Skip to main content
Identity connectors allow the Maverics Orchestrator to integrate with upstream identity providers, attribute sources, and authentication services. Each connector abstracts the protocol-specific details, giving you a unified interface for authentication flows and attribute retrieval.
Console terminology: In the Maverics Console, this section is called Identity Fabric. The YAML configuration uses the connectors key to define identity provider integrations.

Available Connectors

The following table lists all connector types supported by the Orchestrator. The type column shows the exact value used in the YAML connectors[].type field.
ConnectorTypeProtocolUse Case
Azure ADazureOIDCMicrosoft Entra ID SSO, hybrid identity
OktaoktaOIDCOkta SSO consolidation, legacy app bridging
PingFederatepingfederateOIDCPingFederate on-premises federation
Auth0auth0OIDCAuth0 SSO federation, tenant migration
ADFSadfsOIDCADFS-to-cloud migration, hybrid federation
Amazon CognitocognitoOIDCCognito user pool SSO, AWS identity
Custom OIDCoidcOIDCAny OIDC-compliant provider
Google WorkspaceoidcOIDCGoogle Workspace SSO (uses generic OIDC)
WSO2wso2OIDCWSO2 Identity Server
HYPRhyprOIDCHYPR passwordless authentication
OneKosmosonekosmosOIDCOneKosmos MFA
Custom SAMLsamlSAML 2.0Any SAML-compliant provider
LDAPldapLDAP/LDAPSLegacy directory integration, attribute lookups
Active DirectoryactivedirectoryLDAP (via AD)Active Directory integration
ContinuitycontinuityFailover aggregationIdP failover, zero-downtime migration
Windows Client AuthenticatorwindowsclientauthenticatorWindows authWindows desktop credential authentication via IIS
Connector types without dedicated pages (wso2, hypr, onekosmos) use the shared OIDC connector field set documented in the Configuration Reference section below.

Mode Compatibility

Identity Fabric connectors work with all five Orchestrator modes. The connector determines which protocol the Orchestrator uses to communicate with your identity provider. The mode determines which protocol the Orchestrator uses to communicate with your application. These are independent — an OIDC connector can feed a SAML Provider mode app, and a SAML connector can feed an OIDC Provider mode app. The Orchestrator handles all protocol translation.
  • OIDC connectors (Azure AD, Okta, Auth0, Custom OIDC) — Used with all modes. Most common for OIDC Provider and HTTP Proxy.
  • SAML connectors (Custom SAML, ADFS) — Used primarily with SAML Provider and HTTP Proxy. The Orchestrator translates SAML upstream to any downstream protocol.
  • LDAP connectors (LDAP, Active Directory) — Used primarily as attribute providers (enriching claims with directory data). Most common with HTTP Proxy and LDAP Provider modes.
  • Continuity connector — Mode-agnostic. Wraps other connectors to provide IdP failover.
See the connector compatibility matrix for the full matrix showing which connectors are commonly paired with which modes.

Configuration Reference

Connectors are defined under the connectors top-level key as an array. Each connector has a name (unique identifier) and type (connector protocol). OIDC-based connectors (azure, okta, auth0, adfs, pingfederate, wso2, cognito, and generic oidc) share a common field set. LDAP-based connectors (ldap and activedirectory) have their own field set. The Continuity connector has type-specific fields documented below, with full details on their respective integration reference pages.

Common Fields

Every connector requires a name and type.
KeyTypeRequiredDescription
connectors[].namestringYesUnique connector identifier referenced by app policies and attribute providers
connectors[].typestringYesConnector type — see the Available Connectors table above for all supported types

OIDC Connector Fields

These fields apply to connectors with type oidc, azure, okta, auth0, adfs, pingfederate, wso2, or cognito. All OIDC-based connectors share this common field set.
KeyTypeDefaultRequiredDescription
oauthClientIDstringYesOAuth 2.0 client ID issued by the identity provider
oauthClientSecretstringConditionalClient secret — use secret reference syntax <namespace.key>; mutually exclusive with oauthClientAssertion
oidcWellKnownURLstringYesOIDC discovery endpoint URL (e.g., https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration)
oauthRedirectURLstringNoOAuth redirect URL for authentication callback
oidcLogoutCallbackURLstringNoOIDC logout callback URL
scopesstring"openid profile email"NoSpace-separated OAuth scopes to request during authentication
disablePKCEbooleanfalseNoDisable Proof Key for Code Exchange (PKCE)
tlsstringNoTLS profile name for IdP communication — references a named profile under the tls top-level key
oauthClientAssertion.privateKeystringConditionalPEM-encoded private key for JWT-based client authentication (RFC 7523); mutually exclusive with oauthClientSecret
oauthClientAssertion.audiencestringNoJWT assertion audience claim
Additional OIDC connector fields (oauthLoginRedirect, oauthLogoutRedirect, offlineAccess) are available for advanced redirect and refresh token configuration. These are documented in detail on individual connector integration reference pages.

