Configure environments

Environments define cloud storage containers where you can deploy user flow configuration and the Orchestrators that will read that configuration for your applications. Create environments (e.g. dev, test, staging, and production), configure cloud storage containers, and assign orchestrators to those environments.

Maverics model

For additional information on environment variables that can be used in the configuration, see Environment Variables.

ℹ️
Production environments should ensure shared storage solutions are secure. Please review our production recommendations for shared storage solutions.

Create a new environment

From the sidebar, click Environments, and click the + icon next to the type of storage you would like to configure. If you are creating an evaluation environment, skip to Evaluation environment configuration.

The environment and orchestrator support the app you configure. If you are going to use the environment with a SAML app, you must include the SAML provider details in your environment configuration. If you are using the environment with an OIDC app, include the OIDC provider and, optionally, OIDC cache details in your environment configuration.

⚠️
Making any updates to your environment requires a manual restart of your orchestrator to refresh the settings.

Settings are divided by section as follows.

General Settings

  • Name: A friendly name for your environment. For this example, let’s use AWS-staging.
  • Description: Additional description of the environment.
  • Production: This checkbox denotes that this will be used as a Production environment.

Orchestrator Settings

  • Cookie Domain: This field is optional and specifies the hosts to which the session cookie will be sent.
  • Max Lifetime Seconds: This field is optional and represents the maximum number of seconds that can elapse post-authentication before the session’s authentication state becomes invalid.
  • Orchestrator URL: This field is required when configuring the orchestrator as an OIDC or SAML provider. The orchestrator URL is used to define additional OIDC endpoints and SAML endpoints.
  • Logout Endpoint: This optional field is the endpoint clients may call to trigger logout from all applications and IDPs. Maverics can automatically populate this based on the Orchestrator URL.
  • Post-Logout Redirect URL: This field is optional and represents the URL to redirect the client to after the single logout process is complete. Maverics can automatically populate this based on the Orchestrator URL.
  • Telemetry: When enabled, orchestrators send telemetry data to Maverics. You can view this on the Orchestrator Telemetry page. After you have started your Orchestrator, click Redeploy on a user flow to refresh. This option is turned on by default.

Container configuration details

  • Additional configuration details will depend on the cloud storage environment you have selected. This usually includes bucket names, access keys, tokens, and configuration file paths. For more information on configuration details, see Best practices.

SAML Provider

Configure the following fields if you will be using this environment for a SAML provider (for use with a SAML application).

  • Certificate: The x509 certificate used by clients to validate the signature of SAML assertions.
  • Private Key: The RSA256 private key used to sign SAML assertions.
  • Disable Signed Response: By checking this box, responses will not need to be signed.
  • Disable Signed Assertion: By checking this box, assertions will not need to be signed.

For more information on configuring a SAML provider, see Set up a SAML app.

OIDC Provider

Configure the following fields if you will be using this environment for an OIDC provider (for use with an OIDC application).

  • Dynamic Client Registration: Dynamic client registration (DCR) enables OIDC clients to provision themselves to an OIDC provider by sending metadata (client name, redirect URLs, etc.) to the provider, and receiving the required information to complete an authentication request for its users (client_id, client_secret, etc.). For more information on DCR, see Configuring Dynamic Client Registration.
  • Certificate: The x509 certificate used by clients to validate the signature of OIDC assertions.
  • Private Key: The RSA256 private key used to sign OIDC assertions.

For more information on configuring an OIDC provider, see Set up an OIDC app.

OIDC Cache

ℹ️
OIDC cache is not generally available. To request access to OIDC cache for your account, contact [email protected].

External caches may be defined and used with the orchestrator to enable high availability for OIDC providers/applications. Currently OIDC Cache only supports Redis 6.0 or greater. You will need to configure the following:

  • Addresses: Your Redis server addresses.
  • Username and password: The username and password must be generated via access control list (ACL) in Redis.
  • CA Path: (Optional) The path to your certificate authority when using self-signed certs.
  • Encryption Keys: List of 32-byte encryption keys, ordered from oldest to newest. Keys can be created with OpenSSL (for example: openssl rand -hex 32).
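The following is an added example (not Maverics code) that checks OIDC cache settings against the requirements listed above before they are entered: host:port addresses, ACL credentials, an optional CA path for self-signed certs, and 32-byte hex keys ordered oldest to newest. The field names (addresses, username, password, ca_path, encryption_keys) are this example's own assumptions, as is the rule that rejects the Redis 'default' user.

```python
"""Sanity-check OIDC cache settings (added example, not Maverics code)."""
import os
import secrets


def new_cache_key() -> str:
    """Same output shape as `openssl rand -hex 32`: 32 random bytes as 64 hex chars."""
    return secrets.token_hex(32)


def rotate_keys(keys: list, new_key: str) -> list:
    """Append the new key as the newest; the list stays ordered oldest to newest."""
    return list(keys) + [new_key]


def check_cache_config(cfg: dict) -> list:
    """Return a list of problems; an empty list means the settings look usable."""
    problems = []
    addrs = cfg.get("addresses") or []
    for addr in addrs:
        host, sep, port = addr.rpartition(":")
        if not sep or not host or not port.isdigit():
            problems.append(f"address {addr!r} is not host:port")
    if not addrs:
        problems.append("at least one Redis address is required")
    # Credentials must come from a Redis ACL user; refusing 'default' (the
    # built-in all-access user) is this example's own stricter rule.
    if not cfg.get("username") or cfg.get("username") == "default":
        problems.append("username must be an ACL user other than 'default'")
    if not cfg.get("password"):
        problems.append("password is required")
    ca = cfg.get("ca_path")
    if ca and not os.path.isfile(ca):
        problems.append(f"ca_path {ca!r} does not exist")
    keys = cfg.get("encryption_keys") or []
    if not keys:
        problems.append("at least one encryption key is required")
    for i, key in enumerate(keys):
        try:
            raw = bytes.fromhex(key)  # hex as produced by openssl rand -hex
        except ValueError:
            problems.append(f"encryption key {i} is not hex")
            continue
        if len(raw) != 32:
            problems.append(f"encryption key {i} is {len(raw)} bytes, expected 32")
    if len(set(keys)) != len(keys):
        problems.append("encryption keys must be unique")
    return problems
```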

Click Create. The details of your environment will appear on the next page.

Best practices

We recommend using the following best practices when setting up your environment:

Environment details page

The environment details page appears after you’ve created the environment. You can also navigate to this page by selecting an environment on the Environments page.

The details page is divided into several categories.

Orchestrator or Orchestrator Evaluation Bundle

Download the installer based on your OS and follow the documentation to install and setup.

For evaluation environments, this section provides an evaluation bundle. This bundle contains everything you need to connect to this environment, including public keys and certificate files, an environment file, and an orchestrator. After downloading the file appropriate for your OS, you can then run the orchestrator included in the bundle.

Resources

From this section, you can download the public key for your environment. You can also download the Windows Client Authenticator installer.

Deployed User Flows

This table shows the user flows that have been deployed to this environment, including the revision number and the user. Click Download configuration to download a maverics.tar.gz bundle of the full configuration, including service extensions. Click Redeploy to refresh all user flows in the environment.

OIDC options

OIDC options appear on environments set up for use with an OIDC app. For more information on OIDC options and DCR, see Configuring Dynamic Client Registration.

For more information on configuring an OIDC provider, see Set up an OIDC app.

SAML details

SAML options appear on environments set up for use with a SAML app. You can download the SAML signing certificate and SAML metadata in these sections to set up a SAML service provider.

For more information on configuring a SAML provider, see Set up a SAML app.

Configuring OIDC Provider and Dynamic Client Registration

Dynamic client registration (DCR) enables OIDC clients to provision themselves to an OIDC provider by sending metadata (client name, redirect URLs, etc.) to the provider, and receiving the required information to complete an authentication request for its users (client_id, client_secret, etc.).

Prerequisites

Prior to enabling Dynamic Client Registration, you will need to complete the following steps:

  • Configure an OIDC auth provider
  • Publish an OIDC app type user flow to an environment that defines the IDP for authentication, attribute provider (optional, depending on where claims are sourced), and claims needed by the app

Configuration

To configure DCR when creating an environment:

  1. On the Environment configuration page, scroll down to OIDC Provider.
  2. Click the toggle switch to enable Dynamic Client Registration.
  3. Click OK on the confirmation message.
  4. Copy the client registration endpoint: https://maverics.strata.io/register

Testing

To test DCR, you will need to have an environment and OIDC app configured and deployed before completing the following steps. You will also need to have a web app or API manager to send a POST request.

  1. Go to the environment configured with an OIDC provider, and under OIDC options, click New to create an API key.

  2. Copy the API key ID.

  3. Use an API manager or web application to send a POST request to https://maverics.strata.io/register with the following information:

    • an Authorization header with the bearer token set to your API key ID
    • OIDC app metadata in the body of the request per the OAuth 2.0 spec. redirect_uris is required, but all other fields are optional
  4. Check the result to ensure the authorization is inherited.

ℹ️
Note: The OIDC user flow will be automatically deployed once Maverics receives the POST request. We recommend that you only deploy one OIDC user flow per environment.
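The following is an added example (not Maverics code) that builds the DCR request from the Testing steps above and checks the reply. The endpoint and bearer-token header are taken from the steps; the redirect_uris rules (absolute, https except loopback, no fragment) follow RFC 7591 / OAuth 2.0, and the request is constructed but not sent.

```python
"""Build and check a Dynamic Client Registration request (added example, not Maverics code)."""
import json
import urllib.request
from urllib.parse import urlsplit

REGISTER_URL = "https://maverics.strata.io/register"  # endpoint from the Configuration steps


def validate_client_metadata(metadata: dict) -> list:
    """Return problems with the metadata body; empty list means it is acceptable."""
    problems = []
    uris = metadata.get("redirect_uris")
    if not isinstance(uris, list) or not uris:
        return ["redirect_uris must be a non-empty list"]  # the only required field
    for uri in uris:
        parts = urlsplit(uri)
        if not parts.scheme or not parts.netloc:
            problems.append(f"{uri}: not an absolute URI")
        elif parts.scheme != "https" and parts.hostname not in ("localhost", "127.0.0.1"):
            problems.append(f"{uri}: non-https redirect URI")
        if parts.fragment:
            problems.append(f"{uri}: redirect URI must not contain a fragment")
    return problems


def build_registration_request(api_key_id: str, metadata: dict) -> urllib.request.Request:
    """Return the POST described in the Testing steps; call urllib.request.urlopen(req) to send it."""
    problems = validate_client_metadata(metadata)
    if problems:
        raise ValueError("; ".join(problems))
    return urllib.request.Request(
        REGISTER_URL,
        data=json.dumps(metadata).encode(),
        method="POST",
        headers={
            "Authorization": f"Bearer {api_key_id}",  # API key ID copied in step 2
            "Content-Type": "application/json",
        },
    )


def check_registration_response(raw: bytes) -> dict:
    """Parse the provider's reply and confirm it carries what the client needs."""
    resp = json.loads(raw)
    for field in ("client_id", "client_secret"):
        if not resp.get(field):
            raise ValueError(f"registration response lacks {field}")
    return resp
```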

Evaluation environment configuration

When you create an evaluation environment for testing, no additional configuration of the environment is necessary. The following steps occur behind the scenes:

  1. An AWS storage bucket will be created.
  2. The defaults for Orchestrator URL (https://localhost), logout URL (/logout), and other settings will be configured automatically. You can change these settings by clicking the Edit button in the top right-hand corner.
  3. An empty maverics.tar.gz file is then pushed to the cloud storage bucket so the orchestrator will start up successfully in case there is no user flow published yet.
  4. A downloadable bundle is created with a maverics.env file preconfigured to connect to this environment.

You can only have one eval environment at a time. After you create one, the option to create another is removed from the Environments right sidebar. This environment is provided for testing purposes only and may be deleted after 90 days of inactivity.

For a step-by-step walkthrough, use the Learning Center topic, “Getting Started: Evaluation Environment.”

Orchestrator resources

For more information on setting up environments, we recommend the following Orchestrator reference topics: