
Aembit Secrets Operator now available

Aembit Secrets Operator 1.31.298 is now available.

Secrets Operator is a Kubernetes operator that authenticates to the Aembit platform and synchronizes credentials into Kubernetes Secrets. Applications consume managed secrets the same way they consume any other Kubernetes Secret.

Key capabilities in this release:

  • Kubernetes Service Account authentication: Authenticate using the operator’s in-cluster ServiceAccount token, validated against the cluster’s OIDC endpoint. No per-cluster signing key required. Verified on Amazon EKS and K3s. See Set up Secrets Operator for configuration.
  • OIDC symmetric key authentication: Alternatively, authenticate using OIDC tokens with symmetric key signing (HS256) for custom claims and non-Kubernetes identity scenarios.
  • Proactive credential renewal: Credentials refresh at 80% of their TTL, or sooner when you configure a shorter refreshInterval, ensuring applications always have a valid credential.
  • Multi-namespace install: You can now use the same Helm release name across multiple namespaces on the same cluster without resource name conflicts.

Oracle Database now generally available

Oracle Database protocol support is now available for production use.

What’s new:

  • Oracle Database GA: Support for Oracle 19c and 21c is now available for production use. Aembit injects username/password credentials into Oracle TNS connections at authentication time, eliminating static database passwords without modifying your application code.
  • TLS connections: Oracle database connections can now use TLS via the TCP/IP with TLS (TCPS) protocol. You can enable TLS independently on the client-to-proxy and proxy-to-database sides by checking the TLS checkbox on the Port and Forward to Port fields in the Server Workload configuration.
  • Improved Oracle error handling: Agent Proxy now returns clearer ORA-* error messages when Oracle authentication fails, making it easier to diagnose credential injection and configuration issues.
  • Prometheus observability: Oracle credential injection events now appear in the aembit_agent_proxy_credential_injections_total metric with application_protocol="oracleDatabase", so you can monitor Oracle credential operations alongside other supported protocols.

For setup instructions, see Create an Oracle Database Server Workload. For a technical overview, see About Oracle Databases.

Refresh token support for MCP authorization flows

OIDC ID Token and Aembit Access Token Credential Providers now support refresh tokens for MCP Authorization Server flows. This feature applies exclusively to MCP Authorization Server use cases.

What’s new:

  • An Enable Refresh Token Support option on OIDC ID Token and Aembit Access Token Credential Providers.
  • An Absolute Token Lifetime setting that controls how long refresh tokens remain valid for exchanging for new access tokens after initial issuance.
  • Refresh tokens are single-use. Each exchange returns a new refresh token.

When enabled, the MCP Authorization Server returns refresh tokens alongside access tokens during OAuth token requests. MCP clients can exchange a refresh token for a new access token and a new refresh token, maintaining an active session without completing a new authorization flow. Other credential flows, such as Agent Proxy, are not affected by this setting.

To use this feature, edit your Credential Provider, toggle Enable Refresh Token Support to on, and set the Absolute Token Lifetime.

For details, see Token refresh, OIDC ID Token, and Aembit Access Token.
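The single-use rotation and Absolute Token Lifetime semantics described above, as an added example that is not Aembit's code: a small issuer model in which every refresh token remembers when its chain started, replay of a consumed token is rejected, and no rotation can extend the chain past the absolute lifetime (token formats, names and the timings in `demo` are assumptions).

```python
import secrets


class InvalidGrant(Exception):
    """Raised where an OAuth token endpoint would answer error=invalid_grant."""


class RefreshTokenIssuer:
    """Model (not Aembit's implementation) of single-use refresh tokens bounded by an Absolute Token Lifetime."""
    def __init__(self, access_ttl: int, absolute_lifetime: int):
        self.access_ttl = access_ttl                # access token validity, seconds
        self.absolute_lifetime = absolute_lifetime  # Absolute Token Lifetime, seconds
        self._refresh = {}  # refresh token -> {"session_start": int, "used": bool}

    def _mint(self, session_start: int) -> dict:
        refresh = secrets.token_urlsafe(32)
        # Each refresh token carries the time its chain began, so rotation never extends the lifetime.
        self._refresh[refresh] = {"session_start": session_start, "used": False}
        return {"access_token": secrets.token_urlsafe(32), "expires_in": self.access_ttl,
                "refresh_token": refresh}

    def issue(self, now: int) -> dict:
        """Initial token response once the authorization flow completes."""
        return self._mint(session_start=now)

    def exchange(self, refresh_token: str, now: int) -> dict:
        """Refresh-token grant: consume the token and return a new access/refresh pair."""
        record = self._refresh.get(refresh_token)
        if record is None:
            raise InvalidGrant("unknown refresh token")
        if record["used"]:
            raise InvalidGrant("refresh token already used")  # single-use: replay is rejected
        record["used"] = True  # consumed even when the lifetime check below fails
        if now - record["session_start"] >= self.absolute_lifetime:
            raise InvalidGrant("absolute token lifetime exceeded; a new authorization flow is required")
        return self._mint(session_start=record["session_start"])


def demo() -> dict:
    """One session: issue, rotate, replay a consumed token, then exceed the absolute lifetime."""
    issuer = RefreshTokenIssuer(access_ttl=300, absolute_lifetime=3600)
    first = issuer.issue(now=0)
    second = issuer.exchange(first["refresh_token"], now=250)
    outcomes = {"rotated": first["refresh_token"] != second["refresh_token"]}
    for label, token, now in (("replay", first["refresh_token"], 260),
                              ("expired", second["refresh_token"], 3700)):
        try:
            issuer.exchange(token, now)
            outcomes[label] = "accepted"
        except InvalidGrant as exc:
            outcomes[label] = "rejected: " + str(exc)
    return outcomes
```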

MCP Authorization Server now supports unauthenticated flows

Aembit’s MCP Authorization Server now supports OAuth flows that don’t require end-user authentication. This enables use cases like ChatGPT apps and other MCP integrations where user sign-in isn’t needed or desired.

What’s new:

  • An Enforce SSO option on Client Workloads with the Redirect URI identifier type. Enforce SSO is on by default, preserving the current behavior of requiring user authentication.
  • When Enforce SSO is on, a multi-select dropdown lets you choose which SSO identity providers appear on the MCP authentication page. By default, all configured identity providers are selected.
  • When Enforce SSO is off, the MCP Authorization Server issues access tokens without redirecting users to an identity provider. No Trust Provider is needed, but a Credential Provider is still required.
  • Access Policies still apply as an authorization control. You can turn off policies or entities to block token issuance.

To use this feature, edit your Client Workload, select the Redirect URI client identifier, and configure Enforce SSO under MCP Authorization Configuration.

For details, see Authentication support and MCP Authorization Server architecture.

MCP Identity Gateway now supports MCP resources

Aembit has released MCP Identity Gateway version 1.29.4419.

Key Updates:

  • MCP resource support for the Identity Gateway

The MCP Identity Gateway now proxies MCP resource requests in addition to tool requests. MCP servers that expose resources (such as files, database schemas, or application data) are now accessible through the Gateway with the same identity-aware access policies, credential isolation, and audit logging that govern tool invocations.

What’s new:

  • resources/list discovers available resources across all assigned MCP servers. The Gateway fans out the request and aggregates results from all connected servers.
  • resources/read retrieves a specific resource by URI from the appropriate MCP server.

No action required. Resource support is available automatically after upgrading to MCP Identity Gateway 1.29.4419. Your existing access policies, Trust Providers, and Credential Providers apply to resource requests with no configuration changes.

For details, see MCP resource support.
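The fan-out, aggregation and URI routing described above, as an added example that is not the Gateway's own code: constructed stand-ins for three MCP servers, a gateway that only fans `resources/list` out to the servers assigned to the calling workload, routes `resources/read` to the server that listed the URI, and records an audit entry for every request (the server catalog, the learn-from-list routing strategy and the audit tuple layout are assumptions).

```python
# Constructed stand-ins for three MCP servers: uri -> (mimeType, text). "hr" is not assigned below.
SERVERS = {
    "docs": {"file:///docs/runbook.md": ("text/markdown", "# Runbook")},
    "db": {"db://inventory/schema": ("application/json", '{"tables": []}')},
    "hr": {"hr://payroll/2024": ("text/csv", "id,salary")},
}


def server_handle(catalog, method, params=None):
    """Stub MCP server: answers resources/list and resources/read with MCP-shaped results."""
    if method == "resources/list":
        return {"result": {"resources": [{"uri": u, "name": u.rsplit("/", 1)[-1]} for u in catalog]}}
    if method == "resources/read":
        uri = params["uri"]
        if uri not in catalog:  # -32002 is the code MCP reserves for "resource not found"
            return {"error": {"code": -32002, "message": f"Resource not found: {uri}"}}
        mime, text = catalog[uri]
        return {"result": {"contents": [{"uri": uri, "mimeType": mime, "text": text}]}}
    return {"error": {"code": -32601, "message": "Method not found"}}


class Gateway:
    """Fans resources/list out to the caller's assigned servers; routes resources/read by URI."""
    def __init__(self, servers, assigned, audit):
        self.servers, self.assigned, self.audit = servers, set(assigned), audit
        self.owner_by_uri = {}  # assumed routing strategy: learned from resources/list answers

    def resources_list(self):
        aggregated = []
        for name in sorted(self.assigned):  # only servers the access policy assigns to this workload
            for res in server_handle(self.servers[name], "resources/list")["result"]["resources"]:
                self.owner_by_uri[res["uri"]] = name
                aggregated.append(res)
        self.audit.append(("resources/list", sorted(self.assigned), len(aggregated)))
        return {"result": {"resources": aggregated}}

    def resources_read(self, uri):
        owner = self.owner_by_uri.get(uri)
        if owner is None:  # unknown or unassigned URI: never forwarded to any server
            self.audit.append(("resources/read", None, uri, "denied"))
            return {"error": {"code": -32002, "message": f"Resource not found: {uri}"}}
        response = server_handle(self.servers[owner], "resources/read", {"uri": uri})
        self.audit.append(("resources/read", owner, uri, "error" if "error" in response else "ok"))
        return response
```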

Aembit Virtual Appliance now available for Edge components

Aembit has released a new, pre-packaged deployment model: a Virtual Appliance for deploying Aembit Edge Components in your environment. The appliance image bundles Agent Controller and Agent Proxy together in a single OVA file.

For more detailed information on how to deploy the Aembit Virtual Appliance, please see the Virtual Appliance technical documentation.

Dynamic steering to specific hostnames now available

Aembit now supports dynamically steering only specific traffic to the Agent Proxy.

The dynamic steering feature introduces the ability to restrict this proxied traffic to a specific list of hostnames. When this feature is enabled, only egress traffic to the user-specified hostnames will be proxied. This enables you to have more precise control over which destinations’ traffic is managed by the Agent Proxy.

OAuth 2.0 Authorization Code Credential Provider now available

Aembit now supports 3-legged OAuth (3LO) workflows through the new OAuth 2.0 Authorization Code Credential Provider. Applications can request a user’s permission to access their account data and act on the user’s behalf.

With 3LO support, an application can access services or applications that the user has authorized.

Aembit supports the following third-party services with OAuth 2.0 Authorization Code Credential Providers:

For configuration details, see the OAuth 2.0 Authorization Code Credential documentation.

An expansion to Client Workload identification and Trust Provider match rules also shipped in this release; see Expanded Client Workload identification and Trust Provider match rules.

OAuth 2.0 Authorization Code Credential Provider enters beta

Aembit has released beta support for the OAuth 2.0 Authorization Code Credential Provider.

Many organizations require Credential Provider support for third-party SaaS services that only support short-lived credentials issued through the OAuth 2.0 Authorization Code Flow. These services include:

  • Atlassian
  • GitLab
  • Slack
  • GCP BigQuery
  • Apigee
  • PagerDuty

This beta release lets you use these third-party SaaS services with short-lived access tokens generated on demand for authentication to the APIs they provide.

For more information on how to configure the OAuth 2.0 Authorization Code Credential Provider for any of these third-party services, please see the OAuth 2.0 Authorization Code Credential Provider page.

AWS Role Trust Provider now available

Aembit has released an update to support AWS Role-Based Trust Providers.

The ability to create and use different types of Trust Providers in your Aembit environment gives you flexibility in how resources are managed. With this enhancement, you have an additional option when selecting a Trust Provider.

For more information on AWS Role-Based Trust Providers, please see the AWS Role Trust Provider page.

Resource Sets now available

Many organizations have security requirements that specify which resources a given group may manage, and you may need to segment management responsibility for entities and resources in your Aembit environment between different individuals and groups. To address this, Aembit has released the Resource Sets feature, which lets you determine which groups have access to which resources.

Resource Sets enable you to group entities and resources (e.g. Credential Providers, Trust Providers, Identity Providers, etc.) into a single collection and assign specific users to manage these resources.

For more detailed technical information on how to create and manage Resource Sets, please refer to the Resource Sets technical documentation.

AWS Lambda Container deployment now supported

There are many different deployment options you can currently use to deploy Aembit Edge Components in your environment, including GitHub Actions, GitLab Jobs, and Kubernetes.

To expand these options, Aembit now supports deploying Aembit Edge Components to an Amazon Web Services (AWS) Lambda Container.

For more detailed information on how to deploy Aembit Edge Components to AWS Lambda Containers, please refer to the AWS Lambda Container technical documentation.

Kerberos Trust Provider now available for Active Directory

Aembit has released a Kerberos Trust Provider that enables the attestation of Client Workloads running in virtual machine environments joined to Active Directory. This attestation method is designed specifically for on-premises deployments where alternative attestation methods, such as the AWS or Azure metadata service Trust Providers, are not available.

For more detailed information on this Kerberos Trust Provider, please refer to the Kerberos Trust Provider technical documentation.

SAML SSO authentication now available for administrators

Aembit now supports SAML SSO authentication for administrators who want to simplify the Aembit Tenant login process for their users. Instead of entering username/password credentials every time they access the Aembit Tenant, users can log in through a third-party SAML SSO provider (e.g. Google, Okta, Microsoft Entra).

For more information on how to configure Identity Providers using SAML, please see the Configuring Identity Providers technical documentation.