Set up a SAML app

Welcome to the comprehensive guide on setting up Maverics for use with a SAML application. By using Maverics as a SAML auth provider, you can extend your modern app to any identity provider.

This guide is structured to provide both overview and detailed instructions, making it suitable for IT professionals and administrators who are tasked with setting up and managing digital identities. Whether you are new to SAML applications or looking to enhance your existing setup with Maverics, this tutorial is your gateway to a seamless integration process. We’ll cover the following steps:

• Deploy an orchestrator and set it up as a SAML auth provider
• Define your identity fabric
• Configure your SAML application
• Create a service extension (optional)
• Configure your user flow

Deploy an orchestrator and set it up as a SAML auth provider

Before downloading and deploying an orchestrator, you must create an environment. Environments define cloud storage containers where you can deploy user flow configuration and the Orchestrators that will read that configuration for your applications.

For detailed information on how to set up an environment with different cloud storage services, see Configure environments.

Note that you must provide a URL for your orchestrator, which Maverics can use to automatically define several endpoints. The endpoints are shown in the configuration example below.

  issuer: https://maverics.sonarsystems.com
  endpoints:
    metadata: https://maverics.sonarsystems.com/idp/saml/metadata.xml
    singleSignOnService: https://maverics.sonarsystems.com/sso
    singleLogoutService: https://maverics.sonarsystems.com/slo

Additionally, you will need to provide your SAML provider certificate and private key when creating your environment. Optionally, you can check Disable Signed Response and/or Disable Signed Assertion to allow unsigned responses and assertions.

After you’ve created your environment, you can download and install the orchestrator. See Install an orchestrator.

As a best practice, Strata recommends also creating a second environment for your app configurations.

Define your identity fabric

The Maverics identity fabric includes an identity provider and optional attribute providers. Maverics identity providers integrate with several OIDC and SAML legacy and cloud identity providers and leverage them as either authentication providers or attribute providers. Some identity systems act as both authentication and attribute providers.

Go to Identity Fabric and make a selection in the Identity Services panel on the right. You can select any service for use with a SAML app.

On the next page, enter your identity service’s information in the corresponding fields. The required information varies depending on the service and protocol you’ve selected. The example below is a generic OIDC IDP.

For more information on setting up an identity fabric, see Configure identity fabric.

Configure your SAML application

From the Applications page, create a SAML app by selecting SAML-based under Application Types.

Define the following:

• Name: The friendly name of your application.
• App icon: Upload an image for your application to display in Maverics. Maverics supports JPEG, PNG, or SVG, up to 2MB maximum.
• Audience: Denotes who the client is. It should match the Issuer field provided by the service provider.
• Consumer Service URL: The URL where SAML responses will be sent.
• Duration: The duration in seconds for which this server’s responses are valid.
• NameID Format: (Optional) Define the NameID Format that will be used in the SAML assertion. When not defined, a value of urn:oasis:names:tc:SAML:1.0:nameid-format:unspecified will be used.
• Certificate File: Upload a certificate file to verify the signatures of incoming requests. Supported formats: PEM, KEY.
• IDP Initiated Login:
  • Login URL: The endpoint that the user will visit from their browser to initiate the IDP login flow. (https://maverics.sonarsystems.com/login-sonar)
  • Relay State URL: The endpoint that gets passed to the service provider and is intended to be the landing page for the user after the authentication flow is complete. (https://app.sonarsystems.com/index.html)

Click Create to save the configuration.

Create a service extension (optional)

Service Extensions are short Golang programs that hook into extension points within an orchestrator to modify or extend features. They give administrators the ability to customize the behavior of the orchestrator to suit the particular needs of their integration. This step is optional, and you can view documentation on service extensions below. After creating a service extension, you can select it for use when creating your user flow.

Three service extensions are available for use with SAML app flows:

• Authentication: isAuthenticatedSE and authenticateSE service extensions are available to determine if a user is already authenticated and to control the authentication behavior.
• Custom Claims: buildClaimsSE can customize which attributes will be added to the SAML 2.0 AttributeStatement.
• Relay State: buildRelayStateSE can optionally be used to build the RelayState parameter in an IDP-initiated login flow. This extension can be used when the relay state is dynamic and therefore cannot be defined with a static relayStateURL.

After creating these service extensions, you can select them from Authentication and Claims on the user flow page.

Configure your user flow

Next, you’ll create a user flow selecting the SAML app you’ve created.

From the dashboard, click Create user flow. Alternatively, from the sidebar, click User Flows, and click New. Enter a name for the user flow and select an application to use. Click Create.

To edit an existing user flow, click User Flows from the sidebar and click the name of the user flow you want to edit.

The name of the user flow appears at the top of the screen and can be edited. The application appears under the name. You can click the application to edit the app configuration, but you cannot change the application tied to the user flow. However, you can add other configured SAML apps to the user flow.

1. Under Authentication Provider, select an IDP you’ve configured.
2. In the Attribute Providers section, select an attribute provider, a username mapping provider, and a username mapping attribute. Click Add to save your attribute. Repeat this process to add multiple attributes.
3. The Authorization section allows you to define your access policy. By default, users are allowed access unless granted access through an authorization rule.
   • Allow all access is selected by default, and allows all users access without an authorization rule.
   • Select Use rules to define access to apply fine-grain access control and authorization. The Boolean rule builder appears after selecting this option, and allows you to add rules and conditions by provider.
   • Alternatively, you can select a service extension if you have any authorization service extensions already configured.
4. The Claims section allows you to provide additional claims to this user. This maps claims to session attributes provided by the IDP(s) and any optionally defined AttributeProvider(s).
   1. Use the SAML Attributes section to select an attribute provider, a username mapping provider, and a username mapping attribute. Click Add to save your claim. Repeat this process to add multiple claims.
   2. Under NameID mapping, you can define custom NameID mappings in SAML responses. Select a provider and enter the attribute you want to define. Click Add to save the mapping.
   3. If you’ve configured Build Claims or Build Relay State service extensions, you can select them under Service Extensions.
5. To save the complete user flow, clickCommit and Deploy, at the top of the page.
6. The Commit revision modal appears, and you have several options:

• Select an environment and click Commit new revision and deploy to save your user flow changes, and deploy them to the selected environment.
• Select a previous revision and an environment and click Deploy to deploy a previous configuration to the selected environment. The Deploy button only appears after choosing a previous revision from the dropdown.
• Click Commit & close to save the changes to the user flow and close the window (This will not deploy the user flow to an environment).

By following the steps outlined in this guide, you have successfully set up Maverics for use with a SAML application, laying the groundwork for a robust and secure identity management system. As you proceed, remember that each component plays a crucial role in enhancing the security and efficiency of your SAML application integration, ensuring that your organization’s identity management framework is both resilient and adaptable. With Maverics, you’re now equipped to navigate the complexities of digital identity management, fostering a secure and user-friendly environment for your users.