Airlock IAM 7.7
Highlights of Airlock IAM 7.7
In terms of functionality, the new Loginapp REST UI has caught up with the old JSP Loginapp and offers the migrated features with greater flexibility and capability. IAM 7.7 is the ideal release for migrating to the new Loginapp, because it is the last release that ships both Loginapps.
The most important feature enhancements are the implementation of the SAML Service Provider and support for risk-based authentication and the Kerberos protocol in flows. In addition, many smaller features complete the scope of the new Loginapp.
Replacing the Loginapp
With IAM 7.7, all the important building blocks of the JSP Loginapp are also available in Loginapp REST, so nothing stands in the way of migrating to the new Loginapp.
The Loginapp REST UI has been extended by the following functions in particular:
- Password reset self-service with email links
- Front-side Kerberos in flows
- CAPTCHA support (reCaptcha and hCaptcha)
- End-to-end encryption for passwords
- Lockout self-service
- Client fingerprinting-based user account lockout
- On-Behalf Identity Propagator (SSO for legacy systems)
- SAML Service Provider
SAML Service Provider
SAML remains a widely used federation protocol. With IAM 7.7, the SAML SP has been updated to work with the new Loginapp. This allows IAM to be used both as a SAML service provider and as a SAML identity provider while benefiting from the flexible flow-based authentication capabilities.
Flow Visualization
Sometimes you can't see the forest for the trees. This can be the case when you need to understand an IAM configuration that you may not have touched for a long time (or have never touched at all).
This is where the new flow diagram comes to the rescue. The graphical display of an IAM flow ensures that even complicated processes become clear and comprehensible. The flow diagram can also be exported as a PNG or SVG graphic for documentation purposes.
Risk-based Authentication
Risk-based authentication has been enhanced so that the feature can be used more widely and more effectively.
IAM flows can now be controlled by Risk Extractors. These are implemented by IAM itself (IP Address Range, Geolocation, User Agent, Impossible Journey) or in cooperation with an upstream gateway (Anomaly Shield Status, Client Fingerprinting). With Risk Extractors, IAM can optimize the UX during an authentication flow by either performing or skipping a step based on the risk tags.
In addition, the gateway can be instructed by third-party systems (such as a fraud detection system) or by internal functions (e.g., Anomaly Shield) to remove an authorization from the running user session. IAM 7.7 interprets these so-called role drops in the flows and forces the user to regain the lost roles during the authentication flow. For example, a suspicious session can be verified by re-authenticating with a second factor.
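To make the two mechanisms above concrete, here is an added illustration (constructed for this page, not Airlock IAM code or configuration) of how risk extractors and role drops can steer a flow. The extractor names (IP address range, geolocation, user agent, impossible journey), the tag strings, the step names, the home country "CH", and the 900 km/h travel-speed threshold are all assumptions chosen for the example; Airlock's actual extractors, tags and thresholds are configured in the product and are not shown on this page.

```python
"""Constructed example: risk tags decide which flow steps run; a role drop forces the
step that restores the missing role. Not Airlock IAM code; names are illustrative."""
from __future__ import annotations

import math
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class LoginAttempt:
    ip: str
    country: str
    lat: float
    lon: float
    ts: float          # seconds since epoch
    user_agent: str


@dataclass
class Session:
    last_login: Optional[LoginAttempt] = None
    roles: set[str] = field(default_factory=set)           # roles currently held
    known_user_agents: set[str] = field(default_factory=set)


def _haversine_km(a: LoginAttempt, b: LoginAttempt) -> float:
    """Great-circle distance between two login locations (used by the impossible-journey check)."""
    p1, p2 = math.radians(a.lat), math.radians(b.lat)
    dphi = p2 - p1
    dl = math.radians(b.lon - a.lon)
    h = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def risk_tags(attempt: LoginAttempt, session: Session,
              home_country: str = "CH", max_speed_kmh: float = 900.0) -> set[str]:
    """Four hypothetical extractors, each contributing a tag when its condition holds."""
    tags: set[str] = set()
    if not attempt.ip.startswith("10."):                       # IP address range
        tags.add("external-ip")
    if attempt.country != home_country:                        # geolocation
        tags.add("foreign-country")
    if attempt.user_agent not in session.known_user_agents:    # user agent
        tags.add("unknown-user-agent")
    prev = session.last_login                                  # impossible journey
    if prev is not None:
        hours = max((attempt.ts - prev.ts) / 3600.0, 1e-6)     # guard against zero interval
        if _haversine_km(prev, attempt) / hours > max_speed_kmh:
            tags.add("impossible-journey")
    return tags


@dataclass(frozen=True)
class FlowStep:
    name: str
    required_if: frozenset[str] = frozenset()   # run only if any of these tags is present
    grants: frozenset[str] = frozenset()        # roles the step (re)establishes


# Hypothetical flow: password always; second factor and CAPTCHA only when risk tags say so.
FLOW = [
    FlowStep("username-password", grants=frozenset({"authenticated"})),
    FlowStep("second-factor",
             required_if=frozenset({"foreign-country", "impossible-journey", "unknown-user-agent"}),
             grants=frozenset({"authenticated-strong"})),
    FlowStep("captcha", required_if=frozenset({"external-ip"})),
]


def plan_flow(tags: set[str], required_roles: set[str], session: Session,
              steps: list[FlowStep] = FLOW) -> list[str]:
    """Select the steps to execute: unconditional steps, steps triggered by a risk tag,
    and steps that restore a role the session lost (a role drop by the gateway)."""
    missing = required_roles - session.roles
    plan = []
    for step in steps:
        unconditional = not step.required_if
        risky = bool(step.required_if & tags)
        regains_role = bool(step.grants & missing)
        if unconditional or risky or regains_role:
            plan.append(step.name)
    return plan


def handle_role_drop(session: Session, dropped_role: str) -> Session:
    """Model the gateway removing an authorization from the running session."""
    session.roles.discard(dropped_role)
    return session


if __name__ == "__main__":
    zurich = LoginAttempt("10.1.2.3", "CH", 47.37, 8.54, 0.0, "Firefox/118")
    s = Session(last_login=zurich, roles={"authenticated", "authenticated-strong"},
                known_user_agents={"Firefox/118"})
    new_york = LoginAttempt("203.0.113.7", "US", 40.71, -74.01, 3600.0, "Firefox/118")
    print(risk_tags(new_york, s))                   # external-ip, foreign-country, impossible-journey
    print(plan_flow(risk_tags(new_york, s), {"authenticated"}, s))
```

Running the module prints the tags for a login from New York one hour after a login from Zurich and the resulting three-step plan; a low-risk login from the internal network with a known browser yields only the password step, while a dropped strong-authentication role re-inserts the second-factor step even when no risk tag is present.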
Event Notifications
Event notifications were introduced with IAM 7.5 and are now improved again with IAM 7.7:
- Event notifications can now also be sent via SMS. If required, the notification is sent to all cell phone numbers that are stored in the user account.
- The User Locked Event is triggered when an account is locked. Different notifications can now be sent depending on the cause of the lock (Lock Reason); both the message and the channel (email, SMS) can differ.
Further innovations
- Remember-Me self-service: Each user can view the list of all logged-in browsers and force a logout on another device if needed.
- Username and password can be entered on separate screens. This allows the flow to branch depending on the username that was entered.
- Improved Email OTP Step: The specific phone number or email address can be displayed in the UI, masked if desired.
- Airlock 2FA device enrollment: A mobile device can be enrolled during the registration flow.
- Support for multiple transaction approval flows
- Additional provider for SMS sending: Support for Swisscom SMS Large Account REST Gateway
As always, a full list of changes can be found in the release notes.
Updating is easy
Airlock IAM 7.7 has been available on Docker Hub and the Airlock Techzone since early October 2022. Updating to this minor version does not require any manual adjustments: your existing configuration can be activated without any problems.
Airlock IAM 7.7 is expected to be supported until 06/2024. If you are still running IAM 7.5 or older, we recommend you update soon.