Okta (SAML)

The Okta (SAML) connector integrates the Maverics Orchestrator with Okta using the SAML 2.0 protocol — providing an alternative to the OIDC-based Okta connector for environments that require SAML federation.

Console terminology: In the Maverics Console, this section is called Identity Fabric. The YAML configuration uses the connectors key to define identity provider integrations.

Overview

The Okta (SAML) connector supports SAML 2.0 SSO profiles including SP-initiated and IdP-initiated flows. For most deployments, the Okta (OIDC) connector is recommended as the more common integration path. Use the SAML variant when your environment requires SAML-based federation or when integrating with applications that only support SAML assertions.

Use Cases

Unify SSO for SAML-dependent applications — Connect to Okta via SAML when legacy applications or compliance policies require SAML 2.0 federation instead of OIDC
Legacy application modernization — Bridge Okta SAML assertions to header-based or cookie-based authentication for legacy applications, extending SSO without rewriting them
Rationalize identity platforms through Okta — Consolidate authentication from multiple IdPs into Okta, reducing licensing overlap and simplifying identity operations
Okta failover with Continuity — Pair Okta SAML with a secondary IdP to maintain authentication availability during Okta service disruptions

Configuration

Console UI
Configuration

To create an Okta (SAML) connector in the Maverics Console:

Navigate to Identity Fabric in the Console sidebar.
Click Create and select Okta (SAML).

The Console also offers Okta (OIDC) for OpenID Connect-based integration, which is the more common option. See the Okta (OIDC) page for details.

Enter a Name — the friendly name for your Okta SAML provider.
Enter the Metadata URL — the URL of the Okta SAML metadata document (e.g., https://{your-org}.okta.com/app/{app-id}/sso/saml/metadata).
Enter the Consumer Service (ACS) URL — the Assertion Consumer Service URL where Okta sends SAML responses.
Enter the Entity ID — the unique identifier for the Orchestrator as the SAML Service Provider.
Optionally enter a Logout Callback URL for Single Logout (SLO) callback.
Optionally enter the SP Certificate Path and SP Private Key Path for signing SAML requests.
Optionally enable IdP Initiated Login to allow authentication flows started by Okta.
Click Save.

maverics.yaml

connectors:
  - name: okta-saml
    type: saml
    samlMetadataURL: "https://{{ env.OKTA_ORG }}.okta.com/app/{{ env.OKTA_APP_ID }}/sso/saml/metadata"
    samlConsumerServiceURL: "https://orch.example.com/saml/callback"
    samlEntityID: "https://orch.example.com"
    tls: okta-tls

Configuration Reference

Key	Type	Required	Description
`name`	string	Yes	Unique connector identifier referenced by app policies and attribute providers
`type`	string	Yes	Must be `saml`
`samlMetadataURL`	string	Yes	URL to the Okta SAML metadata XML — the Orchestrator fetches this to discover SSO endpoints and signing certificates
`samlConsumerServiceURL`	string	Yes	Assertion Consumer Service (ACS) URL where Okta sends SAML responses
`samlEntityID`	string	No	Service Provider entity ID that identifies the Orchestrator to Okta
`samlLogoutCallbackURL`	string	No	Logout callback URL for SAML single logout
`samlSPCertPath`	string	No	Path to the SP certificate file for signing SAML requests
`samlSPKeyPath`	string	No	Path to the SP private key file for signing SAML requests
`samlIDPInitiatedLogin`	object	No	IdP-initiated login configuration
`cache`	string	No	Cache name reference for SAML request data storage
`tls`	string	No	Named TLS profile for metadata retrieval and IdP communication
`healthCheck`	object	No	Health check monitoring configuration (see Identity Fabric Configuration Reference)

For the complete connector field reference including health check details, see Identity Fabric Configuration Reference.

Troubleshooting

Verify the Okta SAML metadata URL is accessible — The Orchestrator fetches the metadata XML at startup. The metadata URL is typically found in the Okta application’s Sign On settings under “Identity Provider metadata.”
Ensure the entity ID matches the Okta application — The samlEntityID value must match the Audience URI (SP Entity ID) configured in the Okta SAML application settings.
Check the Assertion Consumer Service URL — The samlConsumerServiceURL must match the Single sign on URL configured in the Okta SAML application. If behind a load balancer, use the external-facing URL.
SP signing certificate errors — If the Okta application requires signed authentication requests, ensure samlSPCertPath and samlSPKeyPath point to valid PEM files and the key matches the certificate.

Okta (OIDC)

OIDC-based Okta connector (recommended for most deployments)

Generic SAML

Generic SAML 2.0 connector

Identity Fabric

Overview of all identity providers

Continuity

IdP failover connector

Console Administration

Orchestration

Overview

Use Cases

Configuration

Configuration Reference

Troubleshooting

Okta (OIDC)

Generic SAML

Identity Fabric

Continuity

Console Administration

Orchestration

​Overview

​Use Cases

​Configuration

​Configuration Reference

​Troubleshooting

​Related Pages

Okta (OIDC)

Generic SAML

Identity Fabric

Continuity

Overview

Use Cases

Configuration

Configuration Reference

Troubleshooting

Related Pages