Airlock IAM 8.2 - Changelog

The following tables show the changes from Airlock IAM 8.1 to 8.2.

Airlock IAM 8.2.1

Bugfixes and improvements

Bugfix

AI-19020

SAML2: Gateway session is now correctly terminated for SP in an IdP-initiated SLO (single logout).

Bugfix

AI-19025

Library updates:

  • Updated crypto library BouncyCastle to 1.78: this update enforces the correct encoding of slashes (/) in X.509 certificate distinguished names (DNs). Unencoded slashes now lead to an exception for security reasons.
  • Updated Apache Tomcat to 9.0.88.
  • Updated JDK to 17.0.11+9.
  • Updated ubi-minimal (container base image) to 8.9-1161.
  • Various other library updates.

Bugfix

AI-19083

Added the missing key ID (kid) to JWTs when the key store contains multiple keys using the same algorithm.

Affected plugins:

  • JWT Access Token Private Key Signature
  • OIDC ID Token Private Key Signature
  • OpenID Connect Private Key JWT Client Authentication

Bugfix

AI-18974

mTLS client certificates can now be used in request authentication without Airlock Gateway settings.

Airlock IAM 8.2.0

Airlock 2FA

New

AI-17151

Support Airlock 2FA Online QR code login and approval. See Online QR code authentication.

New

AI-16465

Support Airlock 2FA Usernameless QR code login. See Usernameless QR code authentication.

New

AI-18437

Airlock 2FA now supports encryption of transaction data between Airlock IAM and the Futurae service.

See Airlock 2FA Settings plugin – global shared Airlock 2FA configuration for further information.

New

AI-17092

IAM now supports Futurae's bypass mode in Airlock 2FA plugins. It bypasses all Airlock 2FA checks for users with bypass enabled in the Futurae admin portal. The feature is primarily used for automating tests.

CAUTION: Use this feature with caution, as it disables Airlock 2FA checks and grants access without user interaction.

New

AI-18526

New username transformer plugin Airlock 2FA Username Transformer. It allows the user to log in using the Futurae account ID.

New

AI-18530

To support the seamless migration from an authenticator app such as the Airlock 2FA app to an app using the Futurae SDK, the scheme of the authentication URI returned by Futurae can be overridden in IAM's mobile-only 2FA authentication and approval steps.

New

AI-18531

The new auth flow step Airlock 2FA Delete Authentication Device Step unenrolls the Airlock 2FA device that was used to authenticate the end-user in the current flow. If no Airlock 2FA authentication was used before the new step, or if the user has only a single-app device registered, no device is unenrolled.

New

AI-18071

The priority of Airlock 2FA authentication factors to use (One-Touch, Online/Offline QR code, and Passcode) can now be configured not only for the Airlock 2FA Authentication Step but for all Airlock 2FA steps (self-services, approval steps, authentication step).

Improvement

AI-17769

Added more information to most log statements concerning Airlock 2FA actions, especially communication to the Futurae cloud service. Added information includes the Futurae session and user ID and improves both auditing and log correlation.

Bugfix

AI-18052

Airlock 2FA: Prevent unnecessary device selection prompts if multiple OTP hardware tokens are used.

Authentication and Loginapp

New

AI-16561

The Loginapp Design Kit now works on plain Windows without WSL. Please refer to Installation of the Loginapp Design Kit for further information.

New

AI-18145

New Resource Sets feature in Loginapp UI:

A new property UI Resource Set Rules in Loginapp >> UI Settings allows altering the complete Loginapp design customization based on the first matching rule. Currently, only a rule to match the Request URL Pattern is available.

See Customization with Resource Sets for further information.

New

AI-18239

New Custom CAPTCHA plugin that allows using your own custom CAPTCHA service (must be compatible with the reCAPTCHA API).

Note that the UI needs to be implemented using Loginapp Design Kit customization.

New

AI-18002

The Cronto push challenge page in the Loginapp now shows the display name of the Cronto device to which the push message has been sent.

New

AI-18362

"Push-to-all" option for Cronto in transaction approval flows. This feature allows sending a push message to all registered devices of a user.

New

AI-18375

Vasco OTP Public Self-Service Approval Step

The step to check a Vasco OTP can now be used to approve an operation in public self-service flows and protected self-service flows.

New

AI-17852

Support state externalization in RADIUS OTP Step.

For general information about state externalization, see Storing session state in an external Redis session repository.

New

AI-17691

Certificate Context Extractor can now be configured to work with Airlock Microgateway.

New

AI-18019

Support for the Envoy XFCC (x-forwarded-client-cert) HTTP header to extract the mTLS X.509 client certificate. The XFCC header must contain the certificate element (Cert) as specified by Envoy, with the URL-encoded PEM certificate as its value.

The Airlock Microgateway (or other Envoy proxies) must be configured to pass the XFCC header as-is to IAM.
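The following is an added example (not Airlock IAM or Envoy code) of what "passing the XFCC header as-is" means on the receiving side: it parses an Envoy x-forwarded-client-cert header into its elements, URL-decodes the Cert value, and recovers the DER bytes of the PEM certificate. The header layout (elements for successive proxies separated by ',', keys inside an element by ';', values double-quoted when they contain ',', ';' or '=') follows the Envoy documentation; the sample header is constructed and its base64 payload is a placeholder, not a real certificate. Which element of a multi-hop header to trust is a deployment decision; the example takes the last one.

```python
"""Parse an Envoy x-forwarded-client-cert (XFCC) header and recover the client certificate.

Added example, not Airlock IAM or Envoy code. The sample header and certificate body
below are constructed; the base64 payload is a placeholder, not a real X.509 certificate.
"""
from __future__ import annotations

import base64
import re
from urllib.parse import quote, unquote

_PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def _split_outside_quotes(text: str, delimiter: str) -> list[str]:
    """Split on `delimiter` but leave delimiters inside double quotes untouched."""
    parts, buf, in_quotes = [], [], False
    for ch in text:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == delimiter and not in_quotes:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return parts


def parse_xfcc(header: str) -> list[dict[str, str]]:
    """Return one dict of XFCC keys per element, in header order.

    Surrounding quotes are removed; values are returned still URL-encoded.
    """
    elements = []
    for element in _split_outside_quotes(header, ","):
        fields: dict[str, str] = {}
        for pair in _split_outside_quotes(element, ";"):
            if not pair.strip():
                continue
            key, sep, value = pair.partition("=")
            if not sep:
                raise ValueError(f"malformed XFCC field {pair!r}")
            fields[key.strip()] = value.strip().strip('"')
        elements.append(fields)
    return elements


def client_cert_der(header: str) -> bytes:
    """DER bytes of the certificate in the last XFCC element (appended by the proxy
    closest to IAM); raises ValueError if Cert is missing or is not exactly one PEM block."""
    fields = parse_xfcc(header)[-1]
    if "Cert" not in fields:
        raise ValueError("XFCC header carries no Cert element")
    blocks = _PEM_BLOCK.findall(unquote(fields["Cert"]))
    if len(blocks) != 1:
        raise ValueError("Cert value must contain exactly one PEM certificate")
    # strip PEM line breaks, then decode strictly so stray characters are rejected
    return base64.b64decode("".join(blocks[0].split()), validate=True)


# --- constructed sample: the shape of a header an Envoy-based proxy would forward ---
FAKE_DER = b"constructed placeholder - not a real X.509 certificate"
FAKE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(FAKE_DER).decode()
    + "-----END CERTIFICATE-----\n"
)
SAMPLE_XFCC = (
    "By=spiffe://cluster.local/ns/default/sa/iam;"
    "Hash=0123abcd;"
    'Cert="' + quote(FAKE_PEM, safe="") + '";'
    'Subject="CN=alice,O=Example AG"'
)

if __name__ == "__main__":
    print(parse_xfcc(SAMPLE_XFCC)[0]["Subject"])
    print(client_cert_der(SAMPLE_XFCC) == FAKE_DER)
```

The parser deliberately fails closed: a missing Cert element, a value that decodes to anything other than exactly one PEM block, or non-base64 bytes all raise instead of yielding a partial result, because the bytes this function returns are what a Certificate Authenticator would go on to validate.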

New

AI-18501

The plugins JWT Ticket EC Signer Settings and JWT Ticket RSA Signer Settings now add the certificate's kid to signed JWTs by default. The new property Include KID can be disabled to omit the kid if desired.

Improvement

AI-16812

Redirect the browser to the requested forward location even if the target application has been selected by application ID. To do so, the URL /ui/app/auth/application/access/<applicationId> now also accepts a Location parameter.

Improvement

AI-17757

Improved REST API naming consistency for the following calls:

  • The endpoint /public/authentication/username/identify is now also available as /public/authentication/user/identify.
  • The endpoint /public/self-service/username/identify is now also available as /public/self-service/user/identify.

The old endpoints may be removed in IAM 9.0.

Improvement

AI-17910

SAML2: Authentication instant attribute can now be configured to use a date format instead of milliseconds since epoch.

Improvement

AI-18169

In the Loginapp Design Kit, NodeJS is no longer downloaded per customization. An absolute path can be set in the SDK_NODE_BASE_FOLDER environment variable to define the location.

If no location is set, it is downloaded to <sdk base folder>/.internal/node-<version>.

See also Installation of the Loginapp Design Kit.

Improvement

AI-18082

The provided username can be included in SSO tickets and thus made available to target applications (like the Airlock IAM Adminapp).

Improvement

AI-18198

The log output written during the renewal (on login) and the deletion of a remember-me cookie has been improved.

Improvement

AI-118417

Updating the login statistics can now be disabled in the Default Authentication Processor plugin. This may be useful in certain use cases such as user representation.

See also User representation – representee configuration in the Loginapp REST API.

Bugfix

AI-9385

The Target URI Resolver in the Loginapp's authentication UI settings now prevents overly permissive patterns from allowing open redirects.

Disallowed patterns (like .*) prevent the migration of the configuration to 8.2 and must be adapted before migrating to IAM 8.2.

Bugfix

AI-18156

Block forward URIs containing a user info part (e.g. username:pwd@www.host.com) earlier in request processing. This improves security and prevents the URI from being logged.
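As an added example (not Airlock IAM code) of the two guard rails in the AI-9385 and AI-18156 entries, the block below validates a forward (target) URL the way a defender would: patterns in the target-URL allow list are refused at configuration time when they also match a constructed foreign URL (which is what makes a pattern like .* an open-redirect risk), and a forward URI carrying a userinfo part is blocked before any pattern matching and before anything could log it. The pattern syntax, the canary URLs and the fallback behaviour are this example's own assumptions, not a description of IAM's internals.

```python
"""Guard rails for the forward (target) URL a login flow redirects to after authentication.

Added example, not Airlock IAM code. The canary URLs, pattern syntax and fallback handling
are this example's assumptions.
"""
from __future__ import annotations

import re
from urllib.parse import urlsplit

# Constructed foreign URLs: an allow-list pattern that matches any of them would permit an
# open redirect to an arbitrary site, so such a pattern is refused at configuration time.
_CANARIES = (
    "https://foreign-host.invalid/",
    "https://foreign-host.invalid/any/path?x=1",
    "//foreign-host.invalid/",
)


def pattern_problem(pattern: str) -> str | None:
    """Return why `pattern` must not be used as a target-URL pattern, or None if acceptable."""
    try:
        compiled = re.compile(pattern)
    except re.error as exc:
        return f"invalid regular expression: {exc}"
    for canary in _CANARIES:
        if compiled.fullmatch(canary):
            return f"too permissive: matches the unrelated URL {canary}"
    return None


def forward_problem(forward: str) -> str | None:
    """Return why `forward` is blocked before any pattern matching, or None if it may be matched."""
    parts = urlsplit(forward)
    if "@" in parts.netloc:
        return "userinfo part (user:password@host) is not allowed in a forward URI"
    if parts.scheme not in ("", "http", "https"):
        return f"scheme {parts.scheme!r} is not allowed"
    return None


def resolve_target(forward: str, patterns: list[str], fallback: str) -> str:
    """Resolve the redirect target: `forward` if it is clean and matches an allow-list
    pattern, otherwise the configured `fallback`. Raises ValueError for a bad pattern."""
    for pattern in patterns:
        problem = pattern_problem(pattern)
        if problem:
            raise ValueError(f"pattern {pattern!r} rejected: {problem}")
    if forward_problem(forward) is not None:
        return fallback
    if any(re.fullmatch(p, forward) for p in patterns):
        return forward
    return fallback


if __name__ == "__main__":
    allowed = [r"https://www\.host\.example/.*", r"/app/.*"]
    print(resolve_target("https://www.host.example/dashboard", allowed, "/ui/app"))
    print(resolve_target("https://user:pwd@www.host.example/", allowed, "/ui/app"))
    print(pattern_problem(".*"))
```

Note that a scheme-less string such as username:pwd@www.host.com is parsed by urlsplit with "username" as its scheme, so it is also refused, by the scheme check rather than the userinfo check. The canary list is illustrative: it catches catch-all and scheme-only patterns, but a pattern with an unescaped dot in the host is still best caught by reviewing the configuration.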

Bugfix

AI-17662

GSID (global session ID) is correctly read from Airlock Gateway environment cookie AL_ENV_SESSION_ID in the one-shot feature of the Loginapp.

Bugfix

AI-18118

Fixed a bug where the "Login from new device" cookie was served without a path.

Bugfix

AI-18333

Fixed sporadic errors when skipping or disabling Cronto push activation.

Bugfix

AI-18263

The SAML relay state is now also propagated for the SP application and the default application. Before this fix, the default URL was propagated instead.

Bugfix

AI-18344

Fixed parsing of distinguished names (DNs): before the fix, non-escaped (and thus invalid) delimiter characters (such as / or =) in strings parsed to DNs were ignored. Non-escaped delimiters are no longer accepted.

Affected plugins: Certificate Authenticator, OAuth 2.0 Client Certificate (in static OAuth client configuration).
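To make the distinction concrete, here is an added example (not Airlock IAM or BouncyCastle code) of a strict RFC 4514 DN string parser with the behaviour this entry and the AI-19025 BouncyCastle update describe: a delimiter inside an attribute value must be backslash-escaped, and an unescaped one raises an error instead of being silently skipped. Which characters count as delimiters (the RFC 4514 specials plus the / named in these entries) and the simplification that + (multi-valued RDN) is treated like , are this example's assumptions.

```python
"""Strict parser for RFC 4514 distinguished-name (DN) strings.

Added example, not Airlock IAM or BouncyCastle code. The delimiter set (RFC 4514 specials
plus '/') and the flattening of '+' into ',' are this example's assumptions.
"""
from __future__ import annotations

import string

_RDN_SEPARATORS = {",", ";", "+"}                  # end the current attribute value
_FORBIDDEN_IN_VALUE = {"=", "/", '"', "<", ">"}    # must be escaped inside a value ('/' per entry)
_ESCAPABLE = _RDN_SEPARATORS | _FORBIDDEN_IN_VALUE | {"\\", " ", "#"}


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Parse `dn` into (attribute type, value) pairs; raise ValueError on unescaped delimiters."""
    rdns: list[tuple[str, str]] = []
    i, n = 0, len(dn)
    while i < n:
        eq = dn.find("=", i)
        if eq == -1:
            raise ValueError(f"missing '=' in RDN at offset {i}")
        attr_type = dn[i:eq].strip()
        if not attr_type or not attr_type.replace(".", "").replace("-", "").isalnum():
            raise ValueError(f"invalid attribute type {attr_type!r}")
        i = eq + 1
        parts: list[tuple[bytes, bool]] = []  # (UTF-8 bytes, was_escaped)
        while i < n:
            ch = dn[i]
            if ch == "\\":
                if i + 1 >= n:
                    raise ValueError("dangling escape at end of DN")
                nxt, pair = dn[i + 1], dn[i + 1:i + 3]
                if nxt in _ESCAPABLE:
                    parts.append((nxt.encode(), True))
                    i += 2
                elif len(pair) == 2 and all(c in string.hexdigits for c in pair):
                    parts.append((bytes([int(pair, 16)]), True))  # \XX escape: one UTF-8 byte
                    i += 3
                else:
                    raise ValueError(f"invalid escape sequence at offset {i}")
            elif ch in _RDN_SEPARATORS:
                break
            elif ch in _FORBIDDEN_IN_VALUE:
                raise ValueError(f"unescaped {ch!r} in value of {attr_type} at offset {i}")
            else:
                parts.append((ch.encode(), False))
                i += 1
        # unescaped leading/trailing spaces are insignificant; escaped ones ("\ ") are kept
        while parts and parts[0] == (b" ", False):
            parts.pop(0)
        while parts and parts[-1] == (b" ", False):
            parts.pop()
        if not parts:
            raise ValueError(f"empty value for {attr_type}")
        rdns.append((attr_type, b"".join(p for p, _ in parts).decode("utf-8")))
        if i < n:  # stopped on a separator: consume it and require another RDN to follow
            i += 1
            if i >= n:
                raise ValueError("trailing RDN separator")
    return rdns


def is_valid_dn(dn: str) -> bool:
    """True if `dn` parses under the strict rules above."""
    try:
        parse_dn(dn)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(parse_dn(r"CN=Alice\, Jr.,O=Example\/Corp,C=CH"))
    print(is_valid_dn("CN=Alice/Example,O=Example AG"))  # lenient parsers used to accept this
```

The practical consequence matches the migration note on the BouncyCastle update: a configured DN such as CN=Alice/Example that a lenient parser accepted now fails, and the slash has to be written as \/ for the DN to parse.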

Bugfix

AI-18165

Various Loginapp UI fixes. See Loginapp UI Customizations Fix in 8.0.4 and 8.1.1 for further details.

Bugfix

AI-17359

Fixed bug when using the User Identity Map outside of authentication flows.

Bugfix

AI-18110

The Required Role Step has been removed. The configuration migration ensures that an equivalent Abort Step is automatically used instead.

Bugfix

AI-18476

Fixes a bug that caused Airlock IAM to ignore private IP addresses sent by Airlock Gateway or Airlock Microgateway via HTTP header.

Bugfix

AI-18715

Forward location URIs passed to the Loginapp may now contain commas.

Bugfix

AI-18690

Fixed rejection of previously used TOTPs in multi-instance setups.

Bugfix

AI-17222

Fixed bug in testlet for temporary locking.

Flows

New

AI-17896

The Username Password Authentication Step now supports CAPTCHAs.

New

AI-17638

Protected Self-Service Flows can now be used without a user data source (persistency-less). This may be helpful when users are authenticated by persistency-less authentication flows. Such users can now also use certain self-services, e.g. start user representation.

There are some limitations, e.g. self-services editing user data will work but cannot persist the changes. Please refer to the documentation of the corresponding plugins in the Config Editor.

New

AI-18525

New approval steps for FIDO/Passkeys in public and protected self-services:

  • FIDO Public Self-Service Approval Step
  • FIDO Self-Service Approval Step

Improvement

AI-18505

The Template-based String Provider now provides a JSON Encoder.

Bugfix

AI-18510

The Template-based String Provider now correctly supports templates with literal curly braces (which are not part of a variable).

Bugfix

AI-18387

Fixed handling of CAPTCHAs when using dynamic step activation.

Bugfix

AI-18189

Using the plugin Email Item Definition in a self-registration flow was never supported and resulted in REST error responses. Configuring this non-functional setup is now prevented in the Config Editor.

Bugfix

AI-18044

The Loginapp UI now appends query parameters and fragments to URLs in the correct order.

OAuth / OIDC / SAML

New

AI-7099

Support OIDC Hybrid Flow (IAM as Authorization Server/OpenID provider).

New

AI-18045

State externalization now also supports SAML.

See Storing session state in an external Redis session repository for further information.

New

AI-17864
AI-17989
AI-17991

New flow condition that matches when a flow was started via OpenID Connect with prompt=none.

See Non-interactive OIDC authentication in IAM flows for further information.

New

AI-13157

New claim config plugins that allow including the client ID and the session ID in JWT access tokens:

  • Client ID Token Claim
  • Session ID Token Claim
  • Custom Client ID Claim
  • Custom Session ID Claim

New

AI-17946

OpenID Connect relying parties (clients) can now send custom authentication request parameters such as idp_hint to the OpenID Provider (Authorization Server). The parameters' values can include context data and be represented as simple JSON data structures.

New

AI-17951

IAM used as OAuth Client or OIDC Relying Party now supports Pushed Authentication Requests (PAR).

New

AI-12130

OAuth/OIDC consents may now be persisted in the IAM database.

See OAuth 2.0 local consent and OAuth 2.0 OIDC consent persister configuration.

Improvement

AI-18605
AI-18149

SAML2 IDP: AuthnRequest IDs can now be up to 1000 characters long. They were limited to 50 characters before.

Improvement

AI-18587

Allow configuring two conditional claims with the same name (but exclusive conditions).

Improvement

AI-18604

Scopes on the Consent Step are now always displayed in the exact order as they were requested by the client (or if being replaced by the scope policy, the order used in the configuration of the client).

Bugfix

AI-17124

The plugin OAuth 2.0 Credential Context Data Map can now also be used in the same authentication flow in which the OAuth 2.0 credential was created.

Adminapp

New

AI-17836

Adminapp: Two new URL parameters allow dynamic change of the redirect addresses for the login page and the after-logout URL of the Adminapp at runtime.

See Adminapp UI configuration and access options for further information.

New

AI-17844

Option to display translated labels for roles in Adminapp user and admin management.

See Customizing text elements in the Adminapp UI for further information.

New

AI-17845

Adminapp - user management: It is now possible to directly open a tab by its identifier. The tab identifiers are visible as URL fragments.

See Adminapp UI configuration and access options for further information.

New

AI-18243

The configured Adminapp skin (background color) can now be overridden by passing a query parameter skin.

See Adminapp UI configuration and access options for further information.

Bugfix

AI-18200

Prevent screen overflows in the Adminapp UI.

Bugfix

AI-17930

Adminapp timeout now consistently results in a redirect to the login page.

Bugfix

AI-17984

For resources that support paging (such as the list of users), a globally applicable Default Page Size and a Max Page Size can now be configured (defaults are 500 and 5000). The Default Page Size applies if no page[limit] query parameter is transmitted. If that parameter is transmitted, it must not exceed Max Page Size.

Bugfix

AI-17455

Generic token tab is no longer shown while its UI is deactivated.

Miscellaneous

New

AI-10972

IAM provides JVM and process metrics in OpenMetrics text, Prometheus text, and Protobuf format.

To enable the feature, the instance property iam.metrics.port has to be set to an unused port.

See Metrics (Prometheus, OpenMetrics).

New

AI-17741

Support AWS KMS to store secret keys used for password end-to-end encryption and password hash encryption.

See AWS KMS support for password encryption.

New

AI-17552

Support externalizing state for the transaction approval module.

See Storing session state in an external Redis session repository for further information.

New

AI-17208

Externalized session state stored in a Redis repository can now be encrypted. To prevent session data loss, please read the documentation before enabling the feature in a running IAM cluster.

See Storing session state in an external Redis session repository for further information.

New

AI-18547

When storing the session state in Redis, a namespace can now be configured. This allows storing the state of multiple IAM instances in one Redis instance.

Redis keys now have a hierarchical format. The configuration option Use Legacy Key Format in the Redis State Repository configuration allows for backward compatibility with IAM 8.1.

New

AI-15982

The REST Client Config plugin now allows adding statically configured HTTP headers to REST requests. See config property Static Request Headers and Static REST Request Header Strategy.

New

AI-16962

The Password Batch Task and Credential Secret Batch Task in the Service Container can now be configured to delete the user's tokens (RememberMe and OAuth 2.0) when new credentials are generated.

Improvement

AI-18175

Security updates for Guava, Tomcat, and JDK.

Improvement

AI-17558

The Airlock IAM mapping templates in the IAM documentation have been updated from Airlock Gateway 7.6 to Gateway 8.0. This fixes some issues with trailing slashes, updates the deny rule exceptions, and updates the request header whitelist to use the native Gateway allow list feature.

Improvement

AI-17388

Added deny rule exceptions to Airlock Gateway mapping templates for SAML and OAuth 2.0 parameters.

Improvement

AI-17499

Improved configuration file handling: The .activated-configs directory location can now be configured or disabled completely using the instance property iam.activated-configs.dir.

Note that when it is disabled, the Config Editor does not show the activation states of the modules anymore.

See also Storage and volumes.

Improvement

AI-17932

The LDAP Connection Pool plugin (used for LDAP and MSAD connections) now requires LDAP servers to support TLS 1.2 or TLS 1.3.

Older encrypted transport protocols such as SSL 3.0, TLS 1.0, and TLS 1.1 are no longer supported.

Improvement

AI-18278

Updates web dependencies to the latest versions, including major Angular updates for all applications.

Improvement

AI-18971

In mTAN (SMS) related events, all relevant mobile phone numbers are now available.

Bugfix

AI-18337

Fixed a bug in PDF rendering tasks that prevented the generated PDF documents from being moved from the "in-work" folder to the destination folder if the folders reside on different filesystems or volumes.

Bugfix

AI-18416

Config Editor: Overriding a plugin list in a non-default context with an explicit empty list could lead to exceptions. This has been fixed.

Bugfix

AI-18474

Fix for the database migration script from 7.7 to 8.0 on Oracle when using SQL*Plus.

Bugfix

AI-18206

Because of a bug, the following plugins accidentally did not require the license tag EndToEndPasswordEncryption in IAM 8.0 and 8.1:

  • Default End-To-End Encryption Password Repository
  • JWE Password Decryption

The license tag (and therefore usually the license bundle ENCRYPTION) is required again.

Bugfix

AI-18691

Fixed state restoration on multi-instance setups.

Bugfix

AI-18932

Fix Loginapp and Adminapp to work with some older browser versions, especially Safari 16.

Incubating features

New

AI-18153

The SSI Authentication Step and SSI Passwordless Authentication Step now allow the configuration of additional claims that are verified in addition to the authentication information.

New

AI-17576

Lua scripts can now be used in the new auth flow step Scriptable Step.

See Scriptable step overview - an incubating feature.