Airlock IAM 6.4
Digital transformation of business processes demands a lot from IT service operations: highly flexible authentication workflows extended with customer-specific modifications must be deployed automatically to various environments. The security of user accounts must be ensured – even if password databases are compromised. Mission impossible? Not with Airlock IAM 6.4.
Workflows for the Login REST API
Authentication workflows for digitized processes must be very flexible. Different user groups may require different authentication means and adaptive workflows must consider contextual information, such as time and location. Depending on the target application, strong or simple authentication may be required. Handling of failed logins must be secure to prevent the leakage of sensitive information. Last but not least, administrators must be able to easily manage the many options and steps towards getting access.
In order to meet these needs, the login REST API of Airlock IAM 6.4 is based on a new and powerful workflow layer, which allows easy definition of flexible workflows through configuration. Single steps of the authentication workflow can be composed freely, preconditions may be defined and switches included. Even in highly complex workflows, the administrator can easily make guarantees thanks to so-called "guards".
Configuration Environments for Staging and Multi-Tenancy
Airlock IAM is a central access management component and is used in many different scenarios. Testing, acceptance and production environments are often run separately for individual tenants, which inflates the overall number of environments to be managed. Configuration management must be centralized and automated in order to cut operational complexity and costs.
Airlock IAM 6.4 supports the concept of "configuration environments" directly in the product and offers various features for configuration management. Different environments are managed centrally and common configuration elements are shared without introducing redundancy. Sensitive values, such as passwords, can be stored in an external key store or HSM and are merged with the configuration during deployment.
Dynamic UIs for Profile and Token Management
It is a strength of Airlock IAM to provide a standardized product and to still be able to meet individual customer needs. Businesses often demand the extension of user profiles with business-specific information or the integration of new and innovative authentication means. At the same time, user experience for administrators and help desk employees should be seamless.
Airlock IAM 6.4 allows the definition of UIs and corresponding REST interfaces for managing non-standard profile data and authentication tokens. Since this is done without resorting to custom code, time-to-market for new services is substantially reduced.
HSM Support for Password and Hash Encryption
To prevent misuse in case of a breach, passwords must never be stored in cleartext. That’s common knowledge. However, even password hashes provide only limited protection against professional brute force attacks.
As a high-end security product, Airlock IAM now offers the option to encrypt password hashes with keys stored in an HSM. If that’s still not sufficient, passwords may be encrypted end-to-end, completely eliminating the need for intermediate storage. HSM integration is based on standards (PKCS#11, JCA), supporting most HSM models on the market.
In addition to the main new features, many extensions and continuous improvements have been made. As an example, the REST interface of the login application has been substantially extended. Furthermore, Airlock IAM’s OAuth2 implementation now supports PKCE (“pixy”), which is recommended for safely using the authorization code flow on mobile devices. For a complete overview of all changes, please consult the detailed release notes.