Release notes archive
You can now capture a revision comment and it will display on publish.
Orchestrator health data can now be viewed on the Orchestrators page.
Orchestrator green dot
Orchestrator health data is sent to Maverics from Orchestrators and appears on the page after five minutes. If an orchestrator is stopped it will disappear after 15 minutes, however an unavailable state is not yet supported. Additionally, you can click the ID to see memory utilization.
- We can now offer custom contract terms to customers with custom billing behavior, allowing you to start an annual subscription and pre-purchase up to a certain limit.
- Oracle's Identity Cloud Service can now be configured as an IDP.
- Known issue: This sometimes triggers unexpected panics in orchestrators.
- You can now specify a destination for logout redirects.
- Known issue: Orchestrator does not yet support hot reload of logout URLs. You will need to manually restart orchestrators to see any change in logout behavior.
- Headers with a “.” in the name can be deleted.
- You can no longer create a identity service with a name containing a “.” as this sometimes caused config to break downstream when used in a user flow.
We use a standard OIDC connection to integrate Trusona’s passwordless solution. This enables another great passwordless option for customers who want to modernize their application without having to rewrite any application code.
Trusona
- Our interactive onboarding guide (powered by Pendo) just got better. It now points to the app map to start, and each step has an image to guide you through the process. First time visitors will see the onboarding guide every time they log in, until they have dismissed the guide twice. You can always refer to the onboarding guide again by visiting the Guides section in the Resource Center.
Our sign up and login process has been improved! Maverics Passwordless Account powered by HYPR enables you to use Maverics without a password for free -- no paid tenant required.
Maverics Passwordless sign up
We've also added an app map in the top navigation to help guide your journey as a user.
Maverics app map
You can now use your GitHub account to sign up and sign in to Maverics. Support for GitHub OAuth is a common authentication pattern and benefits admins, app owners, and developers using our product.
We've also improved instructions for using Microsoft Azure storage. You will also need to re-enter your SAS token any time you edit your environment.
We've implemented the accessWidget by accessiBe to automate web accessibility with AI. We are now over 95% in our scoring for web accessibility guidelines!
Additionally, as an enhancement to our hybrid zero trust architecture, we now support publishing configuration bundles to MS Azure Storage. This completes the end-to-end flow as Oochestrators could already read remote config from a Azure Storage container. Customers who have standardized on Azure now have more viable deployment options.
Finally, no matter how old or what kind of apps you have, Maverics can create user flows that can meet their identity needs. By uploading a custom app icon, you can make the Maverics experience more personal. We've also localized the date in time in our tables.
You can now download SAML metadata files from the Environments page. Additionally, you will be prevented from deleting an identity fabric referenced by a service extension.
We now support orchestrating identity for modern applications that require Open ID Connect (OIDC) IDC for authentication (single orchestrator only). Additionally, in the environment settings you can now download SAML metadata. This streamlines the configuration process for some apps that support importing a SAML metadata file .xml format.
- You can now publish configuations to Gitlab repositories.
- After 1 hr 58 min of inactivity you will be warned that your session will expire. You have 2 minutes to renew it and if you don’t you will be signed out.
- You will now be prevented from deleting a identity service when it is associated with a user flow.
To improve security, Maverics now requires a IAM Role for publishing to a S3 bucket. The orchestrator configuration for reading config does not change, and existing environments configured to use a S3 buckets will continue to publish to S3 with an account ID and secret key. However, creating a new environment with an AWS S3 bucket or editing an existing environment requires cross-account roles. For more information, see Configure an environment.
- You can now use Maverics to configure an orchestrator to act as a SAML auth provider for your applications.
- You can now specify the single logout endpoint (e.g. /logout) to trigger logout from all apps and IDPS.
- We've improved accessibility throughout Maverics to meet American Disability Act (ADA) standards.
- We've added Auth0 and Generic SAML as new IDPs.
The Pricing link is now available from the Subscriptions page. Profile and Account menus are now clickable. Finally, the Publish button on individual User Flow pages now lives next to the Save Revision button, for better visibility.
- The Learn more about Deployments link now points to the online help.
Today we addressed feedback we received from our first bug bash.
- Updated Orchestrator description and fixed help links to creating an environment.
- Clicking Deployments breadcrumb no longer returns an error. The Deployments breadcrumb is now gone and correctly shows the path back to the User Flow.
- Cleaned up all the Learn More links.
- Describe the IAM permissions needed for an AWS S3 bucket. When creating an AWS S3 environment, we now show a Learn more and info icon which points to the AWS bucket policy in Remote configuration.
- SAML app types are on the way! When creating a new or editing an environment you can now specify the Orchestrator URL.
- The Dashboard now has a short-cut to Invite a Member to your Account. This is a owner only action. If you are not the account owner it will take you to the member list.
As part of our PLG Onboarding initiative we want to make it super easy for evaluators to explore everything that Maverics has to offer. We made a couple small, but impactful changes to the user experience. It is a first step towards our grand plan to build out recipes and how they will simplify the difficult tasks of building a cohesive identity fabric.
- On the Dashboard, Import custom configuration has been renamed to Import Identity Orchestration Recipe.
- The default import is the same config from the Quick Start Guide. Just click Create and you will have a fully baked and deployable user flow!
- After creating a new environment, you'll land on the show page so you can immediately move on to set up an orchestrator.
- Updated Learn More links throughout the app.
- New content and behaviors for the Welcome to Maverics onboarding screens.
Our new Sign Up page is brought to you by an extra special collaboration with Product, Design, Marketing and Engineering.
Additionally, we've made several updates to our Environments flow:
- When creating and editing an environment you can now specify session and cookie domain settings used when proxying header based apps.
- When editing an environment you can easily download the public key file, configuration and a orchestrator build.
- You can now more easily download a deployed configuration for local testing.
You can now download an Orchestrator from an environment. On a new deployment, you can also go to an Environment by clicking its name.
Additionaly, you can now use a Create Header service extension on an Access Policy (e.g. reports). The service extension name now appears in the show field, and we've removed the unused Attribute field when adding a Create Header service extension.
- The Buy Now button disappears if you've purchased a subscription.
Secrets must be re-entered to update any shared storage settings.
When deploying a user flow, it will correctly bundle the latest service extension
We uniquely enable our customers to compose an Identity Fabric and deploy User Flows for their applications, anywhere they are deployed. Our goal is to make this clear in practice when customers use Maverics to set up an environment, configure shared storage, connect orchestrators to the environment, and manage deployed User Flows.
Today we released Part 1 of this journey: Create and edit an environment.
- 1.The Environments list enables you to choose the cloud storage provider or a local environment.
- 2.Creating a new environment now has form input. You no longer have to copy and paste JSON code.
- 3.Editing an environment has two tabs:
- Settings: Shared storage provider settings and orchestrator startup configuration
- Publish: User flows, get a public key for an orchestrator, download a deployed configuration
- Renamed the Orchestrator download to maverics-orchestrator.
<ext>. This helps differentiate it from the maverics.tar.gz config bundle. - To delete your account and cancel your subscription in Chargebee, follow these steps: go to the Profile Menu, select Accounts, select the name of your Account, and click Delete. This will also remove you from any accounts you have been invited to.
You can now self-service purchase a Maverics Subscription! After your trial period is over, the Buy Now button appears and you can purchase your subscription. The subscription estimate is based on the number of apps and IDPs published to an environment marked for Production. Watch our demo.
The User Flow list page also has a new Status column. The values are as follows:
- Current: The user flow is up to date with the current revision. No action needs to be taken.
- Modified: The user flow has changed and a new revision needs to be published. This can mean:
- The user flow itself has been edited (an access policy, provider, or header could have been added or updated)
- A referenced identity service has been updated. For example, adding a logout URL to a referenced OIDC authentication provider will require the user flow to be published again.
- The Last Modified columns will never be blank; it will either show the creation date or the last modified date.
- On a new deployment page, the Publish and Cancel buttons have been moved up for better visibility.
You can now get to Service Extensions from the main navigation! From here you can create and edit 3 different extension points that can be used in User Flows for Header based apps:
CreateHeaders, Authentication (Authenticate+IsAuthenticated), and IsAuthorized.- Fixed db migrations that were setting off alerts
Revise and publish have been simplified! The previous steps to revise and publish a user flow were confusing and prone to errors. To simplify this experience:
- We've moved the Save As a Revision action, Publish action, and Automated Inspector to the top of a user flow.
