Release notes

For older release notes, see the release notes archive.

Maverics releases

2024-07-18: Resolved issue

  • NameID format settings on SAML fabric types are saved upon update and will persist empty on deploy.

2024-07-16: Resolved issues

  • The Calendly onboarding widget will now appear in account sign-up.
  • The prompt to save edits before navigating away now appears in more of the places where you need it (for example, when editing identity fabric), and less often where you don’t (for example, when you delete list items).

2024-07-15: Bug fixes

You will now be prompted by the browser if you make an edit to a user flow and have not otherwise confirmed your changes.

Resolved issues

  • Publishing a new deployment to a GitHub repo no longer results in an error.
  • Validation on the service extension metadata field now prevents you from entering empty keys and values.
  • Service extension fields now have descriptions.
  • When the Telemetry option is disabled, both metric and health fields are also disabled.

2024-07-03: Commit and Deploy

Commit and deploy can now be done with one action! The modal has been improved with the following updates:

  • Commit a new revision to deploy
  • Larger text area to add commit comments
  • Deploy a previous revision

Commit and deploy

Resolved issues

  • We’re excited to share today’s update, where we’ve squashed numerous bugs to enhance usability and improve your overall experience.

2024-07-01: Bug fixes

You can now navigate and enter data with a keyboard into fields in the headers, claims, and attribute mapping tables.

Resolved issues

  • Submit buttons are now disabled after clicking to prevent duplicate requests (account creation and import).
  • Fixed an issue where IDP config was not being updated on deploy when used by two different user flows.
  • Fixed an issue where importing a SAML app type user flow was not being deployed.
  • PKCE toggle on OIDC based IDPs is now persistent.
  • Fixed several issues related to using the browser back button.

2024-06-20: Service Extension Policy Lifetime

You can now specify when policies for proxy app type user flows will be re-evaluated by service extensions. This requires updating your orchestrator to v0.27.42 or higher.

SE Policy Lifetime

2024-05-17: List view improvements

Introducing batch actions on list views! You can now multi-select items and delete from lists on the Applications, Identity Fabric, Environments, and User Flows pages. Additionally, on Applications and Identity Fabric lists, you can view the count of user flows associated with the object.

List view updates

Resolved issue

  • If an environment is configured with a token that has incorrect permissions, it will now show you the correct error message when it fails to deploy.

2024-05-10: Single Logout (SLO) for SAML

You can now define a single logout (SLO) URL in SAML apps.


Resolved issues

  • Orchestrator telemetry graphs are now rendering properly.
  • You can import app type user flows that define a Relay State Service Extension.
  • Orchestrator release v0.27.24: hot reload fixed for SAML app user flows.

2024-05-07: New editors

New editor for claims and headers

You can now add, edit, and delete claims for SAML & OIDC app user flows, and headers for Proxy app user flows.


API app type uses the new Service Extension editor

The API app type editor has been upgraded to use the new Service Extension editor.


2024-05-07: Updated Windows installer

Our new orchestrator installer for Windows makes it easier to set up and configure your storage and variables. You can find the Windows installer for download by going to Environments, selecting one of your environments, and clicking Windows in the Orchestrator section.

For step-by-step instructions on installing the orchestrator on Windows, see Install on Windows Server.

2024-05-02: Editing headers and batch actions

You can now edit headers inline, as demonstrated below!

NameID mapping

We are also gradually rolling out batch actions on list views. Today, in the Applications list view, you can multi-select applications and delete. This feature is coming soon to other list views.

Resolved issues

  • Fixed line height clipping in service extension settings.
  • User Flow list title now renders correctly.
  • Build Relay State SE: the configuration has been corrected and is removed properly when deployed with a SAML app type user flow.

2024-04-26: NameID mapping for SAML user flows

When using Maverics as a SAML identity service, you can now define custom NameID mappings in SAML responses. This new feature enhances interoperability and ensures seamless integration with different identity providers (IDPs) and service providers (SPs).

NameID mapping

Benefits

  • Increased Flexibility: Customize SAML assertions to align with unique requirements of service providers and IDPs.
  • Improved Integration: Ensure compatibility and ease of integration with third-party services, which may require specific NameID formats.
  • Enhanced Control: Gain precise control over user identity attributes shared during the SSO (Single Sign-On) process.
  • Streamlined Identity Management: Simplify the management of user attributes across different platforms, reducing administrative overhead.

To create a NameID mapping:

  1. Follow our user guide to create a SAML user flow.
  2. After creating the user flow, open the user flow and find the NameID Mapping section under SAML Attributes Mapping.
  3. Select a provider and the attribute you want to map, then click Add.
  4. Re-deploy the user flow, and test the login with a service provider. To verify that the NameID mapping is working correctly, use your browser’s developer tools to view the SAML response.

Resolved issues

  • Service extension settings updates were not being deployed.
  • Service extensions that are added to user flows now have a common look and feel.

2024-04-23: Build Relay State SE, service extension experience, and docs updates!

Build relay state service extension

The dynamic RelayState URL for SAML app type user flows can now be customized with the Build Relay State Service Extension. This extension enhances the flexibility and user experience of Single Sign-On (SSO) processes by enabling customizable redirections post-authentication.

Note: You will need to update to Orchestrator release 0.27.4 to use the Build Relay State extension point.

Key highlights:

  • Feature overview: Allows for dynamic customization of redirection URLs after user authentication, maintaining seamless user states.
  • Target application: Specially designed for SAML app type user flows to dynamically direct users based on their roles or initial access contexts.
  • Customization capabilities:
    • Personalized user redirects: Directs users to role-specific or contextually appropriate URLs immediately after login.
    • Flexible application integration: Easily integrates into existing SAML workflows for tailored navigation based on predefined criteria.

To use:

  1. Follow the guide to create a SAML app user flow.
  2. Go to service extensions and select Relay State from the list on the right.
  3. Add your own or customize the example code.
  4. Open a SAML app user flow and scroll to the bottom to the service extension area. Under Build Relay select the service extension you created in step 2. This service extension will override the relay state URLs defined in the associated SAML app definitions.

SAML service extensions

  5. Deploy the user flow.
  6. To try the user flow, start an IDP initiated login flow to your application. Open the developer tools in your browser and, from the network tab, inspect the SAML payload.

SAML payload
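As an added check for the SAML payload inspection in step 6 above and for the verification step of the NameID mapping procedure (2024-04-26 entry), here is a small Python script that is not part of these release notes or the Maverics product: it decodes a captured HTTP-POST binding body (the form the browser posts to the SP's ACS endpoint), reports the NameID, its Format and the RelayState, and compares them with what you expect. The sample capture is constructed, the script assumes the POST binding (plain base64, no deflate) and it does not verify the response signature.

```python
import base64
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode

# SAML 2.0 namespaces used in a Response (HTTP-POST binding: plain base64, no deflate)
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"  # spec default

def inspect_saml_post(body: str) -> dict:
    """Decode a captured ACS POST body and return the NameID, its Format and the RelayState.
    Inspection only: the SP, not this script, verifies the response signature."""
    fields = parse_qs(body, strict_parsing=True)
    if "SAMLResponse" not in fields:
        raise ValueError("body has no SAMLResponse field")
    root = ET.fromstring(base64.b64decode(fields["SAMLResponse"][0], validate=True))
    if root.find(".//saml:EncryptedAssertion", NS) is not None:
        raise ValueError("assertion is encrypted; inspect after SP-side decryption")
    name_id = root.find(".//saml:Assertion/saml:Subject/saml:NameID", NS)
    if name_id is None:
        raise ValueError("no NameID in the assertion subject")
    return {
        "name_id": (name_id.text or "").strip(),
        "name_id_format": name_id.get("Format", UNSPECIFIED),
        "relay_state": fields.get("RelayState", [None])[0],
    }

def check_mapping(body: str, expected_format: str, expected_relay_state: str = "") -> list:
    """Return a list of mismatches; an empty list means the mapping deployed as intended."""
    got = inspect_saml_post(body)
    problems = []
    if got["name_id_format"] != expected_format:
        problems.append(f"NameID Format is {got['name_id_format']}, expected {expected_format}")
    if not got["name_id"]:
        problems.append("NameID is empty: is the mapped attribute present on the session?")
    if expected_relay_state and got["relay_state"] != expected_relay_state:
        problems.append(f"RelayState is {got['relay_state']!r}, expected {expected_relay_state!r}")
    return problems

# Constructed sample capture (not real traffic): a minimal Response carrying one assertion
_SAMPLE_XML = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">'
    '<saml:Assertion ID="_a1" Version="2.0"><saml:Subject>'
    '<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">'
    'alice@example.com</saml:NameID></saml:Subject></saml:Assertion></samlp:Response>')
SAMPLE_POST_BODY = urlencode({  # what the browser posts to the SP's ACS endpoint
    "SAMLResponse": base64.b64encode(_SAMPLE_XML.encode()).decode(),
    "RelayState": "https://app.example.com/dashboard"})
```

To use it on a real login, copy the request body of the POST to your ACS URL from the network tab and pass it to `check_mapping` with the NameID format and relay state you configured.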

Improvements with the service extension experience

Our new editor is out of preview and now available to use. Improvements include:

  • Larger code editing area.
  • Faster return of compilation errors.
  • Upload, view, and edit (non-binary) assets to use with your service extensions.

These improvements are not yet available for editing the API app type (ServeSE).

SE editing experience

Additionally, the service extension list is now reordered and tagged by app types supported (All, Proxy, SAML & OIDC, SAML).

New documentation improvements

We have new guides to walk you through the end-to-end process of deploying proxy, SAML, and OIDC user flows.

Additionally, you can now browse docs and release notes from the Resource Center. Click the question mark icon in the lower right corner of your screen for access.

Resolved issues

  • Keycloak fabric now has the correct oidc type set on deploy.

2024-04-19: Service extension editor fix

The service extension editor will now show errors when attempting to compile malformed code.

Service extension editor

2024-04-17: Restrict access by HTTP request method for modernizing header-based apps

By restricting certain operations (such as DELETE or PUT) to authorized users based on the request's HTTP method, Maverics helps mitigate security risks such as unauthorized data modification or deletion.

Granular Access Control: Maverics now allows administrators to define access policies for modernizing header-based apps that are specific to the HTTP method used in a request, such as GET, POST, PUT, or DELETE. This granularity enables more precise control over how resources are accessed depending on the action being performed.

HTTP request method

Condition-based Policy Definition: When setting up location policies in Maverics, you can specify the HTTP method in the authorization rules. This means you can create different access rules for reading a resource (using GET) versus modifying it (using POST or PUT).

2024-04-16: Fit and finish updates

Country flags now display when selecting a Maverics region.

Country flags

Additionally, when defining a rule in a location policy, you can now select the "does not contain" or "does not equal" operators.

Policy rules

Resolved issues

  • You can now delete a header and add a header back with the same name to a location policy without an error.
  • A location policy page will render properly when adding a header service extension.

2024-04-10: UX updates and bug fixes

We’ve updated toggles to enable IDP initiated login on SAML fabric types, and to enable PKCE for OIDC fabric types.

Resolved issues

  • SameSite=Lax is now properly set on login callback cookies.
  • When you deploy a Proxy App type with an Upstream Login service extension, the service extension is now properly nested under upstreamLogin.
  • In SSO flows, email addresses are no longer case sensitive. (For example, if an IDP sends the same email address with different capitalization, both are treated as the same user, and the user is not prompted to create a new account.)
  • OIDC fabric types will no longer show blank default values for scopes.

2024-04-04: Service extension fixes

Resolved issues

  • You are now prevented from deleting service extensions that are referenced in a user flow.
  • Adding a Create Header service extension will no longer render incorrectly.
  • You can now delete service extensions that have assets.

Orchestrator builds

v0.27.71

2024-07-18

  • Enforce authorization rules in SAML Apps - #2514

v0.27.69

2024-07-17

  • Reimplement Cyberark Conjur Secret Provider - #2510

v0.27.68

2024-07-12

  • Update Yaegi to 16.1 - #2509

v0.27.66

2024-07-11

  • Remove legacy LDAP ‘attrproviders’ implementation - #2506

v0.27.64

2024-07-10

  • [SAML APP] Query for nameID attributeMapping attribute if not on session - #2503

v0.27.63

2024-07-09

  • Update log level to error when referenced secret is not found - #2505

v0.27.60

2024-07-02

  • Expose ldap.Control - #2498

v0.27.57

2024-06-27

  • Add AWS Secrets manager secret provider support - #2496

v0.27.56

2024-06-25

  • [Telemetry] Update OTel libraries to latest - #2495

v0.27.54

2024-06-24

  • [Telemetry] Update local Docker Compose telemetry environment for development - #2494

v0.27.53

2024-06-24

  • Support reload for single logout config - #2491

v0.27.49

2024-06-20

  • Protect session store with mutex and add session service to config reloader - #2490

v0.27.48

2024-06-19

  • Implement session config reload - #2487

v0.27.46

2024-06-18

  • [Service Extensions] Expose symbols for JWT encryption - #2485

v0.27.45

2024-06-18

  • Wrap session in service.Service - #2483

v0.27.43

2024-06-14

  • [MSI] Fix file contention issue - #2482

v0.27.42

2024-06-14

  • Re-evaluate policies based on decision lifetime - #2478

v0.27.38

2024-06-11

  • [Proxy apps] Remove legacy resilience implementation - #2475

v0.27.36

2024-06-06

  • Redirect SAML SSO error responses correctly - #2472

v0.27.33

2024-05-31

  • SAMLProvider support LogoutRequest via POST binding - #2470

v0.27.32

2024-05-30

  • [Connectors] Move SAML client initialization to constructor - #2469

v0.27.31

2024-05-29

  • [Connectors] Gracefully handle failure to retrieve OIDC well-known metadata - #2466

v0.27.30

2024-05-16

  • Verify Signed SAML Logout requests via Redirect binding - #2468

v0.27.29

2024-05-16

  • [Connectors] Refactor SAML pkg to better handle SP initialization - #2467

v0.27.28

2024-05-14

  • [SAML Apps] Store logout request in cache - #2465

v0.27.27

2024-05-14

  • Fix SAMLProvider cacheState storage when using multiple IDPs - #2464

v0.27.26

2024-05-13

  • Add support for namespace in HashiVault - #2460

v0.27.23-24

2024-05-10

  • Unregister SAMLProvider SLO endpoint during stop - #2463
  • [Connectors] Better handle logout errors - #2461

v0.27.20-21

2024-05-09

  • Update release pipeline to replace the old MSI installer with the new - #2458
  • Append query parameters to authn request during IDP Initiated SAML - #2459

v0.27.19

2024-05-08

  • Validate bundle file in MSI installer - #2457

v0.27.16-18

2024-05-07

  • [SAMLProvider] Add SingleLogoutService to metadata when sloEndpoint is defined - #2456
  • [SAMLProvider] Implement SP initiated SLO - #2441
  • [MSI] Fix service restart when change and add default remote configs. - #2442

v0.27.13-15

2024-05-06

  • [Service Extensions] Expose symbols to enable JWT generation - #2450
  • [Connectors] Set transport properties on health check HTTP client - #2449

v0.27.12

2024-05-03

  • [SAML Connectors] Fix panic observed when generating unsigned logout requests - #2452

v0.27.5

2024-04-23

  • [SAML Apps] Call BuildRelayState extension post-authentication

v0.27.2

2024-04-18

  • [SAML Apps] Expose NameID configuration

v0.27.1

2024-04-18

  • Include allowedProtectedPackages option for Service Extensions

v0.27.0

2024-04-16

  • Introduce cache to SAMLProvider

v0.26.108

2024-04-16

  • Expose BuildRelayState service extension for IDP-initiated login flow

v0.26.106

2024-04-12

  • Allow IDP-initiated ‘relayStateURL’ field to be optionally defined

v0.26.102-104

2024-04-11

  • Fix log key to have correct attrProvider name
  • Simplify IDP health check service

v0.26.94-100

2024-04-10

  • Implement generic SAML in 1Kosmos and add cache
  • Improve idphealthcheck test assertion
  • Manually validate timestamp assertions in SAML
  • Organize authprovider pkg and improve logging
  • Store cacheRequester on samlAuthProvider to simplify CreateClient method signature

v0.26.90

2024-04-04

  • Add proxy app support for HTTP request methods

v0.26.87-89

2024-04-03

  • Enable PingFederate connector to use SAML package and cache
  • Bug fix: Add ‘Authorization’ to list of ‘Access-Control-Allow-Headers’

v0.26.86

2024-04-02

  • Set SAML CacheRequester at reload

v0.26.85

2024-04-01

  • Add cache for SAML connectors using generic implementation