Configure environments

Environments define cloud storage containers where you can deploy user flow configuration and the Orchestrators that will read that configuration for your applications. Create environments (e.g. dev, test, staging, and production), configure cloud storage containers, and assign orchestrators to those environments.

For additional information on environment variables that can be used in the configuration, see Environment Variables.

ℹ️
Production environments should ensure shared storage solutions are secure. Please review our production recommendations for shared storage solutions.
  1. From the sidebar, click Environments, and click the + icon next to the type of storage you would like to configure. If you are creating an evaluation environment, skip to the next section.
  2. Configure the following:

General Settings

  • Name: A friendly name for your environment. For this example, let’s use AWS-staging.
  • Description: Additional description of the environment.
  • Production: This checkbox denotes that this will be used as a Production environment.

Orchestrator Settings

  • Cookie Domain: This field is optional and specifies the hosts to which the session cookie will be sent.
  • Max Lifetime Seconds: This field is optional and represents the maximum number of seconds that can elapse post-authentication before the session’s authentication state becomes invalid.
  • Orchestrator URL: This field is required when configuring the orchestrator as an OIDC or SAML provider.
  • Logout Endpoint: This optional field is the endpoint clients may call to trigger logout from all applications and IDPs.
  • Post-Logout Redirect URL: This field is optional and represents the URL to redirect the client to after the single logout process is complete.
  • Telemetry: When enabled, orchestrators send telemetry data to Maverics, which you can view on the Orchestrator Telemetry page. After you have started your Orchestrator, (re)publish a configuration; the change takes 5-15 min to take effect. This option is turned on by default.

Additional configuration details

  • Additional configuration details will depend on the cloud storage environment you have selected. This usually includes bucket names, access keys, tokens, and configuration file paths. More information on these configuration details is presented later in this topic.
  3. Click Create.
  4. The details of your environment will appear on the next page. From here, download your public key and the Orchestrator appropriate for your operating system. Follow our instructions to install your Orchestrator.

Configuring OIDC Provider and Dynamic Client Registration

Dynamic client registration (DCR) enables OIDC clients to provision themselves with an OIDC provider by sending metadata (client name, redirect URLs, etc.) to the provider and receiving the information required to complete an authentication request for their users (client_id, client_secret, etc.).

Prerequisites

Prior to enabling Dynamic Client Registration, you will need to complete the following steps:

  • Configure an OIDC auth provider
  • Publish an OIDC app type user flow to an environment that defines the IDP for authentication, attribute provider (optional, depending on where claims are sourced), and claims needed by the app

Configuration

To configure DCR when creating an environment:

  1. On the Environment configuration page, scroll down to OIDC Provider.
  2. Click the toggle switch to enable Dynamic Client Registration.
  3. Click OK on the confirmation message.
  4. Copy the client registration endpoint: https://maverics.strata.io/register

Testing

To test DCR, you will need to have an environment and OIDC app configured and deployed before completing the following steps. You will also need to have a web app or API manager to send a POST request.

  1. Go to the environment configured with an OIDC provider, and under OIDC options, click New to create an API key.

  2. Copy the API key ID.

  3. Use an API manager or web application to send a POST request to https://maverics.strata.io/register with the following information:

    • an Authorization header with the bearer token set to your API key ID
    • OIDC app metadata in the request body, per the OAuth 2.0 spec; redirect_uris is required, and all other fields are optional
  4. Check the result to ensure the authorization is inherited.
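As an added example (not Maverics' own code or tooling), the following Python script assembles the registration POST from the steps above and checks the provider's response. The API key ID and client metadata are placeholders, and the redirect URI checks are this example's own defensive policy, not a documented Maverics requirement.

```python
import json
from urllib.parse import urlparse
from urllib.request import Request, urlopen

REGISTRATION_ENDPOINT = "https://maverics.strata.io/register"  # endpoint named on this page

def is_safe_redirect_uri(uri: str) -> bool:
    """Absolute https URL (http only for localhost testing) with no fragment."""
    p = urlparse(uri)
    local_http = p.scheme == "http" and p.hostname in ("localhost", "127.0.0.1")
    return bool(p.netloc) and not p.fragment and (p.scheme == "https" or local_http)

def build_registration_request(api_key_id: str, metadata: dict) -> dict:
    """Assemble the POST from the testing steps: bearer Authorization header
    (API key ID from the environment page) and client metadata as JSON.
    redirect_uris is the one required field; unsafe entries are refused
    before anything is sent (example policy, not a Maverics rule)."""
    uris = metadata.get("redirect_uris")
    if not isinstance(uris, list) or not uris:
        raise ValueError("redirect_uris is required and must be a non-empty list")
    bad = [u for u in uris if not is_safe_redirect_uri(u)]
    if bad:
        raise ValueError(f"unsafe redirect_uri rejected: {bad}")
    return {
        "url": REGISTRATION_ENDPOINT,
        "headers": {"Authorization": f"Bearer {api_key_id}",
                    "Content-Type": "application/json"},
        "body": json.dumps(metadata).encode(),
    }

def parse_registration_response(raw: bytes) -> dict:
    """Check the provider's answer: raise on an OAuth error object, require
    client_id, and redact client_secret so the summary is safe to log."""
    resp = json.loads(raw)
    if "error" in resp:
        raise RuntimeError(f"{resp['error']}: {resp.get('error_description', '')}")
    if "client_id" not in resp:
        raise RuntimeError("registration response lacks client_id")
    summary = dict(resp)
    if "client_secret" in summary:
        summary["client_secret"] = "<redacted>"
    return summary

def register(api_key_id: str, metadata: dict) -> dict:
    """Send the request for real (network access and a valid API key needed)."""
    req = build_registration_request(api_key_id, metadata)
    with urlopen(Request(req["url"], data=req["body"], headers=req["headers"], method="POST")) as r:
        return parse_registration_response(r.read())
```

Keep the unredacted client_secret from the real response in your secret store only; the summary returned here is what should reach logs and dashboards.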

ℹ️
Note: The OIDC user flow will be automatically deployed once Maverics receives the POST request. We recommend that you only deploy one OIDC user flow per environment.

Evaluation environment configuration

When you create an evaluation environment for testing, no additional configuration of the environment is necessary. The following steps occur behind the scenes:

  1. An AWS storage bucket will be created.
  2. The defaults for Orchestrator URL (https://localhost), logout URL (/logout), and other settings will be configured automatically. You can change these settings by clicking the Edit button in the top right-hand corner.
  3. An empty maverics.tar.gz file is then pushed to the cloud storage bucket so that the Orchestrator starts successfully even if no user flow has been published yet.
  4. A downloadable bundle is created with a maverics.env file preconfigured to connect to this environment.

You can only have one eval environment at a time. After you create one, the option to create another is removed from the Environments right sidebar. This environment is provided for testing purposes only and may be deleted after 90 days of inactivity.

Best practices

We recommend using the following best practices when setting up your environment: