Proxy app type editing improvements
- User flows have been completely phased out and will no longer appear in list views.
- All configuration for a Proxy app — upstream, route patterns, location access policies, and global request headers — now lives in the app editor.
- Resources (formerly Dependencies) define the identity fabric and service extensions you reference in access policies and claims. Define your Resources first, and they’ll be available in the relevant drop-downs throughout the Proxy app editor.
Fixes
- Added a warning in the configuration inspector when `http.writeTimeoutSeconds` is set for deployments using an MCP provider
- Resolved an issue where SAML and OIDC claims mappings were omitted during a deployment
- Added WSO2 to the supported identity provider filters for the OIDC protocol
- Attribute providers can no longer be selected as authentication sources for OIDC and SAML apps
- Fixed an issue where long policy metadata values were not properly truncated
- Added support for multiple identity providers in authentication policies for OIDC and SAML apps
- Added a scopes field to the OAuth connector in the Identity Fabric
- Fixed the OIDC offline access toggle always showing as disabled in the edit form
- Fixed uploaded service extension assets not being included in deployment bundles for OIDC and SAML apps
- Fixed namespace handling for service extension claims in OIDC and SAML claims mapping
Token brokering for OIDC apps
OIDC apps can now broker tokens from an upstream provider. Configure token brokering directly in the OIDC app editor.
Token brokering is experimental and may change in a future release.
Generic OAuth connector
A new Generic OAuth connector is available from the Identity Fabric. Use it to broker tokens against SaaS upstreams that expose OAuth but no OIDC discovery — for example, Databricks account-wide federation or GCP Workload Identity Federation.
RFC 7638 key IDs for OIDC Provider JWKs
The OIDC Provider JWK editor now includes a toggle for RFC 7638-compliant key ID (KID) generation. Existing keys keep their current KID; new keys use the spec-compliant algorithm.
Fixes
- Removing a Resource from a SAML or OIDC app no longer fails to save when an attribute provider still references it. Stale references now clear automatically, and the editor flags any that still need attention before you save.
- Fixed SAML v2 request verification certificate handling.
- Added URL validation to the Generic OAuth connector in the Identity Fabric.
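For the RFC 7638 key ID toggle described above, the following added example (not Maverics code) computes the RFC 7638 SHA-256 thumbprint of a JWK and checks whether a key's `kid` matches it, which separates existing keys that kept their KID from spec-compliant ones. The function names, the `legacy-key-1` KID, and the sample key values are constructed for illustration.

```python
import base64
import hashlib
import json

# Required members per key type, as listed in RFC 7638 section 3.2.
REQUIRED_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
    "oct": ("k", "kty"),
}


def jwk_thumbprint(jwk: dict) -> str:
    """Return the base64url SHA-256 thumbprint of a JWK (RFC 7638)."""
    kty = jwk.get("kty")
    if kty not in REQUIRED_MEMBERS:
        raise ValueError(f"unsupported kty: {kty!r}")
    try:
        required = {name: jwk[name] for name in REQUIRED_MEMBERS[kty]}
    except KeyError as exc:
        raise ValueError(f"JWK is missing required member {exc}") from None
    # Canonical form: required members only, sorted by name, no whitespace.
    # Optional members (kid, use, alg, ...) never influence the thumbprint.
    canonical = json.dumps(required, sort_keys=True, separators=(",", ":"))
    digest = hashlib.sha256(canonical.encode("utf-8")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def kid_is_rfc7638(jwk: dict) -> bool:
    """True when the key's kid equals its own RFC 7638 thumbprint."""
    return jwk.get("kid") == jwk_thumbprint(jwk)


# Constructed sample (not a real key): members out of order, plus metadata
# and a hypothetical pre-existing kid that is not a thumbprint.
SAMPLE_JWK = {
    "use": "sig", "alg": "ES256", "kid": "legacy-key-1",
    "y": "c2FtcGxlLXktY29vcmRpbmF0ZQ", "kty": "EC",
    "x": "c2FtcGxlLXgtY29vcmRpbmF0ZQ", "crv": "P-256",
}

if __name__ == "__main__":
    print("thumbprint:", jwk_thumbprint(SAMPLE_JWK))
    print("kid matches:", kid_is_rfc7638(SAMPLE_JWK))
```

Relying parties that cache keys by `kid` see a different identifier whenever a key is regenerated under the other scheme, so the same check can be run over a published JWKS to confirm which keys follow RFC 7638.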
SAML app type editing improvements
- User flows are being phased out and will no longer appear in list views.
- All configuration for a SAML app — service provider configuration, protocol & assertion settings, access policies, and attribute mappings — now lives in the app editor.
- Resources (formerly Dependencies) define the identity fabric and service extensions you reference in access policies and claims. Define your Resources first, and they’ll be available in the relevant drop-downs throughout the SAML app editor.
OIDC app type editing improvements
- User flows are being phased out. All configuration for an OIDC app — client details, access policies, claims, and OAuth 2.0 scopes — now lives in a single view.
- Resources (formerly Dependencies) define the identity fabric and service extensions you reference in access policies and claims. Define your Resources first, and they’ll be available in the relevant drop-downs throughout the OIDC app editor.
Custom Telemetry Exporters for Metrics
Ship Orchestrator metrics to any OTLP-compatible backend directly from the Observability settings page — no external collector required.
The Custom Telemetry Exporters section lets you add one or more metrics destinations alongside Maverics Cloud Telemetry. Each exporter is configured with a name, protocol (OTLP over HTTP or gRPC), endpoint, optional auth headers, and advanced tuning for compression, temporality, histogram aggregation, and export interval/timeout. See the metrics telemetry reference for the full field list.
Exporter types
- New Relic — preset tuned for New Relic’s OTLP ingest (`otlp.nr-data.net`, delta temporality, base2 exponential histograms, gzip).
- Generic OTel — works with any OTLP receiver. Point it at your own OpenTelemetry Collector or directly at a SaaS backend that accepts OTLP, including Datadog, Grafana Cloud, Honeycomb, Splunk Observability Cloud, Dynatrace, AWS CloudWatch (via ADOT), Microsoft Azure Monitor, Google Cloud Observability, and Chronosphere.
- Observability settings are now grouped under Orchestrator Settings.
- Each exporter runs independently — a slow or unreachable destination won’t block the others.
- Maverics Cloud Telemetry remains available and is unaffected by custom exporter configuration.
- Resolved an issue where SSO configuration changes were not applied
- Fixed sidebar navigation active state on Identity Fabric and Service Extension detail pages
- Dropdowns with 10+ items now include a search filter so you can quickly find what you need
- Fixed an issue where dropdown selections couldn’t be changed
- Added search and filter support to dropdown selectors
- Resolved issues preventing successful signup and user invitation flows
- The code editor for service extensions, OPA policies, and OpenAPI code has been upgraded to Monaco Editor for an improved editing experience
- Configure JSON output logging for deployments
- SAML apps now support configuring NameID element qualifiers
- The Console now validates Rego policy scripts for compilation errors when saving OPA policies
- The OIDC Identity Fabric connector now shows a detailed error view and validates that the connected Orchestrator meets the required minimum version
- Resolved an issue where account re-registration was blocked after deleting an account
- API App Type Moves to Service Extensions: API App Types have been relocated from the Applications area to the Service Extensions area in the Maverics Console, unifying the experience for managing APIs and service extensions under a single interface.
- All existing API App Types automatically appear in the Service Extensions area alongside your other extensions.
- Creating a new API is straightforward — select “API” from the Service Extensions area and provide your configuration details.
- API App Types can now be attached to deployments directly.
- Existing deployments that already have APIs associated with them will find those APIs in a new dedicated APIs section within the deployment configuration. No migration or reconfiguration is required.
- Added OIDC callback error handling configuration for the Entra ID and Generic OIDC Identity Fabric connectors. Requires Orchestrator v2026.03.3 or higher.
- Service extension asset uploads now support files up to 5 MB
- Fixed an issue where dependencies and library settings were not deployed with API service extensions
- The Console will now validate the SAML certificate and key pair when uploading to a deployment. We recommend doing this only for testing purposes; for production, always use a secrets provider.
- LDAP configuration no longer shows a custom login file path option
- HTTP Server TLS configuration now supports `None` as a client authentication type
- Resolved issues when attaching service extensions to a deployment
- Resolved issues when typing spaces or Enter in the Rego policy editor
- Service Extensions list header is now properly titled
- Fixed an issue where service extensions were not working as a Name ID source in SAML user flows
- Authentication service extensions are no longer listed in the user flow dependency list
- Audit Log (Beta) is now available
- Resolved email case sensitivity issues when signing in and accepting user invitations
- Maverics Console no longer applies an automatic namespace prefix when a Service Extension is the source for a NameID attribute value. This resolves Orchestrator runtime errors that produced “connector does not exist” and “missing claim mapping” messages, which prevented SAML authentication from completing.
- Action Needed: SAML user flows that use a Service Extension to populate the NameID value may require a manual update to the NameID mapping field.
- You can now remove members who declined a team invitation
- Resolved an issue where screens refreshed unexpectedly, causing a loss of edits
- Audit logs now capture login and logout events
- Audit log events now include event type, category, and target metadata in the admin API
- Audit logs table now shows the target type alongside the target name
- Service extensions listed in user flow dependencies now show available metadata
- Audit Logs navigation item is pinned to the bottom of the sidebar
- Fixed sorting issues across listing views for consistent ordering
- Fixed an issue where dependency metadata was not preserved when updating a user flow
- Fixed the Service Extension editor shuffling metadata fields
- Audit log timestamps are now formatted for readability
- Session creation audit log events no longer include query parameters
- Configure the maximum TLS version for deployment TLS settings (requires Orchestrator v2026.02.3 or higher)
- Resolved an issue preventing login with Email OTP
- Added a Target Name column to the audit logs table for easier identification of affected resources
- User details are now included in membership audit log events
- Configure HTTP Server timeouts and access logging in Deployments
- Configure outbound authorization for MCP protocol operations (`initialize` and `tools/list`) for MCP Proxy apps (requires Orchestrator v2026.02.2 or higher)
- Improved UX when deploying HTTP Server settings, including default placeholders and endpoint timeout validation
- Resolved TLS configuration issues with client CA files, Windows certificate store persistence, and cipher suite persistence
- Your Console account is now linked to one sign-in method (the last one you used) — use that same method every time you log in
- Sign-in options: Maverics Account passwordless (Email OTP or HYPR), social sign-in (Google or Microsoft Account), or Enterprise SSO (bring your own IdP)
- GitHub sign-in has been removed as a login option
- If you try a different sign-in option, you’ll see a message that the email is already associated with another identity provider
- Redis Cache now supports enabling TLS configuration in the Console without having to set a CA file path
- A new toggle lets you enable or disable TLS for the Redis cache connection
- Set the minimum TLS version (1.2 or 1.3)
- Resolved an issue preventing SSO users from reliably signing into Maverics Console
- Resolved a critical issue where CA (Certificate Authority) and mutual TLS configuration was not persisting in proxy applications
- The system now properly saves and deploys the configuration
- Fixed an issue where the proxy outbound TLS CA file path was not being properly saved or deployed
- The sign up and sign in flows have been redesigned for a cleaner, more efficient user experience
- The Orchestrators Main Menu has been removed — all orchestrator settings are now accessible from the Deployment Manager
- You can now configure JWT client authentication for OIDC apps
- Requires Orchestrator v2026.01.3 or higher
- JWT Client Authentication Configuration for the Generic OIDC Connector
- Requires Orchestrator release v2026.01.3 or higher
- Resolved issues preventing the attachment of service extensions to OIDC, SAML, or Proxy app type user flows
- Resolved issues preventing deletion of applications or user flows that were not attached to a deployment
- MCP Proxy App Type is now available
- You can now create and configure MCP Proxy apps directly from the Maverics Console