Release Notes Archive - Orchestrator


v0.99.1

2025-02-24

Resolved an issue so that reload now works successfully when an end session endpoint is defined for an OIDC provider.

v0.99.0

2025-02-24

The go-redis package in the orchestrator has been updated to version 9.7.1.

v0.97.0

2025-02-19

The build architecture of the macOS download artifact has been updated from AMD to ARM.

v0.96.0

2025-02-21

Added support for multiple secret paths in HashiCorp Vault secret provider

The orchestrator integration with HashiCorp Vault now supports multiple secret paths from the same secrets engine. If needed as part of your user flows, you can define secret paths for multiple secrets in the orchestrator configuration. For more details, see Secrets Management: HashiCorp Vault.

As part of this update, secret names cannot contain any forward slashes (/).

If you are currently using HashiCorp Vault as a secrets provider and your secret names include slashes, Strata advises you to remove the slashes or change the secret name before upgrading your orchestrator to v0.96.0.

Failing to do so might result in a connection failure to your Vault instance. To remediate this, remove the slashes from your secret name and then restart the orchestrator.

v0.94.0

2025-02-13

Orchestrator has been upgraded to Go v1.23.

Noteworthy changes include:

  • 3DES cipher suites are removed from the default list of secure ciphers that the Orchestrator uses. If required, these ciphers can be re-enabled by using the enabledCiphers TLS config.
  • net/http Cookie implementation no longer strips double quotes from cookies when storing. This should not impact existing service extensions, but Strata is performing a further investigation to verify behaviours remain consistent.

For more information, see Go 1.23 Release Notes.

v0.93.0

2025-02-13

  • Browser based client apps now have access to DPoP-Nonce response headers.

v0.91.0

2025-02-10

  • The OIDC Provider now requires DPoP nonce validation.

v0.90.0

2025-01-31

  • When a previously issued access token is DPoP bound, DPoP proof and its corresponding access token are now validated at the userinfo endpoint.

v0.89.0

2025-01-31

  • Internal enhancements and improvements.
  • Maverics now supports DPoP bound refresh tokens.

v0.88.2

2025-01-29

  • A bug causing attribute providers to break in proxy apps was fixed.

v0.88.1

2025-01-29

  • Internal Only release: enhancements and improvements.

v0.88.0

2025-01-28

  • Maverics now supports opaque access tokens when using DPoP.

v0.80.0

2025-01-22

  • We have updated the metadata endpoint to return DPoP signing algorithms for OIDC providers.

v0.79.0

2025-01-22

  • Maverics now supports DPoP sender-bound access tokens for OIDC providers.

v0.69.1

2024-12-20

  • Maverics now uses Go's default implementation of system cert pool for Windows.

v0.65.1

2024-12-18

  • LDAP Provider validation log now correctly reflects associated errors.

v0.61.0

2024-12-16

  • CA cert is no longer a required field when setting up HashiCorp Vault as a secret provider.

v0.60.0

2024-12-13

  • The orchestrator now uses the configuration SDK to validate OIDC provider configuration.

v0.59.0

2024-12-10

  • The orchestrator now uses the configuration SDK to validate Single Logout (SLO) configuration.

v0.58.0

2024-12-10

  • Multiple OIDC callback URLs can now be configured for login and logout. The new style of OIDC connector syntax now supports use cases that require dynamic URLs for OIDC logins and logouts.

    With this change, an identity admin can define a single callback URL pattern and allow for the host of the callback URL to be dynamic. As a result, oauthRedirectURL and oidcLogoutCallbackURL syntax have been deprecated with this update. The new syntax is oauthLoginRedirect and oauthLogoutRedirect.

Note: you must use either the new style OIDC connector syntax or the old style, but not both. If your configuration contains both the old style and new style OIDC connector syntax, the orchestrator will return an error.

v0.56.0

2024-11-29

  • This release enables the re-use of http.Client across different service extensions instead of creating a new one each time.

v0.55.0

2024-11-29

  • The orchestrator now supports dynamic redirect URLs for logout for OIDC apps.

v0.54.1

2024-11-29

  • A bug was fixed so that authentication requests without a defined ACS URL are now allowed.

v0.54.0

2024-11-27

  • Users can now use the ES256 key algorithm when signing JWTs for OAuth client authentication.

v0.53.0

2024-11-27

  • Adds enhancements to the HTTP Server to allow for configuration of HTTP endpoint timeouts. A conservative default value of 15 seconds is used which could impact existing deployments. For more info, please see the docs.

v0.52.0

2024-11-26

  • Adds enhancements to the HTTP Server to allow for configuration of connection timeouts. These changes include conservative default values for all timeouts which could impact existing deployments. For more info, please see the docs.

