
Airlock IAM 8.5
Config Automation: smarter and a bit easier
With this release, we’re extending the Config Automation capabilities introduced in the previous release:
- Short plugin type names: In the YAML config format, they significantly improve readability and make processing much easier.
- Licence check via CLI: The config CLI now includes a command to verify licence coverage for configurations.
- YAML as the new default: All newly created IAM instances now automatically use the YAML config format and benefit from the config automation features. The XML format remains fully supported and can still be selected via a CLI option.
Ready for the E-ID
Airlock IAM is now ready to support E-ID solutions and offers full support for Proof-of-Concept (PoC) projects to help organizations prepare for the launch of the official E-ID and trusted infrastructure starting in 2026. The solution is designed to work in both Switzerland and the EU. In Switzerland, the Federal Public Beta serves as the technical foundation.
New modules in Airlock IAM allow issuing, verifying, and using verifiable digital credentials for secure authentication. A compelling showcase developed in collaboration with PXL Vision demonstrates how a person can be identified using an E-ID, including a liveness check that matches the live image of the person with the photo stored in the E-ID.
New REST API documentation: Clearer, smarter, more transparent
This release marks the completion of the OpenAPI specification overhaul, resulting in a completely redesigned REST API documentation. The new version features a clean, modern layout and introduces a range of enhancements to simplify integration.
Among the key improvements: developers can now send test requests directly from the documentation interface. Response examples provide practical guidance, and all REST APIs are clearly labeled as Experimental or Deprecated—ensuring greater clarity and future-proof planning.
Even more power for OIDC & OAuth 2.0
We have further enhanced the capabilities in the area of OIDC and OAuth 2.0:
With the introduction of OIDC Backchannel Logout, all affected clients that share a session are now automatically informed when a user logs out, and their sessions are terminated accordingly – ensuring greater security and consistency.
In Token Exchange, the subject_token is now also integrated into the rule definitions. This allows it to be processed individually within each rule, significantly increasing the flexibility of Token Exchange and simplifying the implementation of complex configurations.
To further improve compatibility with bLink, Dynamic Client Registration now allows clients to define their own name. This implementation deliberately deviates from the RFC standard to offer greater flexibility in specific use cases.
Licence Analytics: Now mandatory – driving customer value
With this release, Licence Analytics becomes mandatory. Any configuration that does not include the Licence and Usage Analytics plugin can no longer be activated. The purpose of this change is to gain deeper insights into how the product is used in real-world scenarios, allowing us to focus future development on the features and use cases that matter most to our customers.
As part of the migration process, all customers must make a one-time decision on whether optional usage analytics data should also be shared with Ergon in addition to the required licence information. This decision is part of the configuration migration and can be updated at any time if needed.
More possibilities and security in login and self-services
With the latest release, we’re making secure login and self-services even easier and more flexible for end users:
- Passkeys with Autofill (FIDO2): Thanks to “Conditional UI,” matching passkeys now appear directly in the username field – logging in has never been smoother.
- Transaction approval with FIDO keys: From now on, FIDO keys can be used not only for login but also to confirm transactions.
- QR code-free activation: Airlock 2FA devices can now also be activated via activation letters or in self-service flows without QR codes.
- More approval steps: Both Airlock 2FA passcodes (OTP) and OATH OTP codes can now be used as approval steps in public self-service flows – ideal for protecting critical actions.
- On-demand password letters: End users can now request password letters directly within authentication and self-service flows.
Various features: session termination, one-shot with flows, events, and more
Numerous further improvements include the termination of multiple active user sessions, simplified certificate handling in SAML, greater flexibility in event processing, and enhancements to the User Sync Task.
As always, more new features and improvements are documented in the changelog.