SAML Provider

The SAML Provider mode configures the Maverics Orchestrator as a SAML 2.0 identity provider. It handles SAML assertion generation, attribute mapping, and protocol translation — allowing you to federate enterprise applications that depend on SAML while connecting to modern or legacy upstream identity providers.

Console terminology: In the Maverics Console, the combination of applications, policies, headers, and connector bindings is managed through User Flows. In YAML, these elements are configured directly within each app’s configuration block under apps[].policies[].

When to use this mode

SAML Provider — Choose this mode for applications that only support SAML 2.0. Best for enterprise apps with rigid SAML requirements.
OIDC Provider — Choose this mode for modern applications that can consume OpenID Connect tokens natively.
HTTP Proxy — Choose this mode for applications that cannot handle SAML directly or where you cannot modify authentication code.
LDAP Provider — Choose this mode for applications that require an LDAP directory for authentication.
AI Identity Gateway — Choose this mode for securing AI agent-to-tool communication via MCP.

Use Cases

SAML federation for enterprise apps — Provide SAML 2.0 assertions to enterprise applications like Salesforce, ServiceNow, and Workday that require SAML-based single sign-on.
Protocol translation (OIDC-to-SAML) — Bridge modern OIDC identity providers to legacy SAML-dependent applications without modifying either side.
IdP migration for SAML-dependent apps — Migrate SAML service providers from one identity provider to another with zero downtime and no SP reconfiguration.
Attribute mapping and enrichment — Enrich SAML assertions with attributes sourced from multiple directories, databases, and APIs beyond what the upstream IdP provides.

How It Works

The SAML Provider authentication flow follows these steps:

SP-initiated request — A user accesses a SAML service provider. The SP generates a SAML AuthnRequest and redirects the user to the Orchestrator’s SSO endpoint.
Upstream authentication — The Orchestrator routes the user to the configured upstream identity provider for authentication. The upstream IdP can use any protocol (OIDC, SAML, LDAP) — the Orchestrator handles protocol translation.
Attribute enrichment — After authentication, the Orchestrator loads additional attributes from configured attribute providers and merges them with the authenticated identity.
Assertion generation — The Orchestrator generates a signed SAML assertion containing the NameID and mapped claims from the authenticated identity and enriched attributes.
SP receives assertion — The SAML response (containing the signed assertion) is POSTed to the SP’s assertion consumer service URL. The SP validates the signature and establishes a session.
IdP-initiated flow (optional) — Users can also start from the Orchestrator’s IdP-initiated login URL, which generates an assertion and sends it directly to the SP without an AuthnRequest.

Key Concepts

Provider vs Apps

The SAML Provider has two configuration levels: provider-level settings (issuer, SSO/SLO endpoints, signing material) shared across all SAML apps, and individual app entries that each register a specific service provider with its own entity ID, ACS URL, NameID format, and claims mapping.

Protocol Translation

The Orchestrator can translate between protocols — an upstream OIDC identity provider can feed a downstream SAML service provider, or vice versa. The service provider only sees SAML; the identity provider only sees OIDC. This makes IdP migration possible without changing SP configurations.

Assertion Signing

By default, both the SAML assertion and the SAML response are signed using the provider’s signing material. Individual apps can override signing behavior (e.g., disable assertion signing for SPs that don’t verify it) or use per-app signing keys.

NameID and Claims

The NameID identifies the authenticated subject in the SAML assertion. Claims mapping uses the same connector.attribute format as OIDC, translating connector attributes into SAML assertion attributes.

Request Verification

When service providers sign their AuthnRequest messages, the Orchestrator verifies the signature using the SP’s certificate. This can be skipped for SPs that don’t sign requests.

Setup

Console UI
Configuration

In the Maverics Console, SAML Provider settings are configured in the Deployment Settings dialog under the SAML Provider section.Issuer and Endpoints

Field	Required	Description
Issuer	Yes	Unique SAML IdP identifier (Entity ID). Typically the base URL of the Orchestrator.
Generate	—	Button that auto-generates endpoint URLs from the Issuer.
Metadata	No	SAML metadata endpoint URL (auto-generated from Issuer).
Single Sign-on	Yes	SSO endpoint URL for receiving AuthnRequest messages (auto-generated).
Single Logout	Yes	SLO endpoint URL (auto-generated).

Signing

Field	Required	Description
Signing Option	Yes	Dropdown to select what is signed. Options: “Response and Assertion” (default), “Response Only”, “Assertion Only”.
Edit	—	Button to edit the private key and public key (certificate) pair used for signing SAML responses and assertions. The signature properties can be overridden per-app.

Additional Settings

Field	Required	Description
Redis Cache	No	Dropdown to select a configured Redis cache for SAML request data and provider state storage. Defaults to in-memory if not set.

The Console UI provides a subset of the full YAML configuration. Per-app signature overrides, assertion encryption settings, and advanced request verification options are configured at the app level and are only available in YAML. See the Configuration tab for the complete reference.

The following example configures the Orchestrator as a SAML 2.0 identity provider with one SAML service provider application. The samlProvider block defines the IdP-wide settings (issuer, endpoints, signing), while each saml app defines a service provider registration.

samlProvider:
  issuer: https://auth.example.com
  cache: redis-cache
  endpoints:
    metadata: https://auth.example.com/saml/metadata
    singleSignOnService: https://auth.example.com/saml/sso
    singleLogoutService: https://auth.example.com/saml/slo
  signature:
    certificate: <saml_signing_cert>
    privateKey: <saml_signing_key>

apps:
  - name: my-saml-app
    type: saml
    entityIDs:
      - identifier: https://sp.example.com
        default: true
    consumerServiceURLs:
      - url: https://sp.example.com/acs
        default: true
    logoutServiceURL: https://sp.example.com/logout
    duration: 300
    nameID:
      format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
      attrMapping: upstream-idp.email
    requestVerification:
      skipVerification: true
    authentication:
      idps:
        - upstream-idp
    claimsMapping:
      email: upstream-idp.email
      firstName: upstream-idp.given_name
      lastName: upstream-idp.family_name
    idpInitiatedLogin:
      loginURL: https://auth.example.com/saml/sso/my-saml-app
      relayStateURL: https://sp.example.com/

Configuration Reference

The samlProvider top-level key configures the Orchestrator as a SAML 2.0 identity provider. This block defines the IdP issuer, SAML endpoints, signing material, and cache. All saml type apps require samlProvider to be configured.

Key	Type	Required	Default	Description
`issuer`	string	Yes	—	SAML EntityID for the identity provider. Typically the base URL of the Orchestrator (e.g., `https://auth.example.com`).
`endpoints.metadata`	string	Yes	—	URL where the IdP publishes SAML metadata XML.
`endpoints.singleSignOnService`	string	Yes	—	URL for the SAML SSO endpoint that receives `AuthnRequest` messages.
`endpoints.singleLogoutService`	string	Yes	—	URL for the SAML Single Logout endpoint.
`signature.certificate`	string	Conditional	—	PEM-encoded X.509 certificate for signing SAML assertions and responses. Inline value. Mutually exclusive with `certificateFile`.
`signature.certificateFile`	string	Conditional	—	File path to the X.509 certificate. Mutually exclusive with `certificate`.
`signature.privateKey`	string	Conditional	—	PEM-encoded private key for signing. Inline value. Mutually exclusive with `privateKeyFile`.
`signature.privateKeyFile`	string	Conditional	—	File path to the private key. Mutually exclusive with `privateKey`.
`signature.disableSignedAssertion`	boolean	No	`false`	When `true`, SAML assertions are not signed. See Signed and Unsigned Assertions.
`signature.disableSignedResponse`	boolean	No	`false`	When `true`, SAML responses are not signed. See Signed and Unsigned Assertions.
`cache`	string	No	—	Name of a configured cache (Redis or cluster) for SAML request data and provider state storage. References a `caches[]` entry by name.

Signing material must be provided as either inline values (certificate + privateKey) or file paths (certificateFile + privateKeyFile). Use secret references (e.g., <saml_signing_cert>) for inline values to avoid storing credentials in config files.

SAML App Configuration

Each SAML Service Provider is registered under the apps array with type: saml. App configuration includes entity IDs, assertion consumer service URLs, NameID format, claims mapping, signing overrides, request verification, IdP-initiated login, and assertion encryption.

SAML App

Full configuration reference, Console UI setup steps, and troubleshooting for SAML apps

The SAML Provider mode works with all Identity Fabric connectors. The Orchestrator translates between any upstream IdP protocol and SAML assertions for your applications. These are the most commonly used pairings:

Microsoft Entra ID

Microsoft Entra ID for enterprise SSO

Okta

Okta SSO consolidation

Generic SAML

Any SAML 2.0-compliant provider

Generic OIDC

Any OIDC provider (protocol translated to SAML)

Continuity

IdP failover and migration

See the connector compatibility matrix for all supported pairings and the Identity Fabric overview for the full connector list. The SAML Provider also pairs with:

Secret Providers — Store signing certificates and encryption keys securely

SAML App

SAML app configuration reference, Console UI setup, and troubleshooting

OIDC Provider

Configure the Orchestrator as an OpenID Connect authorization server

Identity Fabric

Connect upstream identity providers to the Orchestrator

Architecture and Concepts

Understand how modes fit into the Orchestrator architecture

HTTP Proxy

Protect applications without code modification using reverse proxy mode

Console Administration

Orchestration

Use Cases

How It Works

Key Concepts

Provider vs Apps

Protocol Translation

Assertion Signing

NameID and Claims

Request Verification

Setup

Configuration Reference

SAML App Configuration

SAML App

Microsoft Entra ID

Okta

Generic SAML

Generic OIDC

Continuity

SAML App

OIDC Provider

Identity Fabric

Architecture and Concepts

HTTP Proxy

Console Administration

Orchestration

​Use Cases

​How It Works

​Key Concepts

​Provider vs Apps

​Protocol Translation

​Assertion Signing

​NameID and Claims

​Request Verification

​Setup

​Configuration Reference

​SAML App Configuration

SAML App

​Related Integrations

Microsoft Entra ID

Okta

Generic SAML

Generic OIDC

Continuity

​Related Pages

SAML App

OIDC Provider

Identity Fabric

Architecture and Concepts

HTTP Proxy

Use Cases

How It Works

Key Concepts

Provider vs Apps

Protocol Translation

Assertion Signing

NameID and Claims

Request Verification

Setup

Configuration Reference

SAML App Configuration

Related Integrations

Related Pages