    Configuration                    Default Value
    http.readTimeoutSeconds          20 seconds
    http.readHeaderTimeoutSeconds    5 seconds
    http.writeTimeoutSeconds         20 seconds
    http.idleTimeoutSeconds          60 seconds

v0.51.0

2024-11-21

  • Dynamic OIDC redirects are now supported in OIDC Connector.

v0.50.2

2024-11-21

  • Logging has been improved when JWT bearers are used for client authentication. A minor bug in terms of how tokens are validated has also been resolved.

v0.50.1

2024-11-20

  • Resolve CVE-2024-9143 by updating libssl3 and libcrypto3.

v0.50.0

2024-11-20

  • Enable use of JWT for client authentication with client_credentials grant.

v0.49.0

2024-11-19

  • Multiple ConsumerServiceURLs per SAML app are now supported.

v0.48.1

2024-11-15

  • Orchestrator uses a POST binding when available on SAML login.

v0.48.0

2024-11-15

  • You can now load Windows Store certs using HashiCorp Vault.

v0.47.0

2024-11-13

  • Log level settings are reloadable.

v0.46.0

2024-11-13

  • ECDH certs can now be loaded from Windows Cert Store.

v0.45.0

2024-11-08

  • CRL revocation is now supported for TLS. See docs.

v0.44.5

2024-11-08

  • Resolved issue where cached SAML requests were failing to be unmarshaled due to the POST binding not supporting compressed requests.

v0.44.2

2024-11-04

  • Service extensions can now be used in conjunction with attribute providers for SAML and OIDC.

v0.44.1

2024-10-31

  • SAML apps now log errors when attributes to be loaded are not found or not defined.

v0.44.0

2024-10-30

  • Online Certificate Status Protocol (OCSP) is now supported to allow clients and servers to check the revocation status of their peer's certificate. See docs.

v0.43.0

2024-10-29

  • An error logger has been added to the HTTP server to make TLS handshake errors in Windows visible in the event viewer.

v0.42.0

2024-10-25

  • Only tokens issued with the openid scope can be used at the userinfo endpoint.

v0.41.0

2024-10-25

  • Support for mTLS cert authentication on HashiCorp Vault for Linux.

v0.40.0

2024-10-22

  • Minor internal improvements

v0.39.0

2024-10-22

  • As part of Orchestrator on Ubuntu, Debian artifacts are now included in Maverics releases.
  • The Orchestrator health configuration is now reloadable, facilitating changes in the UI being pushed down to Orchestrator without requiring a restart.

v0.38.0

2024-10-18

  • Minor internal improvements

v0.37.0

2024-10-17

  • Improvements to the generic SAML health check HTTP client.

v0.36.0

2024-10-17

  • TLS Unmarshalling has been reworked to simplify and combine multiple constructors.

v0.35.0

2024-10-17

  • OIDC Provider: sub and client_id claims can now be overwritten via service extension. ID token generation has also been updated to no longer include the client_id claim by default.

v0.33.0

2024-10-15

  • Debian package installer changes.
  • Consolidate connector 'Login' logic where duplicated: in a handful of connectors, Login logic was duplicated between the login requester and the connector object itself; in other connectors, the connector Login is a thin wrapper around the loginRequester. This PR consolidates the logic in the remaining connectors.

v0.32.0

2024-10-10

  • Debian package installer changes.
  • OIDC Provider User Info Handler: The userinfo handler now uses the claim mapping on the client to build the response. A token cache entry will need to have a clear mapping to the client_id associated with the token.

v0.31.0

2024-10-09

  • [OIDC Provider] Add association from token cache to userinfo cache - #2592

v0.30.0

2024-10-07

  • [OIDC Provider] Store userinfo data only once - #2589

v0.29.1

2024-10-02

  • [Connectors] Infer correct protocol binding from SAML metadata - #2588

v0.29.0

2024-10-01

  • Expose 'jose.ContentType' in service extensions - #2587

v0.28.0

2024-10-01

  • [Connectors] Add support for login hint via subject in PingFed SAML - #2586

v0.27.124

2024-09-27

  • [Tests] Use dynamically allocated free port - #2584

v0.27.123

2024-09-26

  • Update github PR template - #2582
  • [Connectors] Implement login_hint in query for Azure SAML - #2583

