Airlock IAM 8.0
Moving full throttle to the cloud
Our main goal for version 8.0 was to take a big step towards full cloud capability with Airlock IAM, including horizontal scalability and improvements for running in Kubernetes.
We have also added support for PostgreSQL, a popular database in modern cloud environments. To better support multi-instance IAM deployments, the user trail log is now written to the database instead of traditional log files. To improve automation and support Infrastructure as Code, we have added config variables which can be initialized by scripts during the startup of an IAM instance. The underlying Apache webserver now logs to stdout to simplify the integration with cloud logging services. Last but not least we have given the Adminapp UI a brushup to make it more modern.
Zero Trust Segmentation with OAuth 2.0 Token Exchange
Complex web applications often consist of several servers with different tasks. For example, a frontend server may contact a backend server running in a different security zone on behalf of the user. If each zone has its own access tokens, the frontend server cannot simply forward the existing token. For this purpose, the OAuth 2.0 Token Exchange allows a valid token to be exchanged for a new token at the authorisation server. With this segmentation of the token domains, an attacker who has compromised one system cannot use the tokens found there to reach servers in other zones.
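The exchange described above as an added example (not Airlock's own code): a frontend zone token is presented to the authorisation server's token endpoint and exchanged for a token bound to the backend zone, and the backend accepts only the exchanged token. The signing key, zone names, subject and scopes are constructed values, and HMAC-signed JSON stands in for real JWTs so the example runs without extra libraries.

```python
# OAuth 2.0 Token Exchange (RFC 8693) across security zones, simplified: HMAC-signed JSON stands in for JWT.
import base64, hashlib, hmac, json, time

KEY = b"constructed-demo-signing-key"  # constructed: shared by the AS and both resource servers
TOKEN_EXCHANGE = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN = "urn:ietf:params:oauth:token-type:access_token"

def mint(sub, aud, scope, ttl=300):
    """Authorisation server: issue a token bound to exactly one audience (one zone)."""
    claims = {"sub": sub, "aud": aud, "scope": scope, "exp": int(time.time()) + ttl}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    sig = hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"

def verify(token, expected_aud):
    """Resource server: accept only tokens that are signed, unexpired and issued for *this* zone."""
    body, _, sig = token.rpartition(".")
    if not hmac.compare_digest(sig, hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body))
    if claims["exp"] < time.time() or claims["aud"] != expected_aud:
        return None  # a token from another zone (or a stale one) is rejected here
    return claims

def exchange_request(subject_token, audience, scope):
    """Frontend: form parameters for the token endpoint (RFC 8693 section 2.1)."""
    return {"grant_type": TOKEN_EXCHANGE, "subject_token": subject_token,
            "subject_token_type": ACCESS_TOKEN, "audience": audience, "scope": scope}

def token_endpoint(form):
    """AS: validate the frontend's own token, then mint a fresh one for the backend zone."""
    if form.get("grant_type") != TOKEN_EXCHANGE or form.get("subject_token_type") != ACCESS_TOKEN:
        return {"error": "unsupported_grant_type"}
    subject = verify(form.get("subject_token", ""), expected_aud="frontend")
    if subject is None:
        return {"error": "invalid_grant"}
    new_token = mint(subject["sub"], form["audience"], form["scope"])
    return {"access_token": new_token, "issued_token_type": ACCESS_TOKEN,
            "token_type": "Bearer", "expires_in": 300}

def demo():
    """Returns (frontend token accepted by backend?, exchanged token accepted by backend?)."""
    frontend_token = mint("alice", "frontend", "profile")
    resp = token_endpoint(exchange_request(frontend_token, "backend", "orders:read"))
    return (verify(frontend_token, "backend") is not None,
            verify(resp["access_token"], "backend") is not None)
```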
Improving the Adminapp
The Adminapp has been upgraded to the latest Angular release, and some notable features were added:
- User Management Extension: Using this new JavaScript API, additional tabs can be added to the user management UI. These tabs typically contain external data and functions a helpdesk might need.
- Search performance in very large databases has been dramatically improved through a much finer-grained configuration of the search behavior. It is now possible to have the default search use whole-word matching and take full advantage of specialized indexes.
- Validation speed: Our engineers have worked hard to speed up the validation and activation process, which is particularly welcome when working with large and complex configuration files.
Keeping your Users informed
Event notifications have been extended with every release since IAM 7.5. This release adds three new features:
- Login from a new device
If someone logs in from a previously unknown browser, the user can be notified about this. The notification SMS or email can contain the location or further browser information.
- Device token change events
Adding, modifying, and deleting device tokens will now also generate event notifications and an event subscriber can be configured to inform users about these events.
- Send event notifications to remote server
The last contribution is a new event subscriber that can send information about the configured event to a remote REST endpoint.
Security Improvements
True to its DNA, the security of Airlock IAM was improved in these areas:
- Tight WAF security rules
The mapping templates for Airlock Gateway have been updated to better protect the REST API of Airlock IAM. This requires a configuration change in Airlock Gateway after upgrading Airlock IAM.
- Hardened Content Security Policy
With the push to the cloud, we see many more scenarios in which the Adminapp, too, is exposed to remote users. To support such scenarios more securely, the Adminapp CSP has been strengthened.
- No misleading log4j warnings
log4j was patched by Ergon immediately after the Log4Shell vulnerability was communicated. With IAM 8.0 we have upgraded our code to use the latest release of log4j to ensure that scanners no longer report false positives about this library.
Benefit from the new Loginapp
No matter how complex your business or security requirements - with the IAM Loginapp, you can realize user-friendly login flows quickly and securely: Numerous standard modules can be flexibly arranged and adapted to support complex authentication and authorization scenarios and a wide range of self-services, from a simple password reset to managing 2nd factor devices.
The Loginapp Design Kit is a UI simulator that allows designers and front-end developers to easily adapt the look and feel of the Loginapp to the corporate identity. They can customize all screens directly on their local workstation, without access to an IAM system.
Major Release
IAM 8.0 was published on Docker Hub and the Airlock Techzone in early April 2023. This major release includes a number of significant changes. Some deprecated features have been permanently removed, including the JSP Loginapp. In preparation for upgrading to IAM 8.0, we recommend reading the release notes, including the upgrade instructions. Airlock IAM 8.0 is expected to be supported until 12/2024. If you are still using IAM 7.6 or older, we recommend you upgrade as soon as possible.