SAML apps

  • 5 minute(s) read
Prev Next

Welcome to the comprehensive guide on setting up Maverics for use with a SAML application. By using Maverics as a SAML auth provider, you can extend your modern app to any identity provider.

This guide is structured to provide both overview and detailed instructions, making it suitable for IT professionals and administrators who are tasked with setting up and managing digital identities. Whether you are new to SAML applications or looking to enhance your existing setup with Maverics, this tutorial is your gateway to a seamless integration process.

Deploy an orchestrator and set it up as a SAML auth provider

Before downloading and deploying an orchestrator, you must create an environment. Environments define cloud storage containers where you can deploy user flow configuration and the Orchestrators that will read that configuration for your applications.

SAML Auth Provider UI

Note that you must provide a URL for your orchestrator, which Maverics can use to automatically define several endpoints. The endpoints are shown in the configuration example below.

issuer: https://maverics.sonarsystems.com
    endpoints:
      wellKnown: https://maverics.sonarsystems.com/.well-known/openid-config
      jwks: https://maverics.sonarsystems.com/.well-known/jwks.json
      auth: https://maverics.sonarsystems.com/oauth2/auth
      token: https://maverics.sonarsystems.com/oauth2/token
      userinfo: https://maverics.sonarsystems.com/userinfo
      introspect: https://maverics.sonarsystems.com/introspect
      revoke: https://maverics.sonarsystems.com/revoke
      endSession: https://maverics.sonarsystems.com/oidc/logout

Additionally, you will need to provide your SAML provider certificate and private key when creating your environment.

Optionally, you can check Disable Signed Response and/or Disable Signed Assertion to allow unsigned responses and assertions.

After you’ve created your environment, you can download and install the orchestrator.

As a best practice, Strata recommends also creating a second environment for your app configurations.

Define your identity fabric

The Maverics identity fabric includes an identity provider and optional attribute providers. Maverics identity providers integrate with several OIDC and SAML legacy and cloud identity providers and leverage them as either authentication providers or attribute providers. Some identity systems act as both authentication and attribute providers.

Go to Identity Fabric and make a selection in the Identity Services panel on the right. You can select any service for use with a SAML app.

On the next page, enter your identity service’s information in the corresponding fields. The required information varies depending on the service and protocol you’ve selected. The example below is a generic OIDC IDP.

Identity Fabric UI

Configure your SAML application

From the Applications page, create a SAML app by selecting SAML-based under Application Types.

SAML App UI

Field Name

Description

Example

Name

A friendly name for your OIDC application.

ExampleApp

App Icon

Upload an image for your application to display in Maverics.

Maverics supports JPEG, PNG, or SVG, up to 2MB maximum.

Audience

Denotes who the client is. It should match the Issuer field provided by the service provider.

Consumer Service URL

The URL where SAML responses will be sent.

Duration

The duration in seconds for which this server's responses are valid.

NameID Format (Optional)

Define the NameID Format that will be used in the SAML assertion.

When not defined, a value of urn:oasis:names:tc:SAML:1.0:nameid-format:unspecified will be used.

Certificate File

Upload a certificate file to verify the signatures of incoming requests. Supported formats: PEM, KEY.

<MY_KEY_PEM>

IDP Initiated Login: Login URL

The endpoint that the user will visit from their browser to initiate the IDP login flow.

https://maverics.sonarsystems.com/login-sonar

IDP Initiated Login: Relay State URL

The endpoint that gets passed to the service provider and is intended to be the landing page for the user after the authentication flow is complete

https://app.sonarsystems.com/index.html

JSON configuration deployed to the orchestrator

Click Create to save the configuration.

Create a service extension (optional)

Service Extensions are short Golang programs that hook into extension points within an orchestrator to modify or extend features. They give administrators the ability to customize the behavior of the orchestrator to suit the particular needs of their integration. This step is optional, and you can view documentation on service extensions below. After creating a service extension, you can select it for use when creating your user flow.

Three service extensions are available for use with SAML app flows:

  • Authentication: isAuthenticatedSE and authenticateSE service extensions are available to determine if a user is already authenticated and to control the authentication behavior.

  • Custom Claims: buildClaimsSE can customize which attributes will be added to the SAML 2.0 AttributeStatement.

  • Relay State: buildRelayStateSE can optionally be used to build the RelayState parameter in an IDP-initiated login flow. This extension can be used when the relay state is dynamic and therefore cannot be defined with a static relayStateURL.

After creating these service extensions, you can select them from Authentication and Claims on the user flow page.

Configure a SAML user flow

Next, you’ll create a user flow selecting the SAML app you’ve created.

From the dashboard, click Create user flow. Alternatively, from the sidebar, click User Flows, and click New. Enter a name for the user flow and select an application to use. Click Create.

To edit an existing user flow, click User Flows from the sidebar and click the name of the user flow you want to edit.

The name of the user flow appears at the top of the screen and can be edited. The application appears under the name. You can click the application to edit the app configuration, but you cannot change the application tied to the user flow. However, you can add other configured SAML apps to the user flow.

User Flow UI

  1. Under Authentication Provider, select an IDP you've configured.

  2. In the Attribute Providers section, select an attribute provider, a username mapping provider, and a username mapping attribute. Click Add to save your attribute. Repeat this process to add multiple attributes.

  3. The Authorization section allows you to define your access policy. By default, users are allowed access unless granted access through an authorization rule.

    • Allow all access is selected by default, and allows all users access without an authorization rule.

    • Select Use rules to define access to apply fine-grain access control and authorization. The Boolean rule builder appears after selecting this option, and allows you to add rules and conditions by provider.

    • Alternatively, you can select a service extension if you have any authorization service extensions already configured.

  4. The Claims section allows you to provide additional claims to this user. This maps claims to session attributes provided by the IDP(s) and any optionally defined AttributeProvider(s).

    1. Use the SAML Attributes section to select an attribute provider, a username mapping provider, and a username mapping attribute. Click Add to save your claim. Repeat this process to add multiple claims.

    2. Under NameID mapping, you can define custom NameID mappings in SAML responses. Select a provider and enter the attribute you want to define. Click Add to save the mapping.

    3. If you've configured Build Claims or Build Relay State service extensions, you can select them under Service Extensions.

  5. To save the complete user flow, click Commit and Deploy, at the top of the page.

  6. The Commit revision modal appears, and you have several options:

    • Select an environment and click Commit new revision and deploy to save your user flow changes, and deploy them to the selected environment.

    • Select a previous revision and an environment and click Deploy <revision name> to deploy a previous configuration to the selected environment. The Deploy button only appears after choosing a previous revision from the dropdown.

    • Click Commit & close to save the changes to the user flow and close the window (This will not deploy the user flow to an environment).

Related articles
  • Proxy
    Applications > Application patterns > Proxy
  • OIDC
    Applications > Application patterns > OIDC
  • Environments
    Appendix