Set up a SAML app

Welcome to the comprehensive guide on setting up Maverics for use with a SAML application. By using Maverics as a SAML auth provider, you can extend your modern app to any identity provider.

SAML app flow

This guide gives both an overview and step-by-step instructions for administrators who set up and manage digital identities. Whether you are new to SAML applications or extending an existing Maverics setup, it covers the following steps:

  • Deploy an orchestrator and set it up as a SAML auth provider
  • Define your identity fabric
  • Configure your SAML application
  • Create a service extension (optional)
  • Configure your user flow

Deploy an orchestrator and set it up as a SAML auth provider

Before downloading and deploying an orchestrator, you must create an environment. Environments define cloud storage containers where you can deploy user flow configuration and the Orchestrators that will read that configuration for your applications.

For detailed information on how to set up an environment with different cloud storage services, see Configure environments.

SAML environment configuration

Note that you must provide a URL for your orchestrator, which Maverics can use to automatically define several endpoints. The endpoints are shown in the configuration example below.

  issuer: https://maverics.sonarsystems.com
  endpoints:
    metadata: https://maverics.sonarsystems.com/idp/saml/metadata.xml
    singleSignOnService: https://maverics.sonarsystems.com/sso
    singleLogoutService: https://maverics.sonarsystems.com/slo

Additionally, you will need to provide your SAML provider certificate and private key when creating your environment: the private key signs the responses and assertions the orchestrator issues, and the certificate is what service providers use to verify those signatures. Optionally, you can check Disable Signed Response and/or Disable Signed Assertion to allow unsigned responses and assertions. Leave both unchecked outside of testing; a service provider that accepts unsigned responses or assertions has no way to tell a response from this orchestrator apart from one forged by anyone who can reach its consumer service URL.

After you’ve created your environment, you can download and install the orchestrator. See Install an orchestrator.

As a best practice, Strata recommends also creating a second environment for your app configurations.

Define your identity fabric

The Maverics identity fabric consists of an identity provider and optional attribute providers. Maverics integrates with legacy and cloud identity systems over OIDC and SAML, and can use each of them as an authentication provider, an attribute provider, or both.

Go to Identity Fabric and make a selection in the Identity Services panel on the right. You can select any service for use with a SAML app.

On the next page, enter your identity service’s information in the corresponding fields. The required information varies depending on the service and protocol you’ve selected. The example below is a generic OIDC IDP.

Generic OIDC IDP configuration

For more information on setting up an identity fabric, see Configure identity fabric.

Configure your SAML application

From the Applications page, create a SAML app by selecting SAML-based under Application Types.

SAML app configuration

Define the following:

  • Name: The friendly name of your application.
  • App icon: Upload an image for your application to display in Maverics. Maverics supports JPEG, PNG, or SVG, up to 2MB maximum.
  • Audience: Identifies the service provider the assertion is intended for; the value is placed in the assertion's AudienceRestriction. It must match the entity ID (the Issuer field) provided by the service provider.
  • Consumer Service URL: The URL where SAML responses will be sent.
  • Duration: The duration in seconds for which this server’s responses are valid.
  • NameID Format: (Optional) Define the NameID Format that will be used in the SAML assertion. When not defined, a value of urn:oasis:names:tc:SAML:1.0:nameid-format:unspecified will be used.
  • Certificate File: Upload a certificate file to verify the signatures of incoming requests. Supported formats: PEM, KEY.
  • IDP Initiated Login: (Optional) Allow login flows that start at Maverics rather than with an authentication request from the service provider. The RelayState sent with the response comes from a static relayStateURL or, when it has to be computed, from a Build Relay State service extension.

Click Create to save the configuration.
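The fields above are exactly what the service provider checks when a response arrives, so it helps to see them from that side. The Go program below is an added example, not Maverics code: it constructs an unsigned sample SAML Response carrying the issuer URL from the environment configuration and a hypothetical service provider configuration (the app.example.com entity ID and consumer service URL are assumptions), then runs the service-provider-side checks of Destination, Issuer, AudienceRestriction, the validity window that Duration produces, and NameID Format. In a real service provider, XML-DSig verification against the certificate exchanged here must run before these checks; it needs an XML signature library and is not shown.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"time"
)

// SPConfig mirrors the SAML app fields on this page. DemoConfig's values are example
// assumptions; only the issuer URL comes from the environment configuration above.
type SPConfig struct {
	Issuer, Audience, ACSURL, NameIDFormat string
	Duration                               time.Duration
}

func DemoConfig() SPConfig {
	return SPConfig{
		Issuer:       "https://maverics.sonarsystems.com",
		Audience:     "https://app.example.com/saml/metadata", // assumed SP entity ID
		ACSURL:       "https://app.example.com/saml/acs",      // assumed Consumer Service URL
		NameIDFormat: "urn:oasis:names:tc:SAML:1.0:nameid-format:unspecified",
		Duration:     5 * time.Minute,
	}
}

// samlResponse is a minimal view of a SAML 2.0 Response: only what the checks need.
type samlResponse struct {
	XMLName     xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:protocol Response"`
	Destination string   `xml:"Destination,attr"`
	Issuer      string   `xml:"urn:oasis:names:tc:SAML:2.0:assertion Issuer"`
	Assertion   struct {
		Issuer  string `xml:"Issuer"`
		Subject struct {
			NameID struct {
				Format string `xml:"Format,attr"`
				Value  string `xml:",chardata"`
			} `xml:"NameID"`
		} `xml:"Subject"`
		Conditions struct {
			NotBefore    string   `xml:"NotBefore,attr"`
			NotOnOrAfter string   `xml:"NotOnOrAfter,attr"`
			Audiences    []string `xml:"AudienceRestriction>Audience"`
		} `xml:"Conditions"`
	} `xml:"urn:oasis:names:tc:SAML:2.0:assertion Assertion"`
}

// ValidateResponse performs the service-provider-side checks that follow signature
// verification: Destination, Issuer, AudienceRestriction, validity window and NameID
// Format. XML-DSig verification against the IdP certificate is not implemented here.
func ValidateResponse(cfg SPConfig, raw []byte, now time.Time) error {
	var r samlResponse
	if err := xml.Unmarshal(raw, &r); err != nil {
		return fmt.Errorf("malformed response: %w", err)
	}
	if r.Destination != cfg.ACSURL {
		return fmt.Errorf("destination %q is not the consumer service URL", r.Destination)
	}
	if r.Issuer != cfg.Issuer || r.Assertion.Issuer != cfg.Issuer {
		return fmt.Errorf("issuer %q is not the configured IdP", r.Assertion.Issuer)
	}
	c := r.Assertion.Conditions
	audienceOK := false
	for _, aud := range c.Audiences {
		audienceOK = audienceOK || aud == cfg.Audience
	}
	if !audienceOK {
		return fmt.Errorf("audience %v does not include %q", c.Audiences, cfg.Audience)
	}
	nb, errNB := time.Parse(time.RFC3339, c.NotBefore)
	noa, errNOA := time.Parse(time.RFC3339, c.NotOnOrAfter)
	if errNB != nil || errNOA != nil || now.Before(nb) || !now.Before(noa) {
		return fmt.Errorf("not valid at %s (window %s to %s)", now.Format(time.RFC3339), c.NotBefore, c.NotOnOrAfter)
	}
	if f := r.Assertion.Subject.NameID.Format; f != cfg.NameIDFormat {
		return fmt.Errorf("nameid format %q, expected %q", f, cfg.NameIDFormat)
	}
	return nil
}

// SampleResponse builds a constructed, unsigned response for the example. NotBefore
// and NotOnOrAfter are derived from issuedAt and the configured Duration.
func SampleResponse(cfg SPConfig, issuedAt time.Time, issuer, audience string) []byte {
	nb := issuedAt.UTC().Format(time.RFC3339)
	noa := issuedAt.UTC().Add(cfg.Duration).Format(time.RFC3339)
	return []byte(fmt.Sprintf(`<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" IssueInstant="%s" Destination="%s">
  <saml:Issuer>%s</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="%s">
    <saml:Issuer>%s</saml:Issuer>
    <saml:Subject><saml:NameID Format="%s">jdoe</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="%s" NotOnOrAfter="%s">
      <saml:AudienceRestriction><saml:Audience>%s</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>`, nb, cfg.ACSURL, issuer, nb, issuer, cfg.NameIDFormat, nb, noa, audience))
}

func main() {
	cfg, issued := DemoConfig(), time.Date(2024, 5, 1, 12, 0, 0, 0, time.UTC)
	good := SampleResponse(cfg, issued, cfg.Issuer, cfg.Audience)
	fmt.Println("valid:", ValidateResponse(cfg, good, issued.Add(time.Minute)))
	fmt.Println("expired:", ValidateResponse(cfg, good, issued.Add(10*time.Minute)))
	fmt.Println("wrong audience:", ValidateResponse(cfg, SampleResponse(cfg, issued, cfg.Issuer, "https://other.example.com"), issued.Add(time.Minute)))
}
```

The Duration you configure becomes the gap between NotBefore and NotOnOrAfter; keep it short, since a captured response can be replayed to the consumer service URL until NotOnOrAfter passes.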

Create a service extension (optional)

Service Extensions are short Golang programs that hook into extension points within an orchestrator to modify or extend features. They give administrators the ability to customize the behavior of the orchestrator to suit the particular needs of their integration. This step is optional, and you can view documentation on service extensions below. After creating a service extension, you can select it for use when creating your user flow.

Three service extensions are available for use with SAML app flows:

  • Authentication: isAuthenticatedSE and authenticateSE service extensions are available to determine if a user is already authenticated and to control the authentication behavior.
  • Custom Claims: buildClaimsSE can customize which attributes will be added to the SAML 2.0 AttributeStatement.
  • Relay State: buildRelayStateSE can optionally be used to build the RelayState parameter in an IDP-initiated login flow. This extension can be used when the relay state is dynamic and therefore cannot be defined with a static relayStateURL.

After creating these service extensions, you can select them from Authentication and Claims on the user flow page.
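The signatures of the Maverics service-extension API are not on this page, so the Go below is generic code added here as an example, not a Maverics extension you can drop in. It implements the two decisions a Build Claims and a Build Relay State extension make: which session attributes become entries in the SAML AttributeStatement, and what RelayState an IDP-initiated flow is allowed to carry. Function names, the app.example.com service provider and the sample session are all assumptions.

```go
package main

import (
	"fmt"
	"net/url"
	"sort"
	"strings"
)

// SAMLAttribute is one entry destined for the assertion's AttributeStatement.
type SAMLAttribute struct {
	Name   string
	Values []string
}

// BuildClaims maps session attributes (as delivered by the IdP and attribute
// providers) onto SAML attribute names through an explicit allowlist. Anything the
// mapping does not name is dropped, so the SP never receives attributes it was not
// meant to see, and empty values are removed rather than sent as "".
func BuildClaims(session map[string][]string, mapping map[string]string) []SAMLAttribute {
	out := make([]SAMLAttribute, 0, len(mapping))
	for sessionKey, samlName := range mapping {
		var vals []string
		for _, v := range session[sessionKey] {
			if s := strings.TrimSpace(v); s != "" {
				vals = append(vals, s)
			}
		}
		if len(vals) == 0 {
			continue
		}
		out = append(out, SAMLAttribute{Name: samlName, Values: vals})
	}
	// Map iteration order is random; sort so the AttributeStatement is deterministic.
	sort.Slice(out, func(i, j int) bool { return out[i].Name < out[j].Name })
	return out
}

// BuildRelayState turns a requested post-login target into the RelayState for an
// IdP-initiated flow. Only absolute paths on the SP's own HTTPS origin are accepted;
// full and scheme-relative URLs are rejected so the IdP cannot be used as an open
// redirector, and the result is capped at the 80 bytes the SAML bindings allow.
func BuildRelayState(spBase, target string) (string, error) {
	base, err := url.Parse(spBase)
	if err != nil || base.Scheme != "https" || base.Host == "" {
		return "", fmt.Errorf("invalid SP base URL %q", spBase)
	}
	if !strings.HasPrefix(target, "/") || strings.HasPrefix(target, "//") || strings.HasPrefix(target, "/\\") {
		return "", fmt.Errorf("relay target %q must be an absolute path on the SP", target)
	}
	t, err := url.Parse(target)
	if err != nil || t.Scheme != "" || t.Host != "" {
		return "", fmt.Errorf("relay target %q must not carry a scheme or host", target)
	}
	rs := base.ResolveReference(t).String()
	if len(rs) > 80 {
		return "", fmt.Errorf("relay state %d bytes, limit is 80", len(rs))
	}
	return rs, nil
}

func main() {
	session := map[string][]string{ // constructed sample session, not real data
		"email": {"jdoe@example.com"}, "groups": {"admins", " ", "dev"}, "ssn": {"123-45-6789"},
	}
	mapping := map[string]string{"email": "mail", "groups": "memberOf", "displayName": "cn"}
	for _, a := range BuildClaims(session, mapping) {
		fmt.Println(a.Name, a.Values) // ssn is never emitted; displayName has no value
	}
	for _, target := range []string{"/dashboard?x=1", "//evil.example/x", "https://evil.example/"} {
		rs, err := BuildRelayState("https://app.example.com", target)
		fmt.Printf("%q -> %q %v\n", target, rs, err)
	}
}
```

The allowlist direction matters: mapping from session keys you choose to SAML names means a new attribute appearing in the session (from a changed attribute provider, say) is not forwarded until someone adds it deliberately.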

SAML service extensions

Configure your user flow

Next, you’ll create a user flow selecting the SAML app you’ve created.

From the dashboard, click Create user flow. Alternatively, from the sidebar, click User Flows, and click New. Enter a name for the user flow and select an application to use. Click Create.

To edit an existing user flow, click User Flows from the sidebar and click the name of the user flow you want to edit.

The name of the user flow appears at the top of the screen and can be edited. The application appears under the name. You can click the application to edit the app configuration, but you cannot change the application tied to the user flow. However, you can add other configured SAML apps to the user flow.

SAML user flow

  1. Under Authentication Provider, select an IDP you’ve configured.
  2. In the Attribute Providers section, select an attribute provider, a username mapping provider, and a username mapping attribute. Click Add to save your attribute. Repeat this process to add multiple attributes.
  3. The Claims section allows you to provide additional claims to this user. This maps claims to session attributes provided by the IDP(s) and any optionally defined AttributeProvider(s).
    1. Use the SAML Attributes section to select an attribute provider, a username mapping provider, and a username mapping attribute. Click Add to save your claim. Repeat this process to add multiple claims.
    2. Under NameID mapping, you can define custom NameID mappings in SAML responses. Select a provider and enter the attribute you want to define. Click Add to save the mapping.
    3. If you’ve configured Build Claims or Build Relay State service extensions, you can select them under Service Extensions.
  4. To save the complete user flow, click Deploy… at the top of the page.
  5. The Choose revision and environment modal appears. The Revision field reflects the latest number. Select an environment to deploy to and click Preview.
  6. On the Deployment Preview screen, you can view the revision history and a diff view of the current user flow against the new user flow (if you’re editing an existing user flow).
  7. Click Deploy at the top of the screen to deploy the latest revision to your selected environment.

By following the steps in this guide you have deployed an orchestrator as a SAML auth provider, connected it to an identity fabric, configured a SAML application and optional service extensions, and deployed a user flow. Each component has a security role: the environment's private key and certificate make responses verifiable, the Audience and Consumer Service URL bind each assertion to one service provider, the Duration bounds how long a captured response can be replayed, and the claims mapping decides which attributes leave your identity fabric.