What's new in this release

IBM® Security Access Manager provides new features and extended functions for Version 9.0.7.

Access Manager Platform

  • API Access Control

    A new API Access Control component has been added that provides a simple way to configure IBM Security Access Manager to protect a RESTful API. See API Access Control.

    This includes:
    • A simplified configuration of the existing components used when using IBM Security Access Manager to protect an API.
    • Allowing mapping of multiple URL aliases to the actual API path.
    • Enabling IBM Security Access Manager to serve documentation for the API.
    • Enhanced support for POP authorization using credential attribute matching. See Using Credential Attributes in Authorization Decisions.
  • OAuth Introspection

    The Web Reverse Proxy is now able to use an OAuth Introspection end point to validate an OAuth token. See OAuth Introspection.

  • HTTP Transformation Rules

    The XML representation of the HTTP Response object now makes available all of the elements of the HTTP Request object to be used in the response transformation. See HTTP Transformation Rules.

    HTTP Transformation Rules now supports regular expressions which can be used to match and replace strings. See XSL Transformation Rules.

    HTTP Transformation rules can now be used to specify the ACL bits which are used in the authorization decision for the request. See XSL Transformation Rules.

  • Internal Redirects

    WebSEAL can now use the location header in a 302 response to determine whether the redirect should be sent back to the client or handled internally. See follow-redirects-for.

  • ignore-svc-unavailable

    Use ignore-svc-unavailable to control whether WebSEAL handles a 503 'Service Unavailable' from a back-end server or returns it to the client. See ignore-svc-unavailable.

  • Configurable Login Banner

    Users can now customize the login page of the Local Management Interface (LMI) on the appliance. See Local management interface.

  • Rate limiting

    A rate limiting policy file can now contain multiple matching criteria. This allows a single rate limiting policy file to be used to rate limit multiple distinct resources. See Rate Limiting.

  • Web Content Protection

    The Web Content protection capability of the Web Reverse proxy is updated so that the user name and browser information fields can now be included in the audit record for dropped connections. See pam-fail-early. An option is now also provided to use a string representation of the time in the audit record. See pam-use-epoch-time.

  • Pending Changes

    A summary of pending changes for all users can now be viewed and managed using the Command Line Interface (CLI). See Command-line Interface.

  • Recursive Object Delete

    The 'object delete' pdadmin command, available through the CLI or the '/isam/pdadmin' Web Service, is now extended to allow a recursive delete of objects in the object space. See object delete.

  • Reverse Proxy Sessions

    The reverse proxy can now store non-cookie based sessions in a local session cache when the distributed session cache is enabled. See dsess-support-local-sessions.

  • Support for Transport Layer Security (TLS) version 1.3

    WebSEAL now provides the support for TLS v1.3 for SSL and junction connections. See [ssl] disable-tls-v13 and [junction] disable-tls-v13.

  • WebSEAL Password Update Callouts

    WebSEAL can now be configured to make a REST call before and after a user password is updated. See password-callouts.

  • Network Key Files (HSM device support)

    The SafeNet Luna Network HSM and nCipher nShield Connect driver files are no longer embedded within the IBM Security Access Manager firmware. The required files are now available for download as an appliance extension from the IBM Security App Exchange. See https://exchange.xforce.ibmcloud.com/hub/IdentityandAccess.

  • ISAM Docker Container

    The ISAM Docker container no longer needs to run as the root user. It will now be run as the 'isam' user (uid: 6000). See Docker Image for Security Access Manager.

  • ISAM Docker Container handling of log files

    Containers now store log files in container specific directories on the log volume. See the "Log files" section in Docker Image for Security Access Manager.

  • RedHat OpenShift support

    The ISAM Docker container is now supported on the RedHat OpenShift platform. See Kubernetes Support.

Advanced Access Control


  • Dynamic level MappingRules TraceString utilities

    Ability to set log level when using the IDExtMappingUtils traceString function. For more information, see the Javadoc. In the LMI, navigate to Manage System Settings > Secure Settings > File Downloads. Continue to federation > doc.

  • Customize AuthnContextClassRef values

    Customize the AuthnContextClassRef values using the mapping rule. See Customizing AuthnContext using identity mapping rule.

  • Support for Dynamic ACS URLs with regular expression

    A new configuration parameter saml20.idp.acsurlpattern is added. This parameter allows regular expression matching for the AssertionConsumerService URL and the protocol endpoint, so that a dynamic AssertionConsumerService URL that matches the regular expression can be provided in the AuthnRequest. See Advanced Configuration Properties.

  • Support for Kerberos STS Module

    The IBM Security Access Manager Federation component now supports the Kerberos STS module in Validate mode. See Kerberos Module.