v0.27.122

2024-09-23

  • [SE] Add 'postLogoutSEV2' service extension - #2580

v0.27.121

2024-09-19

  • Ensure mTLS cannot be bypassed by spoofing the Host header. - #2578

v0.27.120

2024-09-19

  • [Connectors] Restore SAML login in PingFed - #2579

v0.27.119

2024-09-19

  • [Connectors] Add login hint to OIDC connectors - #2577

v0.27.118

2024-09-17

  • [Proxy apps] Allow secrets loading in policy locations - #2576

v0.27.117

2024-09-17

  • [SE] Introduce v2 service extension signature for 'evalIdleTimeoutSE' - #2574

v0.27.116

2024-09-17

  • Support retrieving AWS secrets via ARN - #2575

v0.27.115

2024-09-17

  • Update 'golang.org/x' to latest - #2564

v0.27.113

2024-09-16

  • [SE] Introduce v2 session evalMaxLifetime - #2562

v0.27.112

2024-09-13

  • [Service Extensions] Fix route registration issue - #2572

v0.27.111

2024-09-12

  • Add newline delimiter option in CCP as workaround for multi-line secrets. - #2570

v0.27.110

2024-09-09

  • Format the Hypr HTML to make it more readable - #2567

v0.27.109

2024-09-09

  • SAML App inherits signing cert from SAMLProvider - #2566

v0.27.105

2024-09-03

  • Fix OIDCProvider panic when claims mapping attribute does not use connector notation - #2560

v0.27.104

2024-08-29

  • [Bundle Validation] Improve error handling when loading public key - #2558

v0.27.103

2024-08-28

  • [TLS] Rename 'clientCAs' to 'clientCAFiles' in TLS config - #2554

v0.27.102

2024-08-28

  • [Continuity] Improve reload behavior - #2555

v0.27.101

2024-08-27

  • [Continuity] Check for duplicated status codes - #2549

v0.27.100

2024-08-27

  • [Continuity] Add health check to ADFS - #2545

v0.27.99

2024-08-27

  • [Connectors] Make cert and keys paths optional for ADFS - #2557

v0.27.97

2024-08-22

  • Fix custom endpoint test flake - #2553

v0.27.96

2024-08-22

  • Support LoadAttributesSE for OIDC Apps - #2551

v0.27.95

2024-08-22

  • Enable service extensions for oidc provider authorization - #2548

v0.27.94

2024-08-21

  • Support multiple secrets for OIDC client authentication - #2546

v0.27.93

2024-08-20

  • Add load attributes service extension to SAML apps - #2544

v0.27.92

2024-08-19

  • Ensure OIDC clients are unique by client ID - #2542

v0.27.91

2024-08-17

  • [SAML Apps] Support app level 'disableSignedAssertion' and 'disableSignedResponse' - #2540

v0.27.90

2024-08-15

  • Add authorization rules to OIDC apps - #2541

v0.27.89

2024-08-14

  • Sanitize routes registered in Service Extensions - #2539

v0.27.88

2024-08-13

  • [SAML Apps] Support app-specific signing certs - #2535

v0.27.87

2024-08-13

  • Support client defined grant types for OIDC apps - #2538

v0.27.86

2024-08-13

  • [Continuity] Remove body matching response logging - #2537

v0.27.85

2024-08-12

  • Update mitchellh/mapstructure to go-viper/mapstructure/v2 - #2533

v0.27.84

2024-08-12

  • [Apps] Validate 'name' uniqueness - #2531

v0.27.83

2024-08-09

  • Support ROPC flow for OIDC apps via backchannel authenticate SE - #2532

v0.27.82

2024-08-08

  • [Continuity] Increase state parameter length in generic OIDC health check - #2530

