IAM 8.5 - Changelog

Airlock IAM 8.5.0

The following tables show the changes from Airlock IAM 8.4 to 8.5.

Config automation features

New

AI-20195

A new CLI command iam config check-license, which checks the license coverage of a configuration.

See Configuration CLIs.

Improvement

AI-20652

The YAML config format now uses a short representation for the “type” field, replacing fully qualified class names. Configuration files can be migrated automatically using the config upgrade CLI. Scripts must be adapted manually.

See IAM 8.5 - Required upgrade actions for more information.

Improvement

AI-19778

The iam init command now creates new instances with the YAML configuration by default.

To create an XML-based instance, provide the --xml option.

Authentication and Loginapp

New

AI-17547

New domain events for a password change in public self-service flows and password letter orders (Loginapp self-service and Adminapp).

See also Event producers.

New

AI-16000

AI-16087

The Airlock 2FA Activation Step now contains the new boolean property Provide Short Activation Code. If enabled, a 16-digit activation code is provided as an additional activation method.

The Airlock 2FA 16-digit activation code can also be printed on the activation letters.

See Token enrollment.

New

AI-20738

New plugin Username Password with FIDO Authentication Step. It allows users to log in using passkeys through a browser-integrated dialog, while offering a username/password fallback on the same page.

CAPTCHAs are not supported. All other features of the Username Password Authentication Step and the FIDO Passwordless Authentication Step are supported.

See Use case: FIDO passkeys as first auth factor in IAM.

New

AI-21263

New plugin User Identification with FIDO Authentication Step. It allows users to log in using passkeys through a browser-integrated dialog, while offering a “user identification” fallback.

CAPTCHAs are not supported. All other features of the Username Identification Step and the FIDO Passwordless Authentication Step are supported.

See Use case: FIDO passkeys as first auth factor in IAM.

New

AI-19121

AI-19027

AI-20624

The new Gateway Session Terminator event subscriber allows terminating Airlock Gateway sessions when certain events occur, such as the changing of a user's password.

See Event subscribers and Gateway Session Terminator.

Improvement

AI-19061

The new plugin Phone Numbers from String Value Providers for the SMS Event Subscriber allows you to configure value providers to dynamically supply recipient phone numbers.

See SMS Event Subscriber and Phone Numbers from String Value Providers - Use case.

Improvement

AI-20700

The INFO log messages include a new field showing the transport mode of Airlock 2FA messages to Futurae. Possible values are jwe or plain_text_array.

Improvement

AI-19574

For security reasons, the display name of an Airlock 2FA device can no longer consist of only whitespace characters.

Improvement

AI-20599

The mTAN authentication/approval steps now include the option to always prompt the end-user to select a number, even if only one end-user number is available.

Improvement

AI-20875

The Device Token Authentication Step now includes an option to give feedback if the requested device ID does not exist.

Improvement

AI-20820

Added an option to the OCSP Certificate Status Checker to disable nonce validation.

Improvement

AI-20510

SSI now includes functionality to communicate with the Public Beta of the Swiss E-ID (swiyu).

Improvement

AI-20701

Local deployments to the Procivis One core can now be configured as a service in SSI steps.

Improvement

AI-21211

Improved the stability of the Loginapp and the Design Kit UI.

Bugfix

AI-19514

Fixed a bug in the Remember-Me Identifying Step, where the step was skipped in the case of concurrent access. Now, the step fails.

Bugfix

AI-20762

Fixed an access issue that occurred when the state repository used encryption.

Bugfix

AI-20840

Fixed a bug where the JWKS endpoint did not return keys for keystores with empty passwords.

Flows

New

AI-19451

  • IAM now supports OATH OTP as an approval step in public self-services through the new Public Self-Service OATH OTP Approval Step.
  • The Airlock 2FA Approval Step now supports passcodes as an approval factor in public and protected self-service flows, as well as in transaction approval flows.

New

AI-20539

AI-21066

Airlock One-Shot authentication is now possible with flows (not all credential types are supported yet).

See One-shot authentication with flows.

New

AI-17221

Added a new condition Login from new Device, which evaluates to true when the user logs in from a device for the first time.

