Release notes

For older release notes, see the release notes archive.

Maverics releases

2024-04-26: NameID mapping for SAML user flows

When using Maverics as a SAML identity service, you can now define custom NameID mappings in SAML responses. This new feature enhances interoperability and ensures seamless integration with different identity providers (IDPs) and service providers (SPs).

[Screenshot: NameID mapping]

Benefits

  • Increased Flexibility: Customize SAML assertions to align with unique requirements of service providers and IDPs.
  • Improved Integration: Ensure compatibility and ease of integration with third-party services, which may require specific NameID formats.
  • Enhanced Control: Gain precise control over user identity attributes shared during the SSO (Single Sign-On) process.
  • Streamlined Identity Management: Simplify the management of user attributes across different platforms, reducing administrative overhead.

To create a NameID mapping:

  1. Follow our user guide to create a SAML user flow.
  2. After creating the user flow, open the user flow and find the NameID Mapping section under SAML Attributes Mapping.
  3. Select a provider and the attribute you want to map to the NameID, then click Add.
  4. Re-deploy the user flow, and test the login with a service provider. To verify that the NameID mapping is working correctly, use your browser’s developer tools to view the SAML response.
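Step 4 tells you to read the SAML response in the browser's developer tools. The Go program below is an added example, not code from Maverics or Strata, showing what to check once you have copied the base64 SAMLResponse form value from the network tab: it decodes the response, reads the NameID value and its Format, and also checks the assertion's NotBefore/NotOnOrAfter window, which is the same timestamp validation the Orchestrator build notes on this page mention. The sample response, hostnames and email address are constructed; the nameid-format URNs are the standard SAML 2.0 ones. The program does not verify the XML signature, which remains the relying party's job.

```go
package main

import (
	"encoding/base64"
	"encoding/xml"
	"errors"
	"fmt"
	"time"
)

// Minimal view of a SAML 2.0 Response: only the parts needed to confirm the
// NameID mapping and the assertion's validity window. Namespace-qualified
// tags keep a saml: element from being confused with a samlp: one.
type samlResponse struct {
	XMLName   xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:protocol Response"`
	Assertion struct {
		Subject struct {
			NameID struct {
				Format string `xml:"Format,attr"`
				Value  string `xml:",chardata"`
			} `xml:"urn:oasis:names:tc:SAML:2.0:assertion NameID"`
		} `xml:"urn:oasis:names:tc:SAML:2.0:assertion Subject"`
		Conditions struct {
			NotBefore    string `xml:"NotBefore,attr"`
			NotOnOrAfter string `xml:"NotOnOrAfter,attr"`
		} `xml:"urn:oasis:names:tc:SAML:2.0:assertion Conditions"`
	} `xml:"urn:oasis:names:tc:SAML:2.0:assertion Assertion"`
}

// NameIDCheck is what you want to read off the response after deploying a NameID mapping.
type NameIDCheck struct {
	Format       string
	Value        string
	NotBefore    time.Time
	NotOnOrAfter time.Time
}

// InspectSAMLResponse takes the base64 SAMLResponse form value as copied from the
// browser's network tab (HTTP-POST binding: base64 only, not deflated), returns the
// NameID and validity window, and fails if the assertion is not valid at "now" or the
// NameID Format differs from wantFormat (empty means any format is accepted).
// It does not verify the XML signature; the relying party does that.
func InspectSAMLResponse(b64 string, now time.Time, wantFormat string) (NameIDCheck, error) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return NameIDCheck{}, fmt.Errorf("SAMLResponse is not valid base64: %w", err)
	}
	var resp samlResponse
	if err := xml.Unmarshal(raw, &resp); err != nil {
		return NameIDCheck{}, fmt.Errorf("SAMLResponse is not a samlp:Response: %w", err)
	}
	nid := resp.Assertion.Subject.NameID
	if nid.Value == "" {
		return NameIDCheck{}, errors.New("assertion carries no NameID; the mapping did not apply")
	}
	if wantFormat != "" && nid.Format != wantFormat {
		return NameIDCheck{}, fmt.Errorf("NameID Format is %q, expected %q", nid.Format, wantFormat)
	}
	nb, err := time.Parse(time.RFC3339, resp.Assertion.Conditions.NotBefore)
	if err != nil {
		return NameIDCheck{}, fmt.Errorf("bad NotBefore: %w", err)
	}
	noa, err := time.Parse(time.RFC3339, resp.Assertion.Conditions.NotOnOrAfter)
	if err != nil {
		return NameIDCheck{}, fmt.Errorf("bad NotOnOrAfter: %w", err)
	}
	// NotBefore is inclusive and NotOnOrAfter exclusive, as the SAML spec defines them.
	if now.Before(nb) || !now.Before(noa) {
		return NameIDCheck{}, fmt.Errorf("assertion not valid at %s (window %s to %s)",
			now.Format(time.RFC3339), nb.Format(time.RFC3339), noa.Format(time.RFC3339))
	}
	return NameIDCheck{Format: nid.Format, Value: nid.Value, NotBefore: nb, NotOnOrAfter: noa}, nil
}

// SampleSAMLResponse returns a constructed, unsigned response encoded the way the
// browser posts it. It is not a capture from Maverics; issuer and subject are made up.
func SampleSAMLResponse() string {
	const xmlDoc = `<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0" IssueInstant="2024-04-26T10:00:00Z">
  <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-04-26T10:00:00Z">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-04-26T10:00:00Z" NotOnOrAfter="2024-04-26T10:05:00Z"/>
  </saml:Assertion>
</samlp:Response>`
	return base64.StdEncoding.EncodeToString([]byte(xmlDoc))
}

func main() {
	now := time.Date(2024, 4, 26, 10, 2, 0, 0, time.UTC)
	got, err := InspectSAMLResponse(SampleSAMLResponse(), now, "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress")
	if err != nil {
		fmt.Println("check failed:", err)
		return
	}
	fmt.Printf("NameID %q format %s, valid %s to %s\n", got.Value, got.Format,
		got.NotBefore.Format(time.RFC3339), got.NotOnOrAfter.Format(time.RFC3339))
}
```

Paste the real SAMLResponse value in place of SampleSAMLResponse() and pass the Format your service provider expects; a mismatch in Format is the usual reason an SP rejects an otherwise correct assertion.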

Resolved issues

  • Service extension settings updates were not being deployed.
  • Service extensions that are added to user flows now have a common look and feel.

2024-04-23: Build Relay State SE, service extension experience, and docs updates!

Build relay state service extension

The dynamic RelayState URL for SAML app type user flows can now be customized with the Build Relay State Service Extension. This extension enhances the flexibility and user experience of Single Sign-On (SSO) processes by enabling customizable redirections post-authentication.

ℹ️
You will need to update to Orchestrator release 0.27.4 to use the Build Relay State extension point.

Key highlights:

  • Feature overview: Allows for dynamic customization of redirection URLs after user authentication, maintaining seamless user states.
  • Target application: Specially designed for SAML app type user flows to dynamically direct users based on their roles or initial access contexts.
  • Customization capabilities:
    • Personalized user redirects: Directs users to role-specific or contextually appropriate URLs immediately after login.
    • Flexible application integration: Easily integrates into existing SAML workflows for tailored navigation based on predefined criteria.

To use:

  1. Follow the guide to create a SAML app user flow.
  2. Go to service extensions and click Relay State from the list on the right.
  3. Add your own or customize the example code.
  4. Open a SAML app user flow and scroll to the bottom to the service extension area. Under Build Relay, select the service extension you created in step 2. This service extension will override the relay state URLs defined in the associated SAML app definitions.

[Screenshot: SAML service extensions]

  5. Deploy the user flow.
  6. To try the user flow, start an IDP-initiated login flow to your application. Open the developer tools in your browser and, from the network tab, inspect the SAML payload.

[Screenshot: SAML payload]
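The extension code itself is not shown on this page, so the following is an added, stand-alone Go example rather than Maverics extension code or its real function signature. It builds a role-specific relay state URL the way the feature describes and shows the check a custom relay state needs: because the value becomes the post-login redirect, it is validated against an allowlisted https origin, and any caller-supplied return path is only accepted as a same-origin path. The role names, URLs and the "requested path" parameter are assumptions constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// RoleLanding is constructed sample data: where each role lands after IDP-initiated login.
var RoleLanding = map[string]string{
	"admin":   "https://app.example.com/admin/dashboard",
	"analyst": "https://app.example.com/reports",
}

// DefaultLanding is used when none of the user's roles has a landing page.
const DefaultLanding = "https://app.example.com/home"

// allowedHosts lists the only hosts a relay state may point at. Since the relay
// state becomes a redirect after authentication, a value outside this list would
// turn the login into an open redirect.
var allowedHosts = map[string]bool{"app.example.com": true}

// BuildRelayState chooses the landing URL from the user's roles and, when a
// requested path is supplied (for example a deep link remembered before login),
// keeps that path on the landing URL's own origin. Absolute URLs, protocol-relative
// "//host" values, userinfo and anything not starting with "/" are refused.
func BuildRelayState(roles []string, requestedPath string) (string, error) {
	landing := DefaultLanding
	for _, role := range roles {
		if u, ok := RoleLanding[strings.ToLower(role)]; ok {
			landing = u
			break
		}
	}
	target, err := url.Parse(landing)
	if err != nil {
		return "", fmt.Errorf("landing URL %q: %w", landing, err)
	}
	if target.Scheme != "https" || !allowedHosts[target.Host] {
		return "", fmt.Errorf("landing URL %q is not an allowed https origin", landing)
	}
	if requestedPath != "" {
		p, err := url.Parse(requestedPath)
		if err != nil || p.IsAbs() || p.Host != "" || p.User != nil ||
			!strings.HasPrefix(p.Path, "/") || strings.HasPrefix(p.Path, "//") {
			return "", errors.New("requested path must be a same-origin path starting with /")
		}
		target.Path = p.Path
		target.RawQuery = p.RawQuery
		target.Fragment = ""
	}
	return target.String(), nil
}

func main() {
	cases := []struct {
		roles []string
		path  string
	}{
		{[]string{"admin"}, ""},
		{[]string{"viewer"}, "/reports?year=2024"},
		{[]string{"analyst"}, "//evil.example/phish"},
		{nil, "https://evil.example/"},
	}
	for _, c := range cases {
		u, err := BuildRelayState(c.roles, c.path)
		fmt.Printf("roles=%v path=%q -> %q err=%v\n", c.roles, c.path, u, err)
	}
}
```

When wiring logic like this into a real Build Relay State extension, the allowlist is the part to keep: a relay state derived from anything the user can influence must never be returned without checking which origin it points at.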

Improvements with the service extension experience

Our new editor is out of preview and now available to use. Improvements include:

  • Larger code editing area.
  • Faster return of compilation errors.
  • Upload, view, and edit (non-binary) assets to use with your service extensions.

These improvements are not yet available for editing the API app type (ServeSE).

[Screenshot: SE editing experience]

Additionally, the service extension list is now reordered and tagged by app types supported (All, Proxy, SAML & OIDC, SAML).

New documentation improvements

We have new guides to walk you through the end-to-end process of deploying proxy, SAML, and OIDC user flows.

Additionally, you can now browse docs and release notes from the Resource Center. Click the question mark icon in the lower right corner of your screen for access.

Resolved issues

  • Keycloak fabric now has the correct oidc type set on deploy.

2024-04-19: Service extension editor fix

The service extension editor will now show errors when attempting to compile malformed code.

[Screenshot: Service extension editor]

2024-04-17: Restrict access by HTTP request method for modernizing header-based apps

By restricting certain operations (such as DELETE or PUT requests) to authorized users, Maverics helps mitigate security risks such as unauthorized data modification or deletion.

Granular Access Control: Maverics now allows administrators to define access policies for modernizing header-based apps that are specific to the HTTP method used in the request, such as GET, POST, PUT, or DELETE. This granularity enables more precise control over how resources are accessed depending on the action being performed.

[Screenshot: HTTP request method]

Condition-based Policy Definition: When setting up location policies in Maverics, you can specify the HTTP method in the authorization rules. This means you can create different access rules for reading a resource (using GET) versus modifying it (using POST or PUT).
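To make the method-specific rule concrete, here is an added Go example (not Maverics code and not its policy format) that evaluates location-policy rules keyed on path and HTTP method: one rule lets any signed-in user read a resource with GET or HEAD, a separate rule restricts PUT and DELETE to the admin role, and anything no rule covers is denied. The paths, roles and rule structure are constructed for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// Identity is the authenticated user as the policy sees it; nil means unauthenticated.
type Identity struct {
	Subject string
	Roles   []string
}

// Rule is one location-policy rule scoped to a path and a set of HTTP methods.
// An empty Methods list matches every method.
type Rule struct {
	PathPrefix string
	Methods    []string
	Allow      func(id *Identity) bool
}

// Decision carries the outcome and a reason string suitable for an audit log line.
type Decision struct {
	Allowed bool
	Reason  string
}

func authenticated(id *Identity) bool { return id != nil }

func hasRole(want string) func(*Identity) bool {
	return func(id *Identity) bool {
		if id == nil {
			return false
		}
		for _, r := range id.Roles {
			if r == want {
				return true
			}
		}
		return false
	}
}

// SampleRules (constructed): anyone signed in may read records; only admins may
// change or delete them. HEAD is listed explicitly because a GET-only rule does
// not cover it, and methods are compared case-sensitively as HTTP defines them.
var SampleRules = []Rule{
	{PathPrefix: "/api/records", Methods: []string{http.MethodGet, http.MethodHead}, Allow: authenticated},
	{PathPrefix: "/api/records", Methods: []string{http.MethodPut, http.MethodDelete}, Allow: hasRole("admin")},
}

// pathMatches treats the prefix as a path segment, so "/api/records" does not
// accidentally cover "/api/recordsarchive".
func pathMatches(prefix, path string) bool {
	return path == prefix || strings.HasPrefix(path, prefix+"/")
}

func methodMatches(methods []string, method string) bool {
	if len(methods) == 0 {
		return true
	}
	for _, m := range methods {
		if m == method {
			return true
		}
	}
	return false
}

// Evaluate applies the first rule whose path and method match. A request that
// matches no rule is denied: a method you forgot to list (PATCH here) must not
// fall through to allow.
func Evaluate(rules []Rule, method, path string, id *Identity) Decision {
	for _, r := range rules {
		if !pathMatches(r.PathPrefix, path) || !methodMatches(r.Methods, method) {
			continue
		}
		if r.Allow(id) {
			return Decision{true, fmt.Sprintf("%s %s allowed by rule for %s", method, path, r.PathPrefix)}
		}
		return Decision{false, fmt.Sprintf("%s %s denied by rule for %s", method, path, r.PathPrefix)}
	}
	return Decision{false, fmt.Sprintf("%s %s matched no rule: default deny", method, path)}
}

func main() {
	viewer := &Identity{Subject: "alice", Roles: []string{"viewer"}}
	admin := &Identity{Subject: "bob", Roles: []string{"admin"}}
	for _, c := range []struct {
		method string
		id     *Identity
	}{
		{http.MethodGet, viewer}, {http.MethodDelete, viewer},
		{http.MethodDelete, admin}, {http.MethodPatch, admin}, {http.MethodGet, nil},
	} {
		fmt.Println(Evaluate(SampleRules, c.method, "/api/records/42", c.id).Reason)
	}
}
```

The default-deny fall-through is the point to carry over into a real location policy: when you write a rule for GET and another for PUT and DELETE, check what happens to PATCH, OPTIONS and HEAD rather than assuming they are covered.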

2024-04-16: Fit and finish updates

Country flags now display when selecting a Maverics region.

[Screenshot: Country flags]

Additionally, when defining a rule in a location policy, you can now select does not contain or does not equal.

[Screenshot: Policy rules]

Resolved issues

  • You can now delete a header from a location policy and add a header back with the same name without an error.
  • A location policy page will render properly when adding a header service extension.

2024-04-10: UX updates and bug fixes

We’ve updated toggles to enable IDP-initiated login on SAML fabric types, and to enable PKCE for OIDC fabric types.

Resolved issues

  • SameSite=Lax is now properly set on login callback cookies.
  • When you deploy a Proxy App type with an Upstream Login service extension, the service extension is now properly nested under upstreamLogin.
  • In SSO flows, email addresses are no longer case sensitive. (For example, if an IDP sends the same email address with different capitalization in two logins, these are treated as the same user, and the user will not be prompted to create a new account.)
  • OIDC fabric types will no longer show blank default values for scopes.

2024-04-04: Service extension fixes

Resolved issues

  • You are now prevented from deleting service extensions that are referenced in a user flow.
  • Adding a Create Header service extension will no longer render incorrectly.
  • You can now delete service extensions that have assets.

Orchestrator builds

v0.27.5

2024-04-23

  • [SAML Apps] Call BuildRelayState extension post-authentication

v0.27.2

2024-04-18

  • [SAML Apps] Expose NameID configuration

v0.27.1

2024-04-18

  • Include allowedProtectedPackages option for Service Extensions

v0.27.0

2024-04-16

  • Introduce cache to SAMLProvider

v0.26.108

2024-04-16

  • Expose BuildRelayState service extension for IDP-initiated login flow

v0.26.106

2024-04-12

  • Allow IDP-initiated ‘relayStateURL’ field to be optionally defined

v0.26.102-104

2024-04-11

  • Fix log key to have correct attrProvider name
  • Simplify IDP health check service

v0.26.94-100

2024-04-10

  • Implement generic SAML in 1Kosmos and add cache
  • Improve idphealthcheck test assertion
  • Manually validate timestamp assertions in SAML
  • Organize authprovider pkg and improve logging
  • Store cacheRequester on samlAuthProvider to simplify CreateClient method signature

v0.26.90

2024-04-04

  • Add proxy app support for HTTP request methods

v0.26.87-89

2024-04-03

  • Enable PingFederate connector to use SAML package and cache
  • Bug fix: Add ‘Authorization’ to list of ‘Access-Control-Allow-Headers’

v0.26.86

2024-04-02

  • Set SAML CacheRequester at reload

v0.26.85

2024-04-01

  • Add cache for SAML connectors using generic implementation

Known issues

2024-04-16

  • If you change the authentication strategy on a location policy, it will remove any rules. A fix for this is planned.
  • If you add an upstream login service extension, you will not be able to remove it and it will prevent you from deploying. A fix for this is planned.