The following tables show the changes from Airlock IAM 8.1 to 8.2.
Airlock IAM 8.2.3
Bugfixes and improvements | ||
---|---|---|
Bugfix | AI-19396 | Correctly set state repository locks after restoring the session from the session ticket. |
Bugfix | AI-19319 | In the Adminapp User Management, Generic Tokens can be used as an active authentication method even when the corresponding Generic Token Controller has no user interface configured. |
Airlock IAM 8.2.2
Bugfixes and improvements | ||
---|---|---|
Bugfix | AI-19210 | Prevent a null pointer exception during Cronto activation. |
Bugfix | AI-19209 | URIs are now correctly generated without a trailing slash when there is no path behind the host part. This only affects OAuth 2.0/OIDC redirect URIs and the 2FA scheme overrides in the Airlock 2FA Mobile Only Authentication Step, the 2FA approval steps in the self-services, and transaction approval. |
Bugfix | AI-19204 | Fixed a memory leak in plugin injection. |
Bugfix | AI-19188 | Roles provided through an LDAP Connector may now contain " |
Bugfix | AI-19229 | Fixed an issue in the Loginapp Design Kit: the Airlock2FA usernameless page was constantly refreshed. |
Bugfix | AI-19232 | Fixed user CSV download in Adminapp: do not limit to 500 users. |
Bugfix | AI-19257 | Fixed an issue that prevented representation of locked users after authentication. |
Bugfix | AI-19227 | Update Universal Minimal Image to version 8.10-896.1716497715 (mitigates CVE-2024-33599, CVE-2024-33600, CVE-2024-33602, CVE-2024-33601 and CVE-2024-2961). |
Bugfix | AI-19293 | Fixes an issue in the Loginapp Design Kit on Windows: the batch file contained wrong line endings, which could lead to execution errors on some systems. |
Airlock IAM 8.2.1
Bugfixes and improvements | ||
---|---|---|
Bugfix | AI-19020 | SAML2: Gateway session is now correctly terminated for SP in an IdP-initiated SLO (single logout). |
Bugfix | AI-19025 | |
Bugfix | AI-19083 | Added missing key ID ( |
Bugfix | AI-18974 | mTLS client certificates can now be used in request authentication without Airlock Gateway settings. |
Airlock IAM 8.2.0
Airlock 2FA | ||
---|---|---|
New | AI-17151 | Support Airlock 2FA Online QR code login and approval. See Online QR code authentication. |
New | AI-16465 | Support Airlock 2FA Usernameless QR code login. See Usernameless QR code authentication. |
New | AI-18437 | Airlock 2FA now supports encryption of transaction data between Airlock IAM and the Futurae service. See Airlock 2FA Settings plugin – global shared Airlock 2FA configuration for further information. |
New | AI-17092 | IAM now supports Futurae's bypass mode in Airlock 2FA plugins. It bypasses all Airlock 2FA checks for users with bypass enabled in the Futurae admin portal. The feature is primarily used for automating tests. CAUTION: Use this feature with caution, as it disables Airlock 2FA checks and grants access without user interaction. |
New | AI-18526 | New username transformer plugin Airlock 2FA Username Transformer. It allows the user to log in using the Futurae account ID. |
New | AI-18530 | To support the seamless migration from an authenticator app such as the Airlock 2FA app to an app using the Futurae SDK, the scheme of the authentication URI returned by Futurae can be overridden in IAM's mobile-only 2FA authentication and approval steps. |
New | AI-18531 | The new auth flow step Airlock 2FA Delete Authentication Device Step unenrolls the Airlock 2FA device that was used to authenticate the end-user in the current flow. If no Airlock 2FA authentication was used before the new step, or if the user has only a single-app device registered, no device is unenrolled. |
New | AI-18071 | The priority of Airlock 2FA authentication factors to use (One-Touch, Online/Offline QR code, and Passcode) can now be configured not only for the Airlock 2FA Authentication Step but for all Airlock 2FA steps (self-services, approval steps, authentication step). |
Improvement | AI-17769 | Added more information to most log statements concerning Airlock 2FA actions, especially communication to the Futurae cloud service. Added information includes the Futurae session and user ID and improves both auditing and log correlation. |
Bugfix | AI-18052 | Airlock 2FA: Prevent unnecessary device selection prompts if multiple OTP hardware tokens are used. |
Authentication and Loginapp | ||
---|---|---|
New | AI-16561 | The Loginapp Design Kit now works on plain Windows without WSL. Please refer to Installation of the Loginapp Design Kit for further information. |
New | AI-18145 | New Resource Sets feature in the Loginapp UI: a new property UI Resource Set Rules in Loginapp >> UI Settings allows altering the complete Loginapp design customization based on the first matching rule. Currently, only a rule matching the Request URL Pattern is available. See Customization with Resource Sets for further information. |
New | AI-18239 | New Custom CAPTCHA plugin that allows using your own custom CAPTCHA services (they must be compatible with the reCAPTCHA API). Note that the UI needs to be implemented using a Loginapp Design Kit customization. |
New | AI-18002 | The Cronto push challenge page in the Loginapp now shows the display name of the Cronto device to which push messages have been sent. |
New | AI-18362 | "Push-to-all" option for Cronto in transaction approval flows. This feature allows sending a push message to all registered devices of a user. |
New | AI-18375 | Vasco OTP Public Self-Service Approval Step: the step to check a Vasco OTP can now be used to approve an operation in public self-service flows and protected self-service flows. |
New | AI-17852 | Support state externalization in RADIUS OTP Step. For general information about state externalization, see Storing session state in an external Redis session repository. |
New | AI-17691 | Certificate Context Extractor can now be configured to work with Airlock Microgateway. |
New | AI-18019 | Support for Envoy: the Airlock Microgateway (or other Envoy proxies) must be configured to pass the XFCC header as-is to IAM. |
New | AI-18501 | The plugins JWT Ticket EC Signer Settings and JWT Ticket RSA Signer Settings now add the certificate's kid to signed JWTs by default. The new property Include KID allows omitting the kid if desired. |
Improvement | AI-16812 | Redirect the browser to the requested forward location even if the target application has been selected by application ID. To do so |
Improvement | AI-17757 | Improved REST API naming consistency for the following calls: The old endpoints may be removed in IAM 9.0. |
Improvement | AI-17910 | SAML2: Authentication instant attribute can now be configured to use a date format instead of milliseconds since epoch. |
Improvement | AI-18169 | In the Loginapp Design Kit, NodeJS is no longer downloaded per customization. An absolute path can be set in the If no location is set, it is downloaded to See also Installation of the Loginapp Design Kit. |
Improvement | AI-18082 | The provided username can be included in SSO tickets and thus made available to target applications (like the Airlock IAM Adminapp). |
Improvement | AI-18198 | The log output written during the renewal (on login) and the deletion of a remember-me cookie has been improved. |
Improvement | AI-118417 | Updating the login statistics can now be disabled in the Default Authentication Processor plugin. This may be useful in certain use cases such as user representation. See also User representation – representee configuration in the Loginapp REST API. |
Bugfix | AI-9385 | The Target URI Resolver in the Loginapp's authentication UI settings now prevents overly lax patterns from allowing open redirects. Disallowed patterns (like .*) prevent the migration of the configuration to 8.2 and must be adapted before migrating to IAM 8.2. |
Bugfix | AI-18156 | Forward URIs containing a user info part (e.g. username:pwd@www.host.com) are now blocked earlier in request processing. This improves security and prevents the URI from being logged. |
Bugfix | AI-17662 | The GSID (global session ID) is now correctly read from the Airlock Gateway environment cookie. |
Bugfix | AI-18118 | Fixed a bug where the "Login from new device"-cookie was served without a path. |
Bugfix | AI-18333 | Fixed sporadic errors when skipping or disabling Cronto push activation. |
Bugfix | AI-18263 | The SAML relay state is now also propagated for SP- and the default application. Before this fix, the default URL was propagated. |
Bugfix | AI-18344 | Fixed parsing of distinguished names (DNs): before the fix, strings parsed to DNs ignored non-escaped (and thus invalid) delimiter characters (such as Affected plugins: Certificate Authenticator, OAuth 2.0 Client Certificate (in static OAuth client configuration). |
Bugfix | AI-18165 | Various Loginapp UI fixes. See Loginapp UI Customizations Fix in 8.0.4 and 8.1.1 for further details. |
