <an AS> >> Static Clients >> <a client> >> Client Certificates.	8.2
Loginapp	UI fixes	AI-18165	Various Loginapp UI fixes that may require adaptations in existing UI customizations. See Loginapp UI Customizations Fix in 8.0.4 and 8.1.1 for further details.	8.2
Loginapp	Custom web.xml	AI-17906 AI-18146	If the Loginapp's `web.xml` has been customized, the following new filters have to be added manually: `OpenIdConnectPromptNoneServletForwardFilter` `RequestUrlPatternUiResourceSetRuleFilter` (must be inserted above, i.e., before the `UrlRewriteFilter`)	8.2
Loginapp	Airlock 2FA	AI-18071 AI-14943	Airlock 2FA factor preferences in approval steps: IAM 8.1.2 introduced a new configuration option to prefer Airlock 2FA Offline QR code over One Touch (Push) for approval steps. See AI-14943 in the IAM 8.1 changelog. If the feature was used with IAM 8.1, the configuration of the affected steps must be adapted manually: AI-18071 allows the configuration of an ordered list of authentication factors for all Airlock 2FA steps. If the feature introduced with 8.1.2 was used, remove the One-Touch factor from the list and make sure that the Offline QR Code factor is the first entry in the list.	8.2
Loginapp	OAuth Client, OIDC RP	AI-17951	IAM used as OAuth Client or OIDC Relying Party (RP) now supports Pushed Authentication Requests (PAR). Up to version 8.1, IAM - if using service discovery - ignored the authorization server's (AS) PAR requirements. If, for example, the AS strictly required PAR by setting the (`require_pushed_authorization_requests` metadata field set to `true`, IAM ignored that. As of IAM 8.2, PAR is supported by IAM (as RP/Client). Thus, if the AS strictly requires PAR, IAM will respect and require an involved web application (single-page application, SPA) to be adapted to support PAR: A new action `OAUTH2_CLIENT_AUTHORIZATION_URI_RETRIEVAL_REQUIRED` is returned by Airlock IAM, which requires the SPA to retrieve the authorization redirect URI via REST API instead of relying on the additional attributes. However, the situation with IAM 8.1 (or older) and the AS strictly requiring PAR, would not have functioned properly. Therefore, the above situation is irrelevant in practice and it can be assumed that no SPA needs to be adapted.	8.2
Loginapp Adminapp	OAuth AS, OIDC OP	AI-12130	The OAuth 2.0/OIDC Authorization Server can persist consents and reuse user-made decisions to optimize the consent-giving process. If all consents are already present, the interactive step will continue without presenting a UI to the end-user. Helpdesk users can see consents granted by the user in the Adminapp. They can also manage consents for the end-user by removing consents. To use this feature a database schema update is required. The required upgrade scripts can be found here Relational databases for IAM.
Adminapp	Page Sizes	AI-17984	For resources that support paging (such as the list of users), a globally applicable Default Page Size and a Max Page Size can now be configured (defaults are 500 and 5000). The Default Page Size applies if no `page[limit]` query parameter is transmitted. If that parameter is transmitted, it must not exceed Max Page Size. Applications that rely on resources returning all records if no `page[limit]` parameter is specified, need to be aware that the returned resources are now restricted to the Default Page Size. To fall back to the old behavior, the Default Page Size can be set to a sufficiently high value. Applications that query the resource with a `page[limit]` parameter that is larger than 5000, exceed the new default Max Page Size. Either reduce the parameter's value or increase the Max Page Size in the IAM configuration.	8.2
All	Password end-to-end encryption	AI-18206	Because of a bug, the following plugins accidentally did not require the license tag `EndToEndPasswordEncryption` in IAM 8.0 and 8.1: Default End-To-End Encryption Password Repository JWE Password Decryption The license tag (and therefore usually the license bundle `ENCRYPTION`) is required again. If either of the plugins has been used in IAM 8.0 or 8.1 with a license, not including the `EndToEndPasswordEncryption` tag, the license must be extended to include the tag.	8.2

Custom code

IAM Module	Affected Feature(s) (Relevant if using ...)	Issue(s)	Required Action	Version
Loginapp, Transaction Approval	Custom Flow Steps	AI-17702	The methods `nextAction`, `succeeded,` and `terminate` have been removed from the `Flow` interface. Custom code must be adjusted accordingly.	8.2
Loginapp, Transaction Approval	Custom Flow Steps	AI-18068	Custom implementations of `FlowAttribute` must ensure that the return for the `mergeWith` method (and for the `copyAttribute` of `UserSessionScopedFlowAttribute`) is now strictly the attribute type itself.	8.2
Loginapp, Transaction Approval	Custom Flow Steps	AI-18079	`UserSessionScopedFlowAttribute` must also implement `Mapifiable`, while the deprecated (de-)serialization methods can be removed.	8.2
Loginapp, Adminapp	Custom code handling session state.	AI-18031	All custom code classes that inherit the `Mapifiable` interface must now implement the `mapify` and `demapify` methods.	8.2

Further information and links

Upgrade Airlock IAM
Upgrading database schemas: Relational databases for IAM