Airlock IAM 7.1
Airlock IAM 7.1 is a general availability Release with long term support and it provides many new features.
The release focus is on the implementation of the Payment Services Directive (PSD2) for the German and French speaking market and on a new, structured reporting solution, which supports the use of SIEM systems more easily. In addition, the existing REST interfaces are extended to make flows even more powerful and flexible. The „Login REST UI“ additionally provides a modern login web application based on the REST API.
Dynamic Client Registration is a new feature in IAM 7.1 that optimizes operating costs for PSD2 because Trusted Third Parties can automatically register themselves based on OAuth standards. For the users of Docker as an operating environment, improvements have been implemented to reduce the docker image resource requirements and to make integration with Docker even more seamless and easier.
PSD2
For PSD2, IAM was extended to support both the implementation for NextGen PSD2 (Berlin Group) and the implementation of the PSD2 variant of STET. The functional scope includes the dynamic registration of technical clients and the enforcement of roles and consents for access to the exposed PSD2 API. IAM has also been extended to support remote consents in addition to local consents. Using remote consent, the bank can finely granular obtain and enforce the consent of the bank's customers.
Reporting
IAM 7.1 offers a new, optional reporting component. For the implementation, great value was placed on backward compatibility and customers can run the current logging solution in parallel with the new reporting.
The optional reporting component includes the following functionality:
- New reporting messages that are optimized for creating dashboards on authentication and the use of authentication factors.
- All log and reporting messages are JSON structured and all semantically equivalent attributes are used identically for IAM and WAF.
- Built-in support for Elasticsearch and Kibana incl. ES index templates and Kibana dashboards.
Flows
The extension of the REST interfaces for the Loginapp have been continued and the following functional extensions have been implemented:
- Password Reset is now available as flow
- Selection of the authentication flow based on the forward location
- Role dependent conditions can be used in aurthentication flows.
- Enhancements in self registration
- Several different self registration flows can be offered.
- Consent to terms of services may be requested within the scope of the flow.
Dynamic Client Registration for OAuth 2.0
Dynamic Client Registration can now also be used as part of the Authorization Server for OAuth 2.0, so that clients can register themselves via a new REST interface. The REST endpoint can be protected by client certificate authentication so that only authorized parties can register new clients.
For NextGen PSD2, Dynamic Client Registration has been implemented so that a previously unknown client is registered on-the-fly and no separate REST endpoint has to be used. This registration requires that a trusted X.509 certificate be used by the client.
For the administration of dynamically registered clients an administrative REST API is offered as part of the admin application.
Docker improvements
Support for Docker Deployments is constantly being improved. With IAM 7.1 the Docker Images of IAM are also available for download at Docker Hub. To improve the integration in Docker IAM offers a health check endpoint and also the logging integration is now realized by default via stdout. Another improvement is the substantial reduction of space needed by IAM containers.
Further innovations
Beside the mentioned new functions many extensions and improvements have been implemented. E.g.:
- Transaction approval for Kobil TMS and matrix cards
- Content Security Policy (CSP) for Loginapp HTML
- OpenAPI specification for IAM including WAF templates
- Performance optimization in Active Directory usage
- Login REST UI - modern login web application based on REST API