Release notes archive

Release notes archive

2024-03-25: Fit and finish, and feature enhancements

  • Added Entra ID & Okta (OIDC) health check preferences for interval and time in seconds.
  • Hover legends, graph smoothing, scaling, request counts with response codes, and improved behavior and accuracy for orchestrator telemetry.
  • You can now select a provider or static when defining headers in a user flow.
  • You can now add headers when creating/editing user flows in Safari.

2024-03-19: Resolved issues

  • When you import service extensions now the providers are included in the import.
  • Continued fit and finish to orchestrator telemetry and graphs.
  • Fixed an issue where in regions outside of the U.S. the deprecated header app types were available and the incorrect fabric options were showing.

2024-03-15: Telemetry chart update

New charts have been added with hover tips to reflect data points.

New charts

Resolved issue

  • Importing a bundle with a service extension now supports importing the metadata.

2024-03-08: Support for .tar.gz bundles

You can now import *.tar.gz bundles that contain service extensions with assets.

2024-03-07: Orchestrator settings in Environments

When updating Orchestrator settings in Environments, you must manually restart your orchestrators in order for the changes to take effect. We’ve added a banner to remind you to start your orchestrators on the edit section. We’ve also improved the description for the Orchestrator URL setting.

2024-03-06: Fix for API app type updates

Fix for duplicate service extensions (SEs) not included in a deployment bundle

This issue corrects a scenario in which a deployment that contained two user flows referencing the same service extension resulted in (“…Service Extension: unable to read file…”) in the orchestrator logs. In order to correct the bundle, you need to do one of the following:

  • Go to the environment and click “Redeploy" OR
  • Commit and deploy the new user flow.

With this release, new deployments and re-deployments will generate a bundle that includes the duplicate SEs.

2024-03-01: Support for upload/deploy of binary assets in service extensions

Upload assets

You can now upload and deploy binary file types as assets with your service extensions. These assets can be used for API app types.

Known limitations

  • The user flow list may appear slower to render when including references to service extensions with assets.
  • Import does not currently support bundles that include service extensions with assets.

2024-02-29: Service extension assets and a fix for SE metadata updates

You can now upload and deploy assets that can be used as ancillary resources in your service extensions.

Resolved issue

  • Updates to service extension metadata are now properly deployed.

2024-03-08: Support for .tar.gz bundles

You can now import *.tar.gz bundles that contain service extensions with assets.

2024-03-07: Orchestrator settings in Environments

When updating Orchestrator settings in Environments, you must manually restart your orchestrators in order for the changes to take effect. We’ve added a banner to remind you to start your orchestrators on the edit section. We’ve also improved the description for the Orchestrator URL setting.

2024-03-06: Fix for API app type updates

Fix for duplicate service extensions (SEs) not included in a deployment bundle

This issue corrects a scenario in which a deployment that contained two user flows referencing the same service extension resulted in (“…Service Extension: unable to read file…”) in the orchestrator logs. In order to correct the bundle, you need to do one of the following:

  • Go to the environment and click “Redeploy" OR
  • Commit and deploy the new user flow.

With this release, new deployments and re-deployments will generate a bundle that includes the duplicate SEs.

2024-03-01: Support for upload/deploy of binary assets in service extensions

Upload assets

You can now upload and deploy binary file types as assets with your service extensions. These assets can be used for API app types.

Known limitations

  • The user flow list may appear slower to render when including references to service extensions with assets.
  • Import does not currently support bundles that include service extensions with assets.

2024-02-29: Service extension assets and a fix for SE metadata updates

You can now upload and deploy assets that can be used as ancillary resources in your service extensions.

Resolved issue

  • Updates to service extension metadata are now properly deployed.

2024-02-23: Bug fixes

Resolved issues

  • You are no longer able to set an evaluation environment for Production use.
  • Proxy apps that contain rules in access policies can now be imported and displayed properly.

2024-02-20: Fix for environments and enhancements

In a proxy app user flow, you can now select a service extension in an access policy rule and use the claims defined in the service extension.

Instances of Azure AD have been updated to Entra ID (per Microsoft branding updates).

We’ve also improved consistency and clarity to identity fabric card names and descriptions.

Resolved issue

  • Fixed an issue that prevented users from being able to create or edit an existing environment

2024-02-15: Canary Bank and service extension deployment improvements

All five of our Learning Center recipes have been updated to use Canary Bank instead of Sonar. This update also includes clearer names of imported fabric, apps and user flows.

Service extension snapshots created when deploying user flow revisions

When you commit and deploy a user flow, a snapshot of the service extension code is saved with the revision. This enables you to roll back to that snapshot when you deploy a previous revision.


If you deploy multiple user flows that reference an updated service extension, all of them must be committed and showing a status of “Up-to-date” to get the updated SE.


Resolved issues

  • Attribute providers can now be more reliably be selected when creating an access policy rule in a proxy app type user flow.
  • On import, you are now required to add environment name when selecting local or eval environment.

2024-02-12: Resolved issue

The previous release included a change that moved service extensions into subdirectory in the deployed bundle. The deployed JSON config did not include this path and resulted in an error on Orchestrator startup where the service extension could not be found. We’ve introduced a fix to incorrect SE subdirectories in bundle and config paths. With this fix you can now re-commit/deploy user flows with service extensions.

2024-02-08: CyberArk now available in Identity Fabric

You can now add CyberArk as an IDP to your identity fabric. You can use a either a SAML or OIDC connection to CyberArk’s Workforce and B2B identity offerings with Maverics. Follow the new Learning Center guide to get started.

We’ve also updated descriptions in user flows to read more clearly.

We made some behind the scenes fixes so you can now import/export proxy app type user flows that contain location policies with rules. However when importing, they do not appear on the policy page.

2024-02-06: Bug fixes

  • We’ve resolved an import issue where bundles that contain a combination app types and service extensions would fail to import.
  • We’ve also resolved an issue where evaluation bundle content (for example, maverics.env) was malformed while an eval environment was being created asynchronously. Now, access to certain actions are safely disabled while the eval environment is being created, and a status is shown as “Creating environment.” Wait a few moments before refreshing the page, and the actions will be made available again.

2024-02-04: Regex bug fix

  • We’ve added a fix for regex location policy names with a backslash character.

2024-02-02: Fit and finish updates

  • Some error messages will be displayed to user due to environment misconfiguration when deploying configuration.
  • An additional inspection warning has been added to user flow configuration and deployments to catch some common configuration errors.
  • Applications can no longer be removed if they’re attached to a user flow.
  • All list views now use the updated design.

Resolved issue

  • Fixed a panic due to invalid configuration that resulted in a Cloudflare error page.

2024-01-29: New Learning Center lesson for Microsoft Entra ID and other improvements

Click the Learning Center icon in the upper right side of the Maverics screen to find our new lesson, Extend Microsoft Entra ID to Legacy, Non-Standard Apps. You will need access to an Entra ID tenant to integrate and create a test user for the login flows.

Learning Center

New list views

List views have a new easily selectable and sortable look and feel.

New list views

Updated default list for access policies

Previously, new location policies would default to an invalid policy that would cause an orchestrator to error and fail to start up. Now, when a new policy is added you must select a valid authentication (allow unauthenticated, require auth by IDP, or service extension) and authorization policy (allow all access, use a rule, or service extension).


Evaluation environment improvements

  • Users can now only have one evaluation environment at a time.
  • Creating an evaluation environment is now faster.
  • Using port :443 for Linux eval was a problem because it was a reserved port. Now the default port for evaluation content and lessons has changed from :443 to :8443.
    • maverics.env file has been updated to use :8443
    • Learning Center demo urls and identity fabric definitions have been updated to 8443

2024-01-19: Single Sign On (SSO) for accounts

Account owners can now secure access to their Maverics accounts with single sign on! View our documentation here.

User flow deployments

When you deploy a user flow you now have the ability to preview everything in a deployment bundle. This includes other user flows deployed to the environment, orchestrator configuration specific to that environment and any service extensions.

User flow deployments

Resolved issues

  • You can no longer mark an evaluation environment for production.