Bugfix | AI-17359 | Fixed a bug when using the User Identity Map outside of authentication flows. |
Bugfix | AI-18110 | The Required Role Step has been removed. The configuration migration ensures that an equivalent Abort Step is automatically used instead. |
Bugfix | AI-18476 | Fixes a bug that caused Airlock IAM to ignore private IP addresses sent by Airlock Gateway or Airlock Microgateway via HTTP header. |
Bugfix | AI-18715 | Forward location URIs passed to the Loginapp may now contain commas. |
Bugfix | AI-18690 | Fixed rejection of previously used TOTPs in multi-instance setups. |
Bugfix | AI-17222 | Fixed a bug in the testlet for temporary locking. |
Flows | ||
---|---|---|
New | AI-17896 | The Username Password Authentication Step now supports CAPTCHAs. |
New | AI-17638 | Protected Self-Service Flows can now be used without a user data source (persistency-less). This may be helpful when users are authenticated by persistency-less authentication flows. Such users can now also use certain self-services, e.g. start user representation. There are some limitations, e.g. self-services editing user data will work but cannot persist the changes. Please refer to the documentation of the corresponding plugins in the Config Editor. |
New | AI-18525 | |
Improvement | AI-18505 | The Template-based String Provider now provides a JSON Encoder. |
Bugfix | AI-18510 | The Template-based String Provider now correctly supports templates with literal curly braces (which are not part of a variable). |
Bugfix | AI-18387 | Fixed handling of CAPTCHAs when using dynamic step activation. |
Bugfix | AI-18189 | Using the plugin Email Item Definition in a self-registration flow was never supported and resulted in REST error responses. Configuring this non-functional setup is now prevented in the Config Editor. |
Bugfix | AI-18044 | The Loginapp UI now appends query parameters and fragments to URLs in the correct order. |
OAuth / OIDC / SAML | ||
---|---|---|
New | AI-7099 | Support OIDC Hybrid Flow (IAM as Authorization Server/OpenID provider). |
New | AI-18045 | State externalization now also supports SAML. See Storing session state in an external Redis session repository for further information. |
New | AI-17864 | New flow condition that matches when flows started using OpenID Connect with See Non-interactive OIDC authentication in IAM flows for further information. |
New | AI-13157 | |
New | AI-17946 | OpenID Connect relying parties (clients) can now send custom authentication request parameters such as idp_hint to the OpenID Provider (AuthorizationServer). The parameters' value can include context data and be represented as simple JSON data structures. |
New | AI-17951 | IAM used as OAuth Client or OIDC Relying Party now supports Pushed Authentication Requests (PAR). |
New | AI-12130 | OAuth/OIDC consents may now be persisted in the IAM database. See OAuth 2.0 local consent and OAuth 2.0 OIDC consent persister configuration. |
Improvement | AI-18605 | SAML2 IDP: AuthnRequest IDs can now be up to 1000 characters long. They were limited to 50 characters before. |
Improvement | AI-18587 | Allow configuring two conditional claims with the same name (but exclusive conditions). |
Improvement | AI-18604 | Scopes on the Consent Step are now always displayed in the exact order in which they were requested by the client (or, if replaced by the scope policy, in the order used in the client's configuration). |
Bugfix | AI-17124 | The plugin OAuth 2.0 Credential Context Data Map can now also be used in the same authentication flow in which the OAuth 2.0 credential was created. |
Adminapp | ||
---|---|---|
New | AI-17836 | Adminapp: Two new URL parameters allow changing the redirect addresses for the login page and the after-logout URL of the Adminapp at runtime. See Adminapp UI configuration and access options for further information. |
New | AI-17844 | Option to display translated labels for roles in Adminapp user and admin management. See Customizing text elements in the Adminapp UI for further information. |
New | AI-17845 | Adminapp - user management: It is now possible to directly open a tab by its identifier. The tab identifiers are visible as URL fragments. See Adminapp UI configuration and access options for further information. |
New | AI-18243 | The configured Adminapp skin (background color) can now be overridden by passing a query parameter See Adminapp UI configuration and access options for further information. |
Bugfix | AI-18200 | Prevent screen overflows in the Adminapp UI. |
Bugfix | AI-17930 | Adminapp timeout now consistently results in a redirect to the login page. |
Bugfix | AI-17984 | For resources that support paging (such as the list of users), a globally applicable Default Page Size and a Max Page Size can now be configured (defaults are 500 and 5000). The Default Page Size applies if no |
Bugfix | AI-17455 | Generic token tab is no longer shown while its UI is deactivated. |
Miscellaneous | ||
---|---|---|
New | AI-10972 | IAM provides JVM and process metrics in OpenMetrics text format, Prometheus text, and Protobuf format. To enable the feature, the instance property |
New | AI-17741 | Support AWS KMS to store secret keys used for password end-to-end encryption and password hash encryption. |
New | AI-17552 | Support externalizing state for the transaction approval module. See Storing session state in an external Redis session repository for further information. |
New | AI-17208 | Externalized session state stored in a Redis repository can now be encrypted. To prevent session data loss, please read the documentation before enabling the feature in a running IAM cluster. See Storing session state in an external Redis session repository for further information. |
New | AI-18547 | When storing the session state in Redis, a namespace can now be configured. This allows storing the state of multiple IAM instances in one Redis instance. Redis keys now have a hierarchical format. The configuration option Use Legacy Key Format in the Redis State Repository configuration allows for backward compatibility with IAM 8.1. |
New | AI-15982 | The REST Client Config plugin now allows adding statically configured HTTP headers to REST requests. See config property Static Request Headers and Static REST Request Header Strategy. |
New | AI-16962 | The Password Batch Task and Credential Secret Batch Task in the Service Container can now be configured to delete the user's tokens (RememberMe and OAuth 2.0) when new credentials are generated. |
Improvement | AI-18175 | Security updates for Guava, Tomcat, and JDK. |
Improvement | AI-17558 | The Airlock IAM mapping templates in the IAM documentation have been updated from Airlock Gateway 7.6 to Gateway 8.0. This fixes some issues with trailing slashes, updates the deny rule exceptions, and updates the request header whitelist to use the native Gateway allow list feature. |
Improvement | AI-17388 | Added deny rule exceptions to Airlock Gateway mapping templates for SAML and OAuth 2.0 parameters. |
Improvement | AI-17499 | Improved configuration file handling: The Note that when it is disabled, the Config Editor does not show the activation states of the modules anymore. See also Storage and volumes. |
Improvement | AI-17932 | The LDAP Connection Pool plugin (used for LDAP and MSAD connections) requires LDAP servers to support TLS 1.2 or TLS 1.3. Older encrypted transport protocols such as SSL 3.0, TLS 1.0, and TLS 1.1 are no longer supported. |
Improvement | AI-18278 | Updates web dependencies to the latest versions, including major Angular updates for all applications. |
Improvement | AI-18971 | In mTAN (SMS) related events, all relevant mobile phone numbers are now available. |
Bugfix | AI-18337 | Fixed a bug in PDF rendering tasks that prevented the generated PDF documents from being moved from the "in-work" folder to the destination folder if the folders reside on different filesystems or volumes. |
Bugfix | AI-18416 | Config Editor: Overriding a plugin list in a non-default context with an explicit empty list could lead to exceptions. |
Bugfix | AI-18474 | Fix for the database migration script from 7.7 to 8.0 on Oracle when using SQL*Plus. |
Bugfix | AI-18206 | The license tag (and therefore usually the license bundle |
Bugfix | AI-18691 | Fixed state restoration on multi-instance setups. |
Bugfix | AI-18932 | Fix Loginapp and Adminapp to work with some older browser versions, especially Safari 16. |
Incubating features | ||
---|---|---|
New | AI-18153 | The SSI Authentication Step and SSI Passwordless Authentication Step now allow the configuration of additional claims that are verified in addition to the authentication information. |
New | AI-17576 | Allow the use of Lua scripts in the new auth flow step Scriptable Step. |