Configure identity fabric
Maverics integrates with several OIDC and SAML legacy and cloud identity services and can leverage them as either authentication providers or attribute stores, with some identity systems acting as both.
Attribute providers enable Maverics to act as a source of user attributes. Attribute providers can be leveraged to enhance a user’s profile with additional data from multiple sources to provide a richer user experience.
Once you’ve set up your identity services and configured an app, you can then configure a user flow to connect your identity fabric to your app.
Generic OIDC and OIDC services
Maverics requires the following information for most OIDC services:
- Name: A friendly name for your OIDC services.
- OIDC Well Known URL: The URL that returns OpenID Connect metadata about the OIDC authorization server.
- OAuth Client ID: The client ID of the Maverics application registered in the OIDC organization.
- OAuth Client Secret: The client secret of the Maverics application registered in the OIDC organization.
- Redirect URL: The URL that the OIDC server will use to redirect the client back to after authentication. The Maverics OIDC handler will be served on this URL.
- Logout Callback URL: The URL that the OIDC server will call back once logout is successful. Ensure your OIDC server’s logout url setting matches the URL value specified here.
- Scopes: Define the scopes which are requested as part of the OIDC authentication flow. Scopes should be separated by a space. For example,
openid profile email
- Proof Key for Code Exchange (PKCE): By default, this service follows the Authorization Code Flow with Proof Key for Code Exchange (PKCE). If your service is not configured to support PKCE, disable this option.
Generic SAML and SAML services
Maverics requires the following information for most SAML services:
- Name: A friendly name for your SAML service.
- Metadata URL: This is the metadata URL from the application configured in the SAML service. This setting will accept a file:/// URI if the metadata file is saved on a filesystem accessible to the Orchestrator user.
- Consumer Service (ACS) URL: The URL that the SAML service will use to POST the SAML response. The Maverics SAML ACS handler will be served on this URL, and it should not conflict with the path of any application resources. The path can be arbitrary (e.g. /maverics-saml or /saml-handler), but must match the service’s configuration for the specified Entity ID. (https://orchestrator.example.com/acs).
- Logout Callback URL: The URL that the SAML server will call back once logout is successful. Ensure your SAML service service’s logout URL setting matches the URL value specified here.
- Identifier (Entity ID): The unique application entity ID assigned to the application.
- Service Provider Certificate: (Optional) The path to the certificate that will be used to sign SAML authentication requests.
- Signing Private Key Path: (Optional) The path to the private key that will be used to sign SAML authentication requests.
- Name ID Format: Defines the SAML Subject NameID format specified for the app in your SAML service.
- IdP Initiated Login: Accept unsolicited SAML responses from the configured IDP. This is disabled by default.
LDAP authentication provider
Maverics requires the following information for LDAP authentication providers.
- Name: A friendly name for your LDAP service.
- URL: The URL of the LDAP server that Maverics connects with.
- Service Account Username: The username used to connect to the LDAP server.
- Service Account Password: The password used to connect to the LDAP server.
- Base DN: Specifies the location in which to perform the LDAP search.
- OUD Search Key: Key to filter on during query and bind operations.
- Authentication Search Scope: Provide the attribute you want to use for looking up user and group data. You can select from
baseObject
,singleLevel
, orwholeSubtree
.
Identity Service Health Monitoring
Identity Service Health Monitoring is a feature used as part of Identity Continuity™ and is available for OIDC, SAML, and LDAP identity services. When enabled, this feature allows the orchestrator to continuously poll the identity service and trigger an alert if it can’t be reached.
You will need to configure Identity Service Health Monitoring for each identity service used in your continuity strategy.
When this feature is enabled, the following fields can be configured:
- Polling frequency: The interval between each health check of the identity service. This can be set in seconds, minutes, or hours.
- Timeout: The maximum wait time for a response. This can be set in seconds, minutes, or hours.
- Failover threshold: The number of consecutive negative (down) health check results to trigger a failover.
- Fallback threshold: The number of consecutive positive (up) health check results to trigger a fallback.
- Custom health check endpoint: (Optional) A custom endpoint to control failover and fallback actions (e.g., https://example.com/health).
- Expected status codes: (Optional) The http status codes that the custom heath check returns to be considered healthy. Accepts comma seperated values (e.g., 200, 300, 400).
- Response body matcher: (Optional) A matcher that verifies the expected value in the response body of a health check (e.g., ‘Up’ or ‘Down’).
LDAP Attribute Provider
LDAP attribute providers only pull user attributes, groups, and other attributes using the LDAP protocol, and cannot be used as an identity provider or authentication service. Maverics requires the following information for LDAP attribute providers.
- Name: A friendly name for your LDAP attribute provider.
- URL: The URL of the LDAP server that Maverics connects with.
- Service Account Username: The username used to connect to the LDAP server.
- Service Account Password: The password used to connect to the LDAP server.
- Attribute Delimiter: (Optional) The delimiter used to separate multi-valued attributes. This field is only necessary if an attribute is multi-valued. If no value is provided, a default of “,” will be used for the delimiter.
- Base DN: Specifies the location in which to perform the LDAP search.
- OUD Search Key: Key to filter on during query and bind operations.
Setting up identity services for use with Maverics
Windows Client Authenticator
You can configure Maverics to accept authentication using Integrated Windows Authentication. To use the Windows Client Authenticator App, it must be installed on the IIS server. For more information, see Windows Client Authenticator App for Maverics.
HYPR Passwordless Authentication
To set up Maverics to use HYPR for passwordless authentication, you will need the following details:
- Name: A friendly name for your HYPR provider.
- HYPR Domain: The base domain of the HYPR account.
- HYPR App ID: The name of the application as defined in the HYPR Control Center.
- Access Token: An access token configured in the HYPR Control Center.
Setting up external identity fabric services
We recommend using the following best practices when setting up your identity fabric for testing/evaluation purposes only.