Microsoft ADFS (SAML)

The ADFS connector integrates the Maverics Orchestrator with Microsoft Active Directory Federation Services — enabling authentication for applications that rely on ADFS for identity federation.

Console terminology: In the Maverics Console, this section is called Identity Fabric. The YAML configuration uses the connectors key to define identity provider integrations.

Overview

The ADFS connector integrates with ADFS using the SAML 2.0 protocol. It is designed for organizations modernizing their identity infrastructure — allowing you to migrate away from ADFS without disrupting existing applications or requiring simultaneous cutover of all relying parties.

Use Cases

ADFS-to-cloud migration — Gradually move relying parties from ADFS to a modern cloud IdP without downtime, reducing ADFS licensing and infrastructure costs
Unify SSO across ADFS and cloud IdPs — Bridge ADFS with cloud identity providers so users get seamless access across on-prem and cloud applications during migration
ADFS modernization without rip-and-replace — Add modern authentication capabilities like MFA and conditional access to ADFS-protected applications without modifying ADFS itself
ADFS failover and resilience — Pair ADFS with a backup IdP through the Continuity connector so authentication continues if the ADFS farm becomes unavailable

Setup

Console UI
Configuration

To create a Microsoft ADFS (SAML) connector in the Maverics Console:

Navigate to Identity Fabric in the Console sidebar.
Click Create and select Microsoft ADFS (SAML).
Enter a Name — the friendly name for your ADFS provider.
Enter the Metadata URL — the ADFS federation metadata endpoint (typically https://{adfs-host}/FederationMetadata/2007-06/FederationMetadata.xml).
Enter the Consumer Service (ACS) URL — the URL where ADFS sends SAML responses after authentication.
Enter the Entity ID — the unique identifier for the Orchestrator as the SAML Service Provider.
Optionally enter a Logout Callback URL for Single Logout (SLO) callback.
Optionally enter the SP Certificate Path and SP Private Key Path if your ADFS configuration requires signed SAML requests.
Optionally enable IdP Initiated Login if authentication flows will be started from the ADFS side.
Click Save.

maverics.yaml

connectors:
  - name: adfs
    type: adfs
    samlMetadataURL: "https://{{ env.ADFS_HOST }}/FederationMetadata/2007-06/FederationMetadata.xml"
    samlConsumerServiceURL: "https://orch.example.com/saml/callback"
    samlEntityID: "https://orch.example.com"
    tls: adfs-tls

Configuration Reference

Key	Type	Required	Description
`name`	string	Yes	Unique connector identifier referenced in app policies
`type`	string	Yes	Must be `adfs`
`samlMetadataURL`	string	Yes	URL to the ADFS federation metadata XML (typically `https://{adfs-host}/FederationMetadata/2007-06/FederationMetadata.xml`)
`samlConsumerServiceURL`	string	Yes	Assertion Consumer Service (ACS) URL where ADFS sends SAML responses
`samlEntityID`	string	No	Service Provider entity ID that identifies the Orchestrator to ADFS
`samlLogoutCallbackURL`	string	No	Logout callback URL for SAML single logout
`samlSPCertPath`	string	No	Path to the SP certificate file for signing SAML requests
`samlSPKeyPath`	string	No	Path to the SP private key file for signing SAML requests
`samlIDPInitiatedLogin`	object	No	IdP-initiated login configuration
`cache`	string	No	Cache name reference for SAML request data storage
`tls`	string	No	Named TLS profile for metadata retrieval and IdP communication
`healthCheck`	object	No	Health check monitoring configuration (see Identity Fabric Configuration Reference)

For the complete connector field reference including health check details, see Identity Fabric Configuration Reference.

Troubleshooting

Verify the ADFS federation metadata URL is accessible — The Orchestrator fetches the ADFS metadata XML at startup. The metadata URL is typically https://{adfs-host}/FederationMetadata/2007-06/FederationMetadata.xml. Test the URL with curl from the Orchestrator host.
Ensure the entity ID matches ADFS relying party configuration — The samlEntityID value must match the Relying Party Trust identifier configured in ADFS. Mismatched entity IDs cause ADFS to reject authentication requests.
Check the Assertion Consumer Service URL — The samlConsumerServiceURL must match the Orchestrator’s actual callback endpoint. If behind a load balancer or reverse proxy, use the external-facing URL that ADFS will redirect to.
SP signing certificate errors — If ADFS requires signed authentication requests, ensure samlSPCertPath and samlSPKeyPath point to valid PEM files and the key matches the certificate.

Identity Fabric

Overview of all identity providers

Generic SAML

Generic SAML 2.0 connector

Microsoft Entra ID

OIDC connector for Microsoft Entra ID

Continuity

Failover connector for IdP high availability

Console Administration

Orchestration

Overview

Use Cases

Setup

Configuration Reference

Troubleshooting

Identity Fabric

Generic SAML

Microsoft Entra ID

Continuity

Console Administration

Orchestration

​Overview

​Use Cases

​Setup

​Configuration Reference

​Troubleshooting

​Related Pages

Identity Fabric

Generic SAML

Microsoft Entra ID

Continuity

Overview

Use Cases

Setup

Configuration Reference

Troubleshooting

Related Pages