Microsoft Entra ID (SAML)

The Microsoft Entra ID (SAML) connector integrates the Maverics Orchestrator with Microsoft Entra ID using the SAML 2.0 protocol — providing an alternative to the OIDC-based Entra ID connector for environments that require SAML federation.

Console terminology: In the Maverics Console, this section is called Identity Fabric. The YAML configuration uses the connectors key to define identity provider integrations.

Overview

The Microsoft Entra ID (SAML) connector supports SAML 2.0 SSO profiles including SP-initiated and IdP-initiated flows. For most deployments, the Microsoft Entra ID (OIDC) connector is recommended as the more common integration path. Use the SAML variant when your environment requires SAML-based federation or when integrating with applications that only support SAML assertions.

Use Cases

Unify SSO for SAML-dependent applications — Connect to Entra ID via SAML when legacy applications or compliance policies require SAML 2.0 federation instead of OIDC
Consolidate IdPs around Entra ID — Route authentication from multiple legacy IdPs to Entra ID using SAML, reducing the number of identity platforms and associated licensing costs
Multi-protocol orchestration — Combine Entra ID SAML with other SAML or OIDC connectors to deliver unified access across hybrid environments without rewriting applications
Entra ID failover with Continuity — Pair Entra ID SAML with a secondary IdP to maintain authentication availability during Entra ID service disruptions

Configuration

Console UI
Configuration

To create a Microsoft Entra ID (SAML) connector in the Maverics Console:

Navigate to Identity Fabric in the Console sidebar.
Click Create and select Microsoft Entra ID (SAML).

The Console also offers Microsoft Entra ID (OIDC) for OpenID Connect-based integration, which is the more common option. See the Entra ID (OIDC) page for details.

Enter a Name — the friendly name for your Entra ID SAML provider.
Enter the Metadata URL — the URL of the Entra ID SAML metadata document (e.g., https://login.microsoftonline.com/{tenant-id}/federationmetadata/2007-06/federationmetadata.xml).
Enter the Consumer Service (ACS) URL — the Assertion Consumer Service URL where Entra ID sends SAML responses.
Enter the Entity ID — the unique identifier for the Orchestrator as the SAML Service Provider.
Optionally enter a Logout Callback URL for Single Logout (SLO) callback.
Optionally enter the SP Certificate Path and SP Private Key Path for signing SAML requests.
Optionally enable IdP Initiated Login to allow authentication flows started by Entra ID.
Click Save.

maverics.yaml

connectors:
  - name: entra-id-saml
    type: saml
    samlMetadataURL: "https://login.microsoftonline.com/{{ env.AZURE_TENANT_ID }}/federationmetadata/2007-06/federationmetadata.xml"
    samlConsumerServiceURL: "https://orch.example.com/saml/callback"
    samlEntityID: "https://orch.example.com"
    tls: entra-tls

Configuration Reference

Key	Type	Required	Description
`name`	string	Yes	Unique connector identifier referenced by app policies and attribute providers
`type`	string	Yes	Must be `saml`
`samlMetadataURL`	string	Yes	URL to the Entra ID SAML federation metadata XML
`samlConsumerServiceURL`	string	Yes	Assertion Consumer Service (ACS) URL where Entra ID sends SAML responses
`samlEntityID`	string	No	Service Provider entity ID that identifies the Orchestrator to Entra ID
`samlLogoutCallbackURL`	string	No	Logout callback URL for SAML single logout
`samlSPCertPath`	string	No	Path to the SP certificate file for signing SAML requests
`samlSPKeyPath`	string	No	Path to the SP private key file for signing SAML requests
`samlIDPInitiatedLogin`	object	No	IdP-initiated login configuration
`cache`	string	No	Cache name reference for SAML request data storage
`tls`	string	No	Named TLS profile for metadata retrieval and IdP communication
`healthCheck`	object	No	Health check monitoring configuration (see Identity Fabric Configuration Reference)

For the complete connector field reference including health check details, see Identity Fabric Configuration Reference.

Troubleshooting

Verify the Entra ID metadata URL is accessible — The Orchestrator fetches the federation metadata XML at startup. Replace {tenant-id} with your Microsoft Entra ID directory (tenant) ID from the Azure portal.
Ensure the entity ID matches the Entra ID enterprise application — The samlEntityID value must match the Identifier (Entity ID) configured in the Entra ID enterprise application’s SAML configuration.
Check the Assertion Consumer Service URL — The samlConsumerServiceURL must match the Reply URL (Assertion Consumer Service URL) configured in the Entra ID enterprise application. If behind a load balancer, use the external-facing URL.
SP signing certificate errors — If the Entra ID application requires signed authentication requests, ensure samlSPCertPath and samlSPKeyPath point to valid PEM files and the key matches the certificate.

Microsoft Entra ID (OIDC)

OIDC-based Entra ID connector (recommended for most deployments)

Generic SAML

Generic SAML 2.0 connector

Identity Fabric

Overview of all identity providers

Continuity

IdP failover connector

Console Administration

Orchestration

Overview

Use Cases

Configuration

Configuration Reference

Troubleshooting

Microsoft Entra ID (OIDC)

Generic SAML

Identity Fabric

Continuity

Console Administration

Orchestration

​Overview

​Use Cases

​Configuration

​Configuration Reference

​Troubleshooting

​Related Pages

Microsoft Entra ID (OIDC)

Generic SAML

Identity Fabric

Continuity

Overview

Use Cases

Configuration

Configuration Reference

Troubleshooting

Related Pages