We Have Moved
The IBM Application Gateway has a new home - docs.verify.ibm.com/gateway
The documentation on this site will no longer be maintained after v21.02. Please update your bookmarks.
What's New
Ideas for new features can be submitted using the IBM Application Gateway Ideas Community.
v21.02
Identity:
- IAG can now direct unauthenticated clients to a specific URL to perform authentication. (See auth-challenge-redirect)
- Applications running on protected resource servers can now authenticate clients using the External Authentication Interface. (See External Authentication)
Policy:
- An authorization policy can now redirect clients to a specific URL when denying access. (See obligation/redirect_url)
Configuration YAML User Interface
- A new browser-based application which can be used to author and visualise the IAG configuration YAML has been made available at the following URL: ibm.biz/ibm-app-gateway-yaml.
v20.12
Session Sharing Between Containers
- Session state can now be stored in an external Redis database and shared between multiple instances of IAG. (see Sharing Sessions Between Containers)
Kerberos Constrained Delegation Single Sign-On
- IAG can now perform single sign-on to Kerberos protected resource servers using Constrained Delegation. (see Passing Identity Information to Applications)
OAuth Introspection
- IAG can now perform OAuth introspection to authenticate clients. (see Protecting Applications with IBM Security Verify and Protecting Applications with IBM Security Verify Access)
v20.09
Kubernetes Operator
- A new Kubernetes operator can be used to configure and manage IAG instances. (see Deployment/Kubernetes/Overview)
- The Kubernetes operator is available from OperatorHub.io. (See Deployment/Kubernetes/OperatorHub)
- The Kubernetes operator can produce combined configuration from multiple sources, including literal definitions, config maps and web-based sources. (See Deployment/Kubernetes/Operator)
- The Kubernetes operator can be used for sidecar injection when deploying applications in Kubernetes. (See Deployment/Kubernetes/Sidecar)
- The Kubernetes operator can perform dynamic OIDC client registration to register new OIDC clients for IAG instances with the identity provider. (See Deployment/Kubernetes/OIDC Dynamic Client)
Username/Password Single Sign-on
- IAG can now retrieve credentials for use in single sign-on from an external credential service. (see Using a Credential service for single sign-on)
- Externally provided credentials can be used to perform basic authentication to protected applications. (see identity_headers#basic_auth)
- Externally provided credentials can be used to perform forms-based single sign-on to protected applications. (see forms_login)
LTPA Single Sign-on
- IAG can now generate an LTPA token for single sign-on to protected applications. (see identity_headers/ltpa)
Demo
- A new "Hello World" topic which demonstrates the various IAG deployment models has been added to the Developer Portal (see Hello World in the sidebar)
- A new demonstration resource server application has been created. This application can be used when exploring IAG deployment models or experimenting with configuration (see References/Demo Resource Server)
Preview Capability: OAuth Introspection
- IAG can now perform OAuth introspection to authenticate clients. (see Current Preview Features)
Note: This is a preview capability and may be changed in a future release.
v20.07
Authentication:
- Authentication requirements can now be enforced as part of an authorization policy (see: Tasks/Authentication Requirements)
Configuration:
- IAG can now read obfuscated and encrypted entries from the configuration YAML (see: "Special Types" in Concepts/Configuration)
- Certificate related entries can now be specified as an array of certificate and key entries and do not need to be concatenated into a single string (see: Tasks/Managing Certificates)
Kubernetes:
- IAG can now directly reference data from Kubernetes Secrets by name and field in the configuration YAML (see: "Special Types Available in Kubernetes" in Concepts/Configuration)
v20.04
Identity:
- Credentials from an IBM Security Verify Access or IBM Security Access Manager 9.0.7.0+ identity provider can be consumed, where IBM Application Gateway (IAG) acts as OpenID Connect (OIDC) Relying Party (see: Protecting Web Applications with IBM Security Verify Access);
- The 'identity/ci_oidc' YAML configuration node is no longer the preferred way to configure IBM Security Verify as the Identity Provider. The new 'identity/oidc' YAML configuration node should be used instead (see: OIDC).
Server:
- IAG can now be configured to listen on port 8080 for HTTP traffic (see: Server/Protocols)
v20.01
- Signed JSON Web tokens (JWT) can now be generated and sent to resource servers (see: Passing Identity Information to Applications);
- Statistics information can now be sent to a remote statsd server for monitoring purposes (see: Enabling Statistics Gathering);
- The content injection capability now supports a partial line match (see Inserting Content into Responses).
v19.12 (Initial Release)
Identity:
- Credentials from an IBM Security Verify tenant can be consumed, where IBM Application Gateway (IAG) acts as OpenID Connect (OIDC) Relying Party (see: Protecting Web Applications with IBM Security Verify).
Application Protection:
- An application can be defined and identified using either a path or host header (see: Protecting an Application);
- An attribute/claims based authorization policy can be defined to control access to resources (see: Defining the Authorization Policy);
- Access to resources can be rate limited (see: Rate Limiting Requests);
- HTTP requests or responses can be modified using XSLT defined rules (see: Transforming Requests and Responses);
- Cross-Origin Resource Sharing (CORS) policies can be handled on behalf of the application (see: Defining the Cross-Origin Resource Sharing Policy).
Logging
- Tracing, statistics gathering and performance metrics can be used to help diagnose issues in the environment.