Airlock IAM 7.3
Airlock IAM 7.3 is a "Long Term Support" (LTS) release and brings many new features.
IAM 7.3 focuses on the introduction of Airlock's own authentication factor, Airlock 2FA. In addition to authentication, various self-services and transaction confirmation are supported - in the Loginapps as well as in the REST interface. The Airlock 2FA app is available in the App Store and on Google Play. Hardware tokens are available as well.
In addition to the Airlock 2FA support, the Loginapp REST UI has been enhanced with additional features. The mTAN functionality has been extended so that users can not only use mTAN tokens for authentication but also enroll them. There are new self-services for maintaining user account data. In the area of operations and compliance, the display of maintenance messages and the acceptance of terms of service have been implemented.
The administration of technical clients is now possible with Airlock IAM. API keys, plans, and rate limits can be managed.
Airlock 2FA is the new strong authentication solution for Airlock IAM. Airlock 2FA enables two-factor user authentication based on a smartphone application or hardware tokens and offers four different authentication methods.
Airlock 2FA is designed to be easy to use by the end-user and to be easy to integrate and configure by the IAM administrator.
The integration of Airlock 2FA with Airlock IAM is seamless, regardless of whether the classic Loginapp, the new Loginapp REST UI, or a proprietary development based on the Loginapp REST API is used.
The functional scope of Airlock 2FA covers all important use cases from onboarding of a user via self-registration, authentication, and transaction approval to self-services for the management of Airlock 2FA apps.
Airlock 2FA is also fully supported for the helpdesk, so that helpdesk staff can optimally support their customers in the use and administration of Airlock 2FA.
Loginapp REST UI (SPA)
The Loginapp REST UI and the Loginapp REST API are continuously extended. With the protected self-services, IAM 7.2 introduced a new class of REST APIs for already authenticated users. With IAM 7.3 these REST APIs are supported in the Loginapp REST UI, and users can now manage the profile data of their user account and their Airlock 2FA apps in the self-services.
In addition, it is now possible not only to change mobile phone numbers and e-mail addresses in flows, but also to validate them. Furthermore, you can configure confirmation of data changes by means of a second factor.
The use of mTAN as an authentication factor has been supported for some time already. Self-enrollment functions are now available for users.
Maintenance messages are also displayed in the Loginapp REST UI, and terms of service can be presented to the user for review and acceptance.
With the increasing use of REST interfaces and the associated technical clients, the management of these clients is becoming more and more important. Airlock IAM can manage technical clients and their API keys and control the use of the interfaces via rate limits and plans. Airlock Gateway uses IAM's API Policy Service to query and then enforce the rules.
API keys are an extension of the filtering capabilities in Airlock Gateway and an extension of the authentication capabilities in Airlock IAM.
The use of API key functions requires Airlock Gateway 7.4.
OIDC and OAuth 2.0
As part of the development of the PSD2 functions in Airlock IAM, a new implementation of the OpenID Connect and OAuth 2.0 component was started. This implementation has now been continued, and the new component supports the Authorization Code Grant, Dynamic Client Registration, and the Client Credentials Grant.
In addition to the modernized REST interfaces, functional enhancements were also implemented. Airlock IAM can now handle ACR (Authentication Context Class Reference) values and thus manage the strength of authentication in OIDC flows. In the proprietary session management endpoint, clients can manage a user's tokens. Through the combination of ACR values and the new SSO tickets, it is also possible to configure second-factor confirmation within OIDC flows.
Thanks to a migration feature, an upgrade to the new implementation of the OAuth/OIDC component can be done without any noticeable impact on end users. Authenticated users can simply use existing tokens (access and refresh tokens) with a new OAuth client, and the first time they interact, all tokens are replaced with new tokens without requiring the user to log in again.
In addition to the new functions mentioned above, many extensions and improvements have been implemented. These include:
- MS-OFBA - Microsoft Office form-based authentication allows users with a local installation of Microsoft Office to log in directly within the Office application and thus use company resources (SharePoint).
- The use of the searchForEntry() function and the search via memberOf attributes improves the performance in Microsoft Active Directory connections for customers with large and complex MS-AD setups.
- For compliance with the European Directive on PSD2, it is possible to display the failed login counter to the user or to read the counter using the REST API.
- IAM now provides a health-check endpoint for the Loginapp. Its purpose is to check whether IAM is ready to process authentication requests (e.g. as queried by Airlock Gateway).