Console terminology: In the Maverics Console, this section is called Identity Fabric. The YAML configuration uses the connectors key to define identity provider integrations.

Overview
The Custom SAML connector (type: saml) supports SAML 2.0 SSO profiles including SP-initiated and IdP-initiated flows. It handles SAML assertion parsing, signature validation, and attribute extraction — making it suitable for government and education SAML federations, legacy SAML systems, and any provider that speaks SAML 2.0.
Use Cases
- Non-standard SAML IdPs — Connect SAML identity providers that aren’t covered by the dedicated connectors (ADFS, etc.)
- Government and education federations — Integrate with InCommon, eduGAIN, and other SAML-based federation services
- Legacy SAML systems — Connect to older identity systems that only support SAML 2.0 for federation
Configuration
Console UI documentation is coming soon. This section will walk you
through configuring this component using the Maverics Console’s visual
interface, including step-by-step screenshots and field descriptions.
Configuration Reference
| Key | Type | Required | Description |
|---|---|---|---|
| name | string | Yes | Unique connector identifier referenced by app policies and attribute providers |
| type | string | Yes | Must be saml |
| samlMetadataURL | string | Yes | URL to the IdP’s SAML metadata XML — the Orchestrator fetches this to discover SSO endpoints and signing certificates |
| samlConsumerServiceURL | string | Yes | Assertion Consumer Service (ACS) URL where the IdP sends SAML responses |
| samlEntityID | string | No | Service Provider entity ID that identifies the Orchestrator to the IdP |
| samlLogoutCallbackURL | string | No | Logout callback URL for SAML single logout |
| samlSPCertPath | string | No | Path to the SP certificate file for signing SAML requests |
| samlSPKeyPath | string | No | Path to the SP private key file for signing SAML requests |
| samlNameIDFormat | string | No | Requested NameID format (e.g., urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress) |
| samlIDPInitiatedLogin | object | No | IdP-initiated login configuration |
| cache | string | No | Cache name reference for SAML request data storage |
| tls | string | No | Named TLS profile for metadata retrieval and IdP communication |
| healthCheck | object | No | Health check monitoring configuration (see Identity Fabric Configuration Reference) |
Troubleshooting
- Verify the SAML metadata URL is accessible — The Orchestrator fetches the IdP’s metadata XML at startup. If the URL is unreachable or returns an error, the connector will fail to initialize. Test the URL with curl from the Orchestrator host.
- Ensure the entityID matches the IdP configuration — The samlEntityID value must match what is configured as the trusted Service Provider on the IdP side. Mismatched entity IDs cause the IdP to reject authentication requests.
- Check the Assertion Consumer Service URL — The samlConsumerServiceURL must match the Orchestrator’s actual callback endpoint. If behind a load balancer or reverse proxy, use the external-facing URL that the IdP will redirect to.
- SP signing certificate errors — If the IdP requires signed authentication requests, ensure samlSPCertPath and samlSPKeyPath point to valid PEM files and the key matches the certificate.