2024-01-02: OIDC app refresh token settings

When defining a OIDC app type you can now specify refresh token options.

OIDC refresh token

2023-12-20: Optional fields for SAML-based identity fabric, cache config fixed

We’ve updated Azure SAML, ADFS, Duo and Generic SAML fabric by adding SP Cert Path/Key, Name ID Format, and IDP-initiated login options.

Optional fields

Resolved issues

  • TLS block for cache config is now properly formatted for deployment

2023-12-19: Windows client authentication

You can now add Windows desktop authentication to your identity fabric. The Windows Client Authenticator App for Maverics allows Windows/IIS users to validate their identity to Maverics Orchestrator using their Windows desktop credentials. The app can be downloaded from any environment.

Windows Client Authenticator

Resolved issues

  • Resolved an issue where policies that use equals were not being deployed.
  • Resolved an issue where service extension claims values where not appearing on first page load.

2023-12-13: Fixed missing metadata on deploy that includes a Build Claims SE

We’ve released a partial fix to an issue where metadata entered in a build claims SE was not deploying with a user flow.

2023-12-07: Improved import of service extensions and deployment of updated service extensions

This release includes continued improvements to the import process. You can now import user flows that reference service extensions. Deployments now include additional metadata in the JSON for the import process to execute correctly, however the metadata is completely ignored when read by the orchestrator.

Note: To use this update, you will need to redeploy a user flow that contains service extensions, then download the maverics.tar.gz file and re-import using the button on the dashboard.

Resolved issue

  • Fixed an issue where the the latest edits of a service extension were not being deployed in a user flow. This condition was found when two user flows were being deployed that reference the same service extension. Now in this scenario Maverics will always deploy the latest service extension. This is consistent with how identity fabric (Connector) config is deployed when referenced by more than one user flow.

2023-12-05: Canada region selector, import enhancement, and Learning Center update

New accounts have the ability to sign up and login to the new Maverics Canada instance. Accounts in the US and Canada are completely separate. Features and fixes are deployed at the same time as the US.

To use the region selector, go to and select Canada from Available Regions. You will then be redirected to to sign up for a new account.

Selecting Canada as your region

Existing customers who would to use the Canadian region instead of the US region need to manually migrate their data to a new Canadian account. Maverics has import capabilities that can help facilitate migrating user flows, app fabric, application definitions, and environment settings to a new account.

Import configuration to existing environments

When you import configuration, creating a new environment is now optional by default. This enables yyou to easily deploy user flows to existing environments without creating unnecessary environments.

Import configuration

Recipe formats included in the Learning Center have also been updated to use Proxy type apps.

Resolved issue

  • Empty IDP-initiated login fields are no longer being set in the deployed config.

2023-11-29: nameID format for SAML app type

You can now specify the nameID format of your choice in the SAML app type setup.

Resolved issue

  • You can now specify the OIDC well-known endpoint in the Azure AD attribute provider configuration. This will enable you to use Azure as a standalone attribute providers with other IDPs.

2023-11-28: Attribute provider bug fix

Resolved issue

  • Fixed an issue where if an attribute provider was included in a rule, an inspection error was shown that prevented you from being able to commit and deploy.

2023-11-21: Resolved SAML issue

  • If you set up custom certs in the SAML auth provider settings, the SAML cert you download from an Environments page now displays the correct cert (*.pem file).

2023-11-20: Service extension code editor improvements

The service extension code editor will now show compile errors as you type.

Compile errors

Additionally, the deploy screen will now show service extension diffs.

SE diff view

Resolved issues

  • When an account owner deletes an account, it will only delete the selected account and not delete the user. When a user logs in that has no accounts they will be shown the Oops Octopus error. From here they can be invited to another account or delete their user from the profile menu.
  • Fixed an issue where the import of service extension names came through as ids. Now all service extensions deployed will include the name field.
  • When editing an environment, a breadcrumb to go back to the environment now appears.

2023-11-16: Sonar OIDC test app!

To test OIDC auth flows, we have an updated image in Docker Hub and documentation on how to use it to spin up your own local running version of Sonar.

Sonar Systems test app

Resolved issues

  • Orchestrator telemetry is now off by default when creating any non-evaluation environment
  • Audited all default service extension examples to ensure they can deploy without error to orchestrators. Added a specific note about using claims SE with SAML apps.
  • Fixed cert issues when downloading a SAML metadata file
  • Fixed edinvite sign-up flow when user has already started sign-up
  • Fixed a validation on static headers that prevented you from using a or a period in a value.

2023-11-14: Proxy app: static headers

When creating a proxy app user flow, you can now send any static header without having to source it from the session.

Proxy app static headers

Set your attribute, and choose Static as the attribute provider. The header will be sent to your favorite proxy app.

Resolved issues

  • Duplicate accounts are no longer created if a user attempts to sign up multiple times through PLG or SLG sign up flows.
  • The Calendly scheduling widget will now render properly on Safari.

2023-11-10: Proxy app specific logout

You can now add a proxy app logout URL and post logout redirect URL to proxy apps. See our docs.

Proxy app logout

Additionally, if you need to make a query to Okta to add custom claims to your session you can now do this by using Okta as a attribute provider.

Okta attribute provider

Resolved issues

  • Metadata from service extensions persists and are now properly deployed.
  • Claims set in service extensions can now be properly selected and deployed for OIDC and SAML apps.
  • Partial fix for sign up issues causing duplicate accounts.
  • Fixed an issue where attribute providers username mapping configuration was malformed for proxy apps.
  • No longer missing last commit date/time for user flow list
  • Resolved an issue where the orchestrator would fail to start up a SAML or OIDC app type service due to a configuration mismatch when a service extension is present. Maverics will now omit claimsmapping if empty when deploying SAML or OIDC app type user flows.

2023-11-06: Service extensions metadata

You can now define key-value pairs for additional context, such as environment variables, in your service extensions.

Service extension metadata

There is a known issue where the input is colliding with the accessibility widget. If a prompt appears, click Reset in the accessibility widget settings in the lower right corner.

Resolved issues

  • Updated logos on signup.

2023-11-02: IDP initiated login for SAML app user flows

Maverics now enables you to set up an IDP-initiated login flow for a SAML app type.

IDP-initiated login

Resolved issues

  • Addressed an issue where headers were missing or not properly generated for proxy app deployments. (Note: This is still an issue for existing header-based apps. To utilize the fix, create a new proxy app. The fixes to existing header-based apps will be released soon.)

2023-11-01: Introducing proxy apps!

Header apps are now called proxy apps. You will still be able to edit and deploy existing header app type user flows, however you will no longer be able to create new AppGateway-based configuration in Maverics. Instead, you can create proxy apps.

We have also released a new service extension format and updated our service extension examples.

Resolved issues

  • You can now successfully add headers to location policy.
  • You will no longer get orchestrator errors due to the extraneous empty cache config.

2023-10-24: Updated invitation email

We’ve updated user invitation emails to specify the user who sent the invitation and the account you’ve been invited to.

Invitation email

2023-10-23: Transfer ownership of an account

In the Accounts section, you can now transfer ownership of an account to another member of your team. Owners of accounts can invite members, make payments, or delete the account. To transfer ownership of your account, go to Profile > Accounts.

2023-10-16: Resolved issue

  • You can now delete your user profile without error.

2023-10-12: API app type support

Import now supports API app types. You can now download a deployment bundle that contains a API app type user flow and import that configuration into a new local or evaluation environment.

User profile page

Users now have a Profile page where they can view their name and email, and delete their profile. If the user is an account owner, it will delete the account. If the user is a member of another account, it also will remove them as a member of another account.

Resolved issues

  • Updated the build claims service extension code example

2023-10-05: Member invitations

When inviting a member to your account, the invitee no longer has to sign up for a personal account. They become members managed by another account owner.

Member invite flow

Additionally, import options now support orchestrator settings.

Import options

Resolved issues

  • The new IDE now shows up properly for API app types.

2023-10-04: Splitting the main configuration and service extensions for API app type user flows

When deploying a configuration, the deploy preview can now show code changes in the main configuration separately from code changes in the bundled service extensions.

Deploy preview

Note: This feature is currently limited to API app type user flows.

Additionally, we now offer a side-by-side comparision view in the deploy preview.

Deploy preview

2023-10-02: SAML and OIDC Auth Providers settings in Environments

You can now upload independent key pairs used for encryption for SAML and OIDC Auth Providers. To use this, open an environment and click Edit. Scroll down and upload your key pairs.

SAML and OIDC auth providers

Additionally, the Import function now shows a preview of ingredients being imported, and a new tutorial to extend Okta to a legacy, non-standard app is now available in the Learning Center.

Known issues with SAML and OIDC Auth Provider certs

  • After you have uploaded custom key pairs, you are unable to revert back to use generated certs
  • When using a custom cert for SAML and generated Cert for OIDC, the deployed config has invalid name values in the OIDC config (workaround: use custom certs for both key pairs in the unlikely event you deploy both of these app types to a single environment)

Resolved issues

  • A portion of the Learning Center no longer appears on the first step of signing up with HYPR.
  • 2023-09-29: Handle unauthorized service extension

Service Extension: CustomUnauthorized-page

Our new CustomUnauthorized service extension enables you to provide a custom experience when a user is not authorized to access a resource.

2023-09-27: SAML app encryption options

When defining a SAML app, you can now upload a cert to verify the signatures of incoming requests.

SAML app cert

When there is no cert uploaded the resulting config will now include: "requestVerification": { "skipVerification": true

SAML provider encryption settings

  • Create/edit environments: SAML provider encryptions options are available when you create and edit an environment.
  • Custom key pair: You can now override the automatic generation of certs/keys and upload a custom cert and key pair.
  • Disable signing: You can now disable signed responses and assertions.

Known issue

  • Checking both Double Signed Response and Double Signed Assertion will result in an error from the Orchestrator. They are meant to be used one at a time, however this will be addressed in a future update.

Import enhancements: Service extensions

You can now import tar.gz files. These can contain app definitions, identity fabric config, user flows…and now user flows that contain service extensions.

To use it:

  1. Deploy a user flow that includes service extensions.
  2. Download the configuration either from the deploy screen or from the environment.
  3. Go to the Dashboard and choose Import using a tar bundle.

Resolved issues

  • Fixed an issue where you could not import json from the Learning Center tutorials.


Import config: expanded to support OIDC and SAML app type and user flows

The import config capability now has a number of use cases that it supports.

  • In-application tutorials: It is used to import recipes in our tutorials
  • Application Onboarding: After a deal is signed, a discovery process launches during a kick-off with our customers. They often complete an inventory of hundreds of applications with technical information that we need to define in config. Now you can construct a JSON file from this data and import it directly into Maverics taking a once manual input process and automating it completely.

Other import enhancements include:

  • “Flow” is no longer appended to the name of an imported flow.
  • Flow names are supported on import/export with the flowName key in the json.
  • You can now import OIDC and SAML app type and user flows To use it:
    • Deploy a SAML or OIDC app type user flow.
    • Download the .tar.gz bundle from the Environments page
    • Unzip the bundle and open the maverics.json in a text editor. Copy the code.
    • Go to Import Identity Orchestration Recipe Import

Policy editing refinements

You can now add add identity fabric to a policy location without having to specify it on a user flow. The radio buttons are now gone and replaced with drop-downs. We also took the opportunity to polish the titles and descriptions with terms that are more straight-forward. Policy editing refinements

Note: The authentication section no longer appears on the user flow definition page for a header based app. This is not an error. It has moved to a policy definition drop down.

Keycloak to Amazon Cognito tutorial in the Learning Center

The newest tutorial available in the Learning Center helps on-prem Keycloak customers extend to Amazon Cognito.

To use it, you will need a Cognito User Pool and test user. You will be adding a client and creating a test user. To try the tutorial, go to

Service extensions: code editing enhancements

The new GO code editor for service extensions provides an enhanced syntax formatting autocomplete. The editor provides a lightweight editing experience, and is not intended to be used like a full IDE.

To use it, start editing service code a drop down will automatically appear with suggestions. You can also ctrl+space anywhere in the code editor to manually envoke the code editor. SE code editing

Other resolved issues

  • When importing a recipe, application icons will no longer appear as broken images.

2023-09-14: Duo Single Sign-On is now available!

Using Duo and Maverics together has become even easier. You can now set up Duo Singe Sign-On (SSO) as part of your identity fabric, and use it for authentication in your user flows.

Other features

  • You can now sort user flows by the last commit date.

2023-09-12: Several feature enhancements


  • You can now specify TLS settings in header-based apps
    • Add a path to a CA cert
    • Skip TLS verification (enableSkipVerify): enableSkipVerify


  • Fabric now includes the logoutURL (for example, https://auth0tenantname/v2/logout) required by Auth0.
  • You can now specify scopes in OIDC providers. enableSkipVerify

Other features

  • Mac, Windows, and Linux now have the same easy 3-step experience. Our updated Linux evaluation bundle now includes a raw orchestrator Linux executable. There’s no need to install an RPM enabling you to launch it from a command line.
  • Login and isLoggedIn service extensions are always used together and have now been combined into a single form called Upstream Application Login.

Resolved issues

  • Updated service extension names and descriptions

2023-09-11: Service Extension parity

We’ve now achieved 90% parity with the service extension points available via the YAML API.

Proxied apps use the the service extension format currently documented for YAML configuration, while SAML apps, OIDC apps, and API endpoints (aka ServeSE) require a new format. The new format is available for internal preview, and public documentation for the new service extensions will be released soon.

Introducing API application type (ServeSE), isLoggedIn, and Login

Develop an API app to facilitate identity flows by creating custom HTTP endpoints, serving HTML pages, or executing custom scripts.

To use it:

  1. Go to Applications and select API from the application type column.
  2. Enter a name, description, and function name (for example, Serve).
  3. Add your Go code in the code editor and click Create.
  4. Create a new user flow and select the app you created in step 3.
  5. Commit and deploy. You can now deploy user flows that can integrate with these APIs.

You can also add Login service extension points to your header-based app user flows.

Service extension

Select from Service Extensions.

Service extension

Add to your header-based app’s user flow.

When a service extension code has been modified, any user flows that reference them will be updated with the status of ‘Uncommitted changes.’ This will signify that you need to commit and deploy to have the changes take effect.

Finally, in order to simplify the experience, the identity fabric code view has been removed. You can still see the code on the user flow deploy step.

2023-09-05: Improved Windows evaluation bundle

The Windows evaluation experience has been improved. You no longer have to:

  • Run an installer
  • Delete system environment variables (e.g. default yaml config and license files)
  • Edit registry values
  • Edit maverics.env - all paths to certs and keys just work

To use it:

  1. Download the zip file and right click and select “Extract all…”
  2. Open the Command Prompt.
  3. Use cd to navigate to where you extracted the eval bundle.
  4. Run call maverics.bat && maverics-orchestrator.exe
  5. Go to Orchestrator Telemetry and check for the green dot.

Other enhancements

  • You can now modify requests and responses using service extensions in header-based apps.

Resolved issues

  • Fixed an issue selecting a provider when creating an authorization rule.

2023-08-24: Commit to Deploy

To improve the usability of Maverics, we have reworked Save Revision, Publish to Commit->Deploy. This includes:

  • For easy access, it is now pinned to the top of the user flow screen and the Edit a resource location policy screen.
  • Save a revision is now a Commit in a model dialog
  • Inspector results are accessible on hover when there are errors on a user flow. Note: before you can commit you must clear all the errors.

Other enhancements

  • You can now specify attribute provider and username mapping in SAML and OIDC app type user flows,
  • The maverics.env in the Windows evaluation bundle has been improved to make it easier to copy and paste. We also have a new Learning Center topic in the Learning Center to walk you through the Windows process.
  • You can now specify signing certs in AD FS and Azure AD SAML configs to verify that the authentication requests are signed.

Service extension

2023-08-21: Evaluation Experience

There is now a step-by-step guide the Orchestrator Evaluation Bundle installation on Windows.

