Release notes
For older release notes, see the release notes archive.
Maverics releases
2024-07-18: Resolved issue
- NameID format settings on SAML fabric types are saved upon update and will persist empty on deploy.
2024-07-16: Resolved issues
- The Calendly onboarding widget will now appear in account sign-up.
- The prompt to save edits before navigating away will appear in more places where you need it (for example, when editing identity fabric), and less often where you don’t (for example, when you delete list items).
2024-07-15: Bug fixes
You will now be prompted by the browser if you make an edit to a user flow and have not otherwise confirmed your changes.
Resolved issues
- Publishing a new deployment to a GitHub repo no longer results in an error.
- Validation on service extension metadata field now prevents you from entering empty keys and values.
- Service extension fields now have descriptions.
- When the Telemetry option is disabled, both metric and health fields are also disabled.
2024-07-03: Commit and Deploy
Commit and deploy can now be done with one action! The modal has been improved with the following updates:
- Commit a new revision to deploy
- Larger text area to add commit comments
- Deploy a previous revision
Resolved issues
- We’re excited to share today’s update, where we’ve squashed numerous bugs to enhance usability and improve your overall experience.
2024-07-01: Bug fixes
You can now navigate and enter data with a keyboard into fields in the headers, claims, and attribute mapping tables.
Resolved issues
- Disabled submit buttons after clicking to prevent duplicate requests (account creation and import)
- Fixed an issue where IDP config was not being updated on deploy when used by two different user flows.
- Fixed an issue where importing a SAML app type user flow was not being deployed.
- PKCE toggle on OIDC based IDPs is now persistent.
- Fixed several issues related to using the browser back button.
2024-06-20: Service Extension Policy Lifetime
You can now specify when policies for proxy app type user flows will be re-evaluated by service extensions. This requires updating your orchestrator to v0.27.42 or higher.
2024-05-17: List view improvements
Introducing batch actions on list views! You can now multi-select items and delete from lists on the Applications, Identity Fabric, Environments, and User Flows pages. Additionally, on Applications and Identity Fabric lists, you can view the count of user flows associated with the object.
Resolved issue
- If an environment is configured with a token that has incorrect permissions, it will now show you the correct error message when it fails to deploy.
2024-05-10: Single Logout (SLO) for SAML
You can now define a single logout (SLO) URL in SAML apps.
Resolved issues
- Orchestrator telemetry graphs are now rendering properly.
- You can import app type user flows that define a Relay State Service Extension.
- Orchestrator Release - v0.27.24 - hot reload fixed for SAML app user flows.
2024-05-07: New editors
New editor for claims and headers
You can now add, edit, and delete claims for SAML & OIDC app user flows, and headers for Proxy app user flows.
API app type uses the new Service Extension editor
The API app type editor has been upgraded to use the new Service Extension editor.
2024-05-07: Updated Windows installer
Our new orchestrator installer for Windows makes it easier to set up and configure your storage and variables. You can find the Windows installer for download by going to Environments, selecting one of your environments, and clicking Windows in the Orchestrator section.
For step-by-step instructions on installing the orchestrator on Windows, see Install on Windows Server.
2024-05-02: Editing headers and batch actions
You can now edit headers inline!
We are also gradually rolling out batch actions on list views. Today, in the Applications list view, you can multi-select applications and delete. This feature is coming soon to other list views.
Resolved issues
- Fixed line height clipping in service extension settings.
- User Flow list title now renders correctly.
- Build Relay State SE: the configuration has been corrected and is removed properly when deployed with a SAML app type user flow.
2024-04-26: NameID mapping for SAML user flows
When using Maverics as a SAML identity service, you can now define custom NameID mappings in SAML responses. This new feature enhances interoperability and ensures seamless integration with different identity providers (IDPs) and service providers (SPs).
Benefits
- Increased Flexibility: Customize SAML assertions to align with unique requirements of service providers and IDPs.
- Improved Integration: Ensure compatibility and ease of integration with third-party services, which may require specific NameID formats.
- Enhanced Control: Gain precise control over user identity attributes shared during the SSO (Single Sign-On) process.
- Streamlined Identity Management: Simplify the management of user attributes across different platforms, reducing administrative overhead.
To create a NameID mapping:
- Follow our user guide to create a SAML user flow.
- After creating the user flow, open the user flow and find the NameID Mapping section under SAML Attributes Mapping.
- Select a provider and define the attribute you want, then click Add.
- Re-deploy the user flow, and test the login with a service provider. To verify that the NameID mapping is working correctly, use your browser’s developer tools to view the SAML response.
Resolved issues
- Service extension settings updates were not being deployed.
- Service extensions that are added to user flows now have a common look and feel.
2024-04-23: Build Relay State SE, service extension experience, and docs updates!
Build relay state service extension
The dynamic RelayState URL for SAML app type user flows can now be customized with the Build Relay State Service Extension. This extension enhances the flexibility and user experience of Single Sign-On (SSO) processes by enabling customizable redirections post-authentication.
Key highlights:
- Feature overview: Allows for dynamic customization of redirection URLs after user authentication, maintaining seamless user states.
- Target application: Specially designed for SAML app type user flows to dynamically direct users based on their roles or initial access contexts.
- Customization capabilities:
- Personalized user redirects: Directs users to role-specific or contextually appropriate URLs immediately after login.
- Flexible application integration: Easily integrates into existing SAML workflows for tailored navigation based on predefined criteria.
To use:
1. Follow the guide to create a SAML app user flow.
2. Go to service extensions and click Relay State from the list on the right.
3. Add your own or customize the example code.
4. Open a SAML app user flow and scroll to the bottom to the service extension area. Under Build Relay select the service extension you created in step 2. This service extension will override the relay state URLs defined in the associated SAML app definitions.
5. Deploy the user flow.
6. To try the user flow, start an IDP initiated login flow to your application. Open the developer tools in your browser and from the network tab, inspect the SAML payload.
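Both the NameID mapping check and the Build Relay State check ask you to inspect the SAML payload in the browser's developer tools. The following sketch is an added example, not Maverics code: it decodes a SAML HTTP-POST form body copied from the network tab and reports the NameID, its Format and the RelayState. The sample form, function names and URLs are constructed for illustration, and the script only reads the payload; it does not verify signatures.

```python
import base64
import urllib.parse
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def inspect_saml_post(form_body: str) -> dict:
    """Summarize a SAML HTTP-POST form body copied from the network tab.

    Read-only inspection: the signature is NOT verified here.
    """
    fields = urllib.parse.parse_qs(form_body, keep_blank_values=True)
    if "SAMLResponse" not in fields:
        raise ValueError("form body has no SAMLResponse field")
    xml_bytes = base64.b64decode(fields["SAMLResponse"][0], validate=True)
    # SAML messages never need a DTD; refuse one rather than expand entities.
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise ValueError("DTD found in SAML response")
    root = ET.fromstring(xml_bytes)
    name_id = root.find("./saml:Assertion/saml:Subject/saml:NameID", NS)
    has_value = name_id is not None and name_id.text
    return {
        "name_id": name_id.text.strip() if has_value else None,
        "name_id_format": name_id.get("Format") if name_id is not None else None,
        # An encrypted assertion hides the NameID from a browser capture.
        "encrypted": root.find("./saml:EncryptedAssertion", NS) is not None,
        "relay_state": fields.get("RelayState", [None])[0],
    }

def constructed_form(assertion_xml: str, relay_state: str) -> str:
    """Build a constructed (not captured) form body for the demo below."""
    xml = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
           'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">'
           + assertion_xml + "</samlp:Response>")
    return urllib.parse.urlencode({
        "SAMLResponse": base64.b64encode(xml.encode()).decode(),
        "RelayState": relay_state,
    })

# Constructed sample: user, attribute values and URL are placeholders.
SAMPLE_FORM = constructed_form(
    "<saml:Assertion><saml:Subject>"
    '<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">'
    "alice@example.com</saml:NameID></saml:Subject></saml:Assertion>",
    "https://app.example.com/dashboard",
)

if __name__ == "__main__":
    for key, value in inspect_saml_post(SAMPLE_FORM).items():
        print(f"{key}: {value}")
```

If `encrypted` is true, the NameID cannot be read from the browser capture and has to be checked on the service provider side instead.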
Improvements with the service extension experience
Our new editor is out of preview and now available to use. Improvements include:
- Larger code editing.
- Faster return of compilation errors.
- Upload, view, and edit (non-binary) assets to use with your service extensions.
These improvements are not yet available for editing API app type (ServeSE).
Additionally, the service extension list is now reordered and tagged by app types supported (All, Proxy, SAML & OIDC, SAML).
New documentation improvements
We have new guides to walk you through the end-to-end process of deploying proxy, SAML, and OIDC user flows.
Additionally, you can now browse docs and release notes from the Resource Center. Click the question mark icon in the lower right corner of your screen for access.
Resolved issues
- Keycloak fabric now has the correct oidc type set on deploy.
2024-04-19: Service extension editor fix
The service extension editor will now show errors when attempting to compile malformed code.
2024-04-17: Restrict access by HTTP request methods for modernizing header based apps
By restricting certain operations (like DELETE or PUT) to authorized users based on the HTTP method of the request, Maverics helps mitigate potential security risks such as unauthorized data modification or deletion.
- Granular Access Control: Maverics now allows administrators to define access policies for modernizing header based apps that are specific to the HTTP methods used in requests, such as GET, POST, PUT, DELETE, etc. This granularity enables more precise control over how resources are accessed depending on the action being performed.
- Condition-based Policy Definition: When setting up location policies in Maverics, you can specify the HTTP method in the authorization rules. This means you can create different access rules for reading a resource (using GET) versus modifying it (using POST or PUT).
2024-04-16: Fit and finish updates
Country flags now display when selecting a Maverics region.
Additionally, when defining a rule in a location policy, you can now select does not contain or does not equal.
Resolved issues
- You can now delete a header and add a header back with same name to a location policy without an error.
- A location policy page will render properly when adding a header service extension.
2024-04-10: UX updates and bug fixes
We’ve updated toggles to enable IDP initiated login on SAML fabric types, and to enable PKCE for OIDC fabric types.
Resolved issues
- SameSite=Lax is now properly set on login call back cookies.
- When you deploy a Proxy App type with an Upstream Login service extension, the service extension is now properly nested under upstreamLogin.
- In SSO flows, email addresses are no longer case sensitive. (For example, if an IDP sends [email protected] and [email protected], these accounts will be treated as the same user, and the user will not be prompted to create a new account).
- OIDC fabric types will no longer show blank default values for scopes.
2024-04-04: Service extension fixes
Resolved issues
- You are now prevented from deleting service extensions that are referenced in a user flow.
- Adding a Create Header service extension will no longer render incorrectly.
- You can now delete service extensions that have assets.
Orchestrator builds
v0.27.71
2024-07-18
- Enforce authorization rules in SAML Apps - #2514
v0.27.69
2024-07-17
- Reimplement Cyberark Conjur Secret Provider - #2510
v0.27.68
2024-07-12
- Update Yaegi to 16.1 - #2509
v0.27.66
2024-07-11
- Remove legacy LDAP ‘attrproviders’ implementation - #2506
v0.27.64
2024-07-10
- [SAML APP] Query for nameID attributeMapping attribute if not on session - #2503
v0.27.63
2024-07-09
- Update log level to error when referenced secret is not found - #2505
v0.27.60
2024-07-02
- Expose ldap.Control - #2498
v0.27.57
2024-06-27
- Add AWS Secrets manager secret provider support - #2496
v0.27.56
2024-06-25
- [Telemetry] Update OTel libraries to latest - #2495
v0.27.54
2024-06-24
- [Telemetry] Update local Docker Compose telemetry environment for development - #2494
v0.27.53
2024-06-24
- Support reload for single logout config - #2491
v0.27.49
2024-06-20
- Protect session store with mutex and add session service to config reloader - #2490
v0.27.48
2024-06-19
- Implement session config reload - #2487
v0.27.46
2024-06-18
- [Service Extensions] Expose symbols for JWT encryption - #2485
v0.27.45
2024-06-18
- Wrap session in service.Service - #2483
v0.27.43
2024-06-14
- [MSI] Fix file contention issue - #2482
v0.27.42
2024-06-14
- Re-evaluate policies based on decision lifetime - #2478
v0.27.38
2024-06-11
- [Proxy apps] Remove legacy resilience implementation - #2475
v0.27.36
2024-06-06
- Redirect SAML SSO error responses correctly - #2472
v0.27.33
2024-05-31
- SAMLProvider support LogoutRequest via POST binding - #2470
v0.27.32
2024-05-30
- [Connectors] Move SAML client initialization to constructor - #2469
v0.27.31
2024-05-29
- [Connectors] Gracefully handle failure to retrieve OIDC well-known metadata - #2466
v0.27.30
2024-05-16
- Verify Signed SAML Logout requests via Redirect binding - #2468
v0.27.29
2024-05-16
- [Connectors] Refactor SAML pkg to better handle SP initialization - #2467
v0.27.28
2024-05-14
- [SAML Apps] Store logout request in cache - #2465
v0.27.27
2024-05-14
- Fix SAMLProvider cacheState storage when using multiple IDPs - #2464
v0.27.26
2024-05-13
- Add support for namespace in HashiVault - #2460
v0.27.23-24
2024-05-10
- Unregister SAMLProvider SLO endpoint during stop - #2463
- [Connectors] Better handle logout errors - #2461
v0.27.20-21
2024-05-09
- Update release pipeline to replace the old MSI installer with the new - #2458
- Append query parameters to authn request during IDP Initiated SAML - #2459
v0.27.19
2024-05-08
- Validate bundle file in MSI installer - #2457
v0.27.16-18
2024-05-07
- [SAMLProvider] Add SingleLogoutService to metadata when sloEndpoint is defined - #2456
- [SAMLProvider] Implement SP initiated SLO - #2441
- [MSI] Fix service restart when change and add default remote configs. - #2442
v0.27.13-15
2024-05-06
- [Service Extensions] Expose symbols to enable JWT generation - #2450
- [Connectors] Set transport properties on health check HTTP client - #2449
v0.27.12
2024-05-03
- [SAML Connectors] Fix panic observed when generating unsigned logout requests - #2452
v0.27.5
2024-04-23
- [SAML Apps] Call BuildRelayState extension post-authentication
v0.27.2
2024-04-18
- [SAML Apps] Expose NameID configuration
v0.27.1
2024-04-18
- Include allowedProtectedPackages option for Service Extensions
v0.27.0
2024-04-16
- Introduce cache to SAMLProvider
v0.26.108
2024-04-16
- Expose BuildRelayState service extension for IDP-initiated login flow
v0.26.106
2024-04-12
- Allow IDP-initiated ‘relayStateURL’ field to be optionally defined
v0.26.102-104
2024-04-11
- Fix log key to have correct attrProvider name
- Simplify IDP health check service
v0.26.94-100
2024-04-10
- Implement generic SAML in 1Kosmos and add cache
- Improve idphealthcheck test assertion
- Manually validate timestamp assertions in SAML
- Organize authprovider pkg and improve logging
- Store cacheRequester on samlAuthProvider to simplify CreateClient method signature
v0.26.90
2024-04-04
- Add proxy app support for HTTP request methods
v0.26.87-89
2024-04-03
- Enable PingFederate connector to use SAML package and cache
- Bug fix: Add ‘Authorization’ to list of ‘Access-Control-Allow-Headers’
v0.26.86
2024-04-02
- Set SAML CacheRequester at reload
v0.26.85
2024-04-01
- Add cache for SAML connectors using generic implementation