Airlock IAM 7.6
With Airlock IAM, security and user-friendliness do not have to be mutually exclusive: Thanks to the "Remember-Me" tokens, the user can skip the second factor or even the whole login.
This is only one of many extensions of the flow-based Loginapp in IAM 7.6 that enable a smooth replacement of the old JSP-Loginapp. Another substantial enhancement are the federation protocols for SAML IdP and OpenID Connect Provider. Airlock 2FA has been further extended to support additional 'mobile-only' use cases and to block the own account directly from the app.
SAML and OIDC in the Loginapp (REST UI + API)
SAML remains a widespread and often used federation protocol. With IAM 7.6, the SAML IdP has been updated and now also works with the new Loginapp. This allows IAM to be used as a SAML identity provider and at the same time benefit from the flexible possibilities of flow authentication.
The implementation of OAuth 2.0 and OpenID Connect in IAM is constantly evolving. The first step was the AS-centric implementation and the support of Dynamic Client Registration. In the second step, IAM was integrated as an OAuth 2.0 or OIDC client for the new Loginapp. With IAM 7.6, the third step follows: Authorisation Code Grant and Flow can now be used seamlessly with the new Loginapp. The implementation includes all functions already available, such as local and remote consent and ACR values. With the integration into the flows, it is now also possible to use OIDC features such as Prompt and Login Hints. Scopes can now be derived not only from roles but also from tags. Translations for scopes are also available for integration in the Loginapp REST UI.
Remember Me
The Remember-Me feature in the new Loginapp has been redesigned from the ground up to be even more powerful and convenient for end users. The proven "Keep me logged in" is still available and can be used to automatically log in a returning user.
Thanks to the flexibility of the flows, other use cases now also benefit from the Remember-Me cookie. For example, the second factor can be omitted if a strong authentication has already been successful in the same browser. It can be left up to the user whether to take this shortcut, e.g. with a corresponding checkbox "Trust this browser". In this case, the second factor is only required when a new browser is used, i.e. typically when logging in on an unknown device.
Airlock 2FA
Airlock 2FA is constantly being improved and new functions have also been added with IAM 7.6:
- The share of mobile usage continues to increase and in many cases there is only one smartphone. Now, the Airlock 2FA setup process can be performed on a single, mobile device. This can either happen during the authentication sequence or in a protected self-service.
- A new security feature is account blocking in the Airlock 2FA app. If a push message appears in the Airlock 2FA app that the user did not authorise and did not trigger, the user's account can be blocked in this situation.
Further innovations
- The concept of Logout Actions has been integrated into the flow architecture of IAM 7.6. During logout, User Representation, Remember-Me, OAuth and SAML Logout Actions are checked and executed if necessary.
- We have generalised the user-specific timeout of roles for the flow architecture. The inactivity timeout can now be set depending on the circumstance, e.g. with tags based on the authentication strength.
As always, you can find a complete list of changes in the release notes.
Updating is easy
Airlock IAM 7.6 is published on Docker Hub and the Airlock Techzone. The update to this minor version does not require any manual adjustments: Your existing configuration can be activated without any problems.
Airlock IAM 7.6 is expected to be supported until 12/2023. If you are still using IAM 7.4 or older, we recommend you update as soon as possible.
Webinar Airlock IAM 7.6
The Airlock IAM 7.6 webinar will present all the main innovations in detail.