
We Have Moved

The IBM Application Gateway has a new home -

The documentation on this site will no longer be maintained after v21.02. Please update your bookmarks.

What's New

Ideas for new features can be submitted using the IBM Application Gateway Ideas Community.



  • IAG can now direct unauthenticated clients to a specific URL to perform authentication. (See auth-challenge-redirect)
  • Applications running on protected resource servers can now authenticate clients using the External Authentication Interface. (See External Authentication)


  • An authorization policy can now redirect clients to a specific URL when denying access. (See obligation/redirect_url)

Configuration YAML User Interface

  • A new browser-based application which can be used to author and visualise the IAG configuration YAML has been made available at the following URL:


Session Sharing Between Containers

Kerberos Constrained Delegation Single Sign-On

OAuth Introspection


Kubernetes Operator

Username/Password Single Sign-on

LTPA Single Sign-on

  • IAG can now generate an LTPA token for single sign-on to protected applications. (see identity_headers/ltpa)


  • A new "Hello World" topic which demonstrates the various IAG deployment models has been added to the Developer Portal (see Hello World in the sidebar)
  • A new demonstration resource server application has been created. This application can be used when exploring IAG deployment models or experimenting with configuration (see References/Demo Resource Server)

Preview Capability: OAuth Introspection

  • IAG can now perform OAuth introspection to authenticate clients. (see Current Preview Features)
    Note: This is a preview capability and may be changed in a future release.




  • IAG can now read obfuscated and encrypted entries from the configuration YAML (see: "Special Types" in Concepts/Configuration)
  • Certificate related entries can now be specified as an array of certificate and key entries and do not need to be concatenated into a single string (see: Tasks/Managing Certificates)


  • IAG can now directly reference data from Kubernetes Secrets by name and field in the configuration YAML (see: "Special Types Available in Kubernetes" in Concepts/Configuration)



  • Credentials from an IBM Security Verify Access or IBM Security Access Manager identity provider can be consumed, where IBM Application Gateway (IAG) acts as an OpenID Connect (OIDC) Relying Party (see: Protecting Web Applications with IBM Security Verify Access);
  • The 'identity/ci_oidc' YAML configuration node is no longer the preferred way to configure IBM Security Verify as the Identity Provider. The new 'identity/oidc' YAML configuration node should be used instead (see: OIDC).


  • IAG can now be configured to listen on port 8080 for HTTP traffic (see: Server/Protocols)


v19.12 (Initial Release)


Application Protection: