IAM 8.6 - Changelog

Airlock 2FA display names are now checked for uniqueness by default. To ensure backward compatibility, this validation is automatically disabled for existing configurations during migration.

When logging in with Airlock 2FA using the Mobile Only authentication factor, end-users can now also use other authentication factors for transaction approval, e.g., One Touch.

The Cronto Letter Order Step (Loginapp) and the Cronto Token Controller (Adminapp) now trigger the new event Cronto Letter Ordered (CRONTO_LETTER_ORDERED event type).

The Resident Key property of the FIDO Settings plugin has been renamed and changed from a boolean (true or false) to an enum that accepts one of the following values: discouraged, preferred, or required.

FIDO settings now allow disabling double registration prevention. This can improve compatibility with old Android devices. See the new config property Prevent Double Registration in the FIDO Settings.

The plugins mTAN Registration Number Provider and mTAN Registration Label Provider have a new optional property, Mandatory. When enabled (which is the default), the provided value must not be null. If it is null, an error is returned.

Fixed an issue with Airlock 2FA payload encryption that caused failures with hardware tokens in Offline QR Code authentication and approval steps.

Using payload encryption with hardware tokens now gracefully fails instead of causing a technical error.

The new property Unencrypted Payload for Hardware Tokens in the Airlock 2FA Settings allows sending unencrypted data to hardware tokens even if payload encryption is enabled.

Fixed an issue with failure counter resets when the User Identification with FIDO Authentication step was used.

The step now correctly sets the Authentication Method ID to PASSWORD for username/password authentication and to FIDO for FIDO authentication.

Fixed a bug where additional JavaScript files were not bundled with iam-custom.js.

The following new value provider plugins are available:

They complement the existing String From Map Value Provider.

These value providers allow extracting individual values of the specified type from a Value Provider Map. They can also transform formatted strings into the type specified by the value provider.

The primary use case is extracting individual entries from the Script Execution Result Value Map Provider.

Improved performance of large Loginapp flows with many steps and plugins.

Fixed a bug where a Lua script used in a Scriptable Step could cause memory leaks.

Fixed a bug in the Scriptable Step where value maps containing entries with null values were passed to the Lua script as input. Null values should not be provided to the script, according to the plugin documentation.

The OAuth 2.0 Dynamic Client Registration plugin contains a new property, Return Technical Client ID. If enabled, the technical client ID is included in the dynamic client registration response.
See also Dynamic client registration (DCR) setup.

IAM no longer supports OAuth 2.0 and OpenID Connect tokens with unlimited validity.

Fixed a bug where unknown requests to UTLs under /oauth2/v3/ returned a 500 error instead of the correct 400 status code.

The OAuth 2.0 Scope Translations now work across all pages where scopes are displayed. Translations from both the backend and frontend are taken into account.

Significantly improved the performance of the Config Editor by up to 20×.

Performance when navigating longer and more complex configurations in strict validation mode has also improved, depending on the configuration’s complexity.

Fixed an Adminapp bug in the User Profile tab where a user role was not selectable if it was the only configured role. This issue only occurred in Chrome and Edge browsers.

When the number of users on the system is approaching the number of licensed users, the warning message currently displayed in the Adminapp is now also logged.

The Config Editor's History dialog now allows importing both XML and YAML configurations, regardless of the currently active format.

Added support for sending Airlock IAM event messages to Apache Kafka clusters. This integration allows for reliable, asynchronous event processing by streaming IAM events into Kafka topics with support for various authentication and encryption mechanisms.

The SMTP Email Server plugin now supports XOAUTH2 authentication using the OAuth 2.0 Client Credentials Grant as required by Office 365.

Added SMPP TON and NPI configuration options for the Swisscom REST SMS Gateway plugin.

The minimum supported DB versions are now:

Added target URI information to logs reporting “external service unavailable”.

The Elasticsearch integration now also supports HTTPS URLs in the iam.log.elasticsearch.url property.

Fixed a bug where the log message “Could not determine request URI from configured Gateway/Microgateway, using the URI from the request. Are Gateway settings configured without using a Gateway?” was logged at INFO level. The message is now logged at DEBUG level.

To improve compatibility, server certificates created with the iam init CLI command include localhost as subjectAlternativeName and strictly use positive numbers as serialNumber.

Fixed an issue where reporting log messages were forwarded to incorrect destinations, causing log files to fill up even when they were disabled in the instance.properties configuration file.

Fixed an issue where starting an IAM container in XML config mode failed if the instance directory did not already exist.