> ## Documentation Index
> Fetch the complete documentation index at: https://docs.strata.io/llms.txt
> Use this file to discover all available pages before exploring further.

# SAML Provider

The SAML Provider mode configures the Maverics Orchestrator as a SAML 2.0 identity provider. It handles SAML assertion generation, attribute mapping, and protocol translation -- allowing you to federate enterprise applications that depend on SAML while connecting to modern or legacy upstream identity providers.

<Tip>
  **When to use this mode**

  * **SAML Provider** -- Choose this mode for applications that only support SAML 2.0. Best for enterprise apps with rigid SAML requirements.
  * **OIDC Provider** -- Choose this mode for modern applications that can consume OpenID Connect tokens natively.
  * **HTTP Proxy** -- Choose this mode for applications that cannot handle SAML directly or where you cannot modify authentication code.
  * **LDAP Provider** -- Choose this mode for applications that require an LDAP directory for authentication.
  * **AI Identity Gateway** -- Choose this mode for securing AI agent-to-tool communication via MCP.
</Tip>

## Use Cases

* **SAML federation for enterprise apps** -- Provide SAML 2.0 assertions to enterprise applications like Salesforce, ServiceNow, and Workday that require SAML-based single sign-on.
* **Protocol translation (OIDC-to-SAML)** -- Bridge modern OIDC identity providers to legacy SAML-dependent applications without modifying either side.
* **IdP migration for SAML-dependent apps** -- Migrate SAML service providers from one identity provider to another with zero downtime and no SP reconfiguration.
* **Attribute mapping and enrichment** -- Enrich SAML assertions with attributes sourced from multiple directories, databases, and APIs beyond what the upstream IdP provides.

## How It Works

The SAML Provider authentication flow follows these steps:

1. **SP-initiated request** -- A user accesses a SAML service provider. The SP generates a SAML AuthnRequest and redirects the user to the Orchestrator's SSO endpoint.
2. **Upstream authentication** -- The Orchestrator routes the user to the configured upstream identity provider for authentication. The upstream IdP can use any protocol (OIDC, SAML, LDAP) -- the Orchestrator handles protocol translation.
3. **Attribute enrichment** -- After authentication, the Orchestrator loads additional attributes from configured attribute providers and merges them with the authenticated identity.
4. **Assertion generation** -- The Orchestrator generates a signed SAML assertion containing the NameID and mapped claims from the authenticated identity and enriched attributes.
5. **SP receives assertion** -- The SAML response (containing the signed assertion) is POSTed to the SP's assertion consumer service URL. The SP validates the signature and establishes a session.
6. **IdP-initiated flow (optional)** -- Users can also start from the Orchestrator's IdP-initiated login URL, which generates an assertion and sends it directly to the SP without an AuthnRequest.

## Key Concepts

### Provider vs Apps

The SAML Provider has two configuration levels: provider-level settings (issuer, SSO/SLO endpoints, signing material) shared across all SAML apps, and individual app entries that each register a specific service provider with its own entity ID, ACS URL, NameID format, and claims mapping.

### Protocol Translation

The Orchestrator can translate between protocols -- an upstream OIDC identity provider can feed a downstream SAML service provider, or vice versa. The service provider only sees SAML; the identity provider only sees OIDC. This makes IdP migration possible without changing SP configurations.

### Assertion Signing

By default, both the SAML assertion and the SAML response are signed using the provider's signing material. Individual apps can override signing behavior (e.g., disable assertion signing for SPs that don't verify it) or use per-app signing keys.

### NameID and Claims

The NameID identifies the authenticated subject in the SAML assertion. Claims mapping uses the same `connector.attribute` format as OIDC, translating connector attributes into SAML assertion attributes.

### Request Verification

When service providers sign their AuthnRequest messages, the Orchestrator verifies the signature using the SP's certificate. This can be skipped for SPs that don't sign requests.

## Setup

<Tabs>
  <Tab title="Console UI">
    In the Maverics Console, SAML Provider settings are configured in the **Deployment Settings** dialog under the SAML Provider section.

    **Issuer and Endpoints**

    | Field          | Required | Description                                                                         |
    | -------------- | -------- | ----------------------------------------------------------------------------------- |
    | Issuer         | Yes      | Unique SAML IdP identifier (Entity ID). Typically the base URL of the Orchestrator. |
    | Generate       | --       | Button that auto-generates endpoint URLs from the Issuer.                           |
    | Metadata       | No       | SAML metadata endpoint URL (auto-generated from Issuer).                            |
    | Single Sign-on | Yes      | SSO endpoint URL for receiving AuthnRequest messages (auto-generated).              |
    | Single Logout  | Yes      | SLO endpoint URL (auto-generated).                                                  |

    **Signing**

    | Field          | Required | Description                                                                                                                                                          |
    | -------------- | -------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
    | Signing Option | Yes      | Dropdown to select what is signed. Options: "Response and Assertion" (default), "Response Only", "Assertion Only".                                                   |
    | Edit           | --       | Button to edit the private key and public key (certificate) pair used for signing SAML responses and assertions. The signature properties can be overridden per-app. |

    **Additional Settings**

    | Field       | Required | Description                                                                                                                     |
    | ----------- | -------- | ------------------------------------------------------------------------------------------------------------------------------- |
    | Redis Cache | No       | Dropdown to select a configured Redis cache for SAML request data and provider state storage. Defaults to in-memory if not set. |

    <Note>
      The Console UI provides a subset of the full YAML configuration. Per-app signature overrides, assertion encryption settings, and advanced request verification options are configured at the app level and are only available in YAML. See the [Configuration tab](#setup) for the complete reference.
    </Note>
  </Tab>

  <Tab title="Configuration">
    The following example configures the Orchestrator as a SAML 2.0 identity provider with one SAML service provider application. The `samlProvider` block defines the IdP-wide settings (issuer, endpoints, signing), while each `saml` app defines a service provider registration.

    ```yaml theme={null}
    samlProvider:
      issuer: https://auth.example.com
      cache: redis-cache
      endpoints:
        metadata: https://auth.example.com/saml/metadata
        singleSignOnService: https://auth.example.com/saml/sso
        singleLogoutService: https://auth.example.com/saml/slo
      signature:
        certificate: <saml_signing_cert>
        privateKey: <saml_signing_key>

    apps:
      - name: my-saml-app
        type: saml
        entityIDs:
          - identifier: https://sp.example.com
            default: true
        consumerServiceURLs:
          - url: https://sp.example.com/acs
            default: true
        logoutServiceURL: https://sp.example.com/logout
        duration: 300
        nameID:
          format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
          attrMapping: upstream-idp.email
        requestVerification:
          skipVerification: true
        authentication:
          idps:
            - upstream-idp
        claimsMapping:
          email: upstream-idp.email
          firstName: upstream-idp.given_name
          lastName: upstream-idp.family_name
        idpInitiatedLogin:
          loginURL: https://auth.example.com/saml/sso/my-saml-app
          relayStateURL: https://sp.example.com/
    ```

    #### Configuration Reference

    The `samlProvider` top-level key configures the Orchestrator as a SAML 2.0 identity provider. This block defines the IdP issuer, SAML endpoints, signing material, and cache. All `saml` type apps require `samlProvider` to be configured.

    | Key                                | Type    | Required    | Default | Description                                                                                                                                                  |
    | ---------------------------------- | ------- | ----------- | ------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------ |
    | `issuer`                           | string  | Yes         | --      | SAML EntityID for the identity provider. Typically the base URL of the Orchestrator (e.g., `https://auth.example.com`).                                      |
    | `endpoints.metadata`               | string  | Yes         | --      | URL where the IdP publishes SAML metadata XML.                                                                                                               |
    | `endpoints.singleSignOnService`    | string  | Yes         | --      | URL for the SAML SSO endpoint that receives `AuthnRequest` messages.                                                                                         |
    | `endpoints.singleLogoutService`    | string  | Yes         | --      | URL for the SAML Single Logout endpoint.                                                                                                                     |
    | `signature.certificate`            | string  | Conditional | --      | PEM-encoded X.509 certificate for signing SAML assertions and responses. Inline value. Mutually exclusive with `certificateFile`.                            |
    | `signature.certificateFile`        | string  | Conditional | --      | File path to the X.509 certificate. Mutually exclusive with `certificate`.                                                                                   |
    | `signature.privateKey`             | string  | Conditional | --      | PEM-encoded private key for signing. Inline value. Mutually exclusive with `privateKeyFile`.                                                                 |
    | `signature.privateKeyFile`         | string  | Conditional | --      | File path to the private key. Mutually exclusive with `privateKey`.                                                                                          |
    | `signature.disableSignedAssertion` | boolean | No          | `false` | When `true`, SAML assertions are not signed. See [Signed and Unsigned Assertions](/reference/orchestrator/applications/saml#signed-and-unsigned-assertions). |
    | `signature.disableSignedResponse`  | boolean | No          | `false` | When `true`, SAML responses are not signed. See [Signed and Unsigned Assertions](/reference/orchestrator/applications/saml#signed-and-unsigned-assertions).  |
    | `cache`                            | string  | No          | --      | Name of a configured cache (Redis or cluster) for SAML request data and provider state storage. References a `caches[]` entry by name.                       |

    <Note>
      Signing material must be provided as either inline values (`certificate` + `privateKey`) or file paths (`certificateFile` + `privateKeyFile`). Use secret references (e.g., `<saml_signing_cert>`) for inline values to avoid storing credentials in config files.
    </Note>

    #### SAML App Configuration

    Each SAML Service Provider is registered under the `apps` array with `type: saml`. App configuration includes entity IDs, assertion consumer service URLs, NameID format, claims mapping, signing overrides, request verification, IdP-initiated login, and assertion encryption.

    <Card title="SAML App" icon="shield-halved" href="/reference/orchestrator/applications/saml">
      Full configuration reference, Console UI setup steps, and troubleshooting for SAML apps
    </Card>
  </Tab>
</Tabs>

## Related Integrations

The SAML Provider mode works with all Identity Fabric connectors. The Orchestrator translates between any upstream IdP protocol and SAML assertions for your applications. These are the most commonly used pairings:

<CardGroup cols={3}>
  <Card title="Microsoft Entra ID" icon="microsoft" href="/reference/orchestrator/identity-fabric/azure-ad">
    Microsoft Entra ID for enterprise SSO
  </Card>

  <Card title="Okta" icon="key" href="/reference/orchestrator/identity-fabric/okta">
    Okta SSO consolidation
  </Card>

  <Card title="Generic SAML" icon="file-shield" href="/reference/orchestrator/identity-fabric/custom-saml">
    Any SAML 2.0-compliant provider
  </Card>

  <Card title="Generic OIDC" icon="openid" href="/reference/orchestrator/identity-fabric/custom-oidc">
    Any OIDC provider (protocol translated to SAML)
  </Card>

  <Card title="Continuity" icon="arrows-rotate" href="/reference/orchestrator/identity-fabric/continuity">
    IdP failover and migration
  </Card>
</CardGroup>

See the [connector compatibility matrix](/guides/authentication/choosing-a-mode#connector-compatibility) for all supported pairings and the [Identity Fabric overview](/reference/orchestrator/identity-fabric) for the full connector list.

The SAML Provider also pairs with:

* **[Secret Providers](/reference/orchestrator/configuration/secret-providers)** -- Store signing certificates and encryption keys securely

## Related Pages

<CardGroup cols={2}>
  <Card title="SAML App" icon="shield-halved" href="/reference/orchestrator/applications/saml">
    SAML app configuration reference, Console UI setup, and troubleshooting
  </Card>

  <Card title="OIDC Provider" icon="openid" href="/reference/modes/oidc-provider">
    Configure the Orchestrator as an OpenID Connect authorization server
  </Card>

  <Card title="Identity Fabric" icon="plug" href="/reference/orchestrator/identity-fabric">
    Connect upstream identity providers to the Orchestrator
  </Card>

  <Card title="Architecture and Concepts" icon="diagram-project" href="/introduction/architecture">
    Understand how modes fit into the Orchestrator architecture
  </Card>

  <Card title="HTTP Proxy" icon="server" href="/reference/modes/http-proxy">
    Protect applications without code modification using reverse proxy mode
  </Card>
</CardGroup>
