Skip to main content

What's New

Ideas for new features can be submitted using the IBM Application Gateway Ideas Community.



  • IAG can now direct unauthenticated clients to a specific URL to perform authentication. (See auth-challenge-redirect)
  • Applications running on protected resource servers can now authenticate clients using the External Authentication Interface. (See External Authentication)


  • An authorization policy can now redirect clients to a specific URL when denying access. (See obligation/redirect_url)

Configuration YAML User Interface

  • A new browser based application which can be used to author and visualise the IAG configuration YAML has been made available at the following URL:


Session Sharing Between Containers

Kerberos Constrained Delegation Single Sign-On

OAuth Introspection


Kubernetes Operator

Username/Password Single Sign-on

LTPA Single Sign-on

  • IAG can now generate LTPA token for single sign-on to protected applications. (see identity_headers/ltpa)


  • A new "Hello World" topic which demonstrates the various IAG deployment models has been added to the Developer Portal (see Hello World in the sidebar)
  • A new demonstration resource server application has been created. This application can be used when exploring IAG deployment models or experimenting with configuration (see References/Demo Resource Server)

Preview Capability: OAuth Introspection

  • IAG can now perform OAuth introspection to authenticate clients. (see Current Preview Features)
    Note: This is a preview capability and may be changed in a future release.




  • IAG can now read obfuscated and encrypted entries from the configuration YAML (see: "Special Types" in Concepts/Configuration)
  • Certificate related entries can now be specified as an array of certificate and key entries and do not need to be concatenated into a single string (see: Tasks/Managing Certificates)


  • IAG can now directly reference data from Kubernetes Secrets by name and field in the configuration YAML (see: "Special Types Available in Kubernetes" in Concepts/Configuration)



  • Credentials from an IBM Security Verify Access or IBM Security Access Manager identity provider can be consumed, where IBM Application Gateway (IAG) acts as OpenID Connect (OIDC) Relying Party (see: Protecting Web Applications with IBM Security Verify Access);
  • The 'identity/ci_oidc' YAML configuration node is no longer the preferred way to configure IBM Security Verify as the Identity Provider. The new 'identity/oidc' YAML configuration node should be used instead (see: OIDC).


  • IAG can now be configured to listen on port 8080 for HTTP traffic (see: Server/Protocols)


v19.12 (Initial Release)


Application Protection: