Generic SAML

The Generic SAML connector provides a generic SAML 2.0 integration for any SAML-compliant identity provider — giving you flexibility to connect providers that use the SAML protocol for federation.

Console terminology: In the Maverics Console, this section is called Identity Fabric. The YAML configuration uses the connectors key to define identity provider integrations.

Overview

The Generic SAML connector supports SAML 2.0 SSO profiles including SP-initiated and IdP-initiated flows. It handles SAML assertion parsing, signature validation, and attribute extraction — making it suitable for government and education SAML federations, legacy SAML systems, and any provider that speaks SAML 2.0.

Use Cases

Unify SSO across non-standard IdPs — Connect SAML identity providers that aren’t covered by dedicated connectors, bringing them into a single orchestrated sign-on experience across your hybrid environment
Government and education federations — Integrate with InCommon, eduGAIN, and other SAML-based federation services that require generic SAML 2.0 support
Legacy SAML modernization — Extend SSO to older identity systems that only support SAML 2.0, without rewriting applications or migrating users
IdP resilience for SAML providers — Pair with the Continuity connector to enable failover between SAML identity providers, ensuring authentication availability if a primary IdP becomes unreachable

Setup

Console UI
Configuration

To create a Generic SAML connector in the Maverics Console:

Navigate to Identity Fabric in the Console sidebar.
Click Create and select Generic SAML.
Enter a Name — the friendly name for your SAML provider.
Enter the Metadata URL — the URL of the IdP’s SAML metadata document.
Enter the Consumer Service (ACS) URL — the Assertion Consumer Service URL where the IdP sends SAML responses.
Enter the Entity ID — the unique identifier for the Orchestrator as the SAML Service Provider.
Optionally enter a Logout Callback URL for Single Logout (SLO) callback.
Optionally enter the SP Certificate Path and SP Private Key Path for signing SAML requests.
Optionally select a NameID Format to specify the NameID format used in SAML assertions.
Optionally enable IdP Initiated Login to allow authentication flows started by the identity provider.
Click Save.

maverics.yaml

connectors:
  - name: saml-idp
    type: saml
    samlMetadataURL: "https://idp.example.com/metadata"
    samlConsumerServiceURL: "https://orch.example.com/saml/callback"
    samlEntityID: "https://orch.example.com"
    samlNameIDFormat: "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
    tls: idp-tls

Configuration Reference

Key	Type	Required	Description
`name`	string	Yes	Unique connector identifier referenced by app policies and attribute providers
`type`	string	Yes	Must be `saml`
`samlMetadataURL`	string	Yes	URL to the IdP’s SAML metadata XML — the Orchestrator fetches this to discover SSO endpoints and signing certificates
`samlConsumerServiceURL`	string	Yes	Assertion Consumer Service (ACS) URL where the IdP sends SAML responses
`samlEntityID`	string	No	Service Provider entity ID that identifies the Orchestrator to the IdP
`samlLogoutCallbackURL`	string	No	Logout callback URL for SAML single logout
`samlSPCertPath`	string	No	Path to the SP certificate file for signing SAML requests
`samlSPKeyPath`	string	No	Path to the SP private key file for signing SAML requests
`samlNameIDFormat`	string	No	Requested NameID format (e.g., `urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress`)
`samlIDPInitiatedLogin`	object	No	IdP-initiated login configuration
`cache`	string	No	Cache name reference for SAML request data storage
`tls`	string	No	Named TLS profile for metadata retrieval and IdP communication
`healthCheck`	object	No	Health check monitoring configuration (see Identity Fabric Configuration Reference)

For the complete connector field reference including health check details, see Identity Fabric Configuration Reference.

Troubleshooting

Verify SAML metadata URL is accessible — The Orchestrator fetches the IdP’s metadata XML at startup. If the URL is unreachable or returns an error, the connector will fail to initialize. Test the URL with curl from the Orchestrator host.
Ensure entityID matches the IdP configuration — The samlEntityID value must match what is configured as the trusted Service Provider on the IdP side. Mismatched entity IDs cause the IdP to reject authentication requests.
Check the Assertion Consumer Service URL — The samlConsumerServiceURL must match the Orchestrator’s actual callback endpoint. If behind a load balancer or reverse proxy, use the external-facing URL that the IdP will redirect to.
SP signing certificate errors — If the IdP requires signed authentication requests, ensure samlSPCertPath and samlSPKeyPath point to valid PEM files and the key matches the certificate.

Identity Fabric

Overview of all identity providers

Identity Fabric

Complete field reference for all connector types

Generic OIDC

Generic OpenID Connect connector

Continuity

IdP failover connector

Console Administration

Orchestration

Overview

Use Cases

Setup

Configuration Reference

Troubleshooting

Identity Fabric

Identity Fabric

Generic OIDC

Continuity

Console Administration

Orchestration

​Overview

​Use Cases

​Setup

​Configuration Reference

​Troubleshooting

​Related Pages

Identity Fabric

Identity Fabric

Generic OIDC

Continuity

Overview

Use Cases

Setup

Configuration Reference

Troubleshooting

Related Pages