v0.27.81

2024-08-06

  • [Continuity] Add TLS to custom health check - #2527

v0.27.79

2024-07-31

  • Support IsAuthorizedSE in SAML apps - #2525

v0.27.78

2024-07-31

  • [Continuity] Add custom health check response body matching - #2522

v0.27.77

2024-07-29

  • Use the correct HTTP client for SAML health check - #2523

v0.27.76

2024-07-29

  • [Continuity] Add headers to custom health check endpoint - #2519

v0.27.75

2024-07-26

  • Add QR authentication mode for Hypr connector - #2518

v0.27.74

2024-07-25

  • [Continuity] Add ability to define custom health check - #2515

v0.27.73

2024-07-19

  • [Continuity] Change the default health check interval - #2512

v0.27.72

2024-07-19

  • [Continuity] Add un/healthy threshold - #2513

v0.27.71

2024-07-18

  • Enforce authorization rules in SAML Apps - #2514

v0.27.69

2024-07-17

  • Reimplement Cyberark Conjur Secret Provider - #2510

v0.27.68

2024-07-12

  • Update Yaegi to 16.1 - #2509

v0.27.66

2024-07-11

  • Remove legacy LDAP 'attrproviders' implementation - #2506

v0.27.64

2024-07-10

  • [SAML APP] Query for nameID attributeMapping attribute if not on session - #2503

v0.27.63

2024-07-09

  • Update log level to error when referenced secret is not found - #2505

v0.27.60

2024-07-02

  • Expose ldap.Control - #2498

v0.27.57

2024-06-27

  • Add AWS Secrets manager secret provider support - #2496

v0.27.56

2024-06-25

  • [Telemetry] Update OTel libraries to latest - #2495

v0.27.54

2024-06-24

  • [Telemetry] Update local Docker Compose telemetry environment for development - #2494

v0.27.53

2024-06-24

  • Support reload for single logout config - #2491

v0.27.49

2024-06-20

  • Protect session store with mutex and add session service to config reloader - #2490

v0.27.48

2024-06-19

  • Implement session config reload - #2487

v0.27.46

2024-06-18

  • [Service Extensions] Expose symbols for JWT encryption - #2485

v0.27.45

2024-06-18

  • Wrap session in service.Service - #2483

v0.27.43

2024-06-14

  • [MSI] Fix file contention issue - #2482

v0.27.42

2024-06-14

  • Re-evaluate policies based on decision lifetime - #2478

v0.27.38

2024-06-11

  • [Proxy apps] Remove legacy resilience implementation - #2475

v0.27.36

2024-06-06

  • Redirect SAML SSO error responses correctly - #2472

v0.27.33

2024-05-31

  • SAMLProvider supports LogoutRequest via POST binding - #2470

v0.27.32

2024-05-30

  • [Connectors] Move SAML client initialization to constructor - #2469

v0.27.31

2024-05-29

  • [Connectors] Gracefully handle failure to retrieve OIDC well-known metadata - #2466

v0.27.30

2024-05-16

  • Verify Signed SAML Logout requests via Redirect binding - #2468

v0.27.29

2024-05-16

  • [Connectors] Refactor SAML pkg to better handle SP initialization - #2467

v0.27.28

2024-05-14

  • [SAML Apps] Store logout request in cache - #2465

v0.27.27

2024-05-14

  • Fix SAMLProvider cacheState storage when using multiple IDPs - #2464

v0.27.26

2024-05-13

  • Add support for namespace in HashiVault - #2460

v0.27.23-24

2024-05-10

  • Unregister SAMLProvider SLO endpoint during stop - #2463
  • [Connectors] Better handle logout errors - #2461

v0.27.20-21

2024-05-09

  • Update release pipeline to replace the old MSI installer with the new - #2458
  • Append query parameters to authn request during IDP Initiated SAML - #2459

v0.27.19

2024-05-08

  • Validate bundle file in MSI installer - #2457

v0.27.16-18

2024-05-07

  • [SAMLProvider] Add SingleLogoutService to metadata when sloEndpoint is defined - #2456
  • [SAMLProvider] Implement SP initiated SLO - #2441
  • [MSI] Fix service restart on change and add default remote configs. - #2442

v0.27.13-15

2024-05-06

  • [Service Extensions] Expose symbols to enable JWT generation - #2450
  • [Connectors] Set transport properties on health check HTTP client - #2449

v0.27.12

2024-05-03

  • [SAML Connectors] Fix panic observed when generating unsigned logout requests - #2452

v0.27.5

2024-04-23

  • [SAML Apps] Call BuildRelayState extension post-authentication

v0.27.2

2024-04-18

  • [SAML Apps] Expose NameID configuration

v0.27.1

2024-04-18

  • Include allowedProtectedPackages option for Service Extensions

v0.27.0

2024-04-16

  • Introduce cache to SAMLProvider

v0.26.108

2024-04-16

  • Expose BuildRelayState service extension for IDP-initiated login flow

v0.26.106

2024-04-12

  • Allow IDP-initiated 'relayStateURL' field to be optionally defined

v0.26.102-104

2024-04-11

  • Fix log key to have correct attrProvider name
  • Simplify IDP health check service

