SAML App

Register SAML Service Providers with the Orchestrator’s built-in SAML Provider. The Orchestrator handles SAML assertion generation, attribute mapping, and protocol translation — allowing you to federate enterprise applications that depend on SAML while connecting to modern or legacy upstream identity providers.

Console terminology: In the Maverics Console, the combination of applications, policies, headers, and connector bindings is managed through User Flows. In YAML, these elements are configured directly within each app’s configuration block under apps[].policies[].

Overview

SAML apps represent Service Providers registered with the Orchestrator’s SAML Provider mode. When a Service Provider sends a SAML authentication request, the Orchestrator authenticates the user against a configured identity provider, generates a SAML assertion with the mapped attributes, and returns it to the SP’s Assertion Consumer Service URL. This requires samlProvider to be configured in the deployment.

How It Works

The SAML Provider authentication flow follows these steps:

SP-initiated request — A user accesses a SAML service provider. The SP generates a SAML AuthnRequest and redirects the user to the Orchestrator’s SSO endpoint.
Upstream authentication — The Orchestrator routes the user to the configured upstream identity provider for authentication. The upstream IdP can use any protocol (OIDC, SAML, LDAP) — the Orchestrator handles protocol translation.
Attribute enrichment — After authentication, the Orchestrator loads additional attributes from configured attribute providers and merges them with the authenticated identity.
Assertion generation — The Orchestrator generates a signed SAML assertion containing the NameID and mapped claims from the authenticated identity and enriched attributes.
SP receives assertion — The SAML response (containing the signed assertion) is POSTed to the SP’s assertion consumer service URL. The SP validates the signature and establishes a session.
IdP-initiated flow (optional) — Users can also start from the Orchestrator’s IdP-initiated login URL, which generates an assertion and sends it directly to the SP without an AuthnRequest.

Use Cases

SAML federation for enterprise apps — register Service Providers like Salesforce, ServiceNow, and Workday so the Orchestrator acts as their SAML Identity Provider
Protocol translation (OIDC-to-SAML) — authenticate users with an OIDC provider upstream while issuing SAML assertions downstream to applications that only support SAML
IdP migration for SAML-dependent apps — migrate applications from a legacy SAML IdP to a modern identity provider without reconfiguring each Service Provider
Attribute mapping and enrichment — map and transform attributes from upstream identity providers into the SAML assertion format each Service Provider expects

Key Concepts

Protocol Translation

The Orchestrator can translate between protocols — an upstream OIDC identity provider can feed a downstream SAML service provider, or vice versa. The service provider only sees SAML; the identity provider only sees OIDC. This makes IdP migration possible without changing SP configurations.

Assertion Signing

By default, both the SAML assertion and the SAML response are signed using the provider’s signing material. Individual apps can override signing behavior (e.g., disable assertion signing for SPs that don’t verify it) or use per-app signing keys.

NameID and Claims

The NameID identifies the authenticated subject in the SAML assertion. Claims mapping uses the same connector.attribute format as OIDC, translating connector attributes into SAML assertion attributes.

Request Verification

When service providers sign their AuthnRequest messages, the Orchestrator verifies the signature using the SP’s certificate. This can be skipped for SPs that don’t sign requests.

Setup

Console UI
Configuration

Navigate to Applications

Go to Applications in the sidebar and click Create. Select SAML-based from the application type list.

Set the application name

Enter a Name to identify this SAML application.

Configure entity IDs

Enter the Default Entity ID for the Service Provider. Click Entity ID to add additional entity IDs if the SP uses multiple identifiers. Each entity ID entry has an identifier and a default flag.

Configure consumer service URLs

Enter the Default URL for the Assertion Consumer Service (ACS). Click URL to add additional ACS URLs. Each entry has a URL and a default flag.

Set the logout URL (optional)

Enter the Logout URL where SAML logout responses will be sent.

Set the unauthorized page (optional)

Enter an Unauthorized Page URL where the Orchestrator redirects users who are not authorized to access the requested resource.