SAML Connector Fields

These fields apply to connectors with type saml.
KeyTypeDefaultRequiredDescription
samlMetadataURLstringYesSAML IdP metadata URL for automatic configuration
samlConsumerServiceURLstringYesAssertion Consumer Service (ACS) URL where the IdP sends SAML responses
samlLogoutCallbackURLstringNoLogout callback URL for SAML single logout
samlEntityIDstringNoService Provider entity ID
samlSPCertPathstringNoPath to the SP certificate file for request signing
samlSPKeyPathstringNoPath to the SP private key file for request signing
samlNameIDFormatstringNoRequested Name ID format (e.g., urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress)
cachestringNoCache name reference for SAML request data storage
tlsstringNoTLS profile name for IdP communication

LDAP Connector Fields

These fields apply to connectors with type ldap or activedirectory.
KeyTypeDefaultRequiredDescription
urlarrayYesLDAP server URLs (e.g., ldap://ldap.example.com:389 or ldaps://ldap.example.com:636)
serviceAccountUsernamestringYesBind DN for the service account (e.g., cn=admin,dc=example,dc=com)
serviceAccountPasswordstringYesService account password — use secret reference syntax <namespace.key>
baseDNstringYesBase DN for LDAP searches (e.g., dc=example,dc=com)
usernameSearchKeystringNoLDAP attribute used for username lookups (e.g., uid, sAMAccountName)
userRDNKeystringNoRelative Distinguished Name key for user entries
enableAuthenticationbooleanNoEnable LDAP bind authentication for end users
loginUrlstringNoURL for the LDAP login form
userAttributesarrayNoList of LDAP attributes to retrieve (e.g., ["cn", "email", "memberOf"])
objectClassesarrayNoObject classes for the LDAP search filter (e.g., ["inetOrgPerson"])
attributeMappingobjectNoMap attribute names from LDAP to internal names (e.g., email: "mail", name: "cn")
attributeDelimiterstring","NoDelimiter for multi-valued LDAP attributes
tlsstringNoTLS profile name for LDAP connection
LDAP connectors use attributeMapping to rename LDAP attributes to friendly names. OIDC connectors do not have an attribute mapping field — OIDC claims are used directly by their claim name. Attribute-to-claim mapping for applications is configured via claimsMapping on OIDC and SAML app types.

Continuity

Continuity connectors provide health-check-driven failover across multiple identity providers. The Orchestrator performs configurable health checks on each configured IdP. If health checks pass, authentication requests are routed to IdPs in the configured order. If an IdP is unhealthy (health check fails), it is skipped and the next healthy IdP handles the authentication request. This is proactive health-check-based routing, not trial-and-error login attempts.
KeyTypeRequiredDescription
strategystringYesFailover strategy — only failover is supported
failover.idpsarrayYesOrdered list of connector names. The first healthy IdP handles requests; unhealthy IdPs are skipped.
attributesarrayNoAttribute normalization rules across IDPs

Connector Health Checks

Health check monitoring is available on OIDC, SAML, and LDAP connectors. When enabled, the Orchestrator periodically probes the identity provider and tracks its availability.
KeyTypeDefaultDescription
healthCheck.enabledbooleanfalseEnable health monitoring for this connector
healthCheck.intervalstring"30s"Time between health check probes (duration string)
healthCheck.timeoutstring"5s"Timeout for each health check probe (duration string)
healthCheck.healthyThresholdinteger3Consecutive successes required to mark the connector as healthy
healthCheck.unhealthyThresholdinteger3Consecutive failures required to mark the connector as unhealthy
For advanced scenarios, healthCheck.customEndpoint allows configuring a custom HTTP health probe with specific endpoint URL, headers, TLS profile, and response matching rules (status codes, body content).

Example

Console UI documentation is coming soon. This section will walk you through configuring this component using the Maverics Console’s visual interface, including step-by-step screenshots and field descriptions.

Connector Pages

Azure AD

OIDC connector for Microsoft Entra ID

Okta

OIDC connector for Okta platform

PingFederate

OIDC connector for Ping Identity’s PingFederate

Auth0

OIDC connector for Auth0 by Okta

ADFS

OIDC connector for Active Directory Federation Services

Amazon Cognito

OIDC connector for AWS Cognito user pools

Custom OIDC

Generic OpenID Connect connector

Google Workspace

Google Workspace SSO using generic OIDC connector

LDAP

LDAP/LDAPS directory connector

Active Directory

Active Directory connector via LDAP

Custom SAML

Generic SAML 2.0 connector

Continuity

Failover connector for IdP high availability

Windows Client Authenticator

Windows desktop credential authentication via IIS

Config Sources

Where the Orchestrator reads its configuration

Secret Providers

How the Orchestrator retrieves secrets at runtime

Sessions

Session storage options and production support status