v0.26.94-100

2024-04-10

  • Implement generic SAML in 1Kosmos and add cache
  • Improve idphealthcheck test assertion
  • Manually validate timestamp assertions in SAML
  • Organize authprovider pkg and improve logging
  • Store cacheRequester on samlAuthProvider to simplify CreateClient method signature

v0.26.90

2024-04-04

  • Add proxy app support for HTTP request methods

v0.26.87-89

2024-04-03

  • Enable PingFederate connector to use SAML package and cache
  • Bug fix: Add 'Authorization' to list of 'Access-Control-Allow-Headers'

v0.26.86

2024-04-02

  • Set SAML CacheRequester at reload

v0.26.85

2024-04-01

  • Add cache for SAML connectors using generic implementation

v0.26.75-77

2024-03-25

  • Enhance SAML metadata parsing to support formatted certificates
  • Support api.App in IsAuthenticatedSE, AuthenticateSE and v2/BuildClaimsSE for saml apps
  • Support api.App in IsAuthenticatedSE, AuthenticatedSE, BuildAccessTokenClaimsSE, BuildIDTokenClaimsSE for oidc apps

v0.26.73-74

2024-03-22

  • Update Nancy CI action to use correct version of Go
  • Add support for RP-initiated logout in OIDC provider

v0.26.66-71

2024-03-20

  • Add github.com/google/uuid support to Service Extensions.
  • Support api.App in loadAttrsSE for proxy apps
  • Support api.App in createHeaderSE for proxy apps
  • Support api.App in loginSE and isLoggedInSE for proxy apps
  • Allow CyberArk CCP to be configured with certificate authentication directly from Windows Cert Store. See docs here.

v0.26.64

2024-03-19

  • Add missing Cache WithTTL option to SE symbols

v0.26.63

2024-03-18

  • Add functions and structures from 'golang.org/x/net/html' to v2 SEs.

v0.26.54

2024-03-14

  • Update go-ntlm to the latest version

v0.26.22

2024-02-29

  • Update to latest go OTLP libraries

v0.26.17

2024-02-26

  • Upgrade Golang to 1.22

v0.26.13

2024-02-22

  • Parse OIDC auth request params from the request body as well as from the query

v0.26.4

2024-02-08

  • Add configuration options to MSI installer and fix upgrade behavior

v0.26.3

2024-02-08

  • Support loading service extension assets as a file system

v0.26.2

2024-02-06

  • Add offline_access to scopes_supported in OIDC well-known endpoint

v0.26.1

2024-02-02

  • Implement Context interface for service extensions

v0.26.0

2024-01-31

  • Support retrieving App name for Proxy Apps in some Service Extensions
  • Expose orchestrator cache to service extension (v0.25.39)
  • Add client_id to claims in access token (v0.25.38)
  • Support login options in service extensions (v0.25.37)
  • Fix refresh token length configuration (v0.25.35)
  • Close HTTP response body in connectors (v0.25.34)
  • Omit env var substitution if the line starts with '#' in YAML config (v0.25.33)
  • Close response body when making token request (v0.25.32)
  • Update crypto lib to v0.17.0 to handle CVE-2023-48795 (v0.25.31)
  • Fix panic when cert not found in Windows cert store (v0.25.30)
  • Correctly set RelayState during IDP initiated login (v0.25.29)
  • Add env vars for Windows Certificate Store (v0.25.28)
  • Improve error handling in OIDC connectors (v0.25.27)
  • Add support for reloadable cache (v0.25.26)

v0.25.25

2023-12-14

  • Allow SAML client to support both IDP initiated login and verified SP login
  • Rename go-jose exported name from v3 to jose (v0.25.24)
  • Add Windows Client Authenticator connector to orchestrator (v0.25.23)

v0.25.5

2023-11-24

  • Register SAML endpoints as case insensitive
  • Register OIDC endpoints as case insensitive (v0.25.4)
  • Fix typo in telemetry logs (v0.25.3)
  • Implement TAIProvider interface for Service Extensions (v0.25.2)
  • Fix panic observed when running in Windows console as non-admin (v0.25.1)

v0.25.0

2023-11-09

  • Rotate refresh tokens on use per OAuth security best practices
  • Implement token revocation for JWT tokens (v0.24.35)
  • Store JWT tokens in the cache (v0.24.34)