New

AI-20909

The User Lock Step is now also available in public self-service and authentication flows. The User Locked events generated by the User Lock Step now contain the configured lock reason instead of a generic one.

Improvement

AI-20970

The Password Letter Order Step is now also available for protected self-service and authentication flows. Until now, it was only supported in public self-service flows.

See Password letters.

Bugfix

AI-21278

Fixed an injection error that occurred when using the Edited Context Data Map in authentication flows.

Bugfix

AI-21106

Fixed a bug where entering an invalid date during user self-registration caused an unexpected error. Date value validation on the user data registration page has also been improved.

OAuth / OIDC / SAML

New

AI-20267

AI-20271

The new OAuth2 Access Token String Value Provider plugin now allows retrieving an access token via the Client Credential Grant.

The access token is cached and can be used to authenticate IAM calls to external services. Basic Auth, Private Key JWT and mTLS authentication are supported. 

New

AI-20594

AI-20597

  • The IAM OpenID Provider now supports OIDC back-channel logout.
  • The property Delete Tokens on Logout of the OAuth 2.0/OIDC Authorization Server plugin now provides three modes: None, Session and All. If this feature was previously enabled, we recommend selecting Session as the deletion strategy.

See Support for OIDC back-channel logout and OAuth AS/OP configuration - Advanced settings.

New

AI-19879

AI-19675

During a SAML2 Single Logout (SLO), requests to rest/public/authentication and /login-oneshot are now blocked, preventing other users from logging in on the same Gateway session.

New

AI-6448

  • IAM as SP now supports multiple signing certificates in the same IDP metadata file; simply add the certificates to the file.
  • IAM as IDP now supports multiple signing certificates in the same SP metadata file; simply add the certificates to the file.

This new feature is especially useful during key renewal, since it allows both the old and new keys to remain active during the transition. See also Asynchronous renewal of the public key in the signing certificate.

Improvement

AI-20363

During OAuth 2.0 dynamic client registration, the client can now specify the client ID.

Improvement

AI-20519

In the OAuth 2.0 Token Exchange plugin, subject token validation is now configured per token exchange rule, in the Token Exchange Rules plugin.

See also Token Exchange Configuration.

Improvement

AI-20673

AI-21204

AI-20751

  • Improved the efficiency of the Oracle cleanup tasks for OAuth 2.0 tokens and the User Trail log.
  • The OAuth 2.0 Clean-up Task now deletes sessions in batches. This change reduces locks and long-running transactions in the oauth2_session table.

Improvement

AI-21266

Added deny rule exceptions for SQL injection to the mapping templates. This change allows Airlock IAM, when acting as OAuth 2.0 Client or OIDC Relying Party, to accept a wider variety of authorization codes.

Improvement

AI-20895

The OpenAPI specification of the Loginapp API Security now also contains protection for the OAuth2 endpoints. An update of the Gateway mappings is recommended.

Bugfix

AI-20870

Fixed a bug where the Session Context Retention policy did not support OIDC requests using prompt=none.

Bugfix

AI-21002

AI-21203

Fixed a bug where OAuth 2.0/OIDC client authentication with private_key_jwt incorrectly required the presence of a not-before (nbf) claim in the JWT. As stated in the specification, the nbf claim is not a required claim.

Adminapp and Config Editor

New

AI-20736

AI-19447

The new Adminapp property Admin Cannot Delete User With Same Name prevents admin users from deleting end-users with the same username. It ensures that administrators do not accidentally delete their own accounts.

See The User Details dialog in the Adminapp.

New

AI-21129

  • License and Usage Analytics is now a mandatory property in the Adminapp configuration.
  • During iam init and iam reset (in certain scenarios also iam upgrade), one must now decide whether to enable License Analytics or Usage Analytics.

See License and usage analytics.

New

AI-20233

Usage Analytics now uses a sanitized version of the IAM configuration with all sensitive data removed.

Improvement

AI-21050

  • New value providers that transform strings:
    • Date From String Value Provider
    • Date-Time From String Value Provider
  • The Set Context Data Step can now also set a Date Context Data item (for example, a birthday).

Improvement

AI-20947

Subscribers of user-created events can now filter for specific context data values.

See Event filtering.

Improvement

AI-21384

The Start Configuration configuration template has been improved:

  • All plugins now have meaningful names instead of random IDs. This provides a better basis for config automation.
  • The password check authentication step now uses the default policy for “on-login” policy checks.
  • The template now includes config variables for the properties configuring the connection to the database.

Improvement

AI-20940

The Vasco Cronto Handler plugin now includes a new property: Account Token Usages Threshold. This property ensures that Vasco account tokens assigned to new users have not already been used too often.

Improvement

AI-18846

Updated the IAM demo helm chart to support parameterization of additional volumes.

Bugfix

AI-18056

All administrators, regardless of their permissions, can now choose how many user activities are shown in the user's Activities tab in the Adminapp. Previously, this setting's radio buttons were disabled.

Bugfix

AI-19591

Fixed a bug in the Adminapp SPA where selection values were sent as strings to the backend instead of booleans and numbers.

Bugfix

AI-19659

Fixed some UI issues in the Vasco OTP dialog that lists available tokens in the Adminapp.

Bugfix

AI-20486

The Vasco tokens screens in the Adminapp (both for Vasco Cronto and Vasco OTP) now allow importing new licenses while the token statistics are still loading.

Bugfix

AI-20774

Fixed a bug in the Adminapp that caused an exception when displaying Airlock 2FA activation letters generated by IAM versions <= 8.3. These letters contained a nullable Airlock2FAActivationCodeShort, which triggered the error.

Bugfix

AI-20790

Fixed an issue where plugin dependencies from Loginapp or Adminapp modules could no longer be used in the Service Container.

Bugfix

AI-20890

Fixed a bug that could cause a null pointer exception when rolling back to the last successfully activated configuration after an activation failure.

Bugfix

AI-21033

Fixed a bug that caused the XML import to fail on certain input.

Bugfix

AI-21200

Fixed a bug that caused user management extensions to occasionally catch outdated user IDs.

Miscellaneous

New

AI-20758

Loginapp/Adminapp: Browser support is now defined by the “widely available” support definition of Baseline (see also Baseline definition).

This means that the following browsers are no longer supported:

  • Android 137
  • Opera Mini 80
  • Opera 117 and 116
  • Samsung 28 and 27

See Browser compatibility.

New

AI-17782

Added the following new value transformers to the User Sync Task plugin (Service Container module):

  • Concatenating Data Transformer
    Concatenates a list of attributes to a string.
  • Current Timestamp Transformer
    Sets the current timestamp.
  • Default String Insertion Transformer
    Sets a static default value.
  • Multiple Date Pattern Transformer
    Deals with mixed date/time formats.
  • String Removal Transformer
    Removes a value if it matches a defined regular expression.

New

AI-19008

The old REST API documentation (Miredot) was removed from the IAM artifacts and replaced by a more modern version that is based on the OpenAPI specification.

Improvement

AI-20767

The HTTP Client Config plugin has been improved:

  • The plugin can now configure the read timeout (the time to wait for a response on a successfully established connection). Existing configurations are migrated to use the previously set connect timeout.
  • Infinite connect and read timeouts have been disabled. If an infinite timeout was configured previously, the plugin will now use a default timeout of one minute.

Improvement

AI-12251

SEQUENCEs are schema objects in Oracle databases that generate unique numeric values assigned to insertion operations. Oracle automatically increases these counters with each insertion. In IAM, these SEQUENCEs were historically created without cache (NOCACHE option). As of this release, we have changed the default for the 13 IAM SEQUENCE objects from NOCACHE to CACHE 20. This change will increase the performance of insertion operations substantially, especially in the case of many inserts, e.g., into the Token table.

To implement this change in existing Oracle databases, a database migration is required. If you work with IAM 8.4, you can use the iam-schema-migration-8_4-8_5.sql file provided in Oracle as Airlock IAM database.

For more information, see the following Techzone article: Performance Optimization for Oracle DB Sequences.

