Claims Transformation for SAML and OIDC

No need to rewrite applications in order for them to accept different identity protocols

Future-proof applications in case you change SAML or OIDC providers at a later time

Allow for the addition of additional modern authentication solutions within the existing UX

Recipe summary: Claims Transformation – SAML and OIDC

This recipe demonstrates how Maverics makes it easy to incorporate SAML and OIDC to sessions and apps by abstracting the complexity of SAML or OIDC. With Maverics, you can add SAML and OIDC to apps without rewriting them. Maverics converts SAML and OIDC claims into HTTP headers that drop right into your apps. This enables applications that expect OIDC to accept SAML attributes without any need to refactor the apps themselves.

GET A DEMO ›

Recipe instructions: Claims Transformation – SAML and OIDC

1

User requests a protected application (which is expecting an OIDC exchange).
2

User's session is redirected to the Maverics Orchestrator.
3

Maverics will evaluate if a valid session exists with your Authentication provider of choice (GCP's IAP in this case)./
4

If the user hasn't authenticated yet - Maverics will redirect the user to properly authenticate using Google's identity provider.
5

[optional] Google's IAP performs whatever zero trust checks it deems appropriate for the user.
6

IAP sends a SAML assertion to Maverics.
7

Maverics consumes the SAML token and parses it's assertions.
8

[optional] Maverics can grab other attributes from other places for richer policy enforcement or additional claims.
9

Maverics provides an auth code to the user's session and redirects to the target application.
10

Target application exchanges the auth code directly with Maverics to validate.
11

User is granted access to the application.

View recipe in action: Claims Transformation – SAML and OIDC

Recipe sequence diagram: Claims Transformation — SAML and OIDC

Recipe YAML config settings: Claims Transformation — SAML and OIDC

Maverics Identity Orchestration works with a simple YAML config* (as shown in the figure to the right). No app rewrites or custom code is required. Download this recipe’s full config file below.

*Config may vary based on your environment.

DOWNLOAD CONFIG ›

Keep your employee data sovereign, local and resident. Support your multi-national operations with region-specific IDPs that give users controlled access to common apps.

Multiple IDPs

Modern Authentication

Use this recipe ›

How to add modern authentication to any app still using NTLM over LDAP for authentication

Still using Active Directory to authenticate users? Secure your legacy mission-critical apps with a modern IDP instead — without refactoring.

LDAP

Modern Authentication

Use this recipe ›

How to move from your legacy IDP to CyberArk Identity without refactoring a thing

Break up with your outdated IDP, keep the complex access policies you love, and replace it with modern authentication and passwordless protection from CyberArk Identity — all without rewriting your apps.

CyberArk

Non-standard App

Migration

Use this recipe ›

RECIPES › CLAIMS TRANSFORMATION

Claims Transformation for SAML and OIDC

No need to rewrite applications in order for them to accept different identity protocols

Future-proof applications in case you change SAML or OIDC providers at a later time

Allow for the addition of additional modern authentication solutions within the existing UX

Recipe summary: Claims Transformation – SAML and OIDC

Recipe instructions: Claims Transformation – SAML and OIDC

View recipe in action: Claims Transformation – SAML and OIDC

Recipe sequence diagram: Claims Transformation — SAML and OIDC

Recipe YAML config settings: Claims Transformation — SAML and OIDC

Similar Recipes

Ready to make identity consistent?

Share on Mastodon