v0.24.32

2023-11-03

  • Update google.golang.org/api to fix indirect GRPC vulnerabilities
  • Expose GetBytes, GetAny, and SetBytes on Service Extension session provider implementations (v0.24.32)
  • SAMLProvider validates signed authn requests received via HTTP-Redirect binding (v0.24.29)
  • Implement v2.Session API for Service Extensions for OIDC Provider (v0.24.28)
  • Add post logout redirect URL to proxy apps (v0.24.27)
  • Return all claims for opaque access token (v0.24.26)
  • Add logout to proxy apps (v0.24.25)
  • Add clock skew leeway for SAML Authn requests (v0.24.23)
  • Stop Maverics process on failure to bind to a port (v0.24.22)

v0.24.21

2023-10-26

  • Add support for IDP initiated login for app of type SAML
  • Add support for HTTP Redirect binding in the SAML auth provider (v0.24.20)
  • Improve attribute loading error handling in proxy apps (v0.24.18)
  • Add query params matching in proxy apps policies (v0.24.17)
  • Add handleUnauthorizedSE to proxy apps (v0.24.16)

v0.24.15

2023-10-20

  • Add upstream login extension to proxy apps
  • Add support for IDP initiated login for the SAML provider (v0.24.14)
  • Add ModifyRequest and ModifyResponse Service Extensions to proxy apps (v0.24.13)
  • Add LoadAttrsSE to proxy apps (v0.24.12)
  • Expose 'goPath' on v2 Service Extensions (v0.24.11)
  • Add CreateHeader service extension to proxy apps (v0.24.10)
  • Add IsAuthorized service extension to proxy apps (v0.24.9)
  • Add IsAuthenticated and Authenticate extensions to proxy apps (v0.24.8)
  • Update goxmldsig library to fix signature validation bug (v0.24.7)
  • Add TLS to proxy apps (v0.24.4)
  • Patch CVE-2023-45683 (SAML XSS bug) (v0.24.2)
  • Support multiple route patterns on a proxy app (v0.24.1)
  • Add Orchestrator Groups cache support (v0.24.0)
  • Add regexp policy matching to proxy apps (v0.23.75)
  • Add attribute provider to proxy apps (v0.24.74)

v0.23.73

2023-10-13

  • Update golang.org/x/net to the latest to address CVE-2023-39325
  • Upgrade Yaegi to 15.1 (v0.23.72)
  • Support policy-level header definitions on proxy apps (v0.23.71)
  • Implement revoke endpoint support for OIDC refresh tokens (v0.23.70)
  • Add unauthorized page to proxy apps (v0.23.68)
  • Add headers to proxy apps (v0.23.67)
  • Improve authorization and authentication policy validation for proxy apps (v0.23.66)
  • Add authorization to proxy apps (v0.23.65)

v0.23.62

2023-09-29

  • Add basic authentication to proxy apps in new app-centric configuration format
  • Allow fabric consumer (RP Orchestrator) to define and use unauthorizedPage (v0.23.61)

v0.23.60

2023-09-25

  • Update OIDCProvider service extensions to work with cache
  • Fix OIDCProvider userinfo endpoint to reject ID Bearer tokens (v0.23.59)
  • Support the refresh token flow using the cache (v0.23.58)
  • OIDCProvider uses cache to build user claims (v0.23.56)

v0.23.55

2023-09-15

  • Support AuthCode w/ PKCE using cache implementation

v0.23.54

2023-09-15

  • Make logging more verbose in Azure connector

v0.23.53

2023-09-11

  • Remove logic that prevents 'ServeSE' from being defined with other AppGateway extensions
  • Set session cookie regardless of policy (v0.23.52)

v0.1.0 (Maverics TAI Module)

2023-09-07

  • Add support for verifying signed JWT headers to prevent impersonation via side channel requests.