Set the response duration (optional)

Enter the Duration in seconds for which SAML responses are valid. Defaults to five minutes (300 seconds).

Configure NameID format (optional)

Enter the Name ID Format (e.g., urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress). The NameID attribute mapping is configured in the User Flow.

Configure signing

Select the Signing Options to control how SAML responses are signed. Choose Use deployment settings to inherit from the SAML Provider deployment configuration, or override with per-app signing settings.

Configure request verification (optional)

Upload a Certificate File (PEM format) to verify the signatures of incoming SAML requests from the Service Provider.

Configure IdP-initiated login (optional)

Enter a Login URL — the endpoint users visit to initiate the IdP-initiated login flow (e.g., https://maverics.example.com/login-app). Optionally enter a Relay State URL — the landing page for the user after authentication.

Save

Click Save to create the SAML application.

SAML apps are defined under the apps top-level key with type: saml:

Configuration Reference

Core Fields

Key	Type	Required	Default	Description
`name`	string	Yes	—	Unique name for the SAML app.
`type`	string	Yes	—	Must be `saml`.
`entityIDs`	array	Yes	—	Service provider entity IDs. Each entry has `identifier` (string) and `default` (boolean). At least one entry with `default: true` is required.
`consumerServiceURLs`	array	Yes	—	Assertion Consumer Service URLs. Each entry has `url` (string) and `default` (boolean). At least one entry with `default: true` is required.
`logoutServiceURL`	string	No	—	SP logout service URL for single logout.
`duration`	integer	No	`3600`	Assertion lifetime in seconds.

NameID Configuration

Key	Type	Required	Default	Description
`nameID.format`	string	No	—	SAML NameID format URN (e.g., `urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress`).
`nameID.attrMapping`	string	No	—	Connector attribute to use as the NameID value (e.g., `upstream-idp.email`). Uses `connector.attribute` format.

Authentication

Key	Type	Required	Default	Description
`authentication.idps`	array	Conditional	—	List of identity provider connector names for user authentication. Cannot be combined with `isAuthenticatedSE`/`authenticateSE`.
`authentication.isAuthenticatedSE`	object	Conditional	—	Service Extension for custom authentication checks. Must be defined together with `authenticateSE`.
`authentication.authenticateSE`	object	Conditional	—	Service Extension for custom authentication flows. Must be defined together with `isAuthenticatedSE`.

Authorization

Key	Type	Required	Default	Description
`authorization.allowAll`	boolean	No	—	When `true`, all authenticated users are authorized.
`authorization.rules`	array	No	—	Authorization rules using `and`/`or` conditions with `equals`, `notEquals`, `contains`, `notContains` operators. See Applications for the full rules reference.
`authorization.rulesAggregationMethod`	string	No	`"and"`	How top-level rules are combined: `"and"` (all must match) or `"or"` (any may match).
`authorization.isAuthorizedSE`	object	No	—	Service Extension for custom authorization logic. Mutually exclusive with `allowAll` and `rules`.
`authorization.unauthorizedPage`	string	No	—	Redirect URL for unauthorized users.

Claims and Attributes

Key	Type	Required	Default	Description
`claimsMapping`	object	No	—	Maps SAML assertion attribute names to connector attribute values. Keys are assertion attribute names; values use `connector.attribute` format (e.g., `email: upstream-idp.email`).
`buildClaimsSE`	object	No	—	Service Extension for custom SAML assertion claims. When defined, replaces `claimsMapping`.
`attrProviders`	array	No	—	Additional attribute providers for post-authentication attribute loading. Each entry has `connector` (string) and `usernameMapping` (string in `{{ connector.attribute }}` format).
`loadAttrsSE`	object	No	—	Service Extension for custom attribute loading logic.

Request Verification

Key	Type	Required	Default	Description
`requestVerification.certificate`	string	Conditional	—	PEM-encoded SP certificate for verifying signed `AuthnRequest` messages. Required when `skipVerification` is `false` or not set.
`requestVerification.skipVerification`	boolean	No	`false`	When `true`, skip signature verification of incoming `AuthnRequest` messages. Use when the SP does not sign its requests.

Per-App Signature OverrideIndividual SAML apps can override the provider-level signing configuration. When a per-app signature block is defined, it takes precedence over samlProvider.signature for that specific app.

Key	Type	Required	Default	Description
`signature.certificate`	string	Conditional	—	PEM-encoded X.509 certificate for this app’s assertions.
`signature.certificateFile`	string	Conditional	—	File path to the certificate.
`signature.privateKey`	string	Conditional	—	PEM-encoded private key for this app’s signing.
`signature.privateKeyFile`	string	Conditional	—	File path to the private key.
`signature.disableSignedAssertion`	boolean	No	`false`	Disable assertion signing for this specific app.
`signature.disableSignedResponse`	boolean	No	`false`	Disable response signing for this specific app.

Deprecated Fields

The following fields are deprecated. Migrate to the replacement fields listed below.

audience — Use entityIDs instead
consumerServiceURL — Use consumerServiceURLs instead
nameIDFormat — Use nameID.format instead

Example

A SAML app registering Salesforce as a Service Provider with attribute mapping, authentication, and IdP-initiated login:

apps:
  - name: salesforce
    type: saml
    entityIDs:
      - identifier: "https://salesforce.example.com"
        default: true
    consumerServiceURLs:
      - url: "https://salesforce.example.com/saml/acs"
        default: true
    logoutServiceURL: "https://salesforce.example.com/saml/logout"
    duration: 300
    nameID:
      format: "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
      attrMapping: "{{ azure.email }}"
    requestVerification:
      skipVerification: true
    authentication:
      idps:
        - azure
    claimsMapping:
      email: "azure.preferred_username"
      firstName: "azure.given_name"
      lastName: "azure.family_name"
      groups: "azure.groups"
    idpInitiatedLogin:
      loginURL: "https://auth.example.com/saml/sso/salesforce"
      relayStateURL: "https://salesforce.example.com/"

Signed and Unsigned Assertions

By default, the SAML Provider signs both the SAML assertion and the SAML response using the signing material configured in samlProvider.signature. Some service providers require unsigned assertions or unsigned responses depending on their verification capabilities. Controlling signature behavior at the provider level:

Console UI
Configuration

Provider-level signing is configured in the Maverics Console under Deployment Settings in the SAML Provider section. The Console UI provides a Signing Option dropdown with options for “Response and Assertion” (default), “Response Only”, and “Assertion Only”.To override the default signing flags directly using disableSignedAssertion or disableSignedResponse, use the Configuration tab.

samlProvider:
  signature:
    certificate: <saml_signing_cert>
    privateKey: <saml_signing_key>
    # Signed assertion + signed response (default)
    disableSignedAssertion: false
    disableSignedResponse: false

Controlling signature behavior per app: Individual apps can override the provider defaults. For example, if the provider signs both but a specific SP needs unsigned assertions:

Console UI
Configuration

In the Console UI, per-app signing is configured during application setup. Select the Signing Options and choose to override the deployment-level settings. For fine-grained control over disableSignedAssertion and disableSignedResponse flags, use the Configuration tab.

apps:
  - name: unsigned-assertion-app
    type: saml
    signature:
      disableSignedAssertion: true
    # ... other fields

Request verification from the SP side: When a service provider signs its AuthnRequest messages, the Orchestrator verifies the signature using the SP’s certificate. If the SP does not sign requests, set skipVerification: true:

Console UI
Configuration

In the Console UI, request verification is configured during application setup. Upload the SP’s Certificate File (PEM format) to verify signed AuthnRequest messages. If the SP does not sign requests, leave the certificate field empty and verification will be skipped.

apps:
  # SP that sends signed AuthnRequests
  - name: saml-signed
    type: saml
    requestVerification:
      certificate: <sp_signing_cert>
    # ...

  # SP that does not sign AuthnRequests
  - name: saml-unverified
    type: saml
    requestVerification:
      skipVerification: true
    # ...

IdP-initiated login allows users to start a SAML flow from the identity provider rather than from the service provider. When configured, the Orchestrator exposes a login URL that generates a SAML response and sends it directly to the SP’s assertion consumer service.

Key	Type	Required	Default	Description
`idpInitiatedLogin.loginURL`	string	Yes	—	URL that triggers the IdP-initiated flow. Users or portals navigate to this URL to start the login.
`idpInitiatedLogin.relayStateURL`	string	No	—	URL included as the SAML `RelayState` parameter. The SP redirects the user here after consuming the assertion.
`idpInitiatedLogin.buildRelayStateSE`	object	No	—	Service Extension for dynamically building the relay state value.

Example:

Console UI
Configuration

In the Console UI, IdP-initiated login is configured during application setup. Enter a Login URL — the endpoint users visit to start the IdP-initiated flow (e.g., https://auth.example.com/saml/sso/portal-app). Optionally enter a Relay State URL — the landing page for the user after authentication.

apps:
  - name: portal-app
    type: saml
    idpInitiatedLogin:
      loginURL: https://auth.example.com/saml/sso/portal-app
      relayStateURL: https://portal.example.com/
    # ...

When a user navigates to https://auth.example.com/saml/sso/portal-app, the Orchestrator authenticates them (if not already authenticated), builds a SAML assertion, and POSTs it to the app’s assertion consumer service URL with the relay state set to https://portal.example.com/.

Assertion Encryption

SAML assertion encryption protects assertion content during transit by encrypting the assertion XML before embedding it in the SAML response. The SP decrypts the assertion using its private key.

Key	Type	Required	Default	Description
`encryption.keyEncryptMethod`	string	Yes	—	XML encryption method for encrypting the symmetric key (e.g., `http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p`).
`encryption.dataEncryptMethod`	string	Yes	—	XML encryption method for encrypting the assertion data (e.g., `http://www.w3.org/2001/04/xmlenc#aes256-cbc`).
`encryption.digestMethod`	string	No	—	Digest method for key encryption (e.g., `http://www.w3.org/2001/04/xmlenc#sha256`).
`encryption.certificate`	string	Yes	—	PEM-encoded SP certificate (public key) used to encrypt the assertion. The SP holds the corresponding private key for decryption.

Example:

Console UI
Configuration

Assertion encryption settings are configured per-app via YAML only. The Console UI does not currently expose encryption fields. See the Configuration tab for the full reference.

apps:
  - name: encrypted-app
    type: saml
    encryption:
      keyEncryptMethod: "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"
      dataEncryptMethod: "http://www.w3.org/2001/04/xmlenc#aes256-cbc"
      digestMethod: "http://www.w3.org/2001/04/xmlenc#sha256"
      certificate: <sp_encryption_cert>
    # ...

Troubleshooting

Assertion signature validation fails at the SP

Symptoms: The SP rejects the SAML response with “invalid signature”, “signature verification failed”, or “unable to validate assertion”.Causes:

The signing certificate configured in the Orchestrator (samlProvider.signature.certificate) does not match the certificate the SP has on file.
The signing certificate has expired.
A signing algorithm mismatch between the Orchestrator and the SP’s expected algorithm.

Resolution:

Export the samlProvider.signature.certificate and provide it to the SP via metadata exchange or manual upload.
Verify the certificate is not expired by checking its Not After date.
If using per-app signature overrides, ensure the app-level certificate is the one provided to the SP.

NameID format mismatch

Symptoms: The SP accepts the assertion but cannot identify the user, or rejects the assertion with “invalid NameID format” or “unrecognized subject”.Causes:

The nameID.format does not match what the SP expects (e.g., the SP expects emailAddress but the Orchestrator sends unspecified).
The nameID.attrMapping references an attribute that is empty or not returned by the upstream IdP.

