What's new in this release

IBM® Security Access Manager provides new features and extended functions for Version 9.0.5.

Access Manager Platform

  • RACF support

    Security Access Manager supports RACF as a federated registry. You can use the password-attribute and racf-suffix stanza entries to configure RACF support.

  • Native OIDC RP support

    Native OIDC RP support has been added to the Web Reverse Proxy. See OIDC Authentication and OpenID Connect (OIDC) authentication.

  • Automated reload for Docker containers

    If an updated configuration is detected, the container will automatically reload the configuration data. You can set the frequency, in seconds, that the container will check to see if the configuration has been updated with the AUTO_RELOAD_FREQUENCY environment variable. See AUTO_RELOAD_FREQUENCY.

  • Database Connection Validation

    The Security Access Manager appliance and Docker edition now supports connection validation for the Configuration Database and Runtime Database before accepting the database configuration.

  • Enhancements to the health checking of junctioned Web servers:

    The Web Reverse Proxy server performs a periodic background ping of each junctioned Web server to determine whether the junctioned Web server is healthy. Use the ping-attempt-threshold and recovery-ping-attempt-threshold configuration entries to set the number of consecutive responses that need to be received to change the status of the junction between "running" and "not running". Set the ping-timeout configuration entry to control the time in which a junctioned web server must respond to the ping request.

  • Configurable swap space size

    By default, the appliance is allocated with 2Gb of swap space. You now have the ability to customize the amount of swap space through the Swap File Size administrator setting, available in the Administrator Settings page of the LMI.

  • New options in the Web Reverse Proxy request-log-format configuration entry

    The %J option can be used to set the length of time, in microseconds, that the junction server spent processing the request. The %M option can be used to set the time, in Common Log Format, at which the request was received with millisecond precision. See request-log-format.

  • Log File REST APIs in Runtime Containers

    The Application Log Files API is now supported on the Security Access Manager Docker Runtime Container to enable users to retrieve and list log files from that container. See Docker image for Security Access Manager.

  • Integration with IBM Cloud Identity (CI)
    Security Access Manager has extended the integration with Cloud Identity so that:
    • The Web Reverse Proxy can be easily configured to consume Cloud Identity credentials, which allows users to authenticate using Cloud Identity and then initiate Single Sign-On against ISAM.
    • Advanced Access Control can easily be configured to use Cloud Identity to provide additional authentication mechanisms.
  • XenServer/AWS: PV Mode Deprecation

Advanced Access Control

  • SCIM support for federated directories

    The SCIM component can now be configured to use the runtime component LDAP server as the SCIM LDAP server. There is also a new server connection type ISAM Runtime that is used to store the LDAP bind connection details for the configured ISAM Runtime LDAP server.

  • IBM Cloud Identity server connection support

    Security Access Manager now supports a new type of server connection to access IBM Cloud Identity. See Server connection properties and Managing server connections

  • Access policy for OAuth or OIDC

    The granted scope for an OAuth/OIDC grant can now be set via access policy. See Access policy for OAuth or OIDC.

  • IBM Cloud Identity (CI) API calls in Info Map mechanism instances

    Embed Cloud Identity (CI) API calls in Info Map mechanism instances with the new Cloud Identity (CI) client. See Embedded Cloud Identity API calls in an Info Map mechanism.

  • Knowledge Question lockout function

    You can configure the lockout functionality to lock a user out indefinitely. See Configuring a Knowledge Questions authentication mechanism

  • SCIM Password Policy on Password Update

    SCIM password updates can now be performed as the actual user or as the LDAP administrator. The two methods are differentiated by calling the SCIM

    modify web service with different attributes. See User profile.
  • IBM Cloud Identity integration

    Security Access Manager provides Cloud Identity integration. See Cloud Identity API Integration.

  • OIDC Dynamic Client

    OIDC Registration is now part of the OP support. See OIDC Dynamic Clients.

  • Authenticator selection validation

    The user selected authenticator is now validated during the MMFA transaction flow.

  • Configuring demo application

    You can now configure the demo application with advanced configuration. See the new advanced configuration property live.demos.settings in Advanced configuration properties.

  • OAuth device flow support

    Security Access Manager now supports the OAuth device workflow. See Device flow.

  • TLS 1.2 support for direct connection to SMTP

    Security Access Manager supports using TLS 1.2 for direct connection to SMTP when delivering one-time password through email. See Configuring one-time password delivery methods.

  • GUI for management of OAuth grants

    You can use the Secure: Access Control > Manage > Grants page in the LMI to search for a user name and then view the OAuth grants owned by that user.

  • Policy information point (PIP) caching parameters

    The LDAP, Database, RESTful web service, and Fiberlink Maas360 PIPs now support the configuration of the cache size and cache lifetime parameters.


  • Batch commands for grant association commands

    The OauthMappingExtUtils class is enhanced to allow several associated attributes to be managed at once. This class includes batch operations for create, retrieve, update, and delete. See the OauthMappingExtUtils class in the Javadoc that is embedded in the appliance for details.

  • ResponseLocation attribute in SAML 2.0

    The ResponseLocation attribute is supported for SingleLogoutService in Single Logout Profile and ManageNameIDService in Name Identifier Management Profile in SAML 2.0.

  • LDAP server connection tuning parameters

    Additional LDAP Server connection tuning parameters are added to LDAP server connections. See Server connection properties.

  • Auditing for SAML 2.0 runtime

    All SAML 2.0 runtime requests and responses are now audited under the IBM_SECURITY_RUNTIME event

  • SAML 1.1 federations

    You can create SAML 1.1 single sign-on federations. You can use either the local management interface or REST APIs to configure the federations. See SAML 1.1.

  • Enhanced Client or Proxy (ECP) single sign on profile

    Support added for SAML 2.0 Enhanced Client or Proxy (ECP) single sign on profile.

  • LocalSTSClient

    A new STS Client is available in JavaScript mapping rules, which is capable of local calls for significant performance increases, see the class LocalSTSClient in the Javadoc.