v0.23.50

2023-09-07

  • Expose TAI pkg in Service Extensions to enable JWT generation
  • Fix decryption using older keys in AES256GCMEncryptor (v0.23.49)
  • Export go-jose JWT library v3 symbols (v0.23.48)
  • Export go-ldap library v3 symbols (v0.23.47)

v0.23.44

2023-08-29

  • Expose 'ldap.NewModifyRequest' in Service Extensions
  • Add metadata to V2 service extensions (v0.23.43)
  • Signed binaries for Maverics Evaluation bundle downloads (v0.23.42)
  • Fix Telemetry panic on SIGTERM (v0.23.38)
  • Update SAML Provider buildClaims v2 signature to match OIDC Provider. (v0.23.37)
  • Enable attribute loading in v2 Service Extensions (v0.23.34)
  • Make API Service Extensions reloadable (v0.23.31)
  • ServeSE v2 in APIs block (v0.23.28)
  • Add ldap.NewPasswordModifyRequest symbol (v0.23.27)
  • Add support for BuildUserInfoClaimsSE for OIDC apps (v0.23.25)

v0.23.34

2023-08-15

  • Enable attribute loading in v2 Service Extensions - #2147

v0.23.31

2023-08-11

  • Make API Service Extensions reloadable - #2140

v0.23.30

2023-08-11

  • Unregister HTTP endpoints when API Service Extensions are stopped - #2139

v0.23.29

2023-08-11

  • Restart session metrics on telemetry reload - #2119

v0.23.28

2023-08-11

  • ServeSE v2 in APIs block - #2134

v0.23.27

2023-08-10

  • Add ldap.NewPasswordModifyRequest symbol - #2136

v0.23.26

2023-08-10

  • Orchestrator metrics as service - #2122

v0.23.25

2023-08-10

  • Add support for BuildUserInfoClaimsSE for OIDC apps - #2135

v0.23.22

2023-08-03

  • Fixed issue preventing OIDC client creation with JWT access token - #2110

v0.23.20

2023-08-03

  • Return a non-nil action in the HYPR connector when Lookup is successful - #2130

v0.23.19

2023-08-03

  • Add BuildClaims SE to SAML apps - #2128

v0.23.18

2023-08-02

  • Move authn fields under new authenticationPolicy in policy struct - #2123

v0.23.15

2023-07-28

  • Add Authentication Service Extensions to SAML Apps - #2121

v0.23.14

2023-07-28

  • Add BuildIDTokenClaims and BuildAccessTokenClaims extensions to apps of type OIDC - #2120

v0.23.13

2023-07-28

  • Remove Public Signing Key from Auth Provider Config - #2117

v0.23.11

2023-07-26

  • Add IsAuthenticated and Authenticate SE to OIDC apps - #2118

v0.23.9

2023-07-25

  • Support subtree searching for LDAP connector as IDP - #2114

v0.23.8

2023-07-24

  • Initialize metrics during orchestrator startup - #2115

v0.23.6

2023-07-19

  • Create v2 Service Extension package and expose parsing method - #2113

v0.23.2

2023-07-17

  • SAML AuthProvider: Ensure XML dateTime attributes use millisecond precision - #2111

v0.23.1

2023-07-13

  • Remove connector and app count logging - #2098

v0.23.0

2023-07-12

  • Enable NameID Format to be defined on SAML AuthProvider clients - #2103

v0.22.48

2023-07-12

  • Only set SameSite cookie attribute when cookie is Secure - #2101

v0.22.47

2023-07-12

  • Remove "reload count" metric - #2099

v0.22.46

2023-07-12

  • Add config version to health - #2096

v0.22.41

2023-07-07

  • Ensure Lookup validation is successful before using connector as IdentityProvider - #2091

v0.22.40

2023-07-07

  • Refactor telemetry into a service and change the Reloader to reload telemetry based on new config. - #2093

v0.22.38

2023-07-05

  • Fix LDAP IDP login bug - #2085

v0.22.37

2023-06-28

  • SAML logout in Okta - #2075

v0.22.34

2023-06-27

  • Emit Orchestrator health to OTLP - #2065

v0.22.33

2023-06-26

  • Remove old HealthSvc - #2082

v0.22.32

2023-06-26

  • Prevent SAML auth provider from panic if no IDPs provided. - #2080

v0.22.29

2023-06-23

  • Add ldap.DialWithTLSConfig to Service Extension symbols - #2077

v0.22.26

2023-06-20

  • Add redirectScheme to consumer fabric - #2069

v0.22.22

2023-06-19

  • Organize and add Godoc for configuration fields in AppGateway - #2070

v0.22.19

2023-06-16

  • Fix issue where Fabric Consumer (RP Orchestrator) fails to load TLS config - #2064

v0.22.18

2023-06-16

  • Add os/exec to service extension symbols if enableOSLib:true - #2063

v0.22.17

2023-06-16

  • Return ErrMetricsInvalidExporter if exporter not specified in telemetry metrics configuration - #2066