Resolution:

Check the SP’s metadata or documentation for the required NameID format.
Set nameID.format to the matching URN (e.g., urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress).
Verify that nameID.attrMapping points to an attribute that is populated for all users (e.g., upstream-idp.email).

Claims/attributes missing from assertion

Symptoms: The SP receives the assertion but expected attributes (e.g., email, groups, department) are empty or absent.Causes:

The claimsMapping references a wrong connector name or an attribute that does not exist on the upstream identity.
Attribute providers (attrProviders) are not configured, so enrichment attributes are not loaded.
The upstream IdP does not return the expected claims in its response.

Resolution:

Verify that connector names in claimsMapping match the connectors[].name values exactly.
If enrichment is needed, confirm attrProviders entries are configured with the correct connector names and usernameMapping.
Test the upstream IdP directly to confirm it returns the expected attributes.

SP-initiated login fails with "unable to verify request"

Symptoms: The login flow fails immediately after the SP redirect, with an error about request verification or signature validation.Causes:

The SP signs its AuthnRequest, but the Orchestrator does not have the SP’s signing certificate for verification.
The SP’s certificate in requestVerification.certificate is expired or does not match the key the SP uses.

Resolution:

If the SP signs its AuthnRequests, provide the SP’s signing certificate in requestVerification.certificate.
If the SP does not sign requests, set requestVerification.skipVerification: true.
If the SP recently rotated its signing key, update the certificate in the app configuration.

IdP-initiated login returns "unknown service provider"

Symptoms: Navigating to the IdP-initiated login URL returns an error about an unknown or unregistered service provider.Causes:

The idpInitiatedLogin.loginURL path does not match any configured app.
The app’s entityIDs are missing or do not match what the SP expects.

Resolution:

Verify the login URL matches the configured app name in the URL path (e.g., /saml/sso/my-app for an app named my-app).
Confirm that entityIDs contains at least one entry with default: true.
Check that the consumerServiceURLs are correctly configured for the target SP.

Assertion encryption fails

Symptoms: The SP cannot decrypt the assertion, reporting errors like “unable to decrypt”, “decryption failed”, or “invalid key”.Causes:

The encryption.certificate is not the SP’s encryption certificate (it might be the signing cert instead).
An algorithm mismatch — keyEncryptMethod or dataEncryptMethod does not match the SP’s supported algorithms.

Resolution:

Verify that encryption.certificate is the SP’s public encryption certificate (not its signing certificate — these are often different).
Confirm that keyEncryptMethod and dataEncryptMethod match the algorithms the SP supports (check SP metadata or documentation).
If the SP specifies a digestMethod, ensure it is also set in the app configuration.

Applications

Overview of application types, route patterns, and shared configuration

SAML Provider

SAML Provider mode configuration for SAML app deployments

Identity Fabric

Configure the identity providers referenced in app policies

Single Logout (SLO)

Configure Single Logout for SAML applications

Console Administration

Orchestration

Overview

How It Works

Use Cases

Key Concepts

Protocol Translation

Assertion Signing

NameID and Claims

Request Verification

Setup

Configuration Reference

Example

Signed and Unsigned Assertions

Assertion Encryption

Troubleshooting

Applications

SAML Provider

Identity Fabric

Single Logout (SLO)

Console Administration

Orchestration

​Overview

​How It Works

​Use Cases

​Key Concepts

​Protocol Translation

​Assertion Signing

​NameID and Claims

​Request Verification

​Setup

​Configuration Reference

​Example

​Signed and Unsigned Assertions

​IdP-Initiated Login

​Assertion Encryption

​Troubleshooting

​Related Pages

Applications

SAML Provider

Identity Fabric

Single Logout (SLO)

Overview

How It Works

Use Cases

Key Concepts

Protocol Translation

Assertion Signing

NameID and Claims

Request Verification

Setup

Configuration Reference

Example

Signed and Unsigned Assertions

IdP-Initiated Login

Assertion Encryption

Troubleshooting

Related Pages