Release notes
Using Duo and Maverics together has become even easier. You can now set up Duo Single Sign-On (SSO) as part of your identity fabric and use it for authentication in your user flows.
- You can now sort user flows by the last commit date.
- You can now specify TLS settings in header-based apps:
- Add a path to a CA cert
- Skip TLS verification (enableSkipVerify), which turns off verification of the upstream server's certificate
- Fabric now includes the logoutURL (for example, https://auth0tenantname/v2/logout) required by Auth0.
- You can now specify scopes in OIDC providers.
- Mac, Windows, and Linux now have the same easy 3-step experience. Our updated Linux evaluation bundle now includes a raw orchestrator Linux executable. There's no need to install an RPM, so you can launch it directly from the command line.
- Login and isLoggedIn service extensions are always used together and have now been combined into a single form called Upstream Application Login.
- Updated service extension names and descriptions
We've now achieved 90% parity with the service extension points available via the YAML API.
Proxied apps use the service extension format currently documented for YAML configuration, while SAML apps, OIDC apps, and API endpoints (aka ServeSE) require a new format. The new format is available for internal preview, and public documentation for the new service extensions will be released soon.
Develop an API app to facilitate identity flows by creating custom HTTP endpoints, serving HTML pages, or executing custom scripts.
To use it:
- 1.Go to Applications and select API from the application type column.
- 2.Enter a name, description, and function name (for example, Serve).
- 3.Add your Go code in the code editor and click Create.
- 4.Create a new user flow and select the app you created in step 3.
- 5.Commit and deploy. You can now deploy user flows that can integrate with these APIs.
You can also add Login service extension points to your header-based app user flows.
Service extension: add to your header-based app's user flow.
When service extension code has been modified, any user flows that reference it are updated with the status 'Uncommitted changes'. This signals that you need to commit and deploy for the changes to take effect.
Finally, to simplify the experience, the identity fabric code view has been removed. You can still see the code on the user flow deploy step.
The Windows evaluation experience has been improved. You no longer have to:
- Run an installer
- Delete system environment variables (e.g. the default YAML config and license files)
- Edit registry values
- Edit maverics.env; all paths to certs and keys just work
To use it:
- 1.Download the zip file, right-click it and select “Extract all…”
- 2.Open the Command Prompt.
- 3.Use cd to navigate to where you extracted the eval bundle.
- 4.Run: call maverics.bat && maverics-orchestrator.exe
- 5.Go to Orchestrator Telemetry and check for the green dot.
- You can now modify requests and responses using service extensions in header-based apps.
- Fixed an issue selecting a provider when creating an authorization rule.
To improve the usability of Maverics, we have reworked the Save Revision and Publish steps into Commit->Deploy. This includes:
- For easy access, it is now pinned to the top of the user flow screen and the Edit a resource location policy screen.
- Save a revision is now a Commit in a modal dialog
- Inspector results are accessible on hover when there are errors on a user flow. Note: before you can commit you must clear all the errors.
- You can now specify attribute provider and username mapping in SAML and OIDC app type user flows.
- The maverics.env in the Windows evaluation bundle has been improved to make it easier to copy and paste. We also have a new Learning Center topic to walk you through the Windows process.
- You can now specify signing certs in AD FS and Azure AD SAML configs to verify that the authentication requests are signed.

Service extension
There is now a step-by-step guide to the Orchestrator Evaluation Bundle installation on Windows.
- Addressed an issue where you could not add a header to a user flow.
You can now leverage the buildAccessTokenClaimsSE or buildIdTokenClaimsSE service extension points in the platform to build custom token claims for OIDC and SAML app type user flows. To use:
- 1.
- 2.Enter a name and description, and click Create.
- 3.Paste in your Go code. Here is a "Hello World" example that prints a log event after a user logs in:
package main

import (
    "net/http"

    "github.com/strata-io/service-extension/orchestrator"
    "github.com/strata-io/service-extension/session"
)

// BuildTokenClaims is invoked when the orchestrator mints a token; the map it
// returns is merged into the access token or ID token selected in the user flow.
func BuildTokenClaims(_ orchestrator.Orchestrator, _ *http.Request, sess session.Session) (map[string]any, error) {
    claims := make(map[string]any)
    // TODO: Implement service extension code.
    claims["Hello"] = "World"
    return claims, nil
}
- 4.
- 5.Go to User Flows and create a new user flow. Select the app you created in step 4, and specify an IDP in the following screen.
- 6.On the User Flow page, scroll to Claims. Select the service extension you created in step 3 for either an Access Token or ID Token.
- 7.Click Save Revision, publish the user flow, and log in to your app.
- 8.In the orchestrator log, you will see:
ts=2023-08-16T22:51:59.768756Z level=debug msg="adding claim Hello:World to ID token" client=client-id
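As an added example that is not part of these release notes or Strata's code, the following BuildTokenClaims body copies only allowlisted session attributes into the token, so nothing else held in the session (such as a cached credential) can end up in a claim. The orchestrator and session parameters of the real signature are replaced by a hypothetical attributeSession interface and a constructed in-memory session so the snippet compiles without the service-extension module; the attribute names are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// attributeSession is a hypothetical stand-in for the orchestrator's session type.
type attributeSession interface {
	GetString(key string) (string, error)
}

// mapSession is a constructed in-memory session used only for this example.
type mapSession map[string]string

func (m mapSession) GetString(key string) (string, error) {
	if v, ok := m[key]; ok {
		return v, nil
	}
	return "", errors.New("session attribute not found: " + key)
}

// claimAllowlist maps session attribute names to the claim names they populate;
// only these attributes reach the token, so other session data cannot leak into it.
var claimAllowlist = map[string]string{"mail": "email", "displayName": "name", "groups": "groups"}

// BuildTokenClaims returns the custom claims to add to an access or ID token. Absent
// attributes are skipped, and a session without an email yields an error, not a token.
func BuildTokenClaims(_ *http.Request, sess attributeSession) (map[string]any, error) {
	claims := make(map[string]any)
	for attr, claim := range claimAllowlist {
		v, err := sess.GetString(attr)
		if err != nil {
			continue
		}
		if claim == "groups" {
			claims[claim] = strings.Split(v, ",") // comma-separated groups become an array
			continue
		}
		claims[claim] = v
	}
	if _, ok := claims["email"]; !ok {
		return nil, errors.New("session has no mail attribute; refusing to build claims")
	}
	return claims, nil
}

func main() { // constructed sample session; "password" must never reach the token
	claims, err := BuildTokenClaims(nil, mapSession{"mail": "alice@example.com", "groups": "admins,dev", "password": "x"})
	fmt.Println(claims, err)
}
```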

Evaluator experience
There is a new guided tour for new account sign-ups that draws people to the Learning Center.
This will be shown only once, but can be recalled by going to Help Center->Guides->Welcome to Maverics!
The Learning Center has many content and style updates to make the topics easier to read and understand. There is now a back button so you can navigate more easily between topics.
- Unable to add multiple rules or conditions to an access policy
- Currently you are unable to add a header to a header-based user flow. As a workaround, you can add them to a resource location policy to achieve the same result.
The responsiveness of Maverics has been optimized for laptop use. We've fixed several issues where page headers and columns were displaying incorrectly when the Learning Center was open. Additionally, we've improved the styling on the Learning Center.
A CPU utilization chart is now available in Orchestrator telemetry (Note: Due to limitations of Mac OS, no data will be reported for this metric).
Additionally, IDPs referenced in a service extension definition are now automatically included in the deployment. We've also made the app more responsive with a collapsible navigation, improved break points, and layout adjustments.
- Fixed issue that prevented people from downloading a Docker image for non-evaluation environments
The first iteration of the Learning Center is available with two lessons:
- Create an eval environment: a complete how-to process for Mac
- Use the app modernization recipe: a new recipe that uses hosted demo assets and does not require Docker for the apps and IDPs

Learning center
Orchestrator telemetry is also now available
New graphs in Orchestrator telemetry show the session count over time. To test it:
- 1.Start your orchestrator connected to an environment; give it a few minutes for the data to populate.
- 2.Deploy a user flow that requires authentication, and sign in and out a few times.
- 3.Go to Orchestrators and click on the Orchestrator ID to view the session graphs and other data.

Telemetry
- Maverics correctly reports the number of days left on subscription pages
- Maverics now remembers the last logged in account
In just a few minutes of setup, you can test your user flows with Evaluation Environments. Evaluation environments provide a ready-made cloud storage environment and companion orchestrator package. This enables you to quickly publish user flows and have them connect to orchestrators pre-configured to consume configuration from this environment.
To get started on Mac or Linux:
- 1.
- 2.Select Evaluation Environment from the list on the right.
- 3.Download the appropriate orchestrator bundle for your OS.
- 4.Unzip all the zipped files.
- 5.Open the Terminal and navigate to the location of the unzipped files.
- 6.Source the maverics.env and start the orchestrator with the following commands:
source ./maverics.env
./maverics_darwin_amd64
When creating this environment, Maverics will:
- Set defaults for Orchestrator URL (https://localhost) and logout URL (/logout) as well as other settings. You can change these settings by clicking the Edit button in the top right-hand corner.
- Push an empty maverics.tar.gz to the cloud storage bucket (a Strata controlled AWS bucket) so the orchestrator will start up successfully in case there is no user flow published yet.
- Create a downloadable bundle with a maverics.env preconfigured to connect to this environment
You can only have one eval environment at a time. After you create one, you will not be able to access Evaluation Environment from the right side bar.
See it in action:
- The new load attributes service extension point enables you to build custom flows such as the IDP picker. Sample code and instructions are coming soon!
- Paid customers will no longer see a trial banner in the UI.
When orchestrating identity in a multi-cloud, multi-IDP world, apps have needs, and we aim to fulfill those needs without requiring you to change code. In this release, we expose the access token settings for specifying either a JWT or opaque access token, its length, and its lifetime.

Token settings
Note: The JWT length options require an upcoming orchestrator build to function properly. For now, select Opaque.
- Removed non-functioning buttons on “Accounts” page.
When creating or editing an environment, you will find a toggle switch to enable or disable sending telemetry to Maverics. Telemetry is on by default.

Telemetry switch
- If user emails were entered with mixed case, the users were not able to accept invites. This has been fixed.
- Users previously unable to accept an invite can now click Accept Invite in the invitation email or, if they have an account, go to https://maverics.strata.io/accounts and click Accept.
- After you accept an invite, Maverics now automatically switches to the invited account.
We have reduced the steps and made the fine-grained permissions capability for header-based apps easier to find.
Now, when you create an access policy for a header-based app’s resource, you can set the policy all on one page. Each choice that you make automatically updates the policy. We have removed the confusing “Update” and “Back” buttons.
The policy code view has been moved to the top of the page and updates automatically on each change.
You can add conditional rules and toggle between authorization policies (like allow all). Toggling away hides the conditions you created, and when you toggle back the conditions are restored rather than lost.
See it in action:
When publishing a configuration, you can now view the differences in the code view with the selected revision, compared to the selected environment. This helps you quickly scan the config for an attribute or mapping you may have missed.

View diff
To compare:
- 1.Save a revision (add an optional comment)
- 2.Click Publish.
- 3.On the deploy screen:
- Select the environment to compare against.
- Select a different revision to compare.
- 4.In the code view green and + indicate additions while red and - indicate removals.
Additionally, the Oracle IDCS (OIDC-based) Identity Service has been released. For more information, view the demo below.
- Slow loading of pages with default and custom app icons. Note that with this change, any uploaded custom app icons will revert to default icons. You will need to re-upload any custom app icons you may have previously uploaded.
- After editing an environment, you are correctly returned to the environment page.
- Attribute provider configuration no longer persists in the deployed bundle after being removed from a user flow.
2023-09-11
- Remove logic that prevents 'ServeSE' from being defined with other AppGateway extensions
- Set session cookie regardless of policy (v0.23.52)
2023-09-07
- Add support for verifying signed JWT headers to prevent impersonation via side channel requests.
2023-09-07
- Expose TAI pkg in Service Extensions to enable JWT generation
- Fix decryption using older keys in AES256GCMEncryptor (v0.23.49)
- Export go-jose JWT library v3 symbols (v0.23.48)
- Export go-ldap library v3 symbols (v0.23.47)
2023-08-29
- Expose 'ldap.NewModifyRequest' in Service Extensions
- Add metadata to V2 service extensions (v0.23.43)
- Signed binaries for Maverics Evaluation bundle downloads (v0.23.42)
- Fix Telemetry panic on SIGTERM (v0.23.38)
- Update SAML Provider buildClaims v2 signature to match OIDC Provider. (v0.23.37)
- Enable attribute loading in v2 Service Extensions (v0.23.34)
- Make API Service Extensions reloadable (v0.23.31)
- ServeSE v2 in APIs block (v0.23.28)
- Add ldap.NewPasswordModifyRequest symbol (v0.23.27)
- Add support for BuildUserInfoClaimsSE for OIDC apps (v0.23.25)
2023-08-15
- Enable attribute loading in v2 Service Extensions - #2147
2023-08-11
- Make API Service Extensions reloadable - #2140
2023-08-11
- Unregister HTTP endpoints when API Service Extensions are stopped - #2139
2023-08-11
- Restart session metrics on telemetry reload - #2119
2023-08-11
- ServeSE v2 in APIs block - #2134
2023-08-10
- Add ldap.NewPasswordModifyRequest symbol - #2136
2023-08-10
- Orchestrator metrics as service - #2122
2023-08-10
- Add support for BuildUserInfoClaimsSE for OIDC apps - #2135
2023-08-03
- Fixed issue preventing OIDC client creation with JWT access token - #2110
2023-08-03
- Return a non-nil action in the HYPR connector when Lookup is successful - #2130
2023-08-03
- Add BuildClaims SE to SAML apps - #2128
2023-08-02
- Move authn fields under new authenticationPolicy in policy struct - #2123
2023-07-28
- Add Authentication Service Extensions to SAML Apps - #2121
2023-07-28
- Add BuildIDTokenClaims and BuildAccessTokenClaims extensions to apps of type OIDC - #2120
2023-07-28
- Remove Public Signing Key from Auth Provider Config - #2117
2023-07-26
- Add IsAuthenticated and Authenticate SE to OIDC apps - #2118
2023-07-25
- Support subtree searching for LDAP connector as IDP - #2114
2023-07-24
- initialize metrics during orchestrator startup - #2115
2023-07-19
- Create v2 Service Extension package and expose parsing method - #2113
2023-07-17
- SAML AuthProvider: Ensure XML dateTime attributes use millisecond precision - #2111
2023-07-13
- Remove connector and app count logging - #2098
2023-07-12
- Enable NameID Format to be defined on SAML AuthProvider clients - #2103
2023-07-12
- Only set SameSite cookie attribute when cookie is Secure - #2101
2023-07-12
- Remove "reload count" metric - #2099
2023-07-12
- add config version to health - #2096
2023-07-07
- Ensure Lookup validation is successful before using connector as IdentityProvider - #2091
2023-07-07
- Refactor telemetry into a service and change the Reloader to reload telemetry based on new config. - #2093
2023-07-05
- Fix LDAP IDP login bug - #2085
2023-06-28
- SAML logout in Okta - #2075
2023-06-27
- Emit Orchestrator health to OTLP - #2065
2023-06-26
- Remove old HealthSvc - #2082
2023-06-26
- Prevent SAML auth provider from panic if no IDPs provided. - #2080
2023-06-23
- Add ldap.DialWithTLSConfig to Service Extension symbols - #2077
2023-06-20
- Add redirectScheme to consumer fabric - #2069
2023-06-19
- Organize and add Godoc for configuration fields in AppGateway - #2070
2023-06-16
- Fix issue where Fabric Consumer (RP Orchestrator) fails to load TLS config - #2064
2023-06-16
- Add os/exec to service extension symbols if enableOSLib:true - #2063
2023-06-16
- Return ErrMetricsInvalidExporter if exporter not specified in telemetry metrics configuration - #2066
2023-06-15
- Refactor telemetry config to allow multiple OTLP exporters; reference… - #2057
2023-06-15
- Improve error handling in Fabric Consumer when nonce is not found - #2060
2023-06-14
- Add ldap.NewSearchRequest to service extension symbols - #2052
2023-06-14
- Don't log message about metrics when telemetry not enabled. - #2050
2023-06-13
- Add support for domain hint in SAML SP - #2053
2023-06-13
- Support SAML login in Okta connector - #2051
2023-06-13
- Leave maverics.yaml untouched on uninstall - #2049
2023-06-08
- Support IDP-initiated SAML login in ADFS connector - #2047
2023-06-08
- Support IDP-initiated SAML login in Azure connector - #2048
2023-06-08
- Add default maverics.yaml on Windows installation - #2046