New in v4.2.0.0

This section provides an overview of the new features, improvements and a list of changes in version 4.2.0.5 relative to 4.1.12.

New features and improvements

The summary below lists the new features and improvements which have been added to this release.

Authentication

Adaptive authentication

Adaptive authentication allows organizations to define complex authentication workflows which can take into account a variety of factors such as geo-location, roles, device, etc. These factors can be used to determine the flow of authentication. Adaptive authentication can be utilized with MFA devices and, where the MFA device requires a network, the solution supports the cases where there is no signal or the user has forgotten their device.

Social login and registration

Social login allows end-users to authenticate using their social identities from services such as Facebook, Google and LinkedIn. Social registration provides for dynamic registration where the configured attributes can be dynamically obtained from the social site and stored in OpenIAM.

Mobile MFA with push notification

As part of this release, OpenIAM introduces a mobile app on iOS and Android which enables MFA with push notification and TOTP.

Device registration and management

The OpenIAM access control model has been extended to include support for devices. This is an initial step to support IoT within OpenIAM. Users can register multiple devices to their user profile and administrators can manage these devices.

Credential providers for Windows and Mac

Credential providers are available for Microsoft Windows and Apple Mac. The credential providers replace the default authentication screen on each OS. They support authentication against AD or the OpenIAM API, which can be configured to authenticate to a variety of applications using the OpenIAM application connectors. End users can also leverage the forgot password functionality in OpenIAM from the operating system login screen.

Audit and Compliance

Provisioning and life cycle management

Group provisioning

Organizations deploying OpenIAM 4.2.0 and later can provision and de-provision groups from target systems. They can also use the self-service portal to request the creation of new groups. Once approved, the system will automatically provision the group.

Orphan management

The OpenIAM user interface supports viewing discovered orphaned accounts in each application which is managed through OpenIAM. Using the orphan management tools, authorized users can either:

  • Associate these accounts to the correct user profile
  • Remove these accounts from the end applications if appropriate
  • Create a new account in OpenIAM

Define resource provisioning order

When provisioning a number of systems together, there are times when some operations need to be performed before others. With this enhancement, it is possible to control the order in which resources are provisioned, as well as to perform follow-up activities after particular operations have completed.
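As an added illustration of the ordering described above (example code written for this page, not OpenIAM's own implementation; the `ProvisioningPlan` class, the resource names and the hook are all constructed), the following resolves a dependency-ordered provisioning sequence, refuses circular dependencies, and runs post-completion hooks after each resource is created:

```python
from collections import defaultdict
from typing import Callable, Dict, Iterable, List, Set, Tuple

# Hypothetical class: ProvisioningPlan is illustrative, not an OpenIAM API.
class ProvisioningPlan:
    """Resolves the order in which target-system resources are provisioned.

    Each resource may declare resources that must exist before it, and
    callbacks that run once it has been provisioned successfully."""

    def __init__(self) -> None:
        self._deps: Dict[str, Set[str]] = {}
        self._after: Dict[str, List[Callable[[str], str]]] = defaultdict(list)

    def add_resource(self, name: str, depends_on: Iterable[str] = ()) -> None:
        self._deps.setdefault(name, set()).update(depends_on)
        for dep in depends_on:
            self._deps.setdefault(dep, set())

    def on_complete(self, name: str, hook: Callable[[str], str]) -> None:
        self._after[name].append(hook)

    def order(self) -> List[str]:
        """Topological order (Kahn's algorithm); ties are broken alphabetically so runs are repeatable."""
        indegree = {res: len(deps) for res, deps in self._deps.items()}
        dependents: Dict[str, List[str]] = defaultdict(list)
        for res, deps in self._deps.items():
            for dep in deps:
                dependents[dep].append(res)
        ready = sorted(res for res, n in indegree.items() if n == 0)
        ordered: List[str] = []
        while ready:
            current = ready.pop(0)
            ordered.append(current)
            for res in dependents[current]:
                indegree[res] -= 1
                if indegree[res] == 0:
                    ready.append(res)
                    ready.sort()
        if len(ordered) != len(self._deps):
            # Something never reached indegree 0: a cycle, which can never be provisioned.
            stuck = sorted(res for res, n in indegree.items() if n > 0)
            raise ValueError(f"circular provisioning dependency among: {stuck}")
        return ordered

    def execute(self, provision: Callable[[str], None]) -> List[Tuple[str, str]]:
        """Provision every resource in dependency order, running its hooks right after it completes."""
        log: List[Tuple[str, str]] = []
        for res in self.order():
            provision(res)
            log.append(("provisioned", res))
            for hook in self._after[res]:
                log.append(("after", hook(res)))
        return log


def build_sample_plan() -> ProvisioningPlan:
    """Constructed scenario: a mailbox and a VPN group both require the directory account first."""
    plan = ProvisioningPlan()
    plan.add_resource("directory_account")
    plan.add_resource("mailbox", depends_on=["directory_account"])
    plan.add_resource("vpn_group", depends_on=["directory_account"])
    # Follow-up activity that only makes sense once the mailbox exists.
    plan.on_complete("mailbox", lambda res: f"welcome mail queued for {res}")
    return plan


def run_sample() -> List[Tuple[str, str]]:
    # The provision callback is a no-op here; a real one would call the connector.
    return build_sample_plan().execute(lambda res: None)


if __name__ == "__main__":
    for entry in run_sample():
        print(entry)
```

The cycle check matters operationally: a misconfigured plan in which two resources each wait for the other would otherwise hang or silently skip resources, so it is rejected before any connector is called.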

Connector monitoring

The connector health-check has been extended to send out alerts if a particular connector stops working. In these cases, failed operations can also be retrieved to allow for re-processing.

Request / approval for privileged accounts

The request-approval functionality has been extended to support privileged accounts. Admins can now request privileged access for their accounts for a period of time. After the allotted time has expired, access will be revoked. In environments where admins have a "pool" of admin accounts, admins can request to "checkout" an account for a period of time. If approved, the account will be enabled and operational only for the allotted time.
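The time-bound checkout just described, as an added example (written for this page, not OpenIAM's code; `PrivilegedAccountPool`, the account names and the rule that the approver must differ from the requester are all assumptions made here): an account from the pool is enabled only inside an approved window, and a periodic sweep disables it once the window ends.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Hypothetical classes: Checkout and PrivilegedAccountPool are illustrative, not OpenIAM APIs.

@dataclass(frozen=True)
class Checkout:
    account: str
    requester: str
    approver: str
    starts_at: datetime
    expires_at: datetime


class PrivilegedAccountPool:
    """A pool of shared admin accounts, each enabled only for an approved, bounded window."""

    def __init__(self, accounts, max_duration: timedelta = timedelta(hours=8)) -> None:
        self._available: List[str] = sorted(accounts)
        self._checked_out: Dict[str, Checkout] = {}
        self._max_duration = max_duration
        self.audit: List[str] = []   # every enable/disable is recorded for later review

    def checkout(self, requester: str, approver: str, duration: timedelta, now: datetime) -> Checkout:
        # Assumed policy: someone other than the requester must approve.
        if requester == approver:
            raise PermissionError("requester cannot approve their own privileged access")
        if duration <= timedelta(0) or duration > self._max_duration:
            raise ValueError(f"duration must be positive and at most {self._max_duration}")
        if not self._available:
            raise LookupError("no privileged accounts available in the pool")
        account = self._available.pop(0)
        co = Checkout(account, requester, approver, now, now + duration)
        self._checked_out[account] = co
        self.audit.append(
            f"{now.isoformat()} ENABLE {account} for {requester} "
            f"until {co.expires_at.isoformat()} approved_by={approver}"
        )
        return co

    def is_enabled(self, account: str, now: datetime) -> bool:
        co = self._checked_out.get(account)
        return co is not None and co.starts_at <= now < co.expires_at

    def revoke_expired(self, now: datetime) -> List[str]:
        """Disable every account whose window has ended and return it to the pool."""
        expired = [acct for acct, co in self._checked_out.items() if now >= co.expires_at]
        for account in expired:
            co = self._checked_out.pop(account)
            self._available.append(account)
            self.audit.append(f"{now.isoformat()} DISABLE {account} window_for={co.requester} ended")
        self._available.sort()
        return expired


def demo() -> dict:
    """Constructed scenario: a two-hour checkout, checked after one hour and after three hours."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    pool = PrivilegedAccountPool(["adm-01", "adm-02"])
    co = pool.checkout("alice", "bob", timedelta(hours=2), t0)
    enabled_during = pool.is_enabled(co.account, t0 + timedelta(hours=1))
    revoked = pool.revoke_expired(t0 + timedelta(hours=3))
    enabled_after = pool.is_enabled(co.account, t0 + timedelta(hours=3))
    self_approval_rejected = False
    try:
        pool.checkout("carol", "carol", timedelta(hours=1), t0)
    except PermissionError:
        self_approval_rejected = True
    return {
        "account": co.account,
        "enabled_during": enabled_during,
        "revoked": revoked,
        "enabled_after": enabled_after,
        "self_approval_rejected": self_approval_rejected,
        "audit": pool.audit,
    }


if __name__ == "__main__":
    for line in demo()["audit"]:
        print(line)
```

The clock is passed in explicitly rather than read from `datetime.now()`, which keeps the expiry logic testable and makes it clear that revocation depends on a scheduled sweep actually running; in a deployment that sweep is the control that turns "allotted time" into a real limit.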

Position change workflows

A new business rule has been implemented such that both the position and the supervisor must change to trigger a position change workflow. This rule is configurable to support other business requirements.

SLAs for Workflows

The out-of-the-box workflows in OpenIAM have been extended to support SLAs. Organizations can define:

  • Time frame by which a task should be completed
  • When reminders should be sent and how frequently
  • Users or groups of users to whom escalations should be raised if SLAs are not met.
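To make the three SLA settings above concrete, here is an added example (written for this page, not OpenIAM's workflow engine; `SlaPolicy`, `sla_schedule` and the sample assignee and escalation group are constructed) that turns a task's creation time and an SLA policy into the sequence of reminders and escalations the task would generate, plus a breach check:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Hypothetical types and functions; illustrative, not an OpenIAM API.

@dataclass(frozen=True)
class SlaPolicy:
    complete_within: timedelta     # time frame by which the task should be completed
    remind_after: timedelta        # first reminder goes out this long after the task is created
    remind_every: timedelta        # and is repeated at this interval until the deadline
    escalate_to: Tuple[str, ...]   # users or groups notified when the deadline is missed


def sla_schedule(created_at: datetime, assignee: str, policy: SlaPolicy,
                 until: datetime) -> List[Tuple[datetime, str, str]]:
    """Notifications (time, kind, recipient) an open task produces up to `until`.

    Reminders go to the assignee while the task is still inside its SLA window;
    when the deadline passes, one escalation is raised to each configured target."""
    if policy.remind_every <= timedelta(0):
        raise ValueError("remind_every must be positive")
    deadline = created_at + policy.complete_within
    events: List[Tuple[datetime, str, str]] = []
    t = created_at + policy.remind_after
    while t < deadline and t <= until:
        events.append((t, "reminder", assignee))
        t += policy.remind_every
    if until >= deadline:
        for target in policy.escalate_to:
            events.append((deadline, "escalation", target))
    return events


def sla_breached(created_at: datetime, policy: SlaPolicy, now: datetime,
                 completed_at: Optional[datetime] = None) -> bool:
    """True when the task was not (or has not yet been) completed inside the SLA window."""
    deadline = created_at + policy.complete_within
    finished = completed_at if completed_at is not None else now
    return finished > deadline


# Constructed sample policy: complete within 4h, remind from 2h every hour, escalate to it-managers.
SAMPLE_POLICY = SlaPolicy(
    complete_within=timedelta(hours=4),
    remind_after=timedelta(hours=2),
    remind_every=timedelta(hours=1),
    escalate_to=("it-managers",),
)
SAMPLE_CREATED = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)


def sla_demo() -> List[Tuple[str, str, str]]:
    """Schedule for the sample task observed five hours after creation, with times as HH:MM."""
    events = sla_schedule(SAMPLE_CREATED, "alice", SAMPLE_POLICY, SAMPLE_CREATED + timedelta(hours=5))
    return [(t.strftime("%H:%M"), kind, who) for t, kind, who in events]


def sla_breach_demo() -> Tuple[bool, bool]:
    """(completed at 3h -> within SLA, still open at 5h -> breached)."""
    on_time = sla_breached(SAMPLE_CREATED, SAMPLE_POLICY, SAMPLE_CREATED + timedelta(hours=5),
                           completed_at=SAMPLE_CREATED + timedelta(hours=3))
    late = sla_breached(SAMPLE_CREATED, SAMPLE_POLICY, SAMPLE_CREATED + timedelta(hours=5))
    return on_time, late


if __name__ == "__main__":
    for event in sla_demo():
        print(event)
    print(sla_breach_demo())
```

Reminders stop strictly before the deadline so the assignee is not nagged and escalated at the same instant; the escalation is emitted exactly once per target, which is what an escalation group would expect from an approval workflow.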

Delay when trying to open a request

In some cases, users are unable to open a request and they receive a message telling them to wait. This problem will not arise for requests created with the 4.2.0.5 release and beyond.

User search

Search performance has been improved to prevent errors while searching on certain attributes.

Architectural changes

Performance improvements

Performance in v4.2 has been significantly improved from previous versions and many operations are now 2 to 10 times faster.

Stack upgrade

Core infrastructure components, listed below, have been upgraded to the latest stable release:

  • Elasticsearch
  • Java 11
  • RabbitMQ
  • Redis

Kubernetes support

Kubernetes support has been added in v4.2.0, and customers can now deploy OpenIAM on their Kubernetes clusters, which can be on AWS, Google Cloud or a custom Kubernetes cluster.

Terraform

Terraform scripts are part of the Docker on Kubernetes distribution to simplify the deployment of OpenIAM on both single-node and multi-node Kubernetes clusters, on-premise or in the cloud.

Vault

HashiCorp's Vault has been introduced into the platform architecture to store sensitive keys and improve security.

Flyway

Flyway has been introduced into the platform architecture to simplify the effort of upgrading from one version to the next. Flyway detects the current version that is being used and then applies the scripts needed to upgrade the instance to the desired version.

Monitoring

Kibana has been integrated into the stack to provide out-of-the-box monitoring. This integration allows you to see details such as CPU and memory utilization at both the application and container levels. Filebeat is used to allow viewing of the low-level system logs in a Kubernetes deployment through the monitoring interface.