- We've removed the side by side comparison from the bottom.
- We've the ability to override a calculated revision in the code view.
- We've moved read only code view to the new deploy step.
- Branded identity service provider icons now appear on the user flow for easier identification.
- You no longer have to toggle a switch to select an available service extension.
- OIDC secrets are now hidden in form view.
- Header in on access controls in the User Flow views are no longer garbled
- New Header type descriptions are rendering properly
We are excited to add support for deploying configuration as securely signed bundles! This security enhancement helps to ensure that the configuration being deployed is legitimate and has not been altered by malicious actors. In addition, bundles pave the way for us to deliver Service Extensions.
This security enhancement requires that you recreate your Environments with new key names and republish your user flows to those environments. You will need to update your Orchestrator to at least version: v0.19.0 which can be downloaded from the Orchestrators page.
During a deployment Maverics bundles and signs the configuration with a digital signature that is unique to that environment. The bundle file is named “maverics.tar.gz.” When unzipped you see it contains maverics.json which is the configuration, jwt signature file, and a directory of any service extensions referenced in user flows.
The signed bundle is then validated by connected orchestrators configured to use that public key. If the validation fails, the Orchestrator will not load the configuration. To configure your Orchestrator, go to the environment page, download the public key file to the machine running the orchestrator. Set the path to the downloaded file in the MAVERICS_BUNDLE_PUBLIC_KEY_FILE env var.
Go to an environment to download its public key.
configurationFileObjectKey and configuration_file_object_key are no longer supported.configurationFilePathis new and is now the only key that specifies the file path to maverics.tar.gz.Google Cloud Storage
bucket_name is no longer supported and has been renamed to bucketName which is consistent with all other environments.Sidebar lists on right like Identity Services are now more compact and scrollable. App and Authentication sections of user flows are now more compact.
Additionally the Linux download for Maverics is now a tar.gz file.
- When specifying a header, it is now required to be unique to the user fl ow at the app or resource policy level. The benefit here is that it will prevent you from specifying duplicate headers like SM_USER or firstname. This will avoid conflicts downstream.
You can now use Ping Federate SAML and OIDC as an identity provider in your identity fabric.
- Added SAML-based apps and user flows
- Includes adding/removing claims and attribute providers, and the ability to publish the SAML user flow. NOTE: SAML user flows are limited to one authentication provider
- Support for Oracle Universal Directory (OUD) as an attribute provider
- Added OIDC-based apps
- Added Automation-based apps
- Added Automation Flows: A user flow can be built on the newly introduced Automation app type.
- Support for Service Extensions: You can now upload and delete custom Service Extensions.
- 🚀 Easy Eval: Docker Compose includes Orchestrator, Keycloak - Quicksilver, PostgreSQL, Redis, Minio for shared storage
This version of Maverics features a new account switcher in the top navigation and table restyling.
- Fabric names are no longer editable after you create them. This prevents breaking elements downstream to referenced user flows. This is a temporary measure until IDs are implemented as references.
- The top navigation shows how many days are left in your trial. The Buy Now button appears when your trial has ended.
- A Re-publish button has been added to Environments. You can now delete user flows, edit startup configuration, and click Re-publish to push changes to your shared storage. Any waiting Orchestrator instances can pick up those changes.
- Bug fixes and refinements
You can now download the Orchestrator for Mac as part of an easy evaluation experience.
- Inviting members is a few clicks closer! Click on the Account name in the top nav. From there you just click the “Add Members” button.
- We now send 💌 email to new member invitees
- Pendo is no longer be blocked by most ❤️ 🛑 ad blockers. This means that our Onboarding Guides and Resource Center can be shown to more visitors.
- The trial banner reminds you how many days you have left
- Fit and finish
- © 2023 Strata Identity, Inc. Privacy Policy now appears in the footer
- Spelling fixes
- Apps and user flows
- You can now remove a User Flow from an environment
- See a video: https://www.loom.com/share/4bb80cdc77994cb595c9acc304220dc2
- 🔐 Now protected from cross-site forgery vulnerabilities
You can now upload a custom configuration straight from the dashboard.
