Maverics Release Notes

2024-02-23: Bug fixes

Resolved issues

  • You are no longer able to set an evaluation environment for Production use.
  • Proxy apps that contain rules in access policies can now be imported and displayed properly.

2024-02-20: Fix for environments and enhancements

In a proxy app user flow, you can now select a service extension in an access policy rule and use the claims defined in the service extension.
Instances of Azure AD have been updated to Entra ID (per Microsoft branding updates).
We've also improved the consistency and clarity of identity fabric card names and descriptions.

Resolved issue

  • Fixed an issue that prevented users from creating a new environment or editing an existing one.

2024-02-15: Canary Bank and service extension deployment improvements

All five of our Learning Center recipes have been updated to use Canary Bank instead of Sonar. This update also includes clearer names of imported fabric, apps and user flows.

Service extension snapshots created when deploying user flow revisions

When you commit and deploy a user flow, a snapshot of the service extension code is saved with the revision. This enables you to roll back to that snapshot when you deploy a previous revision.
If you deploy multiple user flows that reference an updated service extension, all of them must be committed and showing a status of "Up-to-date" to get the updated SE.

Resolved issues

  • Attribute providers can now be selected more reliably when creating an access policy rule in a proxy app type user flow.
  • On import, you are now required to add an environment name when selecting a local or eval environment.

2024-02-12: Resolved issue

The previous release included a change that moved service extensions into a subdirectory in the deployed bundle. The deployed JSON config did not include this path, which resulted in an error on Orchestrator startup where the service extension could not be found. We've introduced a fix for incorrect SE subdirectories in bundle and config paths. With this fix, you can now re-commit/deploy user flows with service extensions.

2024-02-08: CyberArk now available in Identity Fabric

You can now add CyberArk as an IDP to your identity fabric. You can use either a SAML or OIDC connection to CyberArk’s Workforce and B2B identity offerings with Maverics. Follow the new Learning Center guide to get started.
We've also updated descriptions in user flows to read more clearly.
We made some behind-the-scenes fixes so you can now import/export proxy app type user flows that contain location policies with rules. However, when imported, they do not appear on the policy page.

2024-02-06: Bug fixes

  • We've resolved an import issue where bundles that contain a combination of app types and service extensions would fail to import.
  • We've also resolved an issue where evaluation bundle content (for example, maverics.env) was malformed while an eval environment was being created asynchronously. Now, access to certain actions is safely disabled while the eval environment is being created, and a status is shown as “Creating environment.” Wait a few moments before refreshing the page, and the actions will be made available again.

2024-02-04: Regex bug fix

  • We've added a fix for regex location policy names with a backslash character.

2024-02-02: Fit and finish updates

  • Some error messages due to environment misconfiguration will be displayed to the user when deploying configuration.
  • An additional inspection warning has been added to user flow configuration and deployments to catch some common configuration errors.
  • Applications can no longer be removed if they’re attached to a user flow.
  • All list views now use the updated design.

Resolved issue

  • Fixed a panic due to invalid configuration that resulted in a Cloudflare error page.

2024-01-29: New Learning Center lesson for Microsoft Entra ID and other improvements

Click the Learning Center icon in the upper right side of the Maverics screen to find our new lesson, Extend Microsoft Entra ID to Legacy, Non-Standard Apps. You will need access to an Entra ID tenant to integrate and create a test user for the login flows.

New list views

List views have a new easily selectable and sortable look and feel.

Updated default list for access policies

Previously, new location policies would default to an invalid policy that would cause an orchestrator to error and fail to start up. Now, when a new policy is added you must select a valid authentication (allow unauthenticated, require auth by IDP, or service extension) and authorization policy (allow all access, use a rule, or service extension).

Evaluation environment improvements

  • Users can now only have one evaluation environment at a time.
  • Creating an evaluation environment is now faster.
  • Using port :443 for Linux eval was a problem because it was a reserved port. Now the default port for evaluation content and lessons has changed from :443 to :8443.
    • The maverics.env file has been updated to use :8443
    • Learning Center demo URLs and identity fabric definitions have been updated to :8443

2024-01-19: Single Sign On (SSO) for accounts

Account owners can now secure access to their Maverics accounts with single sign on! View our documentation here.

User flow deployments

When you deploy a user flow you now have the ability to preview everything in a deployment bundle. This includes other user flows deployed to the environment, orchestrator configuration specific to that environment and any service extensions.

Resolved issues

  • You can no longer mark an evaluation environment for production.

2024-01-02: OIDC app refresh token settings

When defining an OIDC app type you can now specify refresh token options.

