IBM Application Gateway

What's New


Requesting new features

Ideas for new features can be submitted using the IBM Application Gateway Ideas Community.


Authentication Flow Redirects


  • Additional Bug Fixes, Security Updates and behind the scenes improvements.


PROXY Protocol Support

OAuth Introspection

  • IAG can now include additional HTTP headers when making requests to OAuth introspection endpoints. (see oauth)

Resource Severs


  • IAG can now directly reference data from a Kubernetes ConfigMap by name and field in the configuration YAML (see: "Special Types Available in Kubernetes" in Concepts/Configuration)



  • IAG can now direct unauthenticated clients to a specific URL to perform authentication. (See auth_challenge_redirect)
  • Applications running on protected resource servers can now authenticate clients using the External Authentication Interface. (See External Authentication)


  • An authorization policy can now redirect clients to a specific URL when denying access. (See obligation/redirect_url)

Configuration YAML User Interface

  • A new browser based application which can be used to author and visualise the IAG configuration YAML has been made available at the following URL:


Session Sharing Between Containers

Kerberos Constrained Delegation Single Sign-On

OAuth Introspection


Kubernetes Operator

Username/Password Single Sign-on

LTPA Single Sign-on

  • IAG can now generate LTPA token for single sign-on to protected applications. (see identity_headers/ltpa)


  • A new "Hello World" topic which demonstrates the various IAG deployment models has been added to the Developer Portal (see Hello World in the sidebar)
  • A new demonstration resource server application has been created. This application can be used when exploring IAG deployment models or experimenting with configuration (see References/Demo Resource Server)

Preview Capability: OAuth Introspection

  • IAG can now perform OAuth introspection to authenticate clients. (see Current Preview Features)
    Note: This is a preview capability and may be changed in a future release.




  • IAG can now read obfuscated and encrypted entries from the configuration YAML (see: "Special Types" in Concepts/Configuration)
  • Certificate related entries can now be specified as an array of certificate and key entries and do not need to be concatenated into a single string (see: Tasks/Managing Certificates)


  • IAG can now directly reference data from Kubernetes Secrets by name and field in the configuration YAML (see: "Special Types Available in Kubernetes" in Concepts/Configuration)



  • Credentials from an IBM Security Verify Access or IBM Security Access Manager identity provider can be consumed, where IBM Application Gateway (IAG) acts as OpenID Connect (OIDC) Relying Party (see: Protecting Web Applications with IBM Security Verify Access);
  • The 'identity/ci_oidc' YAML configuration node is no longer the preferred way to configure IBM Security Verify as the Identity Provider. The new 'identity/oidc' YAML configuration node should be used instead (see: OIDC).


  • IAG can now be configured to listen on port 8080 for HTTP traffic (see: Server/Protocols)


Application Protection


v19.12 (Initial Release)


Application Protection


Updated 3 months ago

What's Next

Do you have an idea for a new feature? Learn about requesting new capabilities.


What's New

Suggested Edits are limited on API Reference Pages

You can only suggest edits to Markdown body content, but not to the API spec.