Configure applications
Maverics applications proxy apps, determine which identity systems should be used to authenticate users or provide attributes, extend those identity systems by managing sessions or evaluating and enforcing policies, and map attributes to headers that legacy on-premises or cloud-hosted apps need to allow access.
Maverics supports several types of applications including header-based, OIDC-based, SAML-based, and custom JSON code.
After creating your app, you can then create a user flow to connect your identity fabric to the app.
Proxy apps
To create a proxy app, click Applications from the sidebar and select Proxied app from the app store section. You will need to configure the following:
- Name: The friendly name of your application.
- App icon: Upload an image for your application to display in Maverics. Maverics supports JPEG, PNG, or SVG, up to 2MB maximum.
- Upstream URL: The URL the orchestrator sends traffic to after doing its work, such as evaluating policies or sending users to a provider for authentication.
- Route Patterns: The list of patterns that will be used to map a request to the appropriate app. Either a hostname, path, or combination of the two can be used.
- CA Path: (Optional) The path to your certificate authority when using self-signed certificates.
- Skip TLS Certification: By default, TLS Certification is required. When this toggle is enabled, the HTTP client will not validate the server’s certificate chain and host name. This should always be used with extreme caution.
- Unauthorized Page: (Optional) The URL your users are redirected to when a policy evaluation prevents access to the application. (example.com/unauthorized, example.com/403)
- Preserve Host: Used to determine if the host header should be preserved on outbound requests. By default, the orchestrator will set the host header to match the upstream’s host. This field is often used when the orchestrator is forwarding traffic to another reverse proxy such as Apache.
- Logout
- Logout Callback URL: The endpoint that will be exposed to facilitate a logout for application users. (https://app.sonarsystems.com/logout)
- Post Logout Redirect URL: The address where a user will be redirected after a successful logout. (https://app.sonarsystems.com)
Click Create to save the configuration. After creating the proxy app configuration, you can click the app in the Applications list, and define resources.
Resources are locations in your app that you can map to in your user flows when defining access policies and headers, for example a path such as / or /example. You can also specify regular expressions: to apply regular-expression matching to a resource path, prefix the location with "~ " (a tilde followed by a space).
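As an added example (not Maverics code), the following Go program shows how the route patterns and resource locations described above can be matched: a location prefixed with "~ " is compiled as a regular expression, any other location is compared literally, and a route pattern is split into its host and path parts. The exact-match and prefix-match semantics are assumptions made for illustration; confirm the behaviour of your orchestrator version before relying on them.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Resource: a "~ "-prefixed location is a regexp, otherwise it must equal the path (assumed).
type Resource struct {
	Location string
	re       *regexp.Regexp
}

// NewResource parses a location, compiling the regexp when "~ "-prefixed.
func NewResource(location string) (*Resource, error) {
	r := &Resource{Location: location}
	if strings.HasPrefix(location, "~ ") {
		re, err := regexp.Compile(strings.TrimPrefix(location, "~ "))
		if err != nil {
			return nil, fmt.Errorf("resource %q: %w", location, err)
		}
		r.re = re
	}
	return r, nil
}

// Matches reports whether the request path is covered by this resource.
func (r *Resource) Matches(path string) bool {
	if r.re != nil {
		return r.re.MatchString(path)
	}
	return path == r.Location
}

// RouteMatches checks a route pattern (hostname, path, or "host/path")
// against a request; paths match as prefixes (assumed semantics).
func RouteMatches(pattern, host, path string) bool {
	patHost, patPath := pattern, ""
	if i := strings.Index(pattern, "/"); i >= 0 {
		patHost, patPath = pattern[:i], pattern[i:]
	}
	return (patHost == "" || strings.EqualFold(patHost, host)) && strings.HasPrefix(path, patPath)
}

func main() {
	r, _ := NewResource("~ ^/api/v[0-9]+/")
	fmt.Println(RouteMatches("app.example.com/api/", "app.example.com", "/api/v2/users"), r.Matches("/api/v2/users"))
}
```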
OIDC-based apps
To create an OIDC app, click Applications from the sidebar and select OIDC-based app from the app store section. You will need to configure the following:
- Name: The friendly name of your application.
- App icon: Upload an image for your application to display in Maverics. Maverics supports JPEG, PNG, or SVG, up to 2MB maximum.
- Client ID: The client ID OIDC clients will need to connect. Use unique client IDs per application.
- Client Secret: The client secret OIDC clients will need to connect. You can use a secret provider with the <SECRET_KEY> syntax.
- Redirect URL: The allow list of URLs that your clients may be redirected to.
- Access Token Settings: This section defines the configuration for the OAuth access token.
- Type: The type can be set to either jwt (default) or opaque.
- Length: If the type is set to opaque, the length can be set to between 22 and 256 characters. If jwt, the default length is 28 characters.
- Lifetime Seconds: By default, access tokens have a lifetime of one hour. You can configure each client's access token lifetime by setting the lifetimeSeconds tag under the accessToken section to a valid integer number of seconds.
- Refresh Token Settings
- Allow Offline Access: Defines whether a client can request refresh tokens.
- Length: Can be set to between 22 and 256 characters to define the length of a refresh token.
Click Create to save the configuration.
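As an added example (not Maverics code), this Go snippet enforces the access and refresh token settings listed above for the opaque token type: the 22 to 256 character length bound, the one-hour default lifetime, and the rule that a client only receives a refresh token when Allow Offline Access is enabled. The TokenSettings type, the randomToken helper and the IssueOpaque function are assumptions made for illustration, and JWT-typed tokens are out of scope here.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"time"
)

// TokenSettings mirrors the Access Token and Refresh Token settings above.
type TokenSettings struct {
	Length             int  // opaque tokens: 22..256 characters
	LifetimeSeconds    int  // 0 selects the default of one hour
	AllowOfflineAccess bool // may clients request refresh tokens?
}

// randomToken returns n URL-safe characters drawn from crypto/rand.
func randomToken(n int) string {
	buf := make([]byte, n) // base64 of n bytes is always >= n characters
	if _, err := rand.Read(buf); err != nil {
		panic(err)
	}
	return base64.RawURLEncoding.EncodeToString(buf)[:n]
}

// IssueOpaque validates the settings, applies the one-hour default, and mints
// an opaque access token; a refresh token is returned only for allowed clients.
func IssueOpaque(s TokenSettings, offline bool, now time.Time) (access, refresh string, exp time.Time, err error) {
	if s.Length < 22 || s.Length > 256 {
		return "", "", exp, fmt.Errorf("opaque token length %d outside 22..256", s.Length)
	}
	if s.LifetimeSeconds == 0 {
		s.LifetimeSeconds = 3600 // the page's default of one hour
	} else if s.LifetimeSeconds < 0 {
		return "", "", exp, fmt.Errorf("lifetimeSeconds must be positive, got %d", s.LifetimeSeconds)
	}
	if offline && !s.AllowOfflineAccess {
		return "", "", exp, fmt.Errorf("client may not request refresh tokens (offline access disabled)")
	}
	access, exp = randomToken(s.Length), now.Add(time.Duration(s.LifetimeSeconds)*time.Second)
	if offline {
		refresh = randomToken(s.Length)
	}
	return access, refresh, exp, nil
}

func main() {
	a, r, exp, err := IssueOpaque(TokenSettings{Length: 32, AllowOfflineAccess: true}, true, time.Now())
	fmt.Println(a, r, exp, err)
}
```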
SAML-based apps
To create a SAML app, click Applications from the sidebar and select SAML-based app from the app store section. You will need to configure the following:
- Name: The friendly name of your application.
- App icon: Upload an image for your application to display in Maverics. Maverics supports JPEG, PNG, or SVG, up to 2MB maximum.
- Audience: Denotes who the client is. It should match the Issuer field provided by the service provider.
- Consumer Service URL: The URL where SAML responses will be sent.
- Duration: The duration in seconds for which this server’s responses are valid.
- NameID Format: (Optional) Define the NameID Format that will be used in the SAML assertion. When not defined, a value of urn:oasis:names:tc:SAML:1.0:nameid-format:unspecified will be used.
- Certificate File: Upload a certificate file to verify the signatures of incoming requests. Supported formats: PEM, KEY.
- IDP Initiated Login:
- Login URL: The endpoint that the user will visit from their browser to initiate the IDP login flow. (https://maverics.sonarsystems.com/login-sonar)
- Relay State URL: The endpoint that gets passed to the service provider and is intended to be the landing page for the user after the authentication flow is complete. (https://app.sonarsystems.com/index.html)
Click Create to save the configuration.
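As an added example (not Maverics code), this Go snippet shows the checks an identity provider applies to an SP-initiated AuthnRequest using the fields above: the request's Issuer must equal the configured Audience, any AssertionConsumerServiceURL in the request must equal the configured Consumer Service URL, the response validity window comes from Duration, and the NameID format falls back to the documented default. The SAMLApp and ResponsePlan types and the SampleRequest document are constructed for illustration, and the request is assumed to have already had its signature verified with the uploaded Certificate File.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"time"
)

// SAMLApp holds the fields configured on the SAML-based app page.
type SAMLApp struct {
	Audience           string        // must equal the SP's Issuer
	ConsumerServiceURL string        // where responses are sent
	Duration           time.Duration // validity of this server's responses
	NameIDFormat       string        // empty selects the unspecified format
}

// authnRequest is the subset of an SP AuthnRequest this check reads.
type authnRequest struct {
	XMLName xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:protocol AuthnRequest"`
	ID      string   `xml:"ID,attr"`
	ACSURL  string   `xml:"AssertionConsumerServiceURL,attr"`
	Issuer  string   `xml:"urn:oasis:names:tc:SAML:2.0:assertion Issuer"`
}

type ResponsePlan struct {
	InResponseTo, Destination, NameIDFormat string
	NotOnOrAfter                            time.Time
}

// CheckAuthnRequest applies the audience and ACS checks to an already
// signature-verified request; the response always goes to the configured URL.
func (a SAMLApp) CheckAuthnRequest(raw []byte, now time.Time) (ResponsePlan, error) {
	var req authnRequest
	if err := xml.Unmarshal(raw, &req); err != nil {
		return ResponsePlan{}, fmt.Errorf("parse AuthnRequest: %w", err)
	}
	if req.Issuer != a.Audience {
		return ResponsePlan{}, fmt.Errorf("issuer %q does not match audience %q", req.Issuer, a.Audience)
	}
	if req.ACSURL != "" && req.ACSURL != a.ConsumerServiceURL {
		return ResponsePlan{}, fmt.Errorf("requested ACS %q is not the configured consumer service URL", req.ACSURL)
	}
	format := a.NameIDFormat
	if format == "" {
		format = "urn:oasis:names:tc:SAML:1.0:nameid-format:unspecified"
	}
	return ResponsePlan{InResponseTo: req.ID, Destination: a.ConsumerServiceURL, NameIDFormat: format, NotOnOrAfter: now.Add(a.Duration)}, nil
}
// SampleRequest is a constructed, unsigned AuthnRequest for trying the check.
const SampleRequest = `<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_req1" Version="2.0" AssertionConsumerServiceURL="https://app.sonarsystems.com/saml/acs"><saml:Issuer>https://app.sonarsystems.com</saml:Issuer></samlp:AuthnRequest>`
```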
API
API configuration can be used to expose custom HTTP endpoints on the Orchestrator server. These HTTP endpoints can serve custom HTML pages or help facilitate arbitrary identity flows. The API extensions can also be used for other tasks such as running a custom script. For more information on how to create API service extensions, see our Service Extension documentation.
The initial configuration of an API app only requires an app name and icon. The Serve function is automatically populated in the configuration, and is used to define a custom API service extension. Click Create to save this configuration.
After creating the API app configuration, click the app name in the Applications list. On the API configuration page, you can view the following additional sections:
- Metadata: An arbitrary set of key-value pairs that can be made available to this service extension.
- Assets: Upload assets to be used in your service extension. You can reference these within your service extension. They will be deployed with the user flow.