Airlock IAM 7 is a major release with major new features focusing on GDPR, Docker, social registration, device tokens and ease of use.
Airlock IAM assists in GDPR compliance by managing user consents regarding profile data and application access. Delivered as a Docker image or a self-contained application (SCA), it smoothly integrates into DevOps pipelines and bundles required components.
The ability to register new accounts based on social identities and link social logins with existing accounts gives you all the flexibility for customer access management. Biometric mobile phone technologies, such as Touch ID or Face ID, can be used to protect Airlock device tokens and hence be leveraged in user authentication. Last but not least, Airlock IAM's REST APIs have been extended substantially, including an adaptive workflow layer for self-registration services.
Airlock IAM 7 introduces two new delivery forms: a Docker image and a self-contained application (SCA). Modern DevOps pipelines are often based on container technologies and orchestration tools such as Kubernetes, requiring components to be shipped in containers for automatic deployments. The Airlock IAM Docker images support seamless configuration staging using instances, environments (introduced in 6.4) and profiles (new in 7.0). Besides Docker, Airlock IAM 7 is available as an SCA, including Java and Tomcat as bundled components. This facilitates handling, upgrading and automation of installations.
The General Data Protection Legislations (GDPR) aims to give EU citizens control over their personal data. In particular, explicit consent by users is required for specific data processing purposes. Airlock IAM 7 supports GDPR compliance by managing consents regarding user profile data and access to protected applications or APIs. For instance, Airlock IAM may prohibit accessing a specific application or propagating sensitive profile attributes until the required consents are given by the user. Using the consent management self-services, users can view and revoke their consents at any time.
Social Registration and OpenID Connect Discovery
Airlock IAM's OAuth and OpenID Connect (OIDC) capabilities have been extended significantly. As you may know, setting up OIDC can be tedious. That's why we implemented OIDC discovery, which largely automates the configuration of endpoints or cryptographic algorithms and dynamically adapts to changes. While logging in with a social account has been possible for a while, Airlock IAM 7 adds various options for linking social accounts with IAM accounts. For example, IAM accounts based on attributes of social profiles can be created automatically (social registration) or social logins can be extended with a local second factor for step-up authentication. The new user self-service for social profile management enables users to view, link and unlink social accounts at any time.
Adaptive Self-Registration Workflows (REST API)
Following our API-first strategy, the adaptive workflow layer for IAM's login REST API introduced in 6.4 is now extended to cover the self-registration REST APIs as well, enabling easy and flexible adaptation to custom onboarding processes. In addition, a new REST endpoint for obtaining end user approvals is introduced. This provides a simple and efficient manner to implement business processes that require explicit and strongly authenticated user approval (e.g., for a pending banking transaction or an application consent).
Airlock Device Tokens
Airlock device tokens uniquely identify a user's device (e.g., a mobile phone) and are cryptographically bound to the device. Biometric technologies, such as Touch ID or Face ID, can be used to protect the cryptographic device ID secrets on the mobile phone. Hence, it is now possible to use Touch ID or Face ID as an authentication factor by requiring a valid device ID.
In addition to the main new features, many extensions and improvements have been made, e.g., more flexible access policies or improved token management. A special feature preview is particularly interesting: we have included a prototype login application built as an SPA (single-page application), relying solely on IAM's REST APIs. Although the new SPA login application is still experimental, we are interested in valuable customer feedback. For a complete overview of all changes, please consult the detailed release notes.