Airlock IAM 8.2 - Changelog

Correctly set state repository locks after restoring the session from the session ticket.

Prevent a null pointer exception during Cronto activation.

Fixed a memory leak in plugin injection.

Fixed an issue in the Loginapp Design Kit: the Airlock2FA usernameless page was constantly refreshed.

Fixed an issue that prevented representation of locked users after authentication.

SAML2: Gateway session is now correctly terminated for SP in an IdP-initiated SLO (single logout).

Added missing key ID (kid) in JWTs in key stores containing multiple keys with the same algorithms.

• Affected plugins
• JWT Access Token Private Key Signature
• OIDC ID Token Private Key Signature
• OpenID Connect Private Key JWT Client Authentication

Support Airlock 2FA Online QR code login and approval. See Online QR code authentication.

Airlock 2FA now supports encryption of transaction data between Airlock IAM and the Futurae service.

See Airlock 2FA Settings plugin – global shared Airlock 2FA configuration for further information.

New username transformer plugin Airlock 2FA Username Transformer. It allows the user to log in using the Futurae account ID.

The new auth flow Step Airlock 2FA Delete Authentication Device Step unenrolls the Airlock 2FA device that was used to authenticate the end-user in the current flow. If no Airlock 2FA authentication was used before the new step or if the user has only a single-app device registered no device is unenrolled.

Added more information to most log statements concerning Airlock 2FA actions, especially communication to the Futurae cloud service. Added information includes the Futurae session and user ID and improves both auditing and log correlation.

The Loginapp Design Kit now works on plain Windows without WSL. Please refer to Installation of the Loginapp Design Kit for further information.

New Custom CAPTCHA plugin that allows the usage of own custom CAPTCHA services (must be compatible with the reCAPTCHA API).

Note that the UI needs to be implemented using Loginapp Design Kit customization.

"Push-to-all" option for Cronto in transaction approval flows. This feature allows to send a push message to all registered devices of a user.

Support state externalization in RADIUS OTP Step.

For general information about state externalization, see Storing session state in an external Redis session repository.

Support for Envoy XFCC HTTP header to extract the mTLS X.509 client certificate. The XFCC header must contain the certificate key as specified by Envoy including the URL-encoded PEM certificate.

The Airlock Microgateway (or other Envoy proxies) must be configured to pass the XFCC header as-is to IAM.

Redirect the browser to the requested forward location even if the target application has been selected by application ID. To do so /ui/app/auth/application/access/<applicationId> URL now also accepts a Location parameter.

SAML2: Authentication instant attribute can now be configured to use a date format instead of milliseconds since epoch.

The provided username can be included in SSO tickets and thus made available to target applications (like the Airlock IAM Adminapp).

Updating the login statistics can now be disabled in the Default Authentication Processor plugin. This may be useful in certain use cases such as user representation.

See also User representation – representee configuration in the Loginapp REST API.

Block forward URIs containing a user info part (e.g. username:pwd@www.host.com) earlier in request processing. This improves security and prevents the URI from being logged.

Fixed a bug where the "Login from new device"-cookie was served without a path.

The SAML relay state is now also propagated for SP- and the default application. Before this fix the default URL was propagated.

Various Loginapp UI fixes. See Loginapp UI Customizations Fix in 8.0.4 and 8.1.1 for further details.

The Required Role Step has been removed. The configuration migration ensures that an equivalent Abort Step is automatically used instead.

Forward location URIs passed to the Loginapp may now contain commas.

The Username Password Authentication Step now supports CAPTCHAs.

• New approval steps for FIDO/Passkeys in public and protected self-services:
• FIDO Public Self-Service Approval Step
• FIDO Self-Service Approval Step

The Template-based String Provider now correctly supports templates with literal curly braces (which are not part of a variable).

Using the plugin Email Item Definition in a self-registration flow was never supported and resulted in REST error responses. Configuring this non-functional setup is now prevented in the Config Editor.

Support OIDC Hybrid Flow (IAM as Authorization Server/OpenID provider).

New flow condition that matches when flows started using OpenID Connect with prompt=none.

See Non-interactive OIDC authentication in IAM flows for further information.

OpenID Connect relying parties (clients) can now send custom authentication request parameters such as idp_hint to the OpenID Provider (AuthorizationServer). The parameters' value can include context data and be represented as simple JSON data structures.

OAuth/OIDC consents may now be persisted in the IAM database.

See OAuth 2.0 local consent and OAuth 2.0 OIDC consent persister configuration.

Allow configuring two conditional claims with the same name (but exclusive conditions).

Adminapp: Two new URL parameters allow dynamic change of the redirect addresses for the login page and the after-logout URL of the Adminapp at runtime.

See Adminapp UI configuration and access options for further information.

Adminapp - user management: It is now possible to directly open a tab by its identifier. The tab identifiers are visible as URL fragments.

See Adminapp UI configuration and access options for further information.

Prevent screen overflows in the Adminapp UI.

For resources that support paging (such as the list of users), a globally applicable Default Page Size and a Max Page Size can now be configured (defaults are 500 and 5000). The Default Page Size applies if no page[limit] query parameter is transmitted. If that parameter is transmitted, it must not exceed Max Page Size.

IAM provides JVM and process metrics in OpenMetrics text format, Prometheus text, and Protobuf format.

To enable the feature, the instance property iam.metrics.port has to be set to an unused port.

See Metrics (Prometheus, OpenMetrics).

Support externalizing state for the transaction approval module.

See Storing session state in an external Redis session repository for further information.

When storing the session state in Redis, a namespace can now be configured. This allows storing the state of multiple IAM instances in one Redis instance.

Redis keys now have a hierarchical format. The configuration option Use Legacy Key Format in the Redis State Repository configuration allows for backward compatibility with IAM 8.1.

The Password Batch Task and Credential Secret Batch Task in the Service Container can now be configured to delete the user's tokens (RememberMe and OAuth 2.0) when new credentials are generated.

The Airlock IAM mapping templates in the IAM documentation have been updated from Airlock Gateway 7.6 to Gateway 8.0. This fixes some issues with trailing slashes, updates the deny rule exceptions, and updates the request header whitelist to use the native Gateway allow list feature.

Improved configuration file handling: The .activated-configs directory location can now be configured or disabled completely using the instance property iam.activated-configs.dir.

Note that when it is disabled, the Config Editor does not show the activation states of the modules anymore.

See also Storage and volumes.

Updates web dependencies to the latest versions, including major Angular updates for all applications.

Fixed a bug in PDF rendering tasks that prevented the generated PDF documents from being moved from the "in-work" folder to the destination folder if the folders reside on different filesystems or volumes.

Fix for database migration script from 7.7 to 8.0 on Oracle when using Sql*Plus.

Fixed state restoration on multi-instance setups.

The SSI Authentication Step and SSI Passwordless Authentication Step now allow the configuration of additional claims, that are verified in addition to the authentication information.