Resolved issues

  • Addressed an issue where you could not add a header to a user flow.

2023-08-16: New Service Extensions

You can now leverage the buildAccessTokenClaimsSE or buildIdTokenClaimsSE service extension points in the platform to build custom token claims for OIDC and SAML app type user flows. To use:

  1. Go to Service Extensions, and select Custom Claims from the Service Extension list.
  2. Enter a name and description, and click Create. Service extension
  3. Paste in your Go code. Here is a “Hello World” example that prints a log event after a user logs in:
package main
import (


func BuildTokenClaims(_ orchestrator.Orchestrator, _ *http.Request, sess session.Session) (map[string]any, error) {
	claims := make(map[string]any)
	// TODO: Implement service extension code.
	claims["Hello"] = "World"
 	return claims, nil
  1. Go to Applications and create an OIDC-based app type.
  2. Go to User Flows and create a new user flow. Select the app you created in step 4, and specify an IDP in the following screen.
  3. On the User Flow page, scroll to Claims. Select the service extension you created in step 3 for either an Access Token or ID Token. Service extension
  4. Click Save Revision and publish the user flow and login to your app.
  5. In the orchestrator log, you will see:
ts=2023-08-16T22:51:59.768756Z level=debug msg="adding claim Hello:World to ID token" client=client-id

Evaluator Experience: Welcome to Maverics!

Evaluator experience

There is a new guided tour for new account sign-ups that draws people to the Learning Center.

This will be shown only once, but can be recalled by going Help Center->Guides->Welcome to Maverics!

The Learning Center has many content and style updates to make the topics easier to read and understand. There is now a back button so you can navigate more easily between topics.

Resolved issues

  • Unable to add multiple rules or conditions to a access policy

Known issues

  • Currently you are unable to add a header to a header based user flow. As a workaround, you can add them to a resource location policy to achieve the same result.

2023-08-10: Evaluator experience

The responsiveness of Maverics has been optimized for laptop use. We’ve fixed several issues where page headers and columns were displaying incorrectly when the Learning Center was open. Additionally, we’ve improved the styling on the Learning Center.

2023-08-07: CPU utilization telemetry and service extensions update

A CPU utilization chart is now available in Orchestrator telemetry (Note: Due to limitations of Mac OS, no data will be reported for this metric).

Additionally, IDPs referenced in a service extension definition are now automatically included in the deployment. We’ve also made the app more responsive with a collapsible navigation, improved break points, and layout adjustments.

Resolved issues

  • Fixed issue that prevented people from downloading a Docker image for non-evaluation environments

2023-08-01: Learning center now available with two lessons

The first iteration of the Learning Center is available with two lessons:

  • Create an eval environment: a complete how-to process for Mac
  • Use the app modernization recipe: a new recipe that uses hosted demo assets and does not require Docker for the apps and IDPs

Learning center

Orchestrator telemetry is also now available

New graphs in Orchestrtor telemetry show the session count over time. To test it:

  1. Start your orchestrator connected to an environment; give it a few minutes for the data to populate.
  2. Deploy a user flow that requires authentication, and sign in and out a few times.
  3. Go to Orchestrators and click on the Orchestrator ID to view the session graphs and other data.


Resolved issues

  • Maverics correctly reports the number of days left on subscription pages
  • Maverics now remembers the last logged in account

2023-07-24: Evaluation environments now available

In just a few minutes of setup, you can test your user flows with Evaluation Environments. Evaluation environments provide a ready-made cloud storage environment and companion orchestrator package. This enables you to quickly publish user flows and have them connect to orchestrators pre-configured to consume configuration from this environment.

To get started on Mac or Linux:

  1. Go to Environments
  2. Select Evaluation Environment from the list on the right.
  3. Download the appropriate orchestrator bundle for your OS.
  4. Unzip all the zipped files.
  5. Open the Terminal and navigate to the location of the unzipped files
  6. Source the maverics.env and start the orchestrator with the following command:
    source ./maverics.env ./maverics_darwin_amd64

When creating this environment, Maverics will:

  • Set defaults for Orchestrator URL (https://localhost) and logout URL (/logout) as well as other settings. You can change these settings by clicking the Edit button in the top right hand side.
  • Push an empty maverics.tar.gz to the cloud storage bucket (a Strata controlled AWS bucket) so the orchestrator will start up successfully in case there is no user flow published yet.
  • Create a downloadable bundle with a maverics.env preconfigured to connect to this environment

You can only have one eval environment at a time. After you create one, you will not be able to access Evaluation Environment from the right side bar.

See it in action:

Other enhancements

  • The new load attributes service extension point enables you build custom flows such as the IDP picker. Sample code and instructions are coming soon!

Resolved issues

  • Paid customers will no longer see a trial banner in the UI.

2023-07-17: Token settings are now available when creating an OIDC app type

When orchestrating identity in a multi-cloud/IDP world apps have needs and we aim to fulfill those needs without requiring you to change code. In this release, we now expose the access token settings for specifying either a JWT or opaque access token, length, and lifetime.

Token settings

Note: The JWT length options require an upcoming orchestrator build to function properly. For now, select Opaque.

Resolved issues

  • Removed non-functioning buttons on “Accounts” page.

2023-07-11: Enable or disable telemetry

When creating or editing an environment, you will find a toggle switch to enable or disable sending telemtry to Maverics. Telemetry is on by default.

Telemtry switch

Resolved issues

  • If user emails were entered with mixed case (for example, [email protected]), the users were not able to accept invites. This has been fixed.
  • Users previously unable to accept invite can now click Accept Invite in the invitation email or if they have an account they can go to and click Accept.
  • After you accept an invite, Maverics now automatically switches to the invited account.

2023-07-07: Create and update fine grained permissions with ease

We have reduced the steps and made the fine grained permissions capability for header based apps easier to find.

Now, when you create an access policy for a header based app’s resource you can set the policy all on one page. Each choice that you make automatically updates the policy. We have removed the confusing “Update” and “Back” buttons.

The policy code view has been moved to the top of the page and updates automatically on each change.

You can add conditional rules, toggle different authorization policies (like allow all), it will hide the conditions you created, and when you toggle back the conditions will no longer be lost.

See it in action:

2023-07-06: Deploy with confidence!

When publishing a configuration, you can now view the differences in the code view with the selected revision, compared to the selected environment. This helps you quickly scan the config for an attribute or mapping you may have missed.

View diff

To compare:

  1. Save a revision (add an optional comment)
  2. Click Publish.
  3. On the deploy screen:
  • Select the environment to compare against.
  • Select a different revision to compare.
  1. In the code view green and + indicate additions while red and - indicate removals.

Additionally, Oracle ICDS (OIDC-based) Identity Service has been released. For more information, view the demo below.

Resolved issues

  • Slow loading of pages with default and custom app icons. Note that with this change, any uploaded custom app icons will revert to default icons. You will need to re-upload any custom app icons you may have previously uploaded.
  • After editing an environment, you are correctly returned to the environment page.
  • Attribute provider configuration no loger persists in the deployed bundle after being removed from a user flow.

2023-06-30: Revision comments

You can now capture a revision comment and it will display on publish.

2023-06-29: Orchestrator health data is bigger and better!

Orchestrator health data can now be viewed on the Orchestrators page.

Orchestrator green dot

Orchestrator health data is sent to Maverics from Orchestrators and appears on the page after five minutes. If an orchestrator is stopped it will disappear after 15 minutes, however an unavailable state is not yet supported. Additionally, you can click the ID to see memory utilization.

Other enhancements

  • We can now offer custom contract terms to customers with custom billing behavior, allowing you to start an annual subscription and pre-purchase up to a certain limit.
  • Oracle’s Identity Cloud Service can now be configured as an IDP.
    • Known issue: This sometimes triggers unexpected panics in orchestrators.
  • You can now specify a destination for logout redirects.
    • Known issue: Orchestrator does not yet support hot reload of logout URLs. You will need to manually restart orchestrators to see any change in logout behavior.

Resolved issues

  • Headers with a “.” in the name can be deleted.
  • You can no longer create a identity service with a name containing a “.” as this sometimes caused config to break downstream when used in a user flow.

