Maverics Release Notes

2023-09-14: Duo Single Sign-On is now available!

Using Duo and Maverics together has become even easier. You can now set up Duo Single Sign-On (SSO) as part of your identity fabric, and use it for authentication in your user flows.

Other features

  • You can now sort user flows by the last commit date.

2023-09-12: Several feature enhancements


  • You can now specify TLS settings in header-based apps:
    • Add a path to a CA cert
    • Skip TLS verification (enableSkipVerify)


  • Fabric now includes the logoutURL (for example, https://auth0tenantname/v2/logout) required by Auth0.
  • You can now specify scopes in OIDC providers.
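
What the two TLS options above mean for certificate validation, shown with Go's crypto/tls against a local test upstream. This is an added example, not Maverics configuration or Strata code; treating enableSkipVerify as the equivalent of Go's InsecureSkipVerify is an assumption.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// probe sends one GET to url using the given TLS settings and returns the
// handshake or request error, if any.
func probe(url string, cfg *tls.Config) error {
	tr := &http.Transport{TLSClientConfig: cfg, DisableKeepAlives: true}
	resp, err := (&http.Client{Transport: tr}).Get(url)
	if err != nil {
		return err
	}
	return resp.Body.Close()
}

// compare starts a constructed upstream whose certificate is not in the
// system trust store and connects to it three ways.
func compare() (withCA, wrongCA, skipVerify error) {
	upstream := httptest.NewTLSServer(http.HandlerFunc(
		func(w http.ResponseWriter, _ *http.Request) { fmt.Fprint(w, "ok") }))
	defer upstream.Close()

	// Like "add a path to a CA cert": trust exactly the upstream's issuer.
	trusted := x509.NewCertPool()
	trusted.AddCert(upstream.Certificate())
	withCA = probe(upstream.URL, &tls.Config{RootCAs: trusted})

	// A trust pool that lacks the issuer: the handshake is rejected.
	wrongCA = probe(upstream.URL, &tls.Config{RootCAs: x509.NewCertPool()})

	// Like skipping TLS verification: the same empty pool is accepted,
	// because the certificate chain and host name are no longer checked.
	skipVerify = probe(upstream.URL, &tls.Config{RootCAs: x509.NewCertPool(), InsecureSkipVerify: true})
	return withCA, wrongCA, skipVerify
}

func main() {
	withCA, wrongCA, skipVerify := compare()
	fmt.Println("CA cert configured:", withCA)
	fmt.Println("issuer not trusted:", wrongCA)
	fmt.Println("verification skipped:", skipVerify)
}
```

The second probe is the only one that fails, which is the point: with verification skipped, any certificate presented by whatever answers on the upstream address is accepted.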

Other features

  • Mac, Windows, and Linux now have the same easy 3-step experience. Our updated Linux evaluation bundle now includes a raw orchestrator Linux executable. There's no need to install an RPM, so you can launch it directly from a command line.
  • Login and isLoggedIn service extensions are always used together and have now been combined into a single form called Upstream Application Login.

Resolved issues

  • Updated service extension names and descriptions

2023-09-11: Service Extension parity

We've now achieved 90% parity with the service extension points available via the YAML API.
Proxied apps use the service extension format currently documented for YAML configuration, while SAML apps, OIDC apps, and API endpoints (aka ServeSE) require a new format. The new format is available for internal preview, and public documentation for the new service extensions will be released soon.

Introducing API application type (ServeSE), isLoggedIn, and Login

Develop an API app to facilitate identity flows by creating custom HTTP endpoints, serving HTML pages, or executing custom scripts.
To use it:
  1. Go to Applications and select API from the application type column.
  2. Enter a name, description, and function name (for example, Serve).
  3. Add your Go code in the code editor and click Create.
  4. Create a new user flow and select the app you created in step 3.
  5. Commit and deploy. You can now deploy user flows that can integrate with these APIs.
You can also add Login service extension points to your header-based app user flows.
Select from Service Extensions.
Add to your header-based app's user flow.
When service extension code is modified, any user flows that reference it are updated with the status 'Uncommitted changes'. This signifies that you need to commit and deploy for the changes to take effect.
Finally, in order to simplify the experience, the identity fabric code view has been removed. You can still see the code on the user flow deploy step.

2023-09-05: Improved Windows evaluation bundle

The Windows evaluation experience has been improved. You no longer have to:
  • Run an installer
  • Delete system environment variables (e.g. default yaml config and license files)
  • Edit registry values
  • Edit maverics.env - all paths to certs and keys just work
To use it:
  1. Download the zip file, right-click it, and select “Extract all…”
  2. Open the Command Prompt.
  3. Use cd to navigate to where you extracted the eval bundle.
  4. Run call maverics.bat && maverics-orchestrator.exe
  5. Go to Orchestrator Telemetry and check for the green dot.

Other enhancements

  • You can now modify requests and responses using service extensions in header-based apps.

Resolved issues

  • Fixed an issue selecting a provider when creating an authorization rule.

2023-08-24: Commit to Deploy

To improve the usability of Maverics, we have reworked the Save Revision and Publish steps into Commit->Deploy. This includes:
  • For easy access, it is now pinned to the top of the user flow screen and the Edit a resource location policy screen.
  • Save a revision is now a Commit in a modal dialog.
  • Inspector results are accessible on hover when there are errors on a user flow. Note: before you can commit you must clear all the errors.

Other enhancements

  • You can now specify attribute provider and username mapping in SAML and OIDC app type user flows.
  • The maverics.env in the Windows evaluation bundle has been improved to make it easier to copy and paste. We also have a new topic in the Learning Center to walk you through the Windows process.
  • You can now specify signing certs in AD FS and Azure AD SAML configs to verify that the authentication requests are signed.

2023-08-21: Evaluation Experience

There is now a step-by-step guide to the Orchestrator Evaluation Bundle installation on Windows.

Resolved issues

  • Addressed an issue where you could not add a header to a user flow.

2023-08-16: New Service Extensions

You can now leverage the buildAccessTokenClaimsSE or buildIdTokenClaimsSE service extension points in the platform to build custom token claims for OIDC and SAML app type user flows. To use:
  1. Go to Service Extensions, and select Custom Claims from the Service Extension list.
  2. Enter a name and description, and click Create.
  3. Paste in your Go code. Here is a "Hello World" example that adds a claim, which shows up as a log event after a user logs in:

    package main

    import (
        "net/http"
        // The orchestrator and session package imports are not shown in the original example.
    )

    // BuildTokenClaims returns the custom claims to add to the token.
    func BuildTokenClaims(_ orchestrator.Orchestrator, _ *http.Request, sess session.Session) (map[string]any, error) {
        claims := make(map[string]any)
        // TODO: Implement service extension code.
        claims["Hello"] = "World"
        return claims, nil
    }

  4. Go to Applications and create an OIDC-based app type.
  5. Go to User Flows and create a new user flow. Select the app you created in step 4, and specify an IDP in the following screen.
  6. On the User Flow page, scroll to Claims. Select the service extension you created in step 3 for either an Access Token or ID Token.
  7. Click Save Revision, publish the user flow, and log in to your app.
  8. In the orchestrator log, you will see:

    ts=2023-08-16T22:51:59.768756Z level=debug msg="adding claim Hello:World to ID token" client=client-id
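
Going one step past "Hello World", the sketch below shows the claim-building logic such an extension might contain: copy only allow-listed session attributes into claims and refuse to touch registered JWT claims. It is an added example, not Strata's code; the Session interface, mapSession type, and attribute keys such as idp.email are hypothetical stand-ins, not the Maverics session API.

```go
package main

import (
	"fmt"
	"strings"
)

// Session is a stand-in for the session handed to the extension. It is NOT the
// Maverics session API; it models only the attribute lookup this example needs.
type Session interface {
	GetString(key string) (string, bool)
}

// mapSession is a constructed in-memory session for running the example.
type mapSession map[string]string

func (m mapSession) GetString(k string) (string, bool) { v, ok := m[k]; return v, ok }

// reserved holds the registered JWT claim names from RFC 7519, section 4.1.
// Custom claim code should never be able to overwrite them.
var reserved = map[string]bool{
	"iss": true, "sub": true, "aud": true, "exp": true,
	"nbf": true, "iat": true, "jti": true,
}

// buildClaims copies only the allow-listed session attributes into claims.
// mapping is claim name -> session attribute key (hypothetical key names).
func buildClaims(sess Session, mapping map[string]string) (map[string]any, error) {
	claims := make(map[string]any, len(mapping))
	for claim, attr := range mapping {
		if reserved[claim] {
			return nil, fmt.Errorf("refusing to set reserved claim %q", claim)
		}
		v, ok := sess.GetString(attr)
		if !ok || v == "" {
			continue // omit the claim instead of emitting an empty value
		}
		if claim == "groups" {
			claims[claim] = strings.Split(v, ",") // multi-valued attribute
			continue
		}
		claims[claim] = v
	}
	return claims, nil
}

func main() {
	sess := mapSession{"idp.email": "alice@example.com", "idp.groups": "admins,hr", "idp.mfa_secret": "constructed"}
	claims, err := buildClaims(sess, map[string]string{"email": "idp.email", "groups": "idp.groups", "dept": "idp.dept"})
	fmt.Println(claims, err)
	_, err = buildClaims(sess, map[string]string{"sub": "idp.email"})
	fmt.Println(err)
}
```

Attributes that are in the session but not in the mapping (idp.mfa_secret here) never reach the token, and a mapping that targets sub is rejected outright.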

Evaluator Experience: Welcome to Maverics!

There is a new guided tour for new account sign-ups that draws people to the Learning Center.
This will be shown only once, but can be recalled by going to Help Center->Guides->Welcome to Maverics!
The Learning Center has many content and style updates to make the topics easier to read and understand. There is now a back button so you can navigate more easily between topics.

Resolved issues

  • Unable to add multiple rules or conditions to an access policy

Known issues

  • Currently you are unable to add a header to a header based user flow. As a workaround, you can add them to a resource location policy to achieve the same result.

2023-08-10: Evaluator experience

The responsiveness of Maverics has been optimized for laptop use. We've fixed several issues where page headers and columns were displaying incorrectly when the Learning Center was open. Additionally, we've improved the styling on the Learning Center.

2023-08-07: CPU utilization telemetry and service extensions update

A CPU utilization chart is now available in Orchestrator telemetry (Note: Due to limitations of macOS, no data will be reported for this metric).
Additionally, IDPs referenced in a service extension definition are now automatically included in the deployment. We've also made the app more responsive with a collapsible navigation, improved break points, and layout adjustments.

Resolved issues

  • Fixed issue that prevented people from downloading a Docker image for non-evaluation environments

2023-08-01: Learning center now available with two lessons

The first iteration of the Learning Center is available with two lessons:
  • Create an eval environment: a complete how-to process for Mac
  • Use the app modernization recipe: a new recipe that uses hosted demo assets and does not require Docker for the apps and IDPs
Orchestrator telemetry is also now available
New graphs in Orchestrator telemetry show the session count over time. To test it:
  1. Start your orchestrator connected to an environment; give it a few minutes for the data to populate.
  2. Deploy a user flow that requires authentication, and sign in and out a few times.
  3. Go to Orchestrators and click on the Orchestrator ID to view the session graphs and other data.

Resolved issues

  • Maverics correctly reports the number of days left on subscription pages
  • Maverics now remembers the last logged in account

2023-07-24: Evaluation environments now available

In just a few minutes of setup, you can test your user flows with Evaluation Environments. Evaluation environments provide a ready-made cloud storage environment and companion orchestrator package. This enables you to quickly publish user flows and have them connect to orchestrators pre-configured to consume configuration from this environment.
To get started on Mac or Linux:
  1. Go to Environments.
  2. Select Evaluation Environment from the list on the right.
  3. Download the appropriate orchestrator bundle for your OS.
  4. Unzip all the zipped files.
  5. Open the Terminal and navigate to the location of the unzipped files.
  6. Source the maverics.env and start the orchestrator with the following commands:
    source ./maverics.env
    ./maverics_darwin_amd64
When creating this environment, Maverics will:
  • Set defaults for Orchestrator URL (https://localhost) and logout URL (/logout) as well as other settings. You can change these settings by clicking the Edit button in the top right hand side.
  • Push an empty maverics.tar.gz to the cloud storage bucket (a Strata controlled AWS bucket) so the orchestrator will start up successfully in case there is no user flow published yet.
  • Create a downloadable bundle with a maverics.env preconfigured to connect to this environment
You can only have one eval environment at a time. After you create one, you will not be able to access Evaluation Environment from the right side bar.

Other enhancements

  • The new load attributes service extension point enables you to build custom flows such as the IDP picker. Sample code and instructions are coming soon!

Resolved issues

  • Paid customers will no longer see a trial banner in the UI.

2023-07-17: Token settings are now available when creating an OIDC app type

When orchestrating identity in a multi-cloud/IDP world, apps have needs, and we aim to fulfill those needs without requiring you to change code. In this release, we now expose the access token settings for specifying either a JWT or opaque access token, length, and lifetime.
Note: The JWT length options require an upcoming orchestrator build to function properly. For now, select Opaque.

Resolved issues

  • Removed non-functioning buttons on “Accounts” page.

2023-07-11: Enable or disable telemetry

When creating or editing an environment, you will find a toggle switch to enable or disable sending telemetry to Maverics. Telemetry is on by default.

Resolved issues

  • If user emails were entered with mixed case (for example, [email protected]), the users were not able to accept invites. This has been fixed.
  • Users previously unable to accept an invite can now click Accept Invite in the invitation email or, if they have an account, they can go to and click Accept.
  • After you accept an invite, Maverics now automatically switches to the invited account.

2023-07-07: Create and update fine-grained permissions with ease

We have reduced the steps and made the fine-grained permissions capability for header-based apps easier to find.
Now, when you create an access policy for a header-based app’s resource, you can set the policy all on one page. Each choice that you make automatically updates the policy. We have removed the confusing “Update” and “Back” buttons.
The policy code view has been moved to the top of the page and updates automatically on each change.
You can add conditional rules and toggle between authorization policies (like allow all). Toggling hides the conditions you created, and when you toggle back, the conditions are no longer lost.

2023-07-06: Deploy with confidence!

When publishing a configuration, you can now view the differences in the code view with the selected revision, compared to the selected environment. This helps you quickly scan the config for an attribute or mapping you may have missed.
To compare:
  1. Save a revision (add an optional comment).
  2. Click Publish.
  3. On the deploy screen:
    • Select the environment to compare against.
    • Select a different revision to compare.
  4. In the code view, green and + indicate additions while red and - indicate removals.
Additionally, Oracle ICDS (OIDC-based) Identity Service has been released. For more information, view the demo below.

Resolved issues

  • Slow loading of pages with default and custom app icons. Note that with this change, any uploaded custom app icons will revert to default icons. You will need to re-upload any custom app icons you may have previously uploaded.
  • After editing an environment, you are correctly returned to the environment page.
  • Attribute provider configuration no longer persists in the deployed bundle after being removed from a user flow.

Orchestrator builds


  • Remove logic that prevents 'ServeSE' from being defined with other AppGateway extensions
  • Set session cookie regardless of policy (v0.23.52)

v0.1.0 (Maverics TAI Module)

  • Add support for verifying signed JWT headers to prevent impersonation via side channel requests.


  • Expose TAI pkg in Service Extensions to enable JWT generation
  • Fix decryption using older keys in AES256GCMEncryptor (v0.23.49)
  • Export go-jose JWT library v3 symbols (v0.23.48)
  • Export go-ldap library v3 symbols (v0.23.47)


  • Expose 'ldap.NewModifyRequest' in Service Extensions
  • Add metadata to V2 service extensions (v0.23.43)
  • Signed binaries for Maverics Evaluation bundle downloads (v0.23.42)
  • Fix Telemetry panic on SIGTERM (v0.23.38)
  • Update SAML Provider buildClaims v2 signature to match OIDC Provider. (v0.23.37)
  • Enable attribute loading in v2 Service Extensions (v0.23.34)
  • Make API Service Extensions reloadable (v0.23.31)
  • ServeSE v2 in APIs block (v0.23.28)
  • Add ldap.NewPasswordModifyRequest symbol (v0.23.27)
  • Add support for BuildUserInfoClaimsSE for OIDC apps (v0.23.25)

  • Enable attribute loading in v2 Service Extensions - #2147
  • Make API Service Extensions reloadable - #2140
  • Unregister HTTP endpoints when API Service Extensions are stopped - #2139
  • Restart session metrics on telemetry reload - #2119
  • ServeSE v2 in APIs block - #2134
  • Add ldap.NewPasswordModifyRequest symbol - #2136
  • Orchestrator metrics as service - #2122
  • Add support for BuildUserInfoClaimsSE for OIDC apps - #2135
  • Fixed issue preventing OIDC client creation with JWT access token - #2110
  • Return a non-nil action in the HYPR connector when Lookup is successful - #2130
  • Add BuildClaims SE to SAML apps - #2128
  • Move authn fields under new authenticationPolicy in policy struct - #2123
  • Add Authentication Service Extensions to SAML Apps - #2121
  • Add BuildIDTokenClaims and BuildAccessTokenClaims extensions to apps of type OIDC - #2120
  • Remove Public Signing Key from Auth Provider Config - #2117
  • Add IsAuthenticated and Authenticate SE to OIDC apps - #2118
  • Support subtree searching for LDAP connector as IDP - #2114
  • initialize metrics during orchestrator startup - #2115
  • Create v2 Service Extension package and expose parsing method - #2113
  • SAML AuthProvider: Ensure XML dateTime attributes use millisecond precision - #2111
  • Remove connector and app count logging - #2098
  • Enable NameID Format to be defined on SAML AuthProvider clients - #2103
  • Only set SameSite cookie attribute when cookie is Secure - #2101
  • Remove "reload count" metric - #2099
  • add config version to health - #2096
  • Ensure Lookup validation is successful before using connector as IdentityProvider - #2091
  • Refactor telemetry into a service and change the Reloader to reload telemetry based on new config. - #2093
  • Fix LDAP IDP login bug - #2085
  • SAML logout in Okta - #2075
  • Emit Orchestrator health to OTLP - #2065
  • Remove old HealthSvc - #2082
  • Prevent SAML auth provider from panic if no IDPs provided. - #2080
  • Add ldap.DialWithTLSConfig to Service Extension symbols - #2077
  • Add redirectScheme to consumer fabric - #2069
  • Organize and add Godoc for configuration fields in AppGateway - #2070
  • Fix issue where Fabric Consumer (RP Orchestrator) fails to load TLS config - #2064
  • Add os/exec to service extension symbols if enableOSLib:true - #2063
  • Return ErrMetricsInvalidExporter if exporter not specified in telemetry metrics configuration - #2066
  • Refactor telemetry config to allow multiple OTLP exporters; reference… - #2057
  • Improve error handling in Fabric Consumer when nonce is not found - #2060
  • Add ldap.NewSearchRequest to service extension symbols - #2052
  • Don't log message about metrics when telemetry not enabled. - #2050
  • Add support for domain hint in SAML SP - #2053
  • Support SAML login in Okta connector - #2051
  • Leave maverics.yaml untouched on uninstall - #2049
  • Support IDP-initiated SAML login in ADFS connector - #2047
  • Support IDP-initiated SAML login in Azure connector - #2048
  • Add default maverics.yaml on Windows installation - #2046