| | | The Target URI Resolver in the Authentication UI Settings now rejects overly permissive patterns that would allow open redirects. Disallowed patterns such as .* prevent migration of the configuration to IAM 8.2 and must be adapted before upgrading to IAM 8.2. | |
| | | Using the plugin Email Item Definition in a self-registration flow was never supported and resulted in REST error responses. The Config Editor now prevents this non-functional setup. If your configuration contains an (unused, non-functional) self-registration flow with a User Data Registration Step containing an Email Item Definition, replace the latter with a String User Context Data Item with an Email Address Validator before migrating. | |
| Client certificate DN parsing | | Fixed parsing of distinguished names (DNs): before the fix, strings were parsed to DNs while ignoring unescaped (and thus invalid) delimiter characters such as / or =. Unescaped delimiters are no longer accepted. If invalid DNs are configured in the plugin OAuth 2.0 Client Certificate, the DNs must be corrected before migrating to IAM 8.2. The plugin is used in static clients within the OAuth/OIDC authorization server settings: Loginapp >> OAuth 2.0/OIDC Authorization Servers >> <an AS> >> Static Clients >> <a client> >> Client Certificates. | |
| | | If the Loginapp's web.xml has been customized, the following new filters have to be added manually: OpenIdConnectPromptNoneServletForwardFilter; RequestUrlPatternUiResourceSetRuleFilter (must be inserted above, i.e. before, the UrlRewriteFilter). | |
| | | Airlock 2FA factor preferences in approval steps: IAM 8.1.2 introduced a configuration option to prefer the Airlock 2FA Offline QR Code factor over One Touch (Push) for approval steps (see AI-14943 in the IAM 8.1 changelog). If that feature was used with IAM 8.1, the configuration of the affected steps must be adapted manually: AI-18071 allows configuring an ordered list of authentication factors for all Airlock 2FA steps. If the feature introduced with 8.1.2 was used, remove the One Touch factor from the list and make sure that the Offline QR Code factor is the first entry in the list. | |
| | | IAM used as OAuth client or OIDC Relying Party (RP) now supports Pushed Authorization Requests (PAR). Up to version 8.1, IAM ignored the authorization server's (AS) PAR requirements when using service discovery: if, for example, the AS strictly required PAR by setting the require_pushed_authorization_requests metadata field to true, IAM ignored that. As of IAM 8.2, PAR is supported by IAM as RP/client. Thus, if the AS strictly requires PAR, IAM respects this and requires the involved web application (single-page application, SPA) to be adapted to support PAR: Airlock IAM returns the new action OAUTH2_CLIENT_AUTHORIZATION_URI_RETRIEVAL_REQUIRED, which requires the SPA to retrieve the authorization redirect URI via the REST API instead of relying on the additional attributes. However, a setup with IAM 8.1 (or older) and an AS strictly requiring PAR would not have functioned properly in the first place. Therefore, this situation is irrelevant in practice and it can be assumed that no SPA needs to be adapted. | |
| | | The OAuth 2.0/OIDC Authorization Server can persist consents and reuse the user's earlier decisions to streamline the consent-giving process. If all required consents are already present, the interactive step continues without presenting a UI to the end user. Helpdesk users can see the consents granted by a user in the Adminapp and can manage them on the end user's behalf by removing consents. This feature requires a database schema update; the required upgrade scripts can be found under Relational databases for IAM. | |
| | | For resources that support paging (such as the list of users), a globally applicable Default Page Size and Max Page Size can now be configured (defaults: 500 and 5000). The Default Page Size applies if no page[limit] query parameter is transmitted; if the parameter is transmitted, it must not exceed the Max Page Size. Applications that rely on a resource returning all records when no page[limit] parameter is specified need to be aware that the returned resources are now restricted to the Default Page Size; to fall back to the old behavior, set the Default Page Size to a sufficiently high value. Applications that query a resource with a page[limit] parameter larger than 5000 exceed the new default Max Page Size; either reduce the parameter's value or increase the Max Page Size in the IAM configuration. | |
| Password end-to-end encryption | | Because of a bug, the following plugins did not require the license tag EndToEndPasswordEncryption in IAM 8.0 and 8.1: Default End-To-End Encryption Password Repository; JWE Password Decryption. The license tag (and therefore usually the license bundle ENCRYPTION) is required again. If either of these plugins has been used in IAM 8.0 or 8.1 with a license that does not include the EndToEndPasswordEncryption tag, the license must be extended to include the tag. | |
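The first row of the table above describes the Target URI Resolver rejecting overly permissive patterns such as .* because they allow open redirects. The Python below is an added example, not Airlock IAM code, showing one way to detect such patterns before they reach a configuration: compile the allow-list pattern and refuse it if it fully matches any of a constructed set of foreign-host probe URLs, then resolve a requested target only against patterns that passed. The probe list, the function names and the host app.example.com are assumptions for the illustration; the page does not describe IAM's actual validation rule.

```python
import re

# Constructed probe targets that a redirect-target allow-list must never accept.
# Each has a classic open-redirect shape: foreign host, scheme-relative URL,
# host-suffix trick, path trick, userinfo trick, and a non-http scheme.
FOREIGN_PROBES = (
    "https://evil.example/",
    "//evil.example/",
    "https://app.example.com.evil.example/",
    "https://evil.example/app.example.com/",
    "https://app.example.com@evil.example/",
    "javascript:void(0)",
)


class LaxPatternError(ValueError):
    """Raised when a configured pattern would accept a foreign redirect target."""


def check_pattern(pattern: str) -> re.Pattern:
    """Compile a Target URI allow-list pattern, refusing it if it matches any probe.

    fullmatch is used on purpose: a pattern that only matches a prefix of the URL
    would accept anything appended after the allowed part.
    """
    compiled = re.compile(pattern)
    for probe in FOREIGN_PROBES:
        if compiled.fullmatch(probe):
            raise LaxPatternError(f"pattern {pattern!r} accepts foreign target {probe!r}")
    return compiled


def is_too_lax(pattern: str) -> bool:
    """True if check_pattern rejects the pattern (useful as a pre-migration config check)."""
    try:
        check_pattern(pattern)
    except LaxPatternError:
        return True
    return False


def resolve_target(requested: str, patterns: list, fallback: str) -> str:
    """Return the requested target only if a vetted allow-list pattern fully matches it;
    otherwise fall back to a fixed, trusted application URL."""
    for regex in (check_pattern(p) for p in patterns):
        if regex.fullmatch(requested):
            return requested
    return fallback


if __name__ == "__main__":
    # Assumed example patterns: the first two are too lax, the third is anchored to one host and path.
    for candidate in (".*", r"https://app\.example\.com.*", r"https://app\.example\.com/[A-Za-z0-9/_-]*"):
        print(f"{candidate!r}: {'too lax' if is_too_lax(candidate) else 'ok'}")
```

The second candidate in the demo shows why the probe list includes a host-suffix URL: https://app\.example\.com.* looks anchored, but fullmatch accepts https://app.example.com.evil.example/, so the check refuses it just like .* itself.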
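The Client certificate DN parsing row states that unescaped delimiter characters such as / or = in a DN string are now rejected instead of silently ignored. The Python below is an added example, not the IAM parser, of a strict DN tokenizer in the slash-separated style those delimiters suggest (OpenSSL-style /CN=a/O=b) with backslash escaping; the separator can be switched to a comma for RFC 4514-style strings. The exact syntax IAM accepts, the function names and the sample DNs are assumptions. find_invalid_dns is the kind of pre-migration check the row asks for: it lists configured DNs that the strict rules reject.

```python
class InvalidDnError(ValueError):
    """Raised for a DN string that contains an unescaped delimiter or is malformed."""


def parse_dn(dn: str, separator: str = "/") -> list:
    """Parse a DN string into a list of (attribute type, value) tuples.

    Assumed rules, modelled on RFC 4514 escaping: a backslash escapes the next
    character; an unescaped separator ends an RDN; an unescaped '=' splits type
    from value and may appear only once per RDN. Anything else is an error,
    which is exactly what a lenient parser that skips stray delimiters gets wrong.
    """
    rdns = []
    attr_type = None   # None while we are still reading the attribute type
    buf = []
    i = 1 if (separator == "/" and dn.startswith("/")) else 0   # OpenSSL form has a leading slash
    while i < len(dn):
        ch = dn[i]
        if ch == "\\":
            if i + 1 >= len(dn):
                raise InvalidDnError("dangling escape character at end of DN")
            buf.append(dn[i + 1])   # escaped character is taken literally
            i += 2
            continue
        if ch == "=":
            if attr_type is not None:
                raise InvalidDnError(f"unescaped '=' inside a value at offset {i}")
            attr_type = "".join(buf).strip()
            if not attr_type:
                raise InvalidDnError(f"empty attribute type at offset {i}")
            buf = []
        elif ch == separator:
            if attr_type is None:
                raise InvalidDnError(
                    f"unescaped {separator!r} at offset {i}: fragment {''.join(buf)!r} has no '='")
            rdns.append((attr_type, "".join(buf)))
            attr_type, buf = None, []
        else:
            buf.append(ch)
        i += 1
    if attr_type is None:
        if buf:
            raise InvalidDnError(f"trailing fragment {''.join(buf)!r} has no '='")
    else:
        rdns.append((attr_type, "".join(buf)))
    if not rdns:
        raise InvalidDnError("empty DN")
    return rdns


def is_valid_dn(dn: str, separator: str = "/") -> bool:
    """True if the strict parser accepts the DN string."""
    try:
        parse_dn(dn, separator)
    except InvalidDnError:
        return False
    return True


def find_invalid_dns(configured: list, separator: str = "/") -> list:
    """Pre-migration check: return the configured DN strings the strict parser rejects."""
    return [dn for dn in configured if not is_valid_dn(dn, separator)]


if __name__ == "__main__":
    # Constructed sample configuration: one DN with a properly escaped slash, one with a stray one.
    samples = ["/CN=Alice\\/Bob/O=Example", "/CN=Alice/Bob/O=Example", "/CN=a=b/O=Example"]
    for dn in samples:
        try:
            print(dn, "->", parse_dn(dn))
        except InvalidDnError as err:
            print(dn, "-> rejected:", err)
```

In the demo, the second and third DNs are the cases the row is about: a lenient parser would quietly read "Bob" as part of the name or "a=b" as a value, while the strict parser reports the offending offset so the configured DN can be corrected (by escaping the delimiter) before the upgrade.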
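The PAR row describes IAM 8.2 honouring the require_pushed_authorization_requests field from AS discovery metadata, which IAM 8.1 ignored. The Python below is an added example, not Airlock IAM code, showing both sides of the exchange: a client that pushes the full authorization request to the PAR endpoint and sends only the returned request_uri through the browser when the AS requires it, and an in-memory stand-in AS that refuses front-channel requests without a request_uri, the failure the row says an IAM 8.1 setup would have run into. Metadata field names follow RFC 8414 and RFC 9126; the hostnames, client id and function names are constructed. The page's action OAUTH2_CLIENT_AUTHORIZATION_URI_RETRIEVAL_REQUIRED is how IAM signals this case to an SPA; that REST interaction is not modelled here.

```python
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed discovery metadata for an AS that strictly requires PAR (RFC 8414 / RFC 9126 names).
STRICT_AS_METADATA = {
    "issuer": "https://as.example",
    "authorization_endpoint": "https://as.example/authorize",
    "pushed_authorization_request_endpoint": "https://as.example/par",
    "require_pushed_authorization_requests": True,
}
# The same AS without the requirement; the field defaults to false when absent.
LENIENT_AS_METADATA = {k: v for k, v in STRICT_AS_METADATA.items()
                       if k != "require_pushed_authorization_requests"}


class MockAuthorizationServer:
    """Minimal AS side of the exchange, kept in memory so the example runs offline."""

    def __init__(self, metadata):
        self.metadata = metadata
        self.pushed = {}   # request_uri -> parameters pushed over the back channel

    def par_endpoint(self, form):
        # PAR: the client POSTs the complete authorization request to the AS directly.
        for key in ("client_id", "response_type", "redirect_uri"):
            if key not in form:
                return {"error": "invalid_request", "error_description": f"missing {key}"}
        request_uri = "urn:ietf:params:oauth:request_uri:" + secrets.token_urlsafe(16)
        self.pushed[request_uri] = dict(form)
        return {"request_uri": request_uri, "expires_in": 60}

    def authorize(self, query):
        # Front channel: a strict AS accepts only a request_uri it issued itself.
        if self.metadata.get("require_pushed_authorization_requests", False):
            request_uri = query.get("request_uri")
            if request_uri not in self.pushed:
                return {"error": "invalid_request",
                        "error_description": "pushed authorization request required"}
            params = self.pushed.pop(request_uri)   # request_uri is single-use
            if params["client_id"] != query.get("client_id"):
                return {"error": "invalid_request", "error_description": "client_id mismatch"}
        else:
            params = query
        return {"ok": True, "client_id": params["client_id"], "scope": params.get("scope")}


def build_authorization_redirect(metadata, client_id, redirect_uri, scope, post_form):
    """RP/client side: build the redirect URL, pushing the request first if discovery demands it."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": secrets.token_urlsafe(16),
    }
    if metadata.get("require_pushed_authorization_requests", False):
        par_endpoint = metadata.get("pushed_authorization_request_endpoint")
        if not par_endpoint:
            raise ValueError("AS requires PAR but advertises no PAR endpoint")
        response = post_form(par_endpoint, params)
        if "request_uri" not in response:
            raise ValueError(f"PAR request rejected: {response}")
        # Only the reference travels through the browser; the request itself stayed back-channel.
        query = {"client_id": client_id, "request_uri": response["request_uri"]}
    else:
        query = params
    return metadata["authorization_endpoint"] + "?" + urlencode(query)


def run_exchange(metadata):
    """Drive one client -> AS round trip against the in-memory AS; returns (redirect URL, AS decision)."""
    server = MockAuthorizationServer(metadata)

    def post_form(url, form):   # stands in for the HTTPS POST of a real deployment
        assert url == metadata["pushed_authorization_request_endpoint"]
        return server.par_endpoint(form)

    url = build_authorization_redirect(metadata, "spa-client", "https://rp.example/cb",
                                       "openid profile", post_form)
    query = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    return url, server.authorize(query)


if __name__ == "__main__":
    for name, md in (("strict", STRICT_AS_METADATA), ("lenient", LENIENT_AS_METADATA)):
        url, decision = run_exchange(md)
        print(name, "->", url, decision)
    # A client that ignores the requirement, as described for IAM 8.1, is refused outright.
    print(MockAuthorizationServer(STRICT_AS_METADATA).authorize({"client_id": "spa-client"}))
```

The strict run produces a redirect URL carrying only client_id and request_uri, which is why a browser-side application that assembled the authorization URL itself from the usual parameters has to be changed to fetch the URL from the client instead; the lenient run keeps the classic parameter-carrying URL.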