Release Notes 4.16.0

Overview

This document outlines the updates, improvements, and fixes introduced between versions 4.14.0 (released on Nov 03, 2025) and 4.16.0 (released on Dec 15, 2025) of the Excalibur v4 software.

New Features

Enhanced Security with Peer Verification

We’ve introduced Peer Verification, a new security layer that ensures critical actions require approval from designated peers. Key improvements include:

  • Intelligent Policy Handling: Actions are automatically evaluated to determine if peer approval is needed.
  • Pending Verifications: Users can easily track verifications requiring their approval via the Notifications tab and Settings.
  • Approval Workflows: Approvers receive in-app and email notifications, and can approve or deny requests directly from mobile or dashboard.
  • Detailed History: View your pending and past verification requests, including who approved or rejected actions.
  • Seamless Integration: Works with authentication and authorization flows, resuming or canceling actions based on verification outcomes.

This feature enhances security, compliance, and visibility for all sensitive operations.

Mobile Flow

Stay informed with a new Notifications icon

A bell icon now appears in the tab bar, showing a badge whenever new notifications arrive.

Figure 1. Bell Icon

See your pending verifications at a glance

A new “Pending Verifications” section in Settings displays the count of verification requests waiting for your attention.

Figure 2. Pending Verification

Access all notifications in one place

Tap the Notifications icon to open a screen showing all available notifications.

Figure 3. Token Notifications

Get full context for each notification

Each notification displays the requester’s name, the requested action (e.g., “Authentication to Dashboard”), tenant name, deployment name, and the time remaining until the verification expires.

Figure 4. Notification Detail

Sort and filter your notifications

Two buttons, Sort and Deployment, make it easy to organize your notifications:

  • Sort: Arrange notifications by newest or oldest.
  • Deployment: Filter notifications by a specific deployment or view all deployments.

Figure 5. Sorting and Filtering

Scroll and refresh with ease

Notifications support infinite scrolling, loading 10 items at a time, and a pull-to-refresh function ensures you always see the latest updates.

Stay aware even when offline

If your device is disconnected from deployments, a warning appears to let you know some notifications may not be available.

Figure 6. Disconnected Deployments Warning

Explore your verification history

The new View History button lets you browse through all your previous notifications. Two types of history views and intuitive icons help you track past verifications easily.

Figure 7. Notifications History

Figure 8. Notifications History Types

Figure 9. Notifications History Icons

See verification details and act immediately

Tapping a notification opens the Verification Detail screen, showing:

  • Requester name
  • Current status (e.g., “Waiting for approval”)
  • Time remaining until expiration
  • Requested action
  • Timestamps (Created At, Expires At)
  • Deployment information (name, tenant, URL, status)
  • Reviewed by section (approver/denier names, denial reason if provided)
  • Action buttons to Approve or Deny

Figure 10. Notifications Detail

Approve or deny efficiently

  • Tapping Approve displays your list of authorized users for approval.
  • Tapping Deny shows the list and includes an optional field to provide a reason.

Figure 11. Approve & Deny Detail

Manage your own pending verifications

Your personal verification requests are displayed in Settings. Tap any request to open its detail screen, where you can cancel it if needed.

Figure 12. Pending Notification Detail

Seamless peer verification after authentication

When peer verification is enabled in security policies, a dedicated page appears after completing authentication factors (PIN, biometrics, location), guiding you through required peer approvals.

Figure 13. Peer Verification Detail

Native Client Support for Secure SSH & RDP Through the Excalibur Proxy

We’re introducing full support for accessing PAM-managed systems using native SSH and RDP clients, while still benefiting from Excalibur’s strong authentication, auditing, and least-privilege controls. This gives organizations a smooth transition path—your existing scripts, tools, and native workflows continue working while you gradually adopt the Excalibur web interface.

Why this matters

Many customers rely on native SSH and RDP clients for automation, operations, and legacy workflows. This update ensures these tools keep working securely—without exposing RDP/SSH to the Internet and without bypassing PAM policies, MFA, or auditing.

Key Capabilities

Secure SSH Proxy for Native Clients

You can now connect to PAM-controlled SSH targets using your existing SSH tools, scripts, and automations.

