Configure Maverics to use Duo as a identity provider using the SAML protocol.
.png?sv=2022-11-02&spr=https&st=2025-05-05T16%3A25%3A38Z&se=2025-05-05T16%3A36%3A38Z&sr=c&sp=r&sig=%2Byxsr0asg59sZ6l%2BGNPMbQmBfgQNvRvD%2F1eKJSN%2F2bk%3D)
Identity Fabric/Duo (SAML)→Configure Settings→Use for authentication in any type of user flow
Configure Identity Fabric
Use a Secret Provider
Production settings ought to implement a secret management system. Maverics connects with multiple secret management systems, which keep secrets that Orchestrator instances retrieve during startup. To cite a secret from your provider, enclose the name in angle brackets. (e.g. <app client-id>)
Learn more about Secret Providers
Field Name | Description | Example |
|---|---|---|
Name | A friendly name for your SAML service. |
|
Metadata URL | This is the metadata URL from the application configured in the SAML service. This setting will accept a file:/// URI if the metadata file is saved on a filesystem accessible to the Orchestrator user. |
|
Consumer Service (ACS) URL | The URL that the SAML service will use to POST the SAML response. The Maverics SAML ACS handler will be served on this URL, and it should not conflict with the path of any application resources. The path can be arbitrary (e.g. /maverics-saml or /saml-handler), but must match the service's configuration for the specified Entity ID. |
|
Logout Callback URL | The URL that the SAML server will call back once logout is successful. Ensure your SAML service's logout URL setting matches the URL value specified here. |
|
Identifier (Entity ID) | The unique application entity ID assigned to the application. |
|
Service Provider Certificate | (Optional) The path to the certificate that will be used to sign SAML authentication requests. | ./my-sp-cert.pem, <sp-cert.pem> |
Signing Private Key Path | (Optional) The path to the private key that will be used to sign SAML authentication requests. | ./my-private-key.pem, <private-key.pem> |
Name ID Format | Defines the SAML Subject NameID format specified for the app in your SAML service. |
|
IdP Initiated Login | Accept unsolicited SAML responses from the configured IDP. This is disabled by default. | |
Allowed Redirect URLs | Specifies the allowed redirect URLs for IdP-initiated login. |
|
JSON deployed to the orchestrator
{
"connectors": [
{
"name": "samlClient",
"type": "saml",
"samlEntityID": "MavericsOrchestrator",
"samlMetadataURL": "https://saml-idp.com/FederationMetadata/2007-06/FederationMetadata.xml",
"samlConsumerServiceURL": "https://orchestrator.example.com/acs",
"samlLogoutCallbackURL": "https://orchestrator.example.com/logout",
"samlNameIdFormat": "urn:oasis:names:tc:SAML:2.0:nameid-format:entity",
"samlIDPInitiatedLogin": {
"enabled": true,
"allowedRedirectURLs": [
"https://alpha-app.example.com/dashboard",
"https://beta-app.example.com/index.html"
]
}
}
]
}