- Less jumpiness when adding and removing headers on a user flow
Before you publish a revision, the configuration inspector will tell you if any IDPs or attribute providers are missing required information. The configuration inspector will look in app headers, policy rules, and policy headers for any missing components.
Headers used in a resource access policy also appear on the user flows.
- Updating a policy preserves existing headers instead of deleting them
- Sign in with Microsoft account now shows Strata Identity instead of “unverified”
Maverics now supports adding Keycloak as an identity provider.
We are kicking off an initiative to deliver a self-service try and buy experience for Maverics. The Easy to Trial and Buy initiative will include several future releases with product tours, guides and videos, pre-built user flows, apps, and IDPs. The vision for this initiative is to allow prospects to implement one of our recipes using Maverics.
Soon we will deliver Keycloak as a ready-made, containerized IDP available through Maverics along with our Canary and Sonar demo apps. Evaluators will not have to go through the time and effort to bring their own IDP to trial Maverics.
Additionally, Subscriptions and Accounts have been moved from the left-nav to the user profile in the top-right corner of the Maverics user interface
hostfield was not being properly written out when creating a header based app. To implement this fix for existing apps, you will need go to the app, add the host field, and revise & publish any user flows.- Fixed typos in UI
Amazon Cognito is an OIDC-based IDP. You can now add AWS Cognito to provide authentication in your user flows.
- Maverics now supports multiple user flows per environment! This means that you can do MORE with your POCs!
- The Orchestrators page no longer lists the User Flow list. To see which user flows are deployed where first go Environments and click on the environment you’d like to inspect.
- You can download the configuration from this page as well by clicking “(download configuration)” above the table.
- Import is on its way back into the product. You can import JSON by going to https://maverics.strata-staging.io/user_flows_import. This will make its way back to the Dashboard very soon.
- The config analyzer now provides context in the inspection results. This will now tell you which part of a user flow and the name of the provider its missing.
- Fixed remaining gosec errors
- Code editor fixes
Customers can now include Hypr as a passwordless authentication provider in their identity fabric. Our partnership with HYPR is even stronger. You can now use Maverics to demonstrate how to modernize those pesky non-standard apps with passwordless authentication.
To give it a try, go to Identity Fabric in Maverics and click “Add” under the HYPR card to configure HYPR. You will need access to Strata’s HYPR Control Center demo tenant to use it. In the Control Center you will need the app’s details and a app user configured to test.
Then, create an app and user flow in Maverics. In the user flow authentication section, select your new HYPR provider. Use it in a policy for a resource. Finally, publish the user flow!
- Subscriptions: environments can now report app and IDP usage split out between production and development environments
- Identity Fabric: secretssuch as LDAP passwords and OIDC client secrets are now hidden on form views🔐
- User Flows: broader support for automated user flow inspection. It will now check for missing authentication providers in app headers and policy.
- Chargebee will no longer fail to create customers from invalid sign up survey results
Configuration analysis makes it easier for users to create configurations that will always work when sent to an Orchestrator. In this first version, when you save a revision and the auth provider has been removed from the User Flow, a message will appear showing you that it could be missing from a resource policy or from an attribute provider definition. To see it in action, click here.
Additionally, Environments can now be tagged for Production use. This ensures that we only charge customers for apps and IdPs in their production environments.
- UX – Marketing feedback on copy updates has been incorporated in this release.
- Several general refactors to improve the dev experience.
- Better performance of the Orchestrators page, by implementing asynchronous calls to the page when fetching Orchestrator status.
On trial sign up, new customers and free trial subscriptions are created in Chargebee.
- Sign up form improvements - you no longer lose your previous entries when attempting to Start Trial with missing fields
- A new Orchestrator available in Orchestrator/downloads. The downloads will always show the latest release.
- Better messaging when attempting to delete a application that is referenced in a user flow
- Saving a new revision is no longer jumpy- We are updating interactions to HTMX all over the app so it will no longer scroll jump every time you hit a button. More to come!
Customers can now use a Github repository to publish config that configured orchestrators can consume.