2023-06-21: Maverics now supports Trusona

We use a standard OIDC connection to integrate Trusona’s passwordless solution. This enables another great passwordless option for customers who want to modernize their application without having to rewrite any application code.


Other enhancements

  • Our interactive onboarding guide (powered by Pendo) just got better. It now points to the app map to start, and each step has an image to guide you through the process. First time visitors will see the onboarding guide every time they log in, until they have dismissed the guide twice. You can always refer to the onboarding guide again by visiting the Guides section in the Resource Center.

2023-06-20: Maverics Passwordless Account now powered by HYPR

Our sign up and login process has been improved! Maverics Passwordless Account powered by HYPR enables you to use Maverics without a password for free – no paid tenant required.

Maverics Passwordless sign up

We’ve also added an app map in the top navigation to help guide your journey as a user.

Maverics app map

2023-06-14: Two releases!

You can now use your GitHub account to sign up and sign in to Maverics. Support for GitHub OAuth is a common authentication pattern and benefits admins, app owners, and developers using our product.

We’ve also improved instructions for using Microsoft Azure storage. You will also need to re-enter your SAS token any time you edit your environment.

2023-06-13: Accessibility, environments, and custom icons

We’ve implemented the accessWidget by accessiBe to automate web accessibility with AI. We are now over 95% in our scoring for web accessibility guidelines!

Additionally, as an enhancement to our hybrid zero trust architecture, we now support publishing configuration bundles to MS Azure Storage. This completes the end-to-end flow as Oochestrators could already read remote config from a Azure Storage container. Customers who have standardized on Azure now have more viable deployment options.

Finally, no matter how old or what kind of apps you have, Maverics can create user flows that can meet their identity needs. By uploading a custom app icon, you can make the Maverics experience more personal. We’ve also localized the date in time in our tables.

2023-06-09: Aloha Friday release notes

You can now download SAML metadata files from the Environments page. Additionally, you will be prevented from deleting an identity fabric referenced by a service extension.

2023-06-07: SAML and OIDC app types and user flows now fully available!

We now support orchestrating identity for modern applications that require Open ID Connect (OIDC) IDC for authentication (single orchestrator only). Additionally, in the environment settings you can now download SAML metadata. This streamlines the configuration process for some apps that support importing a SAML metadata file .xml format.

Other enhancements

  • You can now publish configuations to Gitlab repositories.
  • After 1 hr 58 min of inactivity you will be warned that your session will expire. You have 2 minutes to renew it and if you don’t you will be signed out.

Resolved issues

  • You will now be prevented from deleting a identity service when it is associated with a user flow.

2023-06-06: Improved security for AWS S3 users

To improve security, Maverics now requires a IAM Role for publishing to a S3 bucket. The orchestrator configuration for reading config does not change, and existing environments configured to use a S3 buckets will continue to publish to S3 with an account ID and secret key. However, creating a new environment with an AWS S3 bucket or editing an existing environment requires cross-account roles. For more information, see Configure an environment.

Other enhancements

  • You can now use Maverics to configure an orchestrator to act as a SAML auth provider for your applications.
  • You can now specify the single logout endpoint (e.g. /logout) to trigger logout from all apps and IDPS.
  • We’ve improved accessibility throughout Maverics to meet American Disability Act (ADA) standards.
  • We’ve added Auth0 and Generic SAML as new IDPs.

2023-05-18: Feature refinements continue…

The Pricing link is now available from the Subscriptions page. Profile and Account menus are now clickable. Finally, the Publish button on individual User Flow pages now lives next to the Save Revision button, for better visibility.

Resolved issues

  • The Learn more about Deployments link now points to the online help.

2023-05-17: Fixes and feature refinements

Today we addressed feedback we received from our first bug bash.

Resolved issues

  • Updated Orchestrator description and fixed help links to creating an environment.
  • Clicking Deployments breadcrumb no longer returns an error. The Deployments breadcrumb is now gone and correctly shows the path back to the User Flow.
  • Cleaned up all the Learn More links.
  • Describe the IAM permissions needed for an AWS S3 bucket. When creating an AWS S3 environment, we now show a Learn more and info icon which points to the AWS bucket policy in Remote configuration.

Other enhancements

  • SAML app types are on the way! When creating a new or editing an environment you can now specify the Orchestrator URL.
  • The Dashboard now has a short-cut to Invite a Member to your Account. This is a owner only action. If you are not the account owner it will take you to the member list.

2023-05-16: New recipes

As part of our PLG Onboarding initiative we want to make it super easy for evaluators to explore everything that Maverics has to offer. We made a couple small, but impactful changes to the user experience. It is a first step towards our grand plan to build out recipes and how they will simplify the difficult tasks of building a cohesive identity fabric.

  • On the Dashboard, Import custom configuration has been renamed to Import Identity Orchestration Recipe.
  • The new import screen has an updated description with links to the Quick Start Guide.
  • The default import is the same config from the Quick Start Guide. Just click Create and you will have a fully baked and deployable user flow!

Other enhancements

  • After creating a new environment, you’ll land on the show page so you can immediately move on to set up an orchestrator.
  • Updated Learn More links throughout the app.
  • New content and behaviors for the Welcome to Maverics onboarding screens.

2023-05-15: A new Sign Up and Sign In page, and creating environments

Our new Sign Up page is brought to you by an extra special collaboration with Product, Design, Marketing and Engineering.

Additionally, we’ve made several updates to our Environments flow:

  • When creating and editing an environment you can now specify session and cookie domain settings used when proxying header based apps.
  • When editing an environment you can easily download the public key file, configuration and a orchestrator build.
  • You can now more easily download a deployed configuration for local testing.

2023-05-12: Updates to Environments and Service Extensions

You can now download an Orchestrator from an environment. On a new deployment, you can also go to an Environment by clicking its name.

Additionaly, you can now use a Create Header service extension on an Access Policy (e.g. reports). The service extension name now appears in the show field, and we’ve removed the unused Attribute field when adding a Create Header service extension.

Resolved issues

  • The Buy Now button disappears if you’ve purchased a subscription.

2023-05-11: Secrets must be entered to update shared storage settings

Secrets must be re-entered to update any shared storage settings.

Resolved issues

When deploying a user flow, it will correctly bundle the latest service extension

2023-05-10: Create and edit environments

We uniquely enable our customers to compose an Identity Fabric and deploy User Flows for their applications, anywhere they are deployed. Our goal is to make this clear in practice when customers use Maverics to set up an environment, configure shared storage, connect orchestrators to the environment, and manage deployed User Flows.

Today we released Part 1 of this journey: Create and edit an environment.

  1. The Environments list enables you to choose the cloud storage provider or a local environment.
  2. Creating a new environment now has form input. You no longer have to copy and paste JSON code.
  3. Editing an environment has two tabs:
  • Settings: Shared storage provider settings and orchestrator startup configuration
  • Publish: User flows, get a public key for an orchestrator, download a deployed configuration

Other enhancements

  • Renamed the Orchestrator download to maverics-orchestrator.<ext>. This helps differentiate it from the maverics.tar.gz config bundle.
  • To delete your account and cancel your subscription in Chargebee, follow these steps: go to the Profile Menu, select Accounts, select the name of your Account, and click Delete. This will also remove you from any accounts you have been invited to.

2023-05-05: Buy Now and New User Flow Status

You can now self-service purchase a Maverics Subscription! After your trial period is over, the Buy Now button appears and you can purchase your subscription. The subscription estimate is based on the number of apps and IDPs published to an environment marked for Production. Watch our demo.

The User Flow list page also has a new Status column. The values are as follows:

  • Current: The user flow is up to date with the current revision. No action needs to be taken.
  • Modified: The user flow has changed and a new revision needs to be published. This can mean:
    • The user flow itself has been edited (an access policy, provider, or header could have been added or updated)
    • A referenced identity service has been updated. For example, adding a logout URL to a referenced OIDC authentication provider will require the user flow to be published again.

Watch our demo of the new user flow page.

Resolved issues

  • The Last Modified columns will never be blank; it will either show the creation date or the last modified date.
  • On a new deployment page, the Publish and Cancel buttons have been moved up for better visibility.

2023-05-03: Service extensions on the menu

You can now get to Service Extensions from the main navigation! From here you can create and edit 3 different extension points that can be used in User Flows for Header based apps: CreateHeaders, Authentication (Authenticate+IsAuthenticated), and IsAuthorized.

Resolved issues

  • Fixed db migrations that were setting off alerts

2023-05-02: Simplified revise and publish

Revise and publish have been simplified! The previous steps to revise and publish a user flow were confusing and prone to errors. To simplify this experience:

  • We’ve moved the Save As a Revision action, Publish action, and Automated Inspector to the top of a user flow.
  • We’ve removed the side by side comparison from the bottom.
  • We’ve the ability to override a calculated revision in the code view.
  • We’ve moved read only code view to the new deploy step.

See a demo of the new user flow page in action.

Other Enhancements

  • Branded identity service provider icons now appear on the user flow for easier identification.
  • You no longer have to toggle a switch to select an available service extension.

Resolved Issues

  • OIDC secrets are now hidden in form view.
  • Header in on access controls in the User Flow views are no longer garbled
  • New Header type descriptions are rendering properly

2023-04-21: Deploying secure bundles

We are excited to add support for deploying configuration as securely signed bundles! This security enhancement helps to ensure that the configuration being deployed is legitimate and has not been altered by malicious actors. In addition, bundles pave the way for us to deliver Service Extensions.

What do you need to know?

This security enhancement requires that you recreate your Environments with new key names and republish your user flows to those environments. You will need to update your Orchestrator to at least version: v0.19.0 which can be downloaded from the Orchestrators page.

During a deployment Maverics bundles and signs the configuration with a digital signature that is unique to that environment. The bundle file is named “maverics.tar.gz.” When unzipped you see it contains maverics.json which is the configuration, jwt signature file, and a directory of any service extensions referenced in user flows.

The signed bundle is then validated by connected orchestrators configured to use that public key. If the validation fails, the Orchestrator will not load the configuration. To configure your Orchestrator, go to the environment page, download the public key file to the machine running the orchestrator. Set the path to the downloaded file in the MAVERICS_BUNDLE_PUBLIC_KEY_FILE env var.

Learn more.

Go to an environment to download its public key.

Environment and Remote Config Key Names

configurationFileObjectKey and configuration_file_object_key are no longer supported.

configurationFilePathis new and is now the only key that specifies the file path to maverics.tar.gz.

Google Cloud Storage

bucket_name is no longer supported and has been renamed to bucketName which is consistent with all other environments.

2023-04-11: Fit and finish Maverics updates

Sidebar lists on right like Identity Services are now more compact and scrollable. App and Authentication sections of user flows are now more compact.

Additionally the Linux download for Maverics is now a tar.gz file.

Resolved issues

  • When specifying a header, it is now required to be unique to the user fl ow at the app or resource policy level. The benefit here is that it will prevent you from specifying duplicate headers like SM_USER or firstname. This will avoid conflicts downstream.

2023-04-05: Maverics now supports Ping Federate SAML and OIDC

You can now use Ping Federate SAML and OIDC as an identity provider in your identity fabric.

Other enhancements

  • Added SAML-based apps and user flows
    • Includes adding/removing claims and attribute providers, and the ability to publish the SAML user flow. NOTE: SAML user flows are limited to one authentication provider
    • Support for Oracle Universal Directory (OUD) as an attribute provider
  • Added OIDC-based apps
  • Added Automation-based apps
  • Added Automation Flows: A user flow can be built on the newly introduced Automation app type.
  • Support for Service Extensions: You can now upload and delete custom Service Extensions.
  • 🚀 Easy Eval: Docker Compose includes Orchestrator, Keycloak - Quicksilver, PostgreSQL, Redis, Minio for shared storage

2023-03-30: Switch accounts in Maverics

This version of Maverics features a new account switcher in the top navigation and table restyling.

Other enhancements

  • Fabric names are no longer editable after you create them. This prevents breaking elements downstream to referenced user flows. This is a temporary measure until IDs are implemented as references.
  • The top navigation shows how many days are left in your trial. The Buy Now button appears when your trial has ended.
  • A Re-publish button has been added to Environments. You can now delete user flows, edit startup configuration, and click Re-publish to push changes to your shared storage. Any waiting Orchestrator instances can pick up those changes.

Resolved issues

  • Bug fixes and refinements

2023-03-24: The Mac version of Orchestrator is now available to download

You can now download the Orchestrator for Mac as part of an easy evaluation experience.

Other enhancements

  • Inviting members is a few clicks closer! Click on the Account name in the top nav. From there you just click the “Add Members” button.
  • We now send 💌 email to new member invitees
  • Pendo is no longer be blocked by most ❤️ 🛑 ad blockers. This means that our Onboarding Guides and Resource Center can be shown to more visitors.
  • The trial banner reminds you how many days you have left
  • Fit and finish
    • © 2023 Strata Identity, Inc. Privacy Policy now appears in the footer
    • Spelling fixes
  • Apps and user flows

Resolved issues

  • 🔐 Now protected from cross-site forgery vulnerabilities

2023-03-20: Import custom configuration from the dashboard

You can now upload a custom configuration straight from the dashboard.

Resolved issues

  • Less jumpiness when adding and removing headers on a user flow

2023-03-17: User flows now has a configuration inspector

Before you publish a revision, the configuration inspector will tell you if any IDPs or attribute providers are missing required information. The configuration inspector will look in app headers, policy rules, and policy headers for any missing components.

Headers used in a resource access policy also appear on the user flows.

Resolved issues

  • Updating a policy preserves existing headers instead of deleting them
  • Sign in with Microsoft account now shows Strata Identity instead of “unverified”

2023-03-16: Use Keycloak as an IDP

Maverics now supports adding Keycloak as an identity provider.

We are kicking off an initiative to deliver a self-service try and buy experience for Maverics. The Easy to Trial and Buy initiative will include several future releases with product tours, guides and videos, pre-built user flows, apps, and IDPs. The vision for this initiative is to allow prospects to implement one of our recipes using Maverics.

Soon we will deliver Keycloak as a ready-made, containerized IDP available through Maverics along with our Canary and Sonar demo apps. Evaluators will not have to go through the time and effort to bring their own IDP to trial Maverics.

Additionally, Subscriptions and Accounts have been moved from the left-nav to the user profile in the top-right corner of the Maverics user interface

Resolved issues

  • host field was not being properly written out when creating a header based app. To implement this fix for existing apps, you will need go to the app, add the host field, and revise & publish any user flows.
  • Fixed typos in UI

2023-03-13: AWS Cognito is now an authentication provider

Amazon Cognito is an OIDC-based IDP. You can now add AWS Cognito to provide authentication in your user flows.

Other enhancements

  • Maverics now supports multiple user flows per environment! This means that you can do MORE with your POCs!
    • The Orchestrators page no longer lists the User Flow list. To see which user flows are deployed where first go Environments and click on the environment you’d like to inspect.
    • You can download the configuration from this page as well by clicking “(download configuration)” above the table.
  • Import is on its way back into the product. You can import JSON by going to This will make its way back to the Dashboard very soon.
  • The config analyzer now provides context in the inspection results. This will now tell you which part of a user flow and the name of the provider its missing.

Resolved issues

  • Fixed remaining gosec errors
  • Code editor fixes

2023-03-08: HYPR is now an authentication provider

Customers can now include Hypr as a passwordless authentication provider in their identity fabric. Our partnership with HYPR is even stronger. You can now use Maverics to demonstrate how to modernize those pesky non-standard apps with passwordless authentication.

To give it a try, go to Identity Fabric in Maverics and click “Add” under the HYPR card to configure HYPR. You will need access to Strata’s HYPR Control Center demo tenant to use it. In the Control Center you will need the app’s details and a app user configured to test.

Then, create an app and user flow in Maverics. In the user flow authentication section, select your new HYPR provider. Use it in a policy for a resource. Finally, publish the user flow!

Other enhancements

  • Subscriptions: environments can now report app and IDP usage split out between production and development environments
  • Identity Fabric: secrets :closed_lock_with_key: such as LDAP passwords and OIDC client secrets are now hidden on form views
  • User Flows: broader support for automated user flow inspection. It will now check for missing authentication providers in app headers and policy.

Resolved issues

  • Chargebee will no longer fail to create customers from invalid sign up survey results

2023-03-07: Configuration analysis makes it easier for users to create configs

Configuration analysis makes it easier for users to create configurations that will always work when sent to an Orchestrator. In this first version, when you save a revision and the auth provider has been removed from the User Flow, a message will appear showing you that it could be missing from a resource policy or from an attribute provider definition. To see it in action, click here.

Additionally, Environments can now be tagged for Production use. This ensures that we only charge customers for apps and IDPs in their production environments.

Resolved issues

  • UX – Marketing feedback on copy updates has been incorporated in this release.
  • Several general refactors to improve the dev experience.
  • Better performance of the Orchestrators page, by implementing asynchronous calls to the page when fetching Orchestrator status.

2023-03-02: Billing through Chargebee

On trial sign up, new customers and free trial subscriptions are created in Chargebee.

Other enhancements

  • Sign up form improvements - you no longer lose your previous entries when attempting to Start Trial with missing fields
  • A new Orchestrator available in Orchestrator/downloads. The downloads will always show the latest release.

Resolved issues

  • Better messaging when attempting to delete a application that is referenced in a user flow
  • Saving a new revision is no longer jumpy- We are updating interactions to HTMX all over the app so it will no longer scroll jump every time you hit a button. More to come!

2023-03-01: Use Github in Environments

Customers can now use a Github repository to publish config that configured orchestrators can consume.

Other enhancements

  • Hypr sign up
    • Improved step-by-step instructions in intersticial screen and emails
    • Temporarily removed signing in using fido2 devices
  • Sign up form - remove generated name and make all fields required
  • Text and editorial feedback - thanks to a ton of feedback from Marketing, Design and Docs the copy in the UI is much cleaner and consistent
  • User Flows - Add multiple rules and conditions to an access policy

Resolved issues

  • Make LDAP delimiter optional
  • Fixed bad request when editing an account after switching accounts

2023-02-28: Maverics has shipped!

We are excited to announce the first commercial ship (FCS) of, our newest offering designed to help businesses onboard to the Maverics Identity Orchestration Platform. The initial release provides a comprehensive set of capabilities primarily focussed on modernizing non-standard header based apps.

What do you need to know?

  • Maverics is now available for any user to sign up for a free trial. If customers would like to purchase they will need to contact sales.
  • A quick start guide available for evaluators at
  • Status of the app’s availability can be monitored at
  • Existing customers and partners can open support tickets through our customer portal.

What’s next?

We will be releasing enhancements very often focussed on polished UX, adding more choices like AWS Cognito & Hypr when creating Identity Fabric, additional app types, and so much more! Release notes like these will be published as a Confluence Blog in the #general channel. If you need access to Confluence please reach out to @Eric Leach (Unlicensed) and he can resend an invite.

Orchestrator Builds



  • Enhance SAML metadata parsing to support formatted certificates
  • Support api.App in IsAuthenticatedSE, AuthenticateSE and v2/BuildClaimsSE for saml apps
  • Support api.App in IsAuthenticatedSE, AuthenticatedSE, BuildAccessTokenClaimsSE, BuildIDTokenClaimsSE for oidc apps



  • Update Nancy CI action to use correct version of Go
  • Add support RP-initiated logout in OIDC provider



  • Add support to Service Extensions.
  • Support api.App in loadAttrsSE for proxy apps
  • Support api.App in createHeaderSE for proxy apps
  • Support api.App in loginSE and isLoggedInSE for proxy apps
  • Allow CyberArk CCP to be configured with certificate authentication directly from Windows Cert Store. See docs here.



  • Add missing Cache WithTTL option to SE symbols



  • Add functions and structures from ‘’ to v2 SEs.



  • Update go-ntlm to the latest version



  • Update to latest go OTLP libraries



  • Upgrade Golang to 1.22



  • Parse the OIDC Auth request params to not only parse from the query but also from the request body



  • Add configuration options to MSI installer and fix upgrade behavior



  • Support loading service extension assets as a file system



  • Add offline_access to scopes_supported in OIDC well-known endpoint



  • Implement Context interface for service extensions



  • Support retrieving App name for Proxy Apps in some Service Extensions
  • Expose orchestrator cache to service extension (v0.25.39)
  • Add client_id to claims in access token (v0.25.38)
  • Support login options in service extensions (v0.25.37)
  • Fix refresh token length configuration (v0.25.35)
  • Close HTTP response body in connectors (v0.25.34)
  • Omit env var substitution if the line starts with ‘#’ in YAML config (v0.25.33)
  • Close response body when making token request (v0.25.32)
  • Update crypto lib to v0.17.0 to handle CVE-2023-48795 (v0.25.31)
  • Fix panic when cert not found in Windows cert store (v0.25.30)
  • Correctly set RelayState during IDP initiated login (v0.25.29)
  • Add env vars for Windows Certificate Store (v0.25.28)
  • Improve error handling in OIDC connectors (v0.25.27)
  • Add support for reloadable cache (v0.25.26)



  • Allow SAML client to support both IDP initiated login and verified SP login
  • Rename go-jose exported name from v3 to jose (v0.25.24)
  • Add Windows Client Authenticator connector to orchestrator (v0.25.23)



  • Register SAML endpoints as case insensitive
  • Register OIDC endpoints as case insensitive (v0.25.4)
  • Fix typo in telemetry logs (v0.25.3)
  • Implement TAIProvider interface for Service Extensions (v0.25.2)
  • Fix panic observed when running in Windows console as non-admin (v0.25.1)



  • Rotate refresh tokens on use per OAuth security best practices
  • Implement token revocation for JWT tokens (v0.24.35)
  • Store JWT tokens in the cache (v0.24.34)



  • Update to fix indirect GRPC vulnerabilities
  • Expose GetBytes, GetAny, and SetBytes on Service Extension session provider implementations (v0.24.32)
  • SAMLProvider validates signed authn requests received via HTTP-Redirect binding (v0.24.29)
  • Implement v2.Session API for Service Extensions for OIDC Provider (v0.24.28)
  • Add post logout redirect URL to proxy apps (v0.24.27)
  • Return all claims for opaque access token (v0.24.26)
  • Add logout to proxy apps (v0.24.25)
  • Add clock skew leeway for SAML Authn requests (v0.24.23)
  • Stop Maverics process on failure to bind to a port (v0.24.22)



  • Add support for IDP initiated login for app of type SAML
  • Add support for HTTP Redirect binding in the SAML auth provider (v0.24.20)
  • Improve attribute loading error handling in proxy apps (v0.24.18)
  • Add query params matching in proxy apps policies (v0.24.17)
  • Add handleUnauthorizedSE to proxy apps (v0.24.16)



  • Add upstream login extension to proxy apps
  • Add support for IDP initiated login for the SAML provider (v0.24.14)
  • Add ModifyRequest and ModifyResponse Service Extensions to proxy apps (v0.24.13)
  • Add LoadAttrsSE to proxy apps (v0.24.12)
  • Expose ‘goPath’ on v2 Service Extensions (v0.24.11)
  • Add CreateHeader service extension to proxy apps (v0.24.10)
  • Add IsAuthorized service extension to proxy apps (v0.24.9)
  • Add IsAuthenticated and Authenticate extensions to proxy apps (v0.24.8)
  • Update goxmldsig library to fix signature validation bug (v0.24.7)
  • Add TLS to proxy apps (v0.24.4)
  • Patch CVE-2023-45683 (SAML XSS bug) (v0.24.2)
  • Support multiple route patterns on a proxy app (v0.24.1)
  • Add Orchestrator Groups cache support (v0.24.0)
  • Add regexp policy matching to proxyapps (v0.23.75)
  • Add attribute provider to proxy apps (v0.24.74)



  • Update to the latest to address CVE-2023-39325
  • Upgrade Yaegi to 15.1 (v0.23.72)
  • Support policy-level header definitions on proxy apps (v0.23.71)
  • Implement revoke endpoint support for OIDC refresh tokens (v0.23.70)
  • Add unauthorized page to proxy apps (v0.23.68)
  • Add headers to proxy apps (v0.23.67)
  • Improve authorization and authentication policy validation for proxy apps (v0.23.66)
  • Add authorization to proxy apps (v0.23.65)



  • Add basic authentication to proxy apps in new app-centric configuration format
  • Allow fabric consumer (RP Orchestrator) to define and use unauthorizedPage (v0.23.61)



  • Update OIDCProvider service extensions to work with cache
  • Fix OIDCProvider userinfo endpoint to reject ID Bearer tokens (v0.23.59)
  • Support the refresh token flow using the cache (v0.23.58)
  • OIDCProvider uses cache to build user claims (v0.23.56)



  • Support AuthCode w/ PKCE using cache implementation



  • Make logging more verbose in Azure connector



  • Remove logic that prevents ‘ServeSE’ from being defined with other AppGateway extensions
  • Set session cookie regardless of policy (v0.23.52)

v0.1.0 (Maverics TAI Module)


  • Add support for verifying signed JWT headers to prevent impersonation via side channel requests.



  • Expose TAI pkg in Service Extensions to enable JWT generation
  • Fix decryption using older keys in AES256GCMEncryptor (v0.23.49)
  • Export go-jose JWT library v3 symbols (v0.23.48)
  • Export go-ldap library v3 symbols (v0.23.47)



  • Expose ’ldap.NewModifyRequest’ in Service Extensions
  • Add metadata to V2 service extensions (v0.23.43)
  • Signed binaries for Maverics Evaluation bundle downloads (v0.23.42)
  • Fix Telemetry panic on SIGTERM (v0.23.38)
  • Update SAML Provider buildClaims v2 signature to match OIDC Provider. (v0.23.37)
  • Enable attribute loading in v2 Service Extensions (v0.23.34)
  • Make API Service Extensions reloadable (v0.23.31)
  • ServeSE v2 in APIs block (v0.23.28)
  • Add ldap.NewPasswordModifyRequest symbol (v0.23.27)
  • Add support for BuildUserInfoClaimsSE for OIDC apps (v0.23.25)



  • Enable attribute loading in v2 Service Extensions - #2147



  • Make API Service Extensions reloadable - #2140



  • Unregister HTTP endpoints when API Service Extensions are stopped - #2139



  • Restart session metrics on telemetry reload - #2119



  • ServeSE v2 in APIs block - #2134



  • Add ldap.NewPasswordModifyRequest symbol - #2136



  • Orchestrator metrics as service - #2122



  • Add support for BuildUserInfoClaimsSE for OIDC apps - #2135



  • Fixed issue preventing OIDC client creation with JWT access token - #2110



  • Return a non-nil action in the HYPR connector when Lookup is successful - #2130



  • Add BuildClaims SE to SAML apps - #2128



  • Move authn fields under new authenticationPolicy in policy struct - #2123



  • Add Authentication Service Extensions to SAML Apps - #2121



  • Add BuildIDTokenClaims and BuildAccessTokenClaims extensions to apps of type OIDC - #2120



  • Remove Public Signing Key from Auth Provider Config - #2117



  • Add IsAuthenticated and Authenticate SE to OIDC apps - #2118



  • Support subtree searching for LDAP connector as IDP - #2114



  • initialize metrics during orchestrator startup - #2115



  • Create v2 Service Extension package and expose parsing method - #2113



  • SAML AuthProvider: Ensure XML dateTime attributes use millisecond precision - #2111



  • Remove connector and app count logging - #2098



  • Enable NameID Format to be defined on SAML AuthProvider clients - #2103



  • Only set SameSite cookie attribute when cookie is Secure - #2101



  • Remove “reload count” metric - #2099



  • add config version to health - #2096



  • Ensure Lookup validation is successful before using connector as IdentityProvider - #2091



  • Refactor telemetry into a service and change the Reloader to reload telemetry based on new config. - #2093



  • Fix LDAP IDP login bug - #2085



  • SAML logout in Okta - #2075



  • Emit Orchestrator health to OTLP - #2065



  • Remove old HealthSvc - #2082



  • Prevent SAML auth provider from panic if no IDPs provided. - #2080



  • Add ldap.DialWithTLSConfig to Service Extension symbols - #2077



  • Add redirectScheme to consumer fabric - #2069



  • Organize and add Godoc for configuration fields in AppGateway - #2070



  • Fix issue where Fabric Consumer (RP Orchestrator) fails to load TLS config - #2064



  • Add os/exec to service extension symbols if enableOSLib:true - #2063



  • Return ErrMetricsInvalidExporter if exporter not specified in telemetry metrics configuration - #2066



  • Refactor telemetry config to allow multiple OTLP exporters; reference… - #2057



  • Improve error handling in Fabric Consumer when nonce is not found - #2060



  • Add ldap.NewSearchRequest to service extension symbols - #2052



  • Don’t log message about metrics when telemetry not enabled. - #2050



  • Add support for domain hint in SAML SP - #2053



  • Support SAML login in Okta connector - #2051



  • Leave maverics.yaml untouched on uninstall - #2049



  • Support IDP-initiated SAML login in ADFS connector - #2047



  • Support IDP-initiated SAML login in Azure connector - #2048



  • Add default maverics.yaml on Windows installation - #2046



  • Ensure keys in JWKS have unique IDs - #1990



  • Add support for apps of type OIDC - #1987



  • fix cache timing logic - #1992



  • Describe Service Extension dependencies for AuthProviders - #1991



  • [OIDC Auth Provider] Inject unused cache.Cache - #1988



  • [OIDC Auth Provider] Move cache creation into NewOIDCProvider - #1984



  • add URLPath to otel http config - #1980



  • Add Orchestrator ID to metrics resources - #1976



  • Add username search key value to session for LDAP - #1985



  • Handle error from service extension panic recovery - #1986



  • Add source assets for the docker grafana quickstart in docs repo. - #1978
  • Serve discovery endpoints on app-centric OIDC Provider - #1983



  • Add ability to create clients on OIDC AuthProvider - #1982



  • add mock cache implementation - #1981



  • Removes the AuthProvider feature flag - #1979



  • add initial caching foundation - #1968



  • Add MAVERICS_CONFIG to multiple environment variable check - #1975



  • Distinguish between validation and unmarshalling in OIDCProvider by @patrick-strata in #1969
  • Remove undocumented and unused logical operators from OIDC AuthProvider authentication policy by @patrick-strata in #1970
  • Query escape configuration_file_object_key for GCP provider by @wfernandes in #1972
  • Decouple unmarshaling from construction in OIDC AuthProvider in support of OIDC apps by @eliasjf in #1973
  • Support configurationFilePath key in provider configs by @wfernandes in #1971
  • Implement bundle verification by @kewun in #1967
  • Organize tests into separate files for OIDC AuthProvider by @eliasjf in #1974

Full Changelog:



  • Distinguish between validation and unmarshalling in OIDCProvider by @patrick-strata in #1969
  • Remove undocumented and unused logical operators from OIDC AuthProvider authentication policy by @patrick-strata in #1970
  • Query escape configuration_file_object_key for GCP provider by @wfernandes in #1972
  • Decouple unmarshaling from construction in OIDC AuthProvider in support of OIDC apps by @eliasjf in #1973
  • Support configurationFilePath key in provider configs by @wfernandes in #1971
  • Implement bundle verification by @kewun in #1967
  • Organize tests into separate files for OIDC AuthProvider by @eliasjf in #1974

Full Changelog:



  • Simplify SAML Provider signature configuration - #1966



  • Add encryption to SAML Apps - #1965



  • Update Swarm to latest - #1964



  • Remove antiquated autogenerated LDAP test mock - #1962
  • Remove outdated telemetry docs - #1961
  • Enable encryption config to be defined on SAML AuthProvider client - #1963