Security Access Manager added support for OpenID Connect as a identity provider and as a relying party in version 9.0. These capabilities were introduced as part of the federation offering which was also added in version 9.0.

This OpenID connect solution was capable of satisfying the browser single sign on aspects of OpenID connect, however there were documented limitations with the solution.

In December 2017 version 9.0.4.0 was released, which brought a significant iteration on the OpenID Connect solution. This enhancement came in the form of the API protection features of ISAM having OpenID Connect capabilities added, making the feature a super set of both API protection and the existing OIDC federation offering. A new relying party was also written. In this release most of the known limitations were addressed.

The Federations UI in version 9.0.4.0 onwards. Identifying the legacy solution and indicating to the new provider should be used.


When the move to the new OpenID Connect implementation was undertaken, the API protection features were added to federation, such that only either one of the two advanced access control or federation offerings needed to be activated in order to make use of the OpenID Connect provider features. The new relying party remained as part of the federation offering. The version of OpenID Connect initially added in 9.0 was updated to be identified as ‘Legacy’ in both documentation and the user interface of the product.


The updated API protection definition creation panel, including the options for OpenID Connect.

In version 9.0.5.0, some new features were added to the OpenID Connect provider, most significantly of these being dynamic client registration, something I’ve written about earlier. Dynamic client registration was the last outstanding issue on the list of documented limitations.

You can find the technote which covers each of the topics and how they’re addressed in here.