| | | IAM now requires Postgres version >= 12. Upgrade the Postgres installation to a version >= 12. | |
| | | Because of the update to Tomcat 10, there have been changes to the access log format, defined by the instance property iam.web-server.access-log.format.simple.pattern. The following two patterns now behave differently:
- %D - The time taken to process the request is now logged in microseconds instead of milliseconds.
- %T - The time taken to process the request was previously written with millisecond precision. Now, it logs only whole seconds, and the millisecond resolution is no longer written to the log.
Please check if these patterns were used by your deployment, and adjust your logging parameters accordingly if necessary. The new pattern %{xxx}T can be used to specify other precisions, see https://tomcat.apache.org/tomcat-10.1-doc/config/valve.html#Access_Log_Valve for possible values.
| |
| | | To preserve backward compatibility, the correlation ID (new feature) is not present in the main log files by default. If the correlation ID should appear in the main log as well, then the following value needs to be added to the property iam.log.main.pattern: %e{mdc\:CORRELATION_ID}
Example: iam.log.main.pattern = %d{DEFAULT} %-5p [IAM - ${sys\:iam.instance.name} - ${applicationName} - SID\: %18e{mdc\:GSID\:0} - RID\: %18e{mdc\:REQUEST_ID\:0} - CORR_ID\: %e{mdc\:CORRELATION_ID}] | %e{header\:3}%c{1}\: %m%n
The Correlation ID is currently not supported for the Parsable Log Files (Adminapp Log Viewer). | |
| | | The default CORS Settings have become slightly stricter. The strict behavior can be activated in the CORS Settings by activating the flag Strict CORS Validation. Note that this may lead to connection issues in some setups. | |
| Gateway and Microgateway mapping templates | | The new mapping templates for the Adminapp for Airlock Gateway and Microgateway use security level STRICT (and no longer STANDARD). If this causes false positives when accessing the Adminapp, then resetting the Security Level on the Adminapp Deny Rule Groups to STANDARD may help reduce false positives. | |
| | | The translation text of user.failed-logins.one-shot-radius in the Adminapp has been changed to "Non-flow logins" (and analogous translations for French and German). It used to be "One-Shot/Radius". If you wish to retain "One-Shot/Radius", the translation needs to be overridden. | |
| OAuth/OIDC custom claims in DB | | OAuth/OIDC access and ID token claims can now be persisted in the database so they are available for later identity propagation and during token refresh. If using this feature, a database schema upgrade is required. | |
| OAuth/OIDC and Airlock 2FA Approval and Mobile Only Steps | | In Airlock IAM 8.2.0, generated URLs could be wrong if there is no path part after the host: an unnecessary slash was added in some cases. This only affects OAuth 2.0/OIDC redirect URIs and 2FA Scheme Overrides in the Airlock 2FA Mobile Only Authentication Step and the 2FA Approval Steps in the self-services, and transaction approval. If relying on the wrong URIs that have been produced since 8.2.0, the consuming side might need to be adapted to expect the now fixed URIs without a trailing slash before the query or fragment part. | |
| Airlock 2FA event processing | | Note that the Airlock 2FA Delete Old Devices Step now also produces the Airlock 2FA Device Deleted event. If already subscribing to this event when introducing the new step into flows, the (existing) event subscriber(s) may have to be adapted to either filter on the event source (step or flow) or make event handling more general. | |
| | | The plugin Cronto Push Notification Sender no longer supports property Android API Key since Google removed support for this method in June 2024. Remove the property Android API Key and configure Firebase Service Account JSON instead. | |
| | | The log entry "User identification failed, not checking password: USER_INVALID." was changed to "User validation failed, not checking password: USER_INVALID.". If the log is evaluated by tools, their configuration may need to be changed. | |
| | | Airlock Gateway 8.3 and newer no longer issue anomaly state "redeemed". Anomaly Shield State Risk Extractor configurations expecting this state should be reconfigured. | |
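
For tools that evaluate the changed USER_INVALID log entry, a matcher that accepts both wordings keeps detection working while old and new instances run side by side. This is an added example, not Airlock IAM code; the sample lines are constructed, and their layout (including the optional CORR_ID field) is an assumption based on the example value of iam.log.main.pattern above.

```python
import re
from collections import Counter

# Both wordings from the release note: before and after the upgrade.
USER_INVALID = re.compile(
    r"User (?P<wording>identification|validation) failed, "
    r"not checking password: USER_INVALID\."
)
# CORR_ID only appears if iam.log.main.pattern was extended, so it is optional.
CORR_ID = re.compile(r"CORR_ID: (?P<corr>[^\]\s]+)\]")

# Constructed sample lines; timestamps, IDs and logger names are invented.
SAMPLE_LOG = """\
2024-11-05 10:15:01,120 INFO  [IAM - auth - loginapp - SID: s1 - RID: r1] | SampleLogger: User identification failed, not checking password: USER_INVALID.
2024-11-05 10:15:02,431 INFO  [IAM - auth - loginapp - SID: s2 - RID: r2 - CORR_ID: c-42] | SampleLogger: User validation failed, not checking password: USER_INVALID.
2024-11-05 10:15:03,007 INFO  [IAM - auth - loginapp - SID: s3 - RID: r3] | SampleLogger: unrelated constructed message
2024-11-05 10:15:04,918 INFO  [IAM - auth - loginapp - SID: s4 - RID: r4] | SampleLogger: User validation failed, not checking password: USER_INVALID.
"""


def scan(lines):
    """Return one finding per USER_INVALID line, whichever wording it uses."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        match = USER_INVALID.search(line)
        if not match:
            continue
        corr = CORR_ID.search(line)
        findings.append({
            "line": lineno,
            "wording": "old" if match.group("wording") == "identification" else "new",
            "correlation_id": corr.group("corr") if corr else None,
        })
    return findings


def summarize(findings):
    """Count findings per wording, to see which instances still log the old text."""
    return Counter(f["wording"] for f in findings)


if __name__ == "__main__":
    results = scan(SAMPLE_LOG.splitlines())
    for finding in results:
        print(finding)
    print(dict(summarize(results)))
```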