configuration files added during the initial installation, use: sudo apt purge maverics If you perform apt remove maverics and manually delete configuration files after uninstalling, you will not be able to reinstall the orchestrator until you run apt purge maverics . Configuring the Service Local Configuration File Edit the maverics.yaml file in the /etc/maverics directory and add your desired Orchestrator configuration. To use a configuration file in a different location, or with a different name, use the MAVERICS_CONFIG environment variable to override the default location. Set this to the full path to your configuration file (e.g. MAVERICS_CONFIG=/opt/orchestrator/custom.yaml ). Remote Configuration File See the Remote Configuration & Auto-Reload section on how to configure the Orchestrator for remote shared storage. Starting the Service The maverics service is managed by Systemd using configuration defined in /etc/systemd/system/maverics.service . This in turn sources environment variables …

...

...

Maverics deployment. MAVERICS_BUNDLE_PUBLIC_KEY_FILE=./public_key.pem # MAVERICS_AZURE_CONFIG: JSON string containing AWS configuration details. # Includes region, bucket name, access key ID, secret access key, and (optional) configuration file path. MAVERICS_AZURE_CONFIG='{"token": "sp=r&st=2023-03-31T02:31:53Z&se=2023-07-14T10:31:53Z&spr=https&sv=2021-12-02&sr=c&sig=xxxxyxxxxxxxxx", "account": "exampleStorage", "container": "exampleContainer", "configurationFilePath": "folder1/folder2"}' Refer to the Docker install article for details on system requirements, installation procedures, updates, and uninstallation. Create a maverics.env using a text editor and save it to a working directory. Replace the bracketed placeholders with files and values needed for your environment. # MAVERICS_DEBUG_MODE: Enables or disables debug mode for Maverics. # When set to true, additional debug information will be logged. export MAVERICS_DEBUG_MODE=true # MAVERICS_HTTP_ADDRESS: Specifies the HTTP address and port for the Maverics server …

Maverics Orchestrator can retrieve secrets from CyberArk CCP . CyberArk CCP is using certificate authentication method, so you need to provide the path to the root CA certificate, client certificate, and client key. To load secrets from the CCP, set the environment variable MAVERICS_SECRET_PROVIDER in the file /etc/maverics/maverics.env MAVERICS_SECRET_PROVIDER="cyberarkccp://secrets.mydomain.com?appID=some-app-id&safe=some-safe&caFile=rootCA.crt&certFile=client.crt&keyFile=client.pem" Optionally, you can specify folder parameter as well. MAVERICS_SECRET_PROVIDER="cyberarkccp://secrets.mydomain.com?appID=some-app-id&folder=my-folder&safe=some-safe&caFile=rootCA.crt&certFile=client.crt&keyFile=client.pem" For more detailed parameters description, please refer to the CyberArk CCP documentation . If paths to your certificate files contain special characters or spaces, they should be URL encoded, similarly as you would treat other URL query parameters. For example, if your …

Features Service Extension Metadata Workflows Added support for editing metadata values the following service extension points: Proxy User Flows: Authentication Create Headers Handle Unauthorized Upstream login Modify HTTP Response Modify HTTP Request Review the Service extensions documentation to learn more about how to use metadata to simplify your deployments. Authorization Flows Proxy app type user flows, for a given location policy you can now combine a service extension and a conditional rule.

decisions. These flows are designed to be modular, reusable, and environment-aware, making it easy to update identity logic without having to modify the underlying applications. In practice, a user flow may begin with a primary authentication provider, like Entra ID, followed by an attribute resolution step using an LDAP directory or external API, and finally an optional service extension to transform or enrich the session. The flow defines how usernames are mapped across systems, how roles or claims are generated, and how fallbacks are handled if an IDP is unavailable. Whether you’re enabling SSO, adding MFA, or orchestrating identity continuity across environments, user flows ensure consistent policy enforcement and simplify the deployment of complex identity logic at runtime. Customizing identity behavior with Service Extensions Service Extensions in Maverics are custom, pluggable modules written in Go that let you extend and customize identity behavior at key points in a …

2024-12-13: OIDC provider endpoint fixes for /logout and /revoke On deployment of a OIDC app type user flow, the default end session and revoke endpoints will be properly set in the config. 2024-12-10: Resolved ARN issue The ARN value needed for setting up a AWS environment will now properly display in regions outside of the US. 2024-12-06: Minor bug fixes Attribute providers now render correctly when used on OIDC claims mapping Fixed padding when editing apps Better error logging to upload assets 2024-12-05: OIDC app logout redirect URLs & virus scanning on Service Extension asset uploads You can now define valid logout redirect URLs in the OIDC app definition. Virus scanning on service extension asset uploads Maverics now scans custom app icons and assets uploaded to service extensions for viruses. If a virus is detected the upload will be prevented. 2024-11-21 …

Overview This guide will walk you through the following steps: Configuring Google Cloud as your storage provider Creating a Maverics environment to publish config to Google Cloud Deploying an orchestrator to read the config in Google Cloud Prerequisites Before you begin, you will need an account and new project dedicated to Maverics set up in Google Cloud. Configure storage provider You will utilize GCS to publish configurations from the Maverics Console, which your orchestrators will access. The Maverics Console must have permissions to both read and write to this bucket, while the orchestrators will need read-only access. Create Google Cloud Storage bucket In Google Cloud Console, select the project you’ve created for Maverics from the dropdown menu in the top navigation. Go to Cloud Storage . You may find this under Quick Access or Products. Go to Buckets and click Create . Enter a unique name for your bucket and …

