Deployments
The Maverics Identity Orchestration Platform employs a hybrid air-gap architecture designed to secure both cloud-based and on-premises applications. This architecture ensures that there is no runtime dependency between customer applications and Strata's services, enhancing resilience and security. Notably, Strata does not store any personally identifiable information (PII), thus simplifying compliance and data protection efforts. Additionally, Maverics' distributed air-gap design allows Identity Orchestration to be deployed closer to applications, reducing latency and improving performance by avoiding unnecessary data round trips.
There are three essential parts of this deployment model:
The Maverics Console is the user interface for defining identity orchestration configuration, managing deployments, and monitoring telemetry.
The Maverics Orchestrator is a stateless service that can be deployed in a customer's environment, whether it is in the cloud or on premises. It runs on Linux, Windows, macOS, and Docker, and can optionally run on Kubernetes.
The configuration storage provider is where the Maverics Console publishes configuration, and also where orchestrators consume that configuration. This approach ensures that identity services remain operational even if cloud connectivity is disrupted, providing continuous access to critical applications.
Deployment Manager
The Deployment Manager is the central hub for modeling, configuring, and managing your identity infrastructure. It enables administrators to define how applications interact with identity systems by organizing configuration into logical building blocks:
Application Patterns (e.g., OIDC, SAML, legacy proxies)
Identity Fabric (IDPs and attribute providers)
User Flows (authentication and authorization policies)
Service Extensions (custom logic).
These elements come together to form a complete deployment that reflects the desired identity and access behavior across environments.
Once configured, deployments are published to a configuration storage location (such as Amazon S3), making them available to orchestrator services. This publish step bundles all application, identity, and runtime settings into a structured format that orchestrators can pull and execute. Through the Deployment Manager, teams gain a centralized, version-controlled, and repeatable method to manage identity operations while supporting zero-trust principles, hybrid environments, and modern IAM patterns—all without changing the underlying applications.
Storage Configuration
Storage Configuration defines where and how the orchestrator retrieves its deployment configuration at runtime. After a deployment is modeled and published through the Deployment Manager, the full configuration is stored in a specified storage location—typically an external object storage service like Amazon S3, Google Cloud Storage, or another compatible provider.
This location acts as the Configuration Source, allowing orchestrators to pull the latest deployment bundle on startup or on a polling interval. Storage Configuration settings are critical for enabling distributed, scalable orchestrator environments and support secure access controls, versioning, and high availability of configuration data.
Storage Configuration begins with creating a deployment in Maverics, which defines the set of applications, user flows, and settings you want to publish. After the deployment is created, you configure your preferred storage provider (such as S3 or GCS) as the destination for the deployment bundle.
To ensure correct setup, follow the storage configuration guide specific to your storage provider for detailed steps and best practices. Once published, you deploy an orchestrator that reads from this storage location. The orchestrator setup includes downloading and installing the binary, configuring the host environment (via environment variables or .env files), and starting the service to fetch and apply the published configuration.
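As an added illustration (not Strata's documentation or a Maverics-supplied artifact), the following S3 bucket policy expresses the publish/consume split described above: the Console's role may write deployment bundles, the orchestrator's role may only read them (including prior object versions, so bucket versioning can be enabled for rollback), and requests that are not over TLS are refused. The bucket name, the `deployments/` prefix, the account ID `111122223333` and both role ARNs are assumed placeholders to be replaced with your own; bucket versioning itself is enabled as a separate bucket setting.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ConsolePublishesDeploymentBundles",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:role/maverics-console-publisher" },
      "Action": ["s3:PutObject"],
      "Resource": "arn:aws:s3:::example-maverics-config/deployments/*"
    },
    {
      "Sid": "OrchestratorsReadBundlesOnly",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:role/maverics-orchestrator" },
      "Action": ["s3:GetObject", "s3:GetObjectVersion"],
      "Resource": "arn:aws:s3:::example-maverics-config/deployments/*"
    },
    {
      "Sid": "BothRolesMayListBundlePrefix",
      "Effect": "Allow",
      "Principal": { "AWS": [
        "arn:aws:iam::111122223333:role/maverics-console-publisher",
        "arn:aws:iam::111122223333:role/maverics-orchestrator"
      ] },
      "Action": ["s3:ListBucket"],
      "Resource": "arn:aws:s3:::example-maverics-config",
      "Condition": { "StringLike": { "s3:prefix": ["deployments/*"] } }
    },
    {
      "Sid": "DenyNonTLSAccess",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::example-maverics-config",
        "arn:aws:s3:::example-maverics-config/*"
      ],
      "Condition": { "Bool": { "aws:SecureTransport": "false" } }
    }
  ]
}
```

Because the orchestrator role has no `s3:PutObject` or `s3:DeleteObject`, a compromised orchestrator host cannot alter the configuration that other orchestrators pull, and versioned reads let you audit exactly which bundle a host applied.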
Applications
Applications in the Strata Maverics platform represent the logical configuration of how an individual app or service integrates with your identity infrastructure. Each application consists of one or more Application Patterns—such as OIDC, SAML, legacy proxy, or API endpoints—that define the protocol-level and integration-specific behavior.
These patterns are connected to User Flows, which define the authentication and authorization logic, and may optionally include Service Extensions to add custom behaviors like claim transformation, third-party API calls, or additional security checks. User Flows reference elements of the Identity Fabric—such as identity providers (IDPs) and attribute providers—to supply the authentication services and attribute data required by the application.
Applications are closely tied to Provider settings, which define how the orchestrator behaves at runtime when acting as a proxy, SAML Identity Provider, or OIDC Provider. While the Application Pattern determines how the app is modeled and which flows it follows, the Provider settings control how the orchestrator responds to protocol requests. For example, an OIDC Application defines the client and associated user flow logic, while the OIDC Provider settings specify issuer metadata, supported scopes, and token handling behavior. Together, these configurations ensure that applications are not only logically and securely integrated but also protocol-compliant and production-ready.
Orchestrator Host Configuration
Orchestrator Host Configuration refers to the runtime settings applied directly on the machine or container where a Maverics Orchestrator is deployed. These configurations define how the orchestrator starts up, communicates securely, and connects to its environment. They are typically applied through environment variables, .env files, or platform-specific setup scripts. Key components include HTTP server settings (like ports, timeouts, and headers), TLS configuration for secure traffic handling, and secrets provider integration for securely retrieving sensitive values such as API keys or tokens.
A critical part of host configuration is remote configuration retrieval, which enables the orchestrator to pull its deployment bundle from a configured storage provider, such as Amazon S3 or Google Cloud Storage. This allows orchestrators to remain stateless and fetch the latest deployment logic at startup. To correctly set up remote retrieval, refer to the Storage Configuration Guides, which provide step-by-step instructions for configuring your storage provider and ensuring secure, reliable access to published configurations. These guides are essential for enabling orchestrators to operate in alignment with the environments defined in the Deployment Manager.