v0.22.16

2023-06-15

  • Refactor telemetry config to allow multiple OTLP exporters; reference… - #2057

v0.22.14

2023-06-15

  • Improve error handling in Fabric Consumer when nonce is not found - #2060

v0.22.11

2023-06-14

  • Add ldap.NewSearchRequest to service extension symbols - #2052

v0.22.9

2023-06-14

  • Don't log message about metrics when telemetry not enabled. - #2050

v0.22.8

2023-06-13

  • Add support for domain hint in SAML SP - #2053

v0.22.7

2023-06-13

  • Support SAML login in Okta connector - #2051

v0.22.6

2023-06-13

  • Leave maverics.yaml untouched on uninstall - #2049

v0.22.5

2023-06-08

  • Support IDP-initiated SAML login in ADFS connector - #2047

v0.22.4

2023-06-08

  • Support IDP-initiated SAML login in Azure connector - #2048

v0.22.3

2023-06-08

  • Add default maverics.yaml on Windows installation - #2046

v0.19.17

2023-05-03

  • Ensure keys in JWKS have unique IDs - #1990

v0.19.16

2023-05-03

  • Add support for apps of type OIDC - #1987

v0.19.15

2023-05-03

  • Fix cache timing logic - #1992

v0.19.14

2023-05-03

  • Describe Service Extension dependencies for AuthProviders - #1991

v0.19.13

2023-05-02

  • [OIDC Auth Provider] Inject unused cache.Cache - #1988

v0.19.12

2023-05-02

  • [OIDC Auth Provider] Move cache creation into NewOIDCProvider - #1984

v0.19.11

2023-05-02

  • Add URLPath to otel http config - #1980

v0.19.10

2023-05-02

  • Add Orchestrator ID to metrics resources - #1976

v0.19.9

2023-05-01

  • Add username search key value to session for LDAP - #1985

v0.19.8

2023-05-01

  • Handle error from service extension panic recovery - #1986

v0.19.7

2023-05-01

  • Add source assets for the docker grafana quickstart in docs repo. - #1978
  • Serve discovery endpoints on app-centric OIDC Provider - #1983

v0.19.6

2023-04-27

  • Add ability to create clients on OIDC AuthProvider - #1982

v0.19.5

2023-04-27

  • Add mock cache implementation - #1981

v0.19.4

2023-04-26

  • Removes the AuthProvider feature flag - #1979

v0.19.3

2023-04-26

  • Add initial caching foundation - #1968

v0.19.2

2023-04-21

  • Add MAVERICS_CONFIG to multiple environment variable check - #1975

v0.18.48

2023-04-21

  • Distinguish between validation and unmarshalling in OIDCProvider by @patrick-strata in #1969
  • Remove undocumented and unused logical operators from OIDC AuthProvider authentication policy by @patrick-strata in #1970
  • Query escape configuration_file_object_key for GCP provider by @wfernandes in #1972
  • Decouple unmarshaling from construction in OIDC AuthProvider in support of OIDC apps by @eliasjf in #1973
  • Support configurationFilePath key in provider configs by @wfernandes in #1971
  • Implement bundle verification by @kewun in #1967
  • Organize tests into separate files for OIDC AuthProvider by @eliasjf in #1974

Full Changelog: https://github.com/strata-io/maverics/compare/v0.18.47...v0.18.48

v0.19.1

2023-04-21

  • Distinguish between validation and unmarshalling in OIDCProvider by @patrick-strata in #1969
  • Remove undocumented and unused logical operators from OIDC AuthProvider authentication policy by @patrick-strata in #1970
  • Query escape configuration_file_object_key for GCP provider by @wfernandes in #1972
  • Decouple unmarshaling from construction in OIDC AuthProvider in support of OIDC apps by @eliasjf in #1973
  • Support configurationFilePath key in provider configs by @wfernandes in #1971
  • Implement bundle verification by @kewun in #1967
  • Organize tests into separate files for OIDC AuthProvider by @eliasjf in #1974

Full Changelog: https://github.com/strata-io/maverics/compare/v0.18.47...v0.19.1

v0.18.47

2023-04-18

  • Simplify SAML Provider signature configuration - #1966

v0.18.46

2023-04-18

  • Add encryption to SAML Apps - #1965

v0.18.45

2023-04-17

  • Update Swarm to latest - #1964

v0.18.44

2023-04-17

  • Remove antiquated autogenerated LDAP test mock - #1962
  • Remove outdated telemetry docs - #1961
  • Enable encryption config to be defined on SAML AuthProvider client - #1963