Microsoft Entra ID (Azure AD)
Maverics Identity Orchestrator provides a prebuilt, no-code connector for Microsoft Entra ID. This Connector lets you create users in Entra ID using Microsoft’s Graph API and supports user authentication using either OpenID Connect or SAML.
While Microsoft has rebranded Azure AD to Entra ID, please note that the orchestrator currently only recognizes azure in the configuration.
Configuration options
The following values can be provided to the Entra ID connector via the Maverics configuration file.
Auth Type
authType defines the protocol used to authenticate against Entra ID. The Entra ID
connector supports both saml or oidc for user authentication. When not defined, a
default of oidc is used.
OIDC Well-known URL
oidcWellKnownURL defines the location at which the client requests configuration
from Azure AD’s OpenID Provider. This must be set (along with graphURL) when using the connector as an attribute provider.
OAuth Client ID
oauthClientID defines the client ID used to identify the Maverics application to Entra ID.
OAuth Client Secret
oauthClientSecret defines the client secret used to authenticate the Maverics
application with Entra ID.
OAuth Redirect URL
oauthRedirectURL defines the URL that Entra ID will use to redirect the client back to
after authentication. The Maverics callback handler will be served on this URL.
oauthRedirectURL’s path should not conflict with the path of any
application resources. The oauthRedirectURL path can be arbitrary, for
example /maverics-oidc or /oidc-handler.OIDC Logout Callback URL
oidcLogoutCallbackURL defines the URL that Entra ID will use to redirect the client
back to after a logout.
Disable PKCE
disablePKCE is an optional field used to disable the OIDC Proof Key for Code
Exchange (PKCE) extension (enabled by default).
SAML Entity ID
samlEntityID is the unique application entity ID assigned to the application.
SAML Metadata URL
samlMetadataURL is the metadata URL from the application configured in the SAML provider.
The samlMetadataURL setting will accept a file:/// URI if the metadata file is
saved on a filesystem accessible to the Orchestrator user.
SAML Consumer Service URL
samlConsumerServiceURL is the URL that the SAML provider will use to POST the SAML response back to.
The Maverics SAML ACS handler will be served on this URL, as such it should not
conflict with the path of any application resources.
The samlConsumerServiceURL path can be arbitrary (e.g. /maverics-saml or /saml-handler),
but must match the provider’s configuration for the specified samlEntityID.
SAML Logout Callback URL
samlLogoutCallbackURL is an optional field used to define the URL to which the SAML
provider will call back once logout is successful. This will
initialize an endpoint on Maverics to listen for the callback.
The URL’s domain must match the domain Maverics is on.
The samlLogoutCallbackURL path can be arbitrary (e.g. /logout-maverics-saml or /logout-saml-handler),
but must match the provider’s configuration for the specified samlEntityID.
SAML SP Cert Path
samlSPCertPath is an optional configuration to the path to the certificate that
will be used to sign SAML authentication requests. Must be used with samlSPKeyPath.
SAML SP Key path
samlSPKeyPath is an optional configuration to the path to the private key that will
be used to sign SAML authentication requests. Must be used with samlSPCertPath.
IDP-Initiated Login
samlIDPInitiatedLogin is an optional field used to define the IDP-initiated login
settings.
Enabled
enabled defines whether the connector will accept unsolicited SAML responses from
the configured IDP. IDP-initiated login is disabled by default as it is inherently
less secure
than the alternative SP-initiated flow.
Allowed Redirect URLs
allowedRedirectURLs are the set of URLs that the connector can redirect to
after processing an IDP-initiated SAML response. The IDP must pass one of the
listed URLs via the relay state when it initiates a login. For more info on why
a set of URLs are required, please see the OWASP guide on
IdP Initiated SSO
and the importance of mitigating the Open Redirect attack.
Domain Hint
domainHint is an optional field used to indicate to Entra ID that this request
should be handled by the federated IdP sign-in page, or the branded Entra ID sign-in
page for the tenant.
Graph URL
graphURL is an optional field that defines the Entra ID endpoint used to make calls to the Microsoft Graph API. The oidcWellKnownURL must also be configured.
Cache
cache is an optional field that defines the cache settings for the connector.
If left undefined, the connector will use the default in-memory cache.
Examples
SAML Connector Configuration
The Maverics Identity Orchestrator SAML Connector for Entra ID may be configured as gallery app or non-gallery web app in your Entra ID tenant. Consult the Connector Tutorial to add your SAML Connector from the Entra ID app gallery.
connectors:
- name: azure
type: azure
authType: saml
samlMetadataURL: https://login.microsoftonline.com/<tenantID>/federationmetadata/2007-06/federationmetadata.xml?appid=<appid>
samlConsumerServiceURL: https://example.com/acs
samlLogoutCallbackURL: https://example.com/logout
samlEntityID: https://example.comSAML Connector Configuration with SAML metadata file
This sample assumes the SAML metadata was downloaded and saved in /etc/maverics/samlmetadata.xml.
connectors:
- name: azure
type: azure
authType: saml
samlMetadataURL: file:///etc/maverics/samlmetadata.xml
samlConsumerServiceURL: https://example.com/acs
samlLogoutCallbackURL: https://example.com/logout
samlEntityID: https://example.com
cache: redisOIDC Connector Configuration
connectors:
- name: azure
type: azure
authType: oidc
oidcWellKnownURL: https://login.microsoftonline.com/<tenantID>/v2.0/.well-known/openid-configuration
oauthClientID: <client-id>
oauthClientSecret: <client-secret>
oauthRedirectURL: https://example.com/oidc
oidcLogoutCallbackURL: https://example.com/oidc/logout
disablePKCE: false