What's new in this release

IBM® Security Access Manager provides new features and extended functions for Version 9.0.6.

Access Manager Platform

  • Rate limiting

    Reverse proxies can now perform rate limiting on web requests. For more information, see Rate Limiting.

  • content-aware WebSEAL responses

    When you are generating a response, WebSEAL allows different response template files and response codes to be configured for different MIME sub-types. For more information, see default-response-type.

  • Forwarding requests to an ‘unavailable’ WebSEAL junction

    The Web Reverse Proxy can now be configured to return an error when HTTP requests are received for junctioned servers which are currently failing the 'ping' operation. See disable-on-ping-failure.

  • Packet Tracing
    Packet tracing can now be configured such that:
    • Packet capture does not stop once the log file is full.
    • The log file can be rotated to a defined number of rollover log files once it is full.
    • A snap length can be defined by specifying the maximum amount of data to be collected for each frame.

    For more information, see Manage Packet Tracing

  • Junction specific options

    Response headers can now be configured on a per junction basis. For more information, see [rsp-header-names] stanza.

  • Configuration file updates for HTTP transformation

    HTTP transformations can now be configured to match on a case insensitive basis. For more information see, Configuration file updates.

  • Runtime Server Threads

    The minimum and maximum threads associated with the runtime server can be configured as part of the runtime tuning parameters. For more information, see Tuning runtime application parameters and tracing specifications.

  • Adding microseconds to WebSEAL request logs

    The time, in micro-seconds, at which a request was processed by WebSEAL can now be added to the request log. For more information, see Customizing the HTTP request log.

  • Reverse Proxy Management
    When you are starting, stopping, or restarting reverse proxy instances, it is now possible to perform the task on:
    • A single instance
    • A multiple selection of instances simultaneously
    • All instances simultaneously

    For more information, see Stopping, starting, or restarting an instance.

  • Log File Management
    It is now possible to select multiple files and delete or clear all of them in a simultaneous operation. This includes:

Advanced Access Control

  • New Advanced Configuration parameters

    A new AAC Advanced Configuration parameter mmfa.devicePrompt.skipIfOneDevice is added. When the parameter is set to true and the user has only one authenticator registered, the device selection page in a Mobile Multi-Factor Authentication flow is skipped. For more information, see Advanced Configuration Properties.

    A new AAC Advanced Configuration parameter authsvc.stateMgmt.cookieless is added. When the parameter is set to true, the Authentication-based and Content-based access modules no longer require client side cookies to be set to perform authentication flows. For more information, see Advanced Configuration Properties.

    Read-only and Sensitive API Protection token attributes are now handled differently. For more information on the new advanced configuration parameter oauth.useLegacyAttributes, see Advanced Configuration Properties.

  • JavaScript Audit Logging

    JavaScript Mapping Rules can now audit events with IDMappingExtUtils.logAuditEvent (String username, String message, boolean result). For more information, see Auditing from Mapping Rules.

  • QR Code Authentication Mechanism

    You can configure the QR code authentication mechanism to scan a generated QR code to successfully authenticate as an alternative-to-password authentication technology. There are two new pre-defined policies that can be used to configure the QR code authentication mechanism- initiate and response. For more information, see Configuring a QR Code authentication mechanism

  • Mobile Multi-Factor (MMFA) Authenticator Mechanism
    The MMFA authenticator can now be figured to:
  • Updating and Deleting OIDC Dynamic Clients
    Dynamic clients can now be updated and deleted. This provides additional capability, such as resetting the client_secret. For more information, see:
  • Cloud Identity Verify (CIV) API Integration
    The following updates are made to the CIV StrongAuthenticaion/API Integration:
    • IBM Verify enrollment through CIV
    • Just-in-time enrollment
    • Updated the Cloud Identity Server Connection type to allow administrators to override the Cloud Identity endpoint paths
    • Redesign authentication flow pages
    • Added functions to mapping rules to enable administrators to easily modify usernames

    For more information, see Cloud Identity API Integration.

  • Mobile Multi-Factor Authentication Infomap Usability

    Additional context keys are made available in the Infomap. For more information, see Context attributes

  • isamcfg REST API

    The ISAM command line utility for configuring Advanced Access Control with a reverse proxy "isam aac config" is now deprecated. Use the Local Management Interface or REST API documented on the box to configure an instance for use with the authentication service and context based access. For more information, see Configuring advanced access control authentication on a reverse proxy.

  • Support for MaxMind Geolocation database v2

    The GeoLocation policy information point is updated to allow the use of both GeoIP and GeoIP2. The latest release of the GeoIP Database can now be used to enforce access control policies by using the predefined geoCity, geoCountryCode, geoLocation, and geoRegion attributes. For more information, see Updating location attributes

  • apiauthsvc headers

    The Accept header requirements for apiauthsvc have been relaxed. The request now succeed with no Accept header, application/json or */*.

  • Macro HTML encoding

    New sps.page configuration options for HTML encoding of macros have been added. For more information, see Advanced Configuration Properties.

  • SCIM support for LDAP failover

    SCIM calls, when using the ISAM Runtime type server connection, now automatically fail over between configured LDAP replicas. This is controlled by the 'replica' configuration entry within the [ldap] stanza in the ldap.conf file.

  • SCIM performance improvements

    SCIM calls to retrieve or update resources have significantly improved response times for direct LDAP and ISAM Runtime type server connections.

  • SCIM support for multi-valued and operational attributes

    SCIM User Profile Attribute Mappings now correctly handle multi-valued and operational attributes from the underlying user registry.

  • SCIM support for working with suffixes

    SCIM calls using the ISAM Runtime type server connection now honor the 'ignore-suffix' configuration entry within the [ldap] stanza in the ldap.conf file. This entry controls the defined suffixes to omit from searches which helps improve the user and group information searches.

    SCIM calls for both the direct LDAP and ISAM Runtime type server connections now allow the suffix under which resources are created to be specified using the 'registrySuffix' data in the request body. For example, "registrySuffix":"cn=user,o=ibm,c=us".


  • Improvements to the Distributed Session Cache Configuration.

    By default, the local cache of the Distributed Session Cache sessions within the Advanced Access Control or Federation runtime is now disabled. You can enable it by using the new advanced configuration parameter, distributedSessionCache.localCacheEnabled. For more information, see Advanced Configuration Properties.

  • Capability to add samlp:Extensions to SAML messages
    SAML Message extensions can now be included in SAML messages. For more information see the following topics:
  • Scalability improvements on the number of federations and partners

    Configuration and runtime operations of the federation module are improved to handle larger numbers of federations and partners.

  • New Advanced Configuration Parameter

    A new advanced configuration parameter, sps.illegalUrlSubstrings is added. Single sign-on service stops processing an incoming HTTP request if the request query parameters contain any of the strings defined in this parameter. For more information, see Advanced Configuration Properties.

  • Support for LDAP alias service database

    SAML 2.0 persistent nameid flows have the option to store alias information in high-volume runtime database by default or in an LDAP alias database. For more information, see Alias Service.