Configure identity fabric

Maverics integrates with several OIDC and SAML legacy and cloud identity providers and can leverage them as either authentication providers or attribute providers, with some identity systems acting as both.

Attribute providers enable Maverics to act as a source of user attributes. Attribute providers can be leveraged to enhance a user’s profile with additional data from multiple sources to provide a richer user experience.

Once you’ve set up your identity providers and configured an app, you can then configure a user flow to connect your identity fabric to your app.

ℹ️ Production environments should use a secret management solution. Maverics integrates with various secret management solutions, which store secrets that Orchestrator instances load at startup.

Generic OIDC and OIDC providers

Maverics requires the following information for most OIDC providers:

  • Name: A friendly name for your OIDC provider.
  • OIDC Well Known URL: The URL that returns OpenID Connect metadata about the OIDC authorization server.
  • OAuth Client ID: The client ID of the Maverics application registered in the OIDC organization.
  • OAuth Client Secret: The client secret of the Maverics application registered in the OIDC organization.
  • Redirect URL: The URL that the OIDC server will use to redirect the client back to after authentication. The Maverics OIDC handler will be served on this URL.
  • Logout Callback URL: The URL that the OIDC server will call back once logout is successful. Ensure your OIDC server’s logout URL setting matches the URL value specified here.
  • Scopes: Define the scopes which are requested as part of the OIDC authentication flow. Scopes should be separated by a space, for example: openid profile email
  • Proof Key for Code Exchange (PKCE): By default, this provider follows the Authorization Code Flow with Proof Key for Code Exchange (PKCE). If your provider is not configured to support PKCE, disable this option.
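The fields above are only consistent if the provider's discovery document actually supports them. The following script is an added example (not Maverics code): it takes the JSON returned by an OIDC Well Known URL, or the constructed sample embedded below, and checks that the Authorization Code Flow endpoints are present, that the space-separated scopes are advertised, that S256 PKCE is advertised when PKCE is left enabled, and that the Redirect URL and Logout Callback URL are served over HTTPS. The issuer https://idp.example.com and the orchestrator URLs are assumptions.

```python
"""Sanity-check an OIDC provider's discovery document against the Maverics OIDC fields.

Added example, not Maverics code. The sample discovery document is constructed.
"""
import json
import urllib.request
from urllib.parse import urlparse

# Endpoints the Authorization Code Flow needs; a provider that omits one cannot complete login.
REQUIRED_KEYS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")

# Constructed sample of what a Well Known URL returns (https://idp.example.com is hypothetical).
SAMPLE_DISCOVERY = {
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/oauth2/authorize",
    "token_endpoint": "https://idp.example.com/oauth2/token",
    "jwks_uri": "https://idp.example.com/oauth2/keys",
    "scopes_supported": ["openid", "profile", "email", "groups"],
    "response_types_supported": ["code"],
    "code_challenge_methods_supported": ["S256"],
}


def load_discovery(well_known_url: str) -> dict:
    """Fetch and parse the discovery document from the provider (network access required)."""
    with urllib.request.urlopen(well_known_url, timeout=10) as resp:
        return json.load(resp)


def check_oidc_config(
    discovery: dict,
    well_known_url: str,
    scopes: str,
    redirect_url: str,
    logout_callback_url: str,
    pkce_enabled: bool = True,
) -> list[str]:
    """Return a list of problems; an empty list means the configuration is consistent."""
    problems: list[str] = []

    for key in REQUIRED_KEYS:
        if not discovery.get(key):
            problems.append(f"discovery document is missing '{key}'")

    # The Well Known URL must belong to the issuer that signs the tokens.
    issuer = discovery.get("issuer", "")
    if issuer and well_known_url != issuer.rstrip("/") + "/.well-known/openid-configuration":
        problems.append(f"well-known URL {well_known_url} does not match issuer {issuer}")

    # Scopes are space separated; 'openid' is mandatory for an OIDC login.
    requested = scopes.split()
    if "openid" not in requested:
        problems.append("scopes must include 'openid'")
    advertised = set(discovery.get("scopes_supported", []))
    if advertised:
        problems.extend(
            f"scope '{s}' is not advertised by the provider" for s in requested if s not in advertised
        )

    if "code" not in discovery.get("response_types_supported", []):
        problems.append("provider does not advertise the 'code' response type")

    # With PKCE enabled a code challenge is sent; the provider must accept S256.
    if pkce_enabled and "S256" not in discovery.get("code_challenge_methods_supported", []):
        problems.append("PKCE is enabled but the provider does not advertise S256")

    # Authorization codes and logout confirmations must not travel over plaintext HTTP.
    for label, url in (("Redirect URL", redirect_url), ("Logout Callback URL", logout_callback_url)):
        if url and urlparse(url).scheme != "https":
            problems.append(f"{label} must use https, got {url}")

    return problems


if __name__ == "__main__":
    for problem in check_oidc_config(
        SAMPLE_DISCOVERY,
        "https://idp.example.com/.well-known/openid-configuration",
        "openid profile email",
        "https://orchestrator.example.com/oidc",
        "https://orchestrator.example.com/logout",
    ):
        print("problem:", problem)
```

Run it with `load_discovery(<your Well Known URL>)` in place of the sample before enabling the provider; an empty result means the values you enter in the fields above agree with what the provider actually offers, and a PKCE finding tells you whether to leave the PKCE option enabled.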

Generic SAML and SAML providers

Maverics requires the following information for most SAML providers:

  • Name: A friendly name for your SAML provider.
  • Metadata URL: This is the metadata URL from the application configured in the SAML provider. This setting will accept a file:/// URI if the metadata file is saved on a filesystem accessible to the Orchestrator user.
  • Consumer Service (ACS) URL: The URL that the SAML provider will use to POST the SAML response. The Maverics SAML ACS handler will be served on this URL, and it should not conflict with the path of any application resources. The path can be arbitrary (e.g. /maverics-saml or /saml-handler), but must match the provider’s configuration for the specified Entity ID (for example, https://orchestrator.example.com/acs).
  • Logout Callback URL: The URL that the SAML server will call back once logout is successful. Ensure your SAML service provider’s logout URL setting matches the URL value specified here.
  • Identifier (Entity ID): The unique application entity ID assigned to the application.
  • Service Provider Certificate: (Optional) The path to the certificate that will be used to sign SAML authentication requests.
  • Signing Private Key Path: (Optional) The path to the private key that will be used to sign SAML authentication requests.
  • Name ID Format: Defines the SAML Subject NameID format specified for the app in your SAML provider.
  • IdP Initiated Login: Accept unsolicited SAML responses from the configured IdP. This is disabled by default.
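Most of the SAML fields above are constrained by what the IdP's metadata advertises. The following script is an added example (not Maverics code): it loads metadata from a Metadata URL (https:// or, as the field allows, file:///), extracts the entity ID, SSO/SLO endpoints, advertised NameID formats and signing certificates, and reports a Name ID Format the IdP does not advertise, a non-HTTPS ACS or logout callback URL, a missing Signing Private Key Path when the IdP requires signed AuthnRequests, and metadata with no signing certificate (responses could not be verified). The sample metadata, https://idp.example.com and the certificate placeholder are constructed.

```python
"""Parse SAML IdP metadata and check it against the Maverics SAML provider fields.

Added example, not Maverics code. The sample metadata is constructed.
"""
import urllib.request
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"

# Constructed IdP metadata; the certificate body is a placeholder, not real key material.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/saml">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER-CERT-BASE64</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/sso"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/slo"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def load_metadata(metadata_url: str) -> str:
    """Read metadata from an https:// URL or a file:/// URI, as the Metadata URL field allows."""
    with urllib.request.urlopen(metadata_url, timeout=10) as resp:
        return resp.read().decode("utf-8")


def parse_idp_metadata(xml_text: str) -> dict:
    """Extract the parts of IdP metadata that the SAML provider fields refer to."""
    root = ET.fromstring(xml_text)
    idp = root.find(f"{MD}IDPSSODescriptor")
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor; is this IdP metadata?")
    certs = [
        c.text.strip()
        for kd in idp.findall(f"{MD}KeyDescriptor")
        if kd.get("use", "signing") == "signing"  # no 'use' attribute means signing and encryption
        for c in kd.iter(f"{DS}X509Certificate")
        if c.text
    ]
    return {
        "entity_id": root.get("entityID"),
        "wants_signed_requests": idp.get("WantAuthnRequestsSigned", "false").lower() == "true",
        "name_id_formats": [n.text.strip() for n in idp.findall(f"{MD}NameIDFormat") if n.text],
        "sso": {s.get("Binding"): s.get("Location") for s in idp.findall(f"{MD}SingleSignOnService")},
        "slo": {s.get("Binding"): s.get("Location") for s in idp.findall(f"{MD}SingleLogoutService")},
        "signing_certs": certs,
    }


def check_saml_config(
    meta: dict,
    name_id_format: str,
    acs_url: str,
    logout_callback_url: str,
    signing_key_path: str = "",
) -> list[str]:
    """Return a list of problems; an empty list means the fields agree with the IdP metadata."""
    problems: list[str] = []
    if not meta["sso"]:
        problems.append("IdP metadata advertises no SingleSignOnService")
    if not meta["signing_certs"]:
        problems.append("IdP metadata has no signing certificate; SAML responses cannot be verified")
    if meta["name_id_formats"] and name_id_format not in meta["name_id_formats"]:
        problems.append(f"Name ID Format {name_id_format} is not advertised by the IdP")
    if meta["wants_signed_requests"] and not signing_key_path:
        problems.append("IdP requires signed AuthnRequests but no Signing Private Key Path is set")
    # The ACS receives the POSTed assertion; the logout callback confirms session termination.
    for label, url in (("ACS URL", acs_url), ("Logout Callback URL", logout_callback_url)):
        if url and urlparse(url).scheme != "https":
            problems.append(f"{label} must use https, got {url}")
    return problems


if __name__ == "__main__":
    meta = parse_idp_metadata(SAMPLE_METADATA)
    print("entity ID:", meta["entity_id"])
    for problem in check_saml_config(
        meta,
        "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
        "https://orchestrator.example.com/acs",
        "https://orchestrator.example.com/saml-logout",
    ):
        print("problem:", problem)
```

Because the metadata comes from the IdP, a `file:///` copy is only as trustworthy as the download that produced it; re-run the check whenever the IdP rotates its signing certificate, since a stale certificate list is the most common reason a previously working SAML provider starts rejecting responses.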

LDAP Provider

Maverics requires the following information for LDAP providers:

  • Name: A friendly name for your LDAP provider.
  • URL: The URL of the LDAP server that Maverics connects with.
  • Service Account Username: The username used to connect to the LDAP server.
  • Service Account Password: The password used to connect to the LDAP server.
  • Base DN: Specifies the location in which to perform the LDAP search.
  • OUD Search Key: Key to filter on during query and bind operations.
  • Authentication Search Scope: The LDAP search scope used when looking up user and group data. You can select from baseObject, singleLevel, or wholeSubtree.

LDAP Attribute Provider

Maverics requires the following information for LDAP attribute providers:

  • Name: A friendly name for your LDAP attribute provider.
  • URL: The URL of the LDAP server that Maverics connects with.
  • Service Account Username: The username used to connect to the LDAP server.
  • Service Account Password: The password used to connect to the LDAP server.
  • Attribute Delimiter: (Optional) The delimiter used to separate multi-valued attributes. This field is only necessary if an attribute is multi-valued. If no value is provided, a default of “,” will be used for the delimiter.
  • Base DN: Specifies the location in which to perform the LDAP search.
  • OUD Search Key: Key to filter on during query and bind operations.
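To make the Base DN, OUD Search Key, Authentication Search Scope and Attribute Delimiter fields of the two LDAP sections above concrete, the following script is an added example (not Maverics code). It maps the scope names to the LDAP protocol scope values, escapes the user-supplied value before it is placed in the filter built from the search key so that filter metacharacters are matched literally rather than changing the query, and shows how multi-valued attributes are joined with the Attribute Delimiter. The sample directory entry and DNs are constructed, and no LDAP server is contacted.

```python
"""Build the LDAP lookup that the LDAP provider fields describe, with safe filter escaping.

Added example, not Maverics code. The sample entry and DNs are constructed.
"""

# Search scope values from RFC 4511 section 4.5.1.2.
SEARCH_SCOPES = {"baseObject": 0, "singleLevel": 1, "wholeSubtree": 2}

# RFC 4515 escaping: these characters would otherwise change the meaning of the filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value so it is matched literally inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_search(base_dn: str, search_key: str, username: str, scope: str) -> dict:
    """Return the search parameters used to locate a user before a bind is attempted."""
    if scope not in SEARCH_SCOPES:
        raise ValueError(f"unknown search scope {scope!r}; use one of {sorted(SEARCH_SCOPES)}")
    return {
        "base_dn": base_dn,
        "scope": SEARCH_SCOPES[scope],
        "filter": f"({search_key}={escape_filter_value(username)})",
    }


def flatten_attributes(entry: dict, delimiter: str = ",") -> dict:
    """Join multi-valued attributes with the Attribute Delimiter (default ',')."""
    return {
        name: delimiter.join(values) if isinstance(values, list) else values
        for name, values in entry.items()
    }


# Constructed directory entry as an LDAP search might return it.
SAMPLE_ENTRY = {
    "uid": "alice",
    "mail": "alice@example.com",
    "memberOf": [
        "cn=app-users,ou=groups,dc=example,dc=com",
        "cn=staff,ou=groups,dc=example,dc=com",
    ],
}


if __name__ == "__main__":
    print(build_user_search("ou=people,dc=example,dc=com", "uid", "alice", "wholeSubtree"))
    print(build_user_search("ou=people,dc=example,dc=com", "uid", "a*(b)", "wholeSubtree")["filter"])
    print(flatten_attributes(SAMPLE_ENTRY, ";"))
```

The `memberOf` values in the sample contain commas themselves, so the default "," delimiter would make the joined string ambiguous for a downstream app; pick a delimiter that cannot occur in the attribute's values (";" or "|" for DNs) when you set the Attribute Delimiter field.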

Windows Client Authenticator

You can configure Maverics to accept authentication using Integrated Windows Authentication. To use the Windows Client Authenticator App, it must be installed on the IIS server. For more information, see Windows Client Authenticator App for Maverics.

HYPR Passwordless Authentication

To set up Maverics to use HYPR for passwordless authentication, you will need the following details:

  • Name: A friendly name for your HYPR provider.
  • HYPR Domain: The base domain of the HYPR account.
  • HYPR App ID: The name of the application as defined in the HYPR Control Center.
  • Access Token: An access token configured in the HYPR Control Center.

Setting up external identity fabric services

We recommend using the following best practices when setting up your identity fabric for testing/evaluation purposes only.