> ## Documentation Index
> Fetch the complete documentation index at: https://docs.strata.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Generic SAML

The Generic SAML connector provides a generic SAML 2.0 integration for any SAML-compliant identity provider -- giving you flexibility to connect providers that use the SAML protocol for federation.

<Note>
  **Console terminology:** In the Maverics Console, this section is called
  **Identity Fabric**. The YAML configuration uses the `connectors` key to define
  identity provider integrations.
</Note>

## Overview

The Generic SAML connector supports SAML 2.0 SSO profiles including SP-initiated and IdP-initiated flows. It handles SAML assertion parsing, signature validation, and attribute extraction -- making it suitable for government and education SAML federations, legacy SAML systems, and any provider that speaks SAML 2.0.

## Use Cases

* **Unify SSO across non-standard IdPs** -- Connect SAML identity providers that aren't covered by dedicated connectors, bringing them into a single orchestrated sign-on experience across your hybrid environment
* **Government and education federations** -- Integrate with InCommon, eduGAIN, and other SAML-based federation services that require generic SAML 2.0 support
* **Legacy SAML modernization** -- Extend SSO to older identity systems that only support SAML 2.0, without rewriting applications or migrating users
* **IdP resilience for SAML providers** -- Pair with the Continuity connector to enable failover between SAML identity providers, ensuring authentication availability if a primary IdP becomes unreachable

## Setup

<Tabs>
  <Tab title="Console UI">
    To create a Generic SAML connector in the Maverics Console:

    1. Navigate to **Identity Fabric** in the Console sidebar.
    2. Click **Create** and select **Generic SAML**.
    3. Enter a **Name** -- the friendly name for your SAML provider.
    4. Enter the **Metadata URL** -- the URL of the IdP's SAML metadata document.
    5. Enter the **Consumer Service (ACS) URL** -- the Assertion Consumer Service URL where the IdP sends SAML responses.
    6. Enter the **Entity ID** -- the unique identifier for the Orchestrator as the SAML Service Provider.
    7. Optionally enter a **Logout Callback URL** for Single Logout (SLO) callback.
    8. Optionally enter the **SP Certificate Path** and **SP Private Key Path** for signing SAML requests.
    9. Optionally select a **NameID Format** to specify the NameID format used in SAML assertions.
    10. Optionally enable **IdP Initiated Login** to allow authentication flows started by the identity provider.
    11. Click **Save**.
  </Tab>

  <Tab title="Configuration">
    ```yaml maverics.yaml theme={null}
    connectors:
      - name: saml-idp
        type: saml
        samlMetadataURL: "https://idp.example.com/metadata"
        samlConsumerServiceURL: "https://orch.example.com/saml/callback"
        samlEntityID: "https://orch.example.com"
        samlNameIDFormat: "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
        tls: idp-tls
    ```

    ## Configuration Reference

    | Key                      | Type   | Required | Description                                                                                                                                            |
    | ------------------------ | ------ | -------- | ------------------------------------------------------------------------------------------------------------------------------------------------------ |
    | `name`                   | string | Yes      | Unique connector identifier referenced by app policies and attribute providers                                                                         |
    | `type`                   | string | Yes      | Must be `saml`                                                                                                                                         |
    | `samlMetadataURL`        | string | Yes      | URL to the IdP's SAML metadata XML -- the Orchestrator fetches this to discover SSO endpoints and signing certificates                                 |
    | `samlConsumerServiceURL` | string | Yes      | Assertion Consumer Service (ACS) URL where the IdP sends SAML responses                                                                                |
    | `samlEntityID`           | string | No       | Service Provider entity ID that identifies the Orchestrator to the IdP                                                                                 |
    | `samlLogoutCallbackURL`  | string | No       | Logout callback URL for SAML single logout                                                                                                             |
    | `samlSPCertPath`         | string | No       | Path to the SP certificate file for signing SAML requests                                                                                              |
    | `samlSPKeyPath`          | string | No       | Path to the SP private key file for signing SAML requests                                                                                              |
    | `samlNameIDFormat`       | string | No       | Requested NameID format (e.g., `urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress`)                                                               |
    | `samlIDPInitiatedLogin`  | object | No       | IdP-initiated login configuration                                                                                                                      |
    | `cache`                  | string | No       | Cache name reference for SAML request data storage                                                                                                     |
    | `tls`                    | string | No       | Named TLS profile for metadata retrieval and IdP communication                                                                                         |
    | `healthCheck`            | object | No       | Health check monitoring configuration (see [Identity Fabric Configuration Reference](/reference/orchestrator/identity-fabric#configuration-reference)) |

    For the complete connector field reference including health check details, see [Identity Fabric Configuration Reference](/reference/orchestrator/identity-fabric#configuration-reference).
  </Tab>
</Tabs>

## Troubleshooting

* **Verify SAML metadata URL is accessible** -- The Orchestrator fetches the IdP's metadata XML at startup. If the URL is unreachable or returns an error, the connector will fail to initialize. Test the URL with `curl` from the Orchestrator host.
* **Ensure entityID matches the IdP configuration** -- The `samlEntityID` value must match what is configured as the trusted Service Provider on the IdP side. Mismatched entity IDs cause the IdP to reject authentication requests.
* **Check the Assertion Consumer Service URL** -- The `samlConsumerServiceURL` must match the Orchestrator's actual callback endpoint. If behind a load balancer or reverse proxy, use the external-facing URL that the IdP will redirect to.
* **SP signing certificate errors** -- If the IdP requires signed authentication requests, ensure `samlSPCertPath` and `samlSPKeyPath` point to valid PEM files and the key matches the certificate.

## Related Pages

<CardGroup cols={2}>
  <Card title="Identity Fabric" icon="id-badge" href="/reference/orchestrator/identity-fabric">
    Overview of all identity providers
  </Card>

  <Card title="Identity Fabric" icon="code" href="/reference/orchestrator/identity-fabric#configuration-reference">
    Complete field reference for all connector types
  </Card>

  <Card title="Generic OIDC" icon="key" href="/reference/orchestrator/identity-fabric/custom-oidc">
    Generic OpenID Connect connector
  </Card>

  <Card title="Continuity" icon="arrows-rotate" href="/reference/orchestrator/identity-fabric/continuity">
    IdP failover connector
  </Card>
</CardGroup>