- Hypr sign up
- Improved step-by-step instructions in intersticial screen and emails
- Temporarily removed signing in using fido2 devices
- Sign up form - remove generated name and make all fields required
- Text and editorial feedback - thanks to a ton of feedback from Marketing, Design and Docs the copy in the UI is much cleaner and consistent
- User Flows - Add multiple rules and conditions to an access policy
- Make LDAP delimiter optional
- Fixed bad request when editing an account after switching accounts
We are excited to announce the first commercial ship (FCS) of https://maverics.strata.io, our newest offering designed to help businesses onboard to the Maverics Identity Orchestration Platform. The initial release provides a comprehensive set of capabilities primarily focussed on modernizing non-standard header based apps.
- Maverics is now available for any user to sign up for a free trial. If customers would like to purchase they will need to contact sales.
We will be releasing enhancements very often focussed on polished UX, adding more choices like AWS Cognito & Hypr when creating Identity Fabric, additional app types, and so much more! Release notes like these will be published as a Confluence Blog in the #general channel. If you need access to Confluence please reach out to @Eric Leach (Unlicensed) and he can resend an invite.
2023-05-03
- Ensure keys in JWKS have unique IDs - #1990
2023-05-03
- Add support for apps of type OIDC - #1987
2023-05-03
- fix cache timing logic - #1992
2023-05-03
- Describe Service Extension dependencies for AuthProviders - #1991
2023-05-02
- [OIDC Auth Provider] Inject unused cache.Cache - #1988
2023-05-02
- [OIDC Auth Provider] Move cache creation into NewOIDCProvider - #1984
2023-05-02
- add URLPath to otel http config - #1980
2023-05-02
- Add Orchestrator ID to metrics resources - #1976
2023-05-01
- Add username search key value to session for LDAP - #1985
2023-05-01
- Handle error from service extension panic recovery - #1986
2023-05-01
- Add source assets for the docker grafana quickstart in docs repo. - #1978
- Serve discovery endpoints on app-centric OIDC Provider - #1983
2023-04-27
- Add ability to create clients on OIDC AuthProvider - #1982
2023-04-27
- add mock cache implementation - #1981
2023-04-26
- Removes the AuthProvider feature flag - #1979
2023-04-26
- add initial caching foundation - #1968
2023-04-21
- Add MAVERICS_CONFIG to multiple environment variable check - #1975
2023-04-21
- Distinguish between validation and unmarshalling in OIDCProvider by @patrick-strata in #1969
- Remove undocumented and unused logical operators from OIDC AuthProvider authentication policy by @patrick-strata in #1970
- Query escape configuration_file_object_key for GCP provider by @wfernandes in #1972
- Decouple unmarshaling from construction in OIDC AuthProvider in support of OIDC apps by @eliasjf in #1973
- Support configurationFilePath key in provider configs by @wfernandes in #1971
- Implement bundle verification by @kewun in #1967
- Organize tests into separate files for OIDC AuthProvider by @eliasjf in #1974
Full Changelog: https://github.com/strata-io/maverics/compare/v0.18.47...v0.18.48
2023-04-21
- Distinguish between validation and unmarshalling in OIDCProvider by @patrick-strata in #1969
- Remove undocumented and unused logical operators from OIDC AuthProvider authentication policy by @patrick-strata in #1970
- Query escape configuration_file_object_key for GCP provider by @wfernandes in #1972
- Decouple unmarshaling from construction in OIDC AuthProvider in support of OIDC apps by @eliasjf in #1973
- Support configurationFilePath key in provider configs by @wfernandes in #1971
- Implement bundle verification by @kewun in #1967
- Organize tests into separate files for OIDC AuthProvider by @eliasjf in #1974
Full Changelog: https://github.com/strata-io/maverics/compare/v0.18.47...v0.19.1
2023-04-18
- Simplify SAML Provider signature configuration - #1966
2023-04-18
- Add encryption to SAML Apps - #1965
2023-04-17
- Update Swarm to latest - #1964
2023-04-17
- Remove antiquated autogenerated LDAP test mock - #1962
- Remove outdated telemetry docs - #1961
- Enable encryption config to be defined on SAML AuthProvider client - #1963