Authentication Options

  • QR-based passwordless login (mobile MFA required)

What’s supported

  • Fully transparent SSH session forwarding through the proxy
  • Secure SFTP file transfers
  • Session recording (optional per target)
  • Automatic enforcement of RBAC—users only see targets they’re allowed to use
  • No TCP forwarding, no port tunneling, no lateral movement

What’s improved

  • No SSH target is ever exposed publicly
  • Your existing automation continues to work with minimal adjustments
  • A safer alternative to VPN-based SSH or direct public IP exposure

Secure RDP Proxy for Native Clients

Native RDP clients (Microsoft Remote Desktop, etc.) can now connect securely to PAM-controlled Windows targets through the Excalibur Proxy.

Authentication

  • QR-based MFA is the only authentication method, ensuring strong, passwordless access for graphical sessions.

Capabilities

  • Seamless connection via a local tunnel using the user’s native RDP client
  • Full session recording and oversight
  • Controlled clipboard and file-transfer rules for balanced security vs usability
  • Strong isolation and no public exposure of RDP endpoints

Unified Access Model

Both SSH and RDP now follow a consistent access principle:

  • Use a local tunnel
  • Select an allowed target
  • Work through your native SSH/RDP client
  • Sessions are fully audited and recorded

This approach ensures your native workflows remain intact, all while enforcing modern security controls.

Transition-Friendly Design

This release lets organizations:

  • Keep existing native workflows operational
  • Avoid disruptions to automation
  • Strengthen security without large-scale rewrites
  • Gradually migrate to the new web-based PAM experience

You can switch at your own pace.

Summary

This major enhancement enables secure, compliant, and convenient access to PAM-managed targets directly from native SSH and RDP clients, with full support for MFA, auditing, RBAC, and session policies. Your tools continue to work—now safer than ever.

Usability Improvements

Enhanced Invitations Page

The Invitations page now automatically sorts newly created invitations at the top, making it easier to track recent activity.

  • When inviting a user, the dialog now shows an alert if the user is already registered.
  • Both the Invitations page and Add Invitations modal now display the current group membership for registered users — but only when a single registered user is selected.
  • For multiple users, this information is hidden to keep the interface clear.

Figure 14. Enhanced User Re-invite

We’ve added a fresh logo to the home screen to give the app a more recognizable and polished look. Enjoy a more branded and engaging experience every time you open the app.

Figure 15. Home Screen Logo

Enabled Bulk User Import for Local Identity Store

We’ve added a new Import Users option to the Users list, making it faster to add multiple users at once through a simple 4-step wizard:

  • Upload – Import your user list via CSV or XLSX files, or optionally paste CSV data. A sample template is provided to help you get started.
  • Map Columns – Automatically map common headers like Email, Name, and Surname, or manually adjust mappings as needed.
  • Validate & Preview – See a per-row status indicating Valid, Warning, or Error. The system checks for duplicate entries within the file, validates email formats, and resolves group assignments before import.
  • Run Import – Once everything looks correct, import your users in bulk.

The existing Create User functionality for adding single users remains unchanged.

Figure 16. Bulk Import

Updated Maps Settings with Helpful Information

The Maps Settings page now includes a helpful note at the bottom explaining how our app uses your Google API Key and the Places API service. You’ll also find a direct link to our documentation for more details and setup guidance.

Figure 17. Enhanced Map Settings

Improved Clipboard & Search Behavior Across Remote Sessions

We’ve enhanced clipboard handling and search functionality across RDP, VNC, and SSH sessions to deliver a more consistent and secure experience:

RDP & VNC Sessions

  • Standard keyboard shortcuts (Ctrl+C / Ctrl+V and Command+C / Command+V) are now fully supported.
  • Right-click → Paste is intentionally disabled to prevent unintended clipboard propagation.

SSH Sessions

  • Clipboard operations now work through right-click copy and paste, making interactions simpler and more reliable.

Improved Search

  • Clipboard-related context is now included in full-text search results, ensuring better visibility of session activity.

Clipboard Size Limit

  • Clipboard transfers are now capped at 256 KB to maintain performance and security.

Behind the scenes, the backend now captures clipboard copy and paste actions during active PAM sessions for improved auditing and traceability.