- Simplified Members list combining pending user invites and active members into one list
- Fixed an issue where proxy outbound TLS CA file path was not being properly saved or deployed
- When hosting multiple MCP Bridge apps in an AI Identity Gateway deployment, you can now assign unique namespaces to each app’s tools
- This prevents tool name conflicts across multiple MCP servers
- Introducing Server Name Indication (SNI) TLS configuration
- Configure TLS settings for individual host domains in addition to the global TLS settings
- Enhanced Token Lifecycle Control for AI Agent Operations
- Fine-grained control over token issuance and lifecycle for AI agent operations, including:
  - Delegation
  - Refresh token lifetime
  - Access token lifetime
- Enhancements to Rego and OpenAPI spec views and drag-n-drop
- MCP Bridge Provider now supports environment variables in URLs
- Bug fixes for SAML and OIDC authentication policies
- Drag-and-drop OpenAPI specs and Rego policy definitions when defining an MCP Bridge app
- SAML Apps unauthorized page field no longer requires a full URL
- When defining the tools you want to expose in your MCP, you can now directly edit the OpenAPI spec in YAML or JSON format
- Note: OpenAPI v3.0 is supported (v3.1 or higher is not supported)
- The AI Identity Gateway: MCP Bridge is now available
- Enables teams to let AI agents interact with internal or external APIs safely, with identity, authorization, and policy enforcement
- Resolved an issue where the disable hashing option was not propagated in a deployment
- You can now disable the feature-specific prefix typically prepended to cache keys, enabling shared Redis cache for external data integration
- Requires Orchestrator v2025.11.1 or higher
- The LDAP provider and related LDAP service extensions are now generally available in the UI
- You no longer need to contact support to enable it
- Resolved an issue that prevented users from being able to accept account invitations
- Resolved an issue that prevented new users from being able to sign up
- Fixed config generation when multiple Continuity Strategies are defined in a single deployment
- Improved how TLS certificates and TLS policies (e.g., min TLS version, enabled ciphers) are configured
- More flexibility and better security controls
- You can now sort and search by name for applications, identity fabric, and user flows from the dashboard
- Resolved issues where Identity Service Health Monitoring did not generate correct config
- The proxy user flow editor now lets you attach a user flow to a deployment
- New list of deployments view
- Resolved an issue where proxy user flows failed with service extensions with null metadata
- New UI for the proxy application user flow editor with a show view and an edit slide-out window
- Adopted new list experience for applications, including:
  - Search by name
  - Create new
  - View the associated user flow
- Fixed PKCE toggle in OIDC Identity Fabric
- When creating an OIDC based identity fabric, PKCE is enabled by default and the toggle now correctly shows enabled state
- Improved warning experience when trying to delete a service extension that is in use
- Added CORS configuration to OIDC applications
- You can now enter multiple login and logout redirect URLs for Microsoft Entra ID OIDC and other OIDC identity fabric services
- Updated look and feel of the Identity Fabric page
- Deployments now support Azure Government Cloud blob storage
- Requires Orchestrator version v2025.08.2 or higher
- In the LDAP authentication fabric settings you can now customize login flows by uploading custom HTML pages and localizations
- You can now perform a name search from the Identity Fabric list and on creation
- From the Deployment Manager you can now configure TLS settings for inbound connections on the orchestrator host
- Requires manual orchestrator restart
- Resolved an issue where metadata value edits were not deploying
- You can now add filters to suppress log messages from Observability Settings
- Each filter defines a function that tests potential log output
- In an OIDC app type definition you can now define a redirect URL fallback when an app’s authorization request does not include a redirect_uri parameter
- Improved user flow list view with search and filtering
- You can now set a file path on the host to the SAML Private Key and SAML Public Key (Certificate)
- Requires Orchestrator version 2025.06.4 or higher
- Resolved an issue preventing users from switching accounts
- Updated the system to use the latest Orchestrator Telemetry configuration
- The new Deployments capability is now available in all accounts
- Includes:
  - Deployments Workflow
  - Deployment Manager
  - Configuration Preview
- Attribute Provider definition in a user flow has been expanded and renamed to Dependencies
- You can now attach identity providers, service extensions, and attribute providers to a user flow
- You can now define multiple Entity IDs when defining a SAML application
- In an OIDC app you can now mark an app as a public client
- Public clients, such as SPAs, do not require a client secret
- Requires Orchestrator release v2025.05.2 or higher
- View the latest Orchestrator release version number and date, and go directly to the release notes
- Orchestrator Version Inspection to check compatibility
- Added support for editing metadata values for service extension points in Proxy User Flows
- You can now define an app specific unauthorized (403) URL for SAML apps
- Requires Orchestrator Release v0.113.0
- Publish Preview actions are now on each app in SAML and OIDC user flows
- SAML apps can define default and multiple Assertion Consumer Service (ACS) URLs
- OIDC Apps now support allowedAudiences
- Bug fixes for user flow metadata and SE function names
- New Deployments Workflow, Deployment Manager, Configuration Preview, and Enhanced SAML App Configuration
- Gradually rolling out to existing accounts
- Improved text formatting and layout of the deployment manager
- Resolved issues where a user could not accept an invitation to another account
- When defining an OIDC app you can now require Demonstrating Proof of Possession (DPoP)
- App Centric Migrations to prepare for future UI updates
- New users can sign in with a passkey as an alternative to the HYPR app
- Each application is now restricted to one user flow to simplify application deployments