New users can sign in with a passkey as an alternative to the HYPR app. If you are an existing customer and would like to add a alternative login method to the HYPR, contact support@strata.io to get a magic link. For HYPR app users: Users now have improved login notifications, and a better user experience within the HYPR app. This should mitigate any issues where push notifications did not go through. Additionally the app no longer requires entering a 4-digit pin to confirm authentication. For more information, see our docs .

authorization rule. If you wish to leave this option turned off, you can apply fine-grain access control and authorization by selecting Use rules to define access and using the boolean rule builder that appears on screen. The rule builder allows you to add rules and conditions by provider. Additionally, you can add a rule or condition to restrict access based on HTTP request method. You can specify the HTTP method and create different access rules for reading a resource (using GET) versus modifying it (using POST or PUT). Alternatively, you can select a service extension if you have any authorization service extensions already configured. Service Extension Policy Decision Lifetime : Define the length of time when policies are re-evaluated by service extensions. If your user flow does not leverage a service extension for authorization or load attributes, you can skip this option. Cached for the duration of the session …

2025-04-22 New features Logging enhancements Logs in the CreateHeader service extension have been updated to include traceID , sessionID , and service attributes. API service extensions can now leverage a newly exposed function that allows for retrieving a logger from the context of a request. The log.WithRequest function can be used to ensure logs include the traceID and sessionID attributes. For more information, refer to the API examples . Note Customers running API service extensions must update their service extensions to use the new function ONLY if they want to their logs to include traceID and sessionID . Strata advises customers to first test this new orchestrator release against their existing API service extensions in a lab or lower environment to ensure their service extensions continue to operate normally. For more information, refer to Serve Service Extension . Resolved issues This release resolves an issue in which orchestrator telemetry data was being …

On startup, the Maverics service starts automatically with a delayed auto start. This means the Maverics service will not start until all the other auto-start services have started. Note that the Startup Type value of the Maverics service will be reset back to Automatic (Delayed Start) on the next reinstall or upgrade if it has been manually changed. Updating the orchestrator from an earlier orchestrator MSI If you are running an older version of Orchestrator on Windows, you can upgrade to the latest version seamlessly. The MSI installer will preserve any existing system environment variables and migrate them to the Windows Registry. These environment variables will be prepended with migrated_ (for example, migrated_MAVERICS_HTTP_ADDRESS ). Obtain the latest Maverics MSI package and transfer the file to the target server. As Administrator, double-click the MSI file (or right-click and choose "Install"). The maverics.exe binary will be …

To configure Maverics SSO with Okta, you will need to set up a new App Integration. Go to Applications and click Create App Integration . Create Maverics as an OIDC Open ID Connect Web Application . Accept the default settings. Allow everyone. You will need the Client ID, Client Secret, and Issuer URL to set up SSO in Maverics. The Client ID and Client Secret appear after saving your App Integration in Okta. The Issuer URL is typically: https://${yourOktaDomain}/oauth2/default .

Configure Maverics to use Duo as a identity provider using the SAML protocol. Identity Fabric/Duo (SAML)→Configure Settings→Use for authentication in any type of user flow Configure Identity Fabric Use a Secret Provider Production settings ought to implement a secret management system. Maverics connects with multiple secret management systems, which keep secrets that Orchestrator instances retrieve during startup. To cite a secret from your provider, enclose the name in angle brackets. (e.g. ) Learn more about Secret Providers Field Name Description Example Name A friendly name for your SAML service. samlClient Metadata URL This is the metadata URL from the application configured in the SAML service. This setting will accept a file:/// URI if the metadata file is saved on a filesystem accessible to the Orchestrator user. https://saml-idp.com/FederationMetadata/2007-06/FederationMetadata.xml Consumer Service (ACS) URL The URL that the SAML service will use …

...

defined in the Compose file, you can run the following command: docker-compose down This will stop and remove all the containers created by the Compose file. SAML support Sonar also supports SAML. You can follow the same steps to run Sonar as a SAML app by modifying the ports to use 8987 and the Docker image to sonar:latest.

Overview This guide will walk you through the following steps: Configuring Amazon Web Services (AWS) S3 as your storage provider Creating a Deployment to publish config to AWS S3 Deploying an orchestrator to consume the config in AWS Prerequisites An active AWS account with permissions to create and manage S3 buckets, IAM roles, and policies. Permissions in your host environment install the orchestrator service Configure storage provider You will utilize AWS’s Simple Storage Service (S3) to publish configurations from the Maverics Console, which your orchestrators will access. The Maverics Console must have permissions to both read and write to this bucket, while the orchestrators need read-only access. Create an AWS S3 bucket Refer to the Creating a bucket AWS documentation for more information. Sign in to the AWS Management Console Navigate to AWS Console In the search bar, type S3 and select Amazon S3 . Select the AWS Region …

You can quickly change the account you are working in by clicking the account name at the top left side of the main screen and selecting a different account from the dropdown menu. To view all of your accounts and the number of members, click your email address in the upper right corner of the screen. In the dropdown menu, select Accounts . On the Accounts page, you can view the information on the accounts you have access to, including the number of members of each account and which accounts you own. From here, you can click Use this account to switch to any of your listed accounts. Additionally, accounts you have been invited to are listed in the lower section. Click Accept invite to become an account member. The account will then appear in your access list. Account owner vs. account member Account members have the ability to configure identity …