Improvement

AI-20573

Introduced measures to reduce memory footprint and fragmentation when running Airlock IAM in Docker/Kubernetes:

  • By default, the Airlock IAM docker image has the environment variable MALLOC_ARENA_MAX set to 2. This helps to reduce the memory footprint of the container. The feature can be disabled by setting the environment variable to the value 0.
  • The default value of the instance property iam.java.opts has been extended with -XX:TrimNativeHeapInterval=30000, which can help reduce memory fragmentation.

See also Reducing a large memory footprint.

Improvement

AI-19321

  • IAM now creates new systemd configurations with the service option Restart=always.
  • IAM now sets the Java option -XX:+ExitOnOutOfMemoryError for new instances. This ensures that IAM will exit if an application thread runs into an out-of-memory situation. This allows IAM to be redeployed (for example, by systemd, as stated above, or by Kubernetes deployment).

Improvement

AI-20705

Plugin logics (pluginLogics) no longer need to be declared in custom application extensions. This means that:

  • Explicit registration of logic classes in the pluginLogics() method of application extensions no longer has an effect.
  • Explicit declaration of packages containing logic classes in the element pluginLogics of the @RestApplicationConfiguration annotation (on ApplicationExtension classes) no longer has an effect.

Improvement

AI-20437

Airlock Gateway supports Brute Force Protection starting with release GW 8.4. In the IAM Mapping Template for Gateway 8.4 and later, this feature is now enabled by default.

Improvement

AI-20867

  • Support for Airlock Gateway Version < 8.3 has been removed.
    • Customers should update to Airlock Gateway >= 8.3.
  • IAM mapping templates for Gateway 8.4 no longer contain dedicated mappings for REST.

Improvement

AI-20689

AI-20688

The RADIUS client and server are now protected against Blast-RADIUS attacks.

Improvement

AI-20495

Performed various Java dependency updates.

Improvement

AI-21206

Performed the following maintenance and security updates:

  • Red Hat Universal Base Image 9 Minimal (UBI 9 Minimal)
  • JDK version 21.0.8+9
  • Tomcat version 10.1.44 (+ various spring boot dependencies)
  • Nimbus JOSE JWT version 10.4

Improvement

AI-19244

Airlock IAM's Docker image is now based on Red Hat UBI 9 Minimal.

Improvement

AI-20658

The minimum supported DB versions are now:

  • MariaDB: 10.6
  • MySQL: 8.0
  • SQL Server: 2017
  • Postgres: 13
  • Oracle: 19c

Improvement

AI-20866

Added helm charts for Microgateway 4.6.

Bugfix

AI-21276

Fixed an issue with reading domain-wide Active Directory “Fine Grained Password Policies” (FGPP) when the pwdProperties LDAP field contained another policy than DOMAIN_PASSWORD_COMPLEX.

Bugfix

AI-21205

AI-20157

Fixed a bug in the Active Directory Connector that prevented users from resetting expired passwords themselves.

Bugfix

AI-20918

Fixed an issue with the role filter in the LDAP Connector.

Bugfix

AI-21312

Gateway integration: Fixed an issue where the OpenAPI specification files contained wrong paths. Now, the OpenAPI specification files work out of the box with the mapping templates.

Bugfix

AI-20914

Fixed an issue where requests from technical clients were blocked by the “BOT detection in header value” deny rule. The Gateway mapping templates now include new deny rule exceptions to ensure that the respective requests are accepted.

Bugfix

AI-21224

Fixed an issue with the Design Kit: In dev mode, even one change in a source file could trigger two reloads.

Bugfix

AI-18817

Encrypted password hash now supports GCM and CBC as block cipher modes.

Bugfix

AI-21003

Updated Log4J libraries from 2.21.1 to 2.22.1. This removes a spring-test dependency that was unintentionally added to the bundle.

Bugfix

AI-21133

AI-21134

AI-21042

Fixed several issues with the Swissphone SMS Gateway plugin:

  • Issue 1
    SMS Delivery Status Responses from the Swissphone SMS Gateway caused internal server errors.
  • Issue 2
    SMS Delivery Status Messages were not properly extracted from the Swissphone SMS Gateway response.
  • Issue 3
    POST requests without a body were sent without the Content-Length: 0 header, causing 411 error responses from Swissphone when using the Swissphone SMS Gateway. To solve the issue, HTTPCore5 was updated from 5.2.4 to 5.3.4.