Adds an optional, global-level Pass Identity Headers setting, which sends identity headers to all upstream applications when enabled. If you want to forward identity headers only to a specific upstream application, you can still use the per-route Pass Identity Headers setting.
Removes support for the Secure Cookie setting. It is always enabled by default.
Improves error messages and includes multiple OpenTelemetry improvements.
Removes support for the deprecated set_authorization_header setting. You can use the Set Request Headers setting to pass IdP tokens to upstream services in any header.
When using set_request_headers, to prevent a ‘$’ character from being treated as the start of a variable substitution, you may need to replace it with ‘$$’.
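As an added illustration (not from the release notes), the following config fragment combines the global Pass Identity Headers setting, a per-route override, and a Set Request Headers entry replacing the removed set_authorization_header, including the `$$` escape for a literal dollar sign. Key names and the `$pomerium.id_token` variable are assumed from Pomerium's configuration reference; hostnames and header values are placeholders.

```yaml
# Added example, not from the Pomerium release notes.
# Key names and $pomerium.id_token assumed from the Pomerium config reference.

# Global: send identity headers (X-Pomerium-Claim-*) to every upstream.
pass_identity_headers: true

routes:
  - from: https://app.example.com        # placeholder hostname
    to: http://app-backend:8080           # placeholder upstream
    # Per-route override (assumed to take precedence over the global value):
    # this upstream has no use for the identity headers.
    pass_identity_headers: false
    set_request_headers:
      # Replacement for the deprecated set_authorization_header setting:
      # forward the IdP token in whichever header the upstream expects.
      Authorization: "Bearer $pomerium.id_token"
      # A literal '$' must be doubled; "$5" alone would be read as a
      # variable substitution and the header value would be mangled.
      X-Quota-Note: "Overage billed at $$5 per seat"
    policy:
      - allow:
          or:
            - domain:
                is: example.com
```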
Pomerium upgraded to Go v1.20.3 and Envoy v1.24.5 to address security issues exposed in these packages. See the release notes in the links for more information.
Hosted Authenticate Service will now be used by default to handle single sign-on. Pomerium hosts this service as a convenience to its users; no identity provider configuration or authenticate service URL needs to be specified if the hosted authenticate service is used. A self-hosted authenticate service is still available for users who want to configure their own identity provider and authenticate service URL.
Wildcard From Routes is a Beta support feature that allows you to define a wildcard route that points matching external routes to a single destination.
RDS changes provide more consistent and linear memory performance that significantly reduces memory consumption, especially in environments with rapidly changing configurations.
Telemetry - View real time metrics and status from Pomerium components inside the Enterprise Console.
More expressive policy syntax: Pomerium's new extended policy language allows more complex policies to be configured, along with non-identity-based conditions for access.