Orchestrator build release notes
For older release notes, see the release notes archive.
v0.113.0
2025-05-14
New features
Use Authorization Service Extension and Conditional Policies for authorization
This release introduces the ability to use the IsAuthorized service extension and authorization rules together. This allows more granular control of user authorization to protected resources. This feature is supported on SAML, OIDC, and Proxy apps.
Both the authorization service extension and the authorization rules must be validated as true to grant a user access. If either validates as false, the user is denied access.
For more details see Authorization.
Custom Unauthorized Page for SAML Apps
SAML apps now support an error page for unauthorized users. Custom unauthorized pages for SAML apps will be configurable from the user interface in an upcoming release of the Maverics Console.
v0.112.0
2025-05-07
New features
Support for custom query parameter in Entra ID (OIDC) and generic OIDC identity services
Orchestrator now supports routing a custom query parameter to a declared Entra ID or OIDC IDP via service extension. Orchestrator passes the query parameter which then gets captured by the browser. Service extensions should be updated per the Go documentation for idfabric.
Field ordering of orchestrator logs
Readability of orchestrator logs can be improved by enabling fieldOrdering (optional). fieldOrdering organizes the fields in the log output, setting values in the following order: ts, level, service, traceID, sessionID, and msg.
fieldOrdering will impact orchestrator performance. If performance must remain optimal, Strata recommends leaving this option disabled. For more information, see Logging.
v0.111.0
2025-05-01
New features
Orchestrator heartbeat
The Orchestrator now includes a heartbeat. This lightweight service logs runtime details at a configurable time interval. Enabled by default, the heartbeat service prints a log message containing the orchestrator ID, orchestrator version, orchestrator config version, as well as CPU count, usage, and total memory. By default, the heartbeat service logs at the info level.
The heartbeat service is part of the Health configuration block. It will be configurable from the user interface in an upcoming release of the Maverics Console. For more information, see Heartbeat.
Access logs enabled by default
HTTP access logs are now enabled by default. This change is meant to provide customers with greater insight into how requests flow through the system and can be used to confirm that all requests result in a corresponding response.
By default, access logs are logged at the debug level. If desired, access logs can be disabled via the orchestrator config. Access logs will be configurable from the user interface in an upcoming release of the Maverics Console. For more information, see Access Logs.
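As an added illustration (not orchestrator code or configuration), the following Python script shows one way to use the traceID carried in every log line for the check the access-log note above suggests: it parses JSON-per-line logs, applies the fieldOrdering order (ts, level, service, traceID, sessionID, msg) for readability, and flags any traceID whose logged request never received a logged response. The sample lines and the "request received" / "response sent" msg wording are constructed assumptions; the real access-log format may differ.

```python
import json
from collections import defaultdict

# Field order documented for fieldOrdering; any other keys keep their original order.
FIELD_ORDER = ("ts", "level", "service", "traceID", "sessionID", "msg")

# Constructed sample lines (not real orchestrator output); the "request received" /
# "response sent" msg wording is an assumption for this example.
SAMPLE_LOG = """
{"msg":"request received","traceID":"t-1","ts":"2025-05-01T10:00:00Z","level":"debug","service":"http","sessionID":"s-9","method":"GET","path":"/app"}
{"level":"debug","ts":"2025-05-01T10:00:00Z","service":"http","traceID":"t-1","sessionID":"s-9","msg":"response sent","status":200}
{"ts":"2025-05-01T10:00:01Z","level":"debug","service":"http","traceID":"t-2","sessionID":"s-9","msg":"request received","method":"POST","path":"/login"}
{"ts":"2025-05-01T10:00:01Z","level":"info","service":"heartbeat","msg":"orchestrator running"}
"""

def order_fields(record: dict) -> dict:
    """Return a copy of record with FIELD_ORDER keys first, then the remaining keys."""
    ordered = {k: record[k] for k in FIELD_ORDER if k in record}
    ordered.update((k, v) for k, v in record.items() if k not in ordered)
    return ordered

def parse_log(text: str) -> list[dict]:
    """Parse JSON-per-line logs, skipping blank and malformed lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a non-JSON line is not fatal for a log scan
    return records

def unanswered_requests(records: list[dict]) -> list[str]:
    """Return traceIDs that logged a request but never a matching response."""
    seen = defaultdict(set)
    for rec in records:
        trace = rec.get("traceID")
        if not trace:
            continue  # heartbeat and other non-request logs carry no traceID
        if rec.get("msg") == "request received":
            seen[trace].add("request")
        elif rec.get("msg") == "response sent":
            seen[trace].add("response")
    return sorted(t for t, phases in seen.items()
                  if "request" in phases and "response" not in phases)
```

Feed the script your own JSON log lines and print each record with order_fields applied; any traceID returned by unanswered_requests is a transaction worth investigating.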
LDAP custom login page and localization
Orchestrator v0.111.0 introduces support for an optional custom login page when using LDAP as an IDP. By defining customLogin in the orchestrator configuration, the orchestrator delivers a custom HTML page stored in the filesystem.
In addition, the custom login page now supports standards-based language localization (BCP 47). By default, the localization selection is driven from the Accept-Language header, but can be customized to meet deployment-specific needs.
LDAP custom login and localization will be configurable from the user interface in an upcoming release of the Maverics Console. For more information, see Custom Login.
v0.110.0
2025-04-22
New features
Logging enhancements
Logs in the CreateHeader service extension have been updated to include traceID, sessionID, and service attributes.
API service extensions can now leverage a newly exposed function that allows for retrieving a logger from the context of a request. The log.WithRequest function can be used to ensure logs include the traceID and sessionID attributes. For more information, refer to the API examples.
traceID and sessionID. Strata advises customers to first test this new orchestrator release against their existing API service extensions in a lab or lower environment to ensure their service extensions continue to operate normally. For more information, refer to Serve Service Extension.
Resolved issues
This release resolves an issue in which orchestrator telemetry data was being sent to the Maverics Console even though telemetry was disabled. This issue was introduced in v0.107.0 and only impacts customers that are using Maverics Console.
v0.109.0
2025-04-16
New features
Logging enhancements
Logs in the following identity services have been updated to include traceID and service attributes:
- 1Kosmos
- PingFederate
- SAML
- Windows Client Authenticator (WCA)
- WSO2
API service extension logs have been updated to include traceID, service, seName, seFuncName, and seChecksum attributes.
Resolved issues
- This release resolves an issue in which re-authentications triggered by session expiry would fail with an OIDC identity provider using PKCE.
v0.108.0
2025-04-14
New features
Orchestrator v0.108.0 adds improvements to observability, including HTTP access logs, contextual logging, tracing, and standard telemetry. These changes provide more detailed logs for better insight into transactions from all areas of the orchestrator including service extensions.
HTTP access logging
All HTTP requests and responses are now optionally logged. Access logs are logged at debug level by default. Currently, access logs can be enabled/disabled in the orchestrator config. Access logging can be enabled/disabled from the user interface in a forthcoming update to Maverics Console. For more info, please see the reference docs.
Logging
The logger now includes a traceID attribute in log messages that can be used to trace requests through the system. Additionally, logs now include the service key to help clearly identify the source of logs. For service extensions, the seName, seFuncName, and seChecksum keys are also now included.
Security enhancements
- Resolves CVE-2025-22872.
v0.107.0
2025-03-26
- Internal enhancements and improvements.
v0.106.1
2025-03-25
Resolved issues
- go-redis has been updated to v9.7.3 to resolve CVE-2025-29923. Strata recommends all customers using the Redis cache upgrade to this latest version of orchestrator to resolve this issue.
- Internal enhancements and improvements.
v0.106.0
2025-03-19
New features
- Orchestrator logs can now be filtered to suppress or reduce specific log messages. For more information, see Filters.
- DPoP Nonces can be disabled optionally. By default, when DPoP is enabled, the DPoP Nonce is also enabled. However, if desired you can now disable the DPoP nonce. The Orchestrator will be able to issue and validate DPoP-bound tokens without requiring the nonce. For more info, see the docs.
- As part of support for the OAuth Hybrid flow, support for the response_mode request parameter has been added. For more information, please see the spec.
- The LDAP Connector now supports logout. Query parameters are preserved as part of the logout flow in order to ensure a seamless integration when single logout (SLO) is also used.
Resolved issues
- Resolved an issue where the OIDC Provider did not return standard grants as part of the well-known response. After this fix, the grant_types_supported values that are returned align with standard OAuth grants as per section 1.3 of the RFC.
v0.102.0
2025-03-04
Shipped support for the OAuth Hybrid Flow in orchestrator to grant OIDC applications access to an ID token while maintaining secure retrieval of access tokens and refresh tokens. As part of this implementation, orchestrator includes support for the Implicit Grant Type (deprecated), as it is required to be combined with the Authorization Code flow in order to facilitate the Hybrid Flow.
v0.101.4, v0.101.5, v0.102.1
2025-03-03
The following libraries have been updated to resolve discovered vulnerabilities:
- go-jose version 3.0.4 (CVE-2025-27144)
- google golang api version 0.223.0
- golang oauth library version 0.28.0 (CVE-2025-22868)
v0.101.2
2025-02-28
Resolved an issue to allow the introspection response to succeed for access tokens for nested claims.
v0.101.1
2025-02-28
The golang crypto library in the orchestrator has been updated to version 0.35.0 to resolve CVE-2025-22869.
v0.100.0, v0.101.0
2025-02-27
Shipped support for silent OIDC authentication in the Auth0 Connector, as well as support for a custom error page. This allows for a silent auth to Auth0 with the authentication request returning prompt=none. This can help facilitate bi-directional SSO use cases. Strata will bring this functionality to more IDPs in the near future.
v0.99.1
2025-02-24
Resolved an issue to allow reload to work successfully when an end session endpoint for an OIDC provider is defined.
v0.99.0
2025-02-24
The go-redis package in the orchestrator has been updated to version 9.7.1.
v0.97.0
2025-02-19
The build architecture of the macOS download artifact has been updated from AMD to ARM.
v0.96.0
2025-02-21
Added support for multiple secret paths in HashiCorp Vault secret provider
The orchestrator integration with HashiCorp Vault now supports multiple secret paths from the same secrets engine. If needed as part of your user flows, you can define secret paths for multiple secrets in the orchestrator configuration. For more details, see Secrets Management: HashiCorp Vault.
As part of this update, secret names cannot contain any forward slashes (/).
If you are currently using HashiCorp Vault as a secrets provider and your secret names include slashes, Strata advises you to remove the slashes or change the secret name before upgrading your orchestrator to v0.96.0.
Failing to do so might result in a connection failure to your Vault instance. To remediate this, change your secret name to remove slashes then restart orchestrator.
v0.94.0
2025-02-13
Orchestrator has been upgraded to Go v1.23.
Noteworthy changes include:
- 3DES cipher suites are removed from the default list of secure ciphers that the Orchestrator uses. If required, these ciphers can be re-enabled by using the enabledCiphers TLS config.
- The net/http Cookie implementation no longer strips double quotes from cookies when storing. This should not impact existing service extensions, but Strata is performing a further investigation to verify behaviours remain consistent.
For more information, see Go 1.23 Release Notes.
v0.93.0
2025-02-13
- Browser-based client apps now have access to DPoP-Nonce response headers.
v0.91.0
2025-02-10
- The OIDC Provider now requires DPoP nonce validation.
v0.90.0
2025-01-31
- When a previously issued access token is DPoP bound, DPoP proof and its corresponding access token are now validated at the userinfo endpoint.
v0.89.0
2025-01-31
- Internal enhancements and improvements.
- Maverics now supports DPoP bound refresh tokens.
v0.88.2
2025-01-29
- A bug causing attribute providers to break in proxy apps was fixed.
v0.88.1
2025-01-29
- Internal Only release: enhancements and improvements.
v0.88.0
2025-01-28
- Maverics now supports opaque access tokens when using DPoP.
v0.80.0
2025-01-22
- We have updated the metadata endpoint to return DPoP signing algorithms for OIDC providers.
v0.79.0
2025-01-22
- Maverics now supports DPoP sender-bound access tokens for OIDC providers.