Orchestrator builds


  • Add configuration options to MSI installer and fix upgrade behavior


  • Support loading service extension assets as a file system


  • Add offline_access to scopes_supported in OIDC well-known endpoint


  • Implement Context interface for service extensions


  • Support retrieving App name for Proxy Apps in some Service Extensions
  • Expose orchestrator cache to service extension (v0.25.39)
  • Add client_id to claims in access token (v0.25.38)
  • Support login options in service extensions (v0.25.37)
  • Fix refresh token length configuration (v0.25.35)
  • Close HTTP response body in connectors (v0.25.34)
  • Omit env var substitution if the line starts with '#' in YAML config (v0.25.33)
  • Close response body when making token request (v0.25.32)
  • Update crypto lib to v0.17.0 to handle CVE-2023-48795 (v0.25.31)
  • Fix panic when cert not found in Windows cert store (v0.25.30)
  • Correctly set RelayState during IDP initiated login (v0.25.29)
  • Add env vars for Windows Certificate Store (v0.25.28)
  • Improve error handling in OIDC connectors (v0.25.27)
  • Add support for reloadable cache (v0.25.26)


  • Allow SAML client to support both IDP initiated login and verified SP login
  • Rename go-jose exported name from v3 to jose (v0.25.24)
  • Add Windows Client Authenticator connector to orchestrator (v0.25.23)


  • Register SAML endpoints as case insensitive
  • Register OIDC endpoints as case insensitive (v0.25.4)
  • Fix typo in telemetry logs (v0.25.3)
  • Implement TAIProvider interface for Service Extensions (v0.25.2)
  • Fix panic observed when running in Windows console as non-admin (v0.25.1)


  • Rotate refresh tokens on use per OAuth security best practices
  • Implement token revocation for JWT tokens (v0.24.35)
  • Store JWT tokens in the cache (v0.24.34)


  • Update to fix indirect GRPC vulnerabilities
  • Expose GetBytes, GetAny, and SetBytes on Service Extension session provider implementations (v0.24.32)
  • SAMLProvider validates signed authn requests received via HTTP-Redirect binding (v0.24.29)
  • Implement v2.Session API for Service Extensions for OIDC Provider (v0.24.28)
  • Add post logout redirect URL to proxy apps (v0.24.27)
  • Return all claims for opaque access token (v0.24.26)
  • Add logout to proxy apps (v0.24.25)
  • Add clock skew leeway for SAML Authn requests (v0.24.23)
  • Stop Maverics process on failure to bind to a port (v0.24.22)


  • Add support for IDP initiated login for app of type SAML
  • Add support for HTTP Redirect binding in the SAML auth provider (v0.24.20)
  • Improve attribute loading error handling in proxy apps (v0.24.18)
  • Add query params matching in proxy apps policies (v0.24.17)
  • Add handleUnauthorizedSE to proxy apps (v0.24.16)


  • Add upstream login extension to proxy apps
  • Add support for IDP initiated login for the SAML provider (v0.24.14)
  • Add ModifyRequest and ModifyResponse Service Extensions to proxy apps (v0.24.13)
  • Add LoadAttrsSE to proxy apps (v0.24.12)
  • Expose 'goPath' on v2 Service Extensions (v0.24.11)
  • Add CreateHeader service extension to proxy apps (v0.24.10)
  • Add IsAuthorized service extension to proxy apps (v0.24.9)
  • Add IsAuthenticated and Authenticate extensions to proxy apps (v0.24.8)
  • Update goxmldsig library to fix signature validation bug (v0.24.7)
  • Add TLS to proxy apps (v0.24.4)
  • Patch CVE-2023-45683 (SAML XSS bug) (v0.24.2)
  • Support multiple route patterns on a proxy app (v0.24.1)
  • Add Orchestrator Groups cache support (v0.24.0)
  • Add regexp policy matching to proxyapps (v0.23.75)
  • Add attribute provider to proxy apps (v0.24.74)


  • Update to the latest to address CVE-2023-39325
  • Upgrade Yaegi to 15.1 (v0.23.72)
  • Support policy-level header definitions on proxy apps (v0.23.71)
  • Implement revoke endpoint support for OIDC refresh tokens (v0.23.70)
  • Add unauthorized page to proxy apps (v0.23.68)
  • Add headers to proxy apps (v0.23.67)
  • Improve authorization and authentication policy validation for proxy apps (v0.23.66)
  • Add authorization to proxy apps (v0.23.65)


  • Add basic authentication to proxy apps in new app-centric configuration format
  • Allow fabric consumer (RP Orchestrator) to define and use unauthorizedPage (v0.23.61)


  • Update OIDCProvider service extensions to work with cache
  • Fix OIDCProvider userinfo endpoint to reject ID Bearer tokens (v0.23.59)
  • Support the refresh token flow using the cache (v0.23.58)
  • OIDCProvider uses cache to build user claims (v0.23.56)

Known issues


  • We made some behind-the-scenes fixes so you can now import/export proxy app type user flows that contain location policies with rules. However, when imported, they do not appear on the policy page.


  • Telemetry graphs are not appearing in Production.


  • If you have ever included a service extension in a user flow commit, it will always deploy. In some cases it may cause errors during orchestrator start-up where there are conflicting endpoints. The team is working to refactor how service extensions are referenced in deployments to correct this issue. In the meantime, to work around this issue and remove the service extension, you will need to recreate the user flow.


  • Updates to metadata on a service extension do not go out with an updated deploy. Workaround: Edit your SE with the new metadata, remove its association with the user flow, commit, and then add the SE back in. After that, commit and deploy a user flow, and your updates will appear.


  • On User Flow list views, the last commit date/time does not appear. No data has been lost. We are experiencing an issue with the SQL query.
  • Duplicate accounts: Some customers are experiencing issues with the new user sign up. We have a partial fix in place. Please contact support for more information.


  • Headers are still missing or not properly generated for header-based apps.