On this page
Changelog
0.24.0
Breaking
Removes support for the deprecated set_authorization_header
setting. You can use the Set Request Headers setting to pass IdP tokens to upstream services in any header.
Security
Previously, the Enterprise Console logged gRPC calls and their payload data. This release removes payload data from the logs.
New
Now, you can configure device authentication using client certificates in the Enterprise Console's PPL builder.
Performance improvements with configuration and service account syncs.
Fixed
Various UI improvements, and a fix that prevents missing policy criteria when migrating routes.
Changed
Various Telemetry fixes in the Console.
0.23.0
New
Set Request Headers has three new new token substitution values that it can send to upstream apps or services:
Client certificate fingerprint (the short-form SHA-256 fingerprint of the presented client certificate)
ID token (the OIDC ID token from the identity provider)
Access token (the OAuth access token from the identity provider)
Access Log Fields and Authorize Log Fields settings allow you to customize the values that are logged in the access and authorize logs.
Cookies SameSite is now configurable in the Enterprise Console.
Breaking
When using set_request_headers
, to prevent a ‘$’ character from being treated as the start of a variable substitution, you may need to replace it with ‘$$’.
0.22.0
Security patch
Pomerium upgraded to Go v1.20.3 and Envoy v1.24.5 to address security issues exposed in these packages. See the release notes in the links for more information.
New
Hosted Authenticate Service will now be used by default to handle single-sign-on. Pomerium hosts this service as a convenience to its users; no identity provider configuration or authenticate service url needs to be specified if the hosted authenticate service is used. Self-hosted authenticate service is still available for users who want to configure their own identity provider and authenticate service URL.
Wildcard From Routes is a Beta support feature that allows you to define a wildcard route that points matching external routes to a single destination.
RDS changes provide more consistent and linear memory performance that significantly reduces memory consumption, especially in environments with rapidly changing configurations.
Fixed
Removes user references when a device credential is deleted
Displays external data source link only if provider exists
Changed
Adds additional DNS Lookup Families and defaults to V4_PREFERRED
Requires a name when creating a Namespace
0.21.1
Fixed
Fixes for UI errors saving empty headers, custom text fields, and more
New
Pass TLS options to HTTP clients
Updated
Remove device credential references from the user and session
0.21.0
Breaking
Re-enroll devices and update device IDs due to non-forward compatible internal change
New
Auto TLS support for Console and Databroker gRPC endpoints
Client TLS renegotiation for upstream clusters
Fixed
Fixes to the Enterprise Console's UI, builds, gRPC calls, and more
0.20.1
Fixed
UI fixes and improvements to branding settings
0.20.0
Breaking
Groups & Directory sync now managed and sourced from external data sources. See upgrading for details.
Fixed
Dozens of UI fixes and improvements
Fixed a bug in policy builder when using groups
Performance improvements to generated metrics
Updated
0.19.0
New
Additional error details and policy debugging for Enterprise
ACME TLS-ALPN support for autocert
Branding customization for Enterprise
Updated
Well-Known endpoint handler for Proxy
Upgrade to Envoy 1.23.0
Add virtual host domains for all certificates
Use generic types for sets and atomics
Fixed
Add CORS headers to JWKS endpoint
Add authority header to outbound gRPC requests
Remove not-null constraint on data column of record changes table
0.18.0
New
Support for external data sources
Simplified Kubernetes ingress controller
Updated
Postgres databroker backend
Upgrade to Envoy 1.21.1
Data in the Authorize service is now queried on-demand
Fixed
Various issues related to internal service URLs
Error pages for forward auth
Databroker in-memory backend deadlock
0.17.0
New
Pomerium Enterprise now requires a valid license to start.
Updated
Route and Policy screens have been redesigned for better UX.
0.16.0
New
Devices: It is now possible to manage, enroll, approve, and write authorization policy for device identity.
Signing keys can now be dynamically pulled from the Authenticate service's JWKS endpoint.
Added the ability to write PPL policy for HTTP method and path contexts.
Updated
Policies can now incorporate device identity and approval status.
Routes certificate UI now shows the matching TLS certificate used.
Routes now has Kubernetes service account token field
Metric addresses are now shown in the runtime info dashboard.
Envoy was upgraded to 1.20.1.
The code editor now supports dark mode.
Various UI style improvements and fixes.
Fixed
--tls-insecure-skip-verify
was not applied to databroker connections.
Fixed a bug in the host rewrite code (thank you @rankinc for reporting).
Fixed a bug in the way timeout fields were being displayed.
Fixed a bug in the way route header fields were being ordered.
Fixed
0.15.2
Fixed
A regression in the Deployments
page loading has been corrected.
0.15.1
Fixed
Tracing settings now persist correctly.
Updated
Support configuring multiple audiences for the console.
Improved configuration validation.
Various UI style improvements.
0.15.0
New
Telemetry - View real time metrics and status from Pomerium components inside the Enterprise Console.
More expressive policy syntax: Pomerium's new extended policy language allows more complex policies to be configured, along with non-identity based conditions for access.
Support for Google Cloud Serverless configuration on routes.
Support for SPDY configuration on routes.
More consistent filtering and sorting across resource listing pages .
Updated
Certificate Management - Certificates with overlapping SAN names are no longer permitted.
Policies - New editing screen supports Wizard based, Text based or Rego based policy.
Policies - Only global administrators may manage Rego based policies.
Policies - Support time based criteria.
Service Accounts - Simplified UI.
Service Accounts - Support token expiration time.
Service Accounts - Namespace support.
Impersonation - Impersonation is now done on an individual session basis.
Various other bug fixes and improvements.