ADFS

The ADFS connector integrates the Maverics Orchestrator with Microsoft Active Directory Federation Services — enabling OIDC-based authentication for applications that rely on ADFS for identity federation.

Console terminology: In the Maverics Console, this section is called Identity Fabric. The YAML configuration uses the connectors key to define identity provider integrations.

Overview

The ADFS connector uses OpenID Connect to federate authentication with ADFS. It uses type: adfs in the connector configuration and communicates with ADFS via its OIDC endpoint. It is designed for organizations modernizing their identity infrastructure — allowing you to migrate away from ADFS without disrupting existing applications or requiring simultaneous cutover of all relying parties.

The Maverics connector communicates with ADFS using the OIDC protocol. While ADFS supports WS-Federation and SAML natively, the Orchestrator uses the ADFS OIDC endpoint for authentication flows.

Use Cases

ADFS-to-cloud migration — Gradually move relying parties from ADFS to cloud-based identity providers without downtime
ADFS modernization — Add modern authentication capabilities (MFA, conditional access) to ADFS-protected applications without modifying ADFS itself
Hybrid on-prem/cloud federation — Bridge ADFS with cloud identity providers for organizations in transition

Configuration

Console UI
Configuration

Console UI documentation is coming soon. This section will walk you through configuring this component using the Maverics Console’s visual interface, including step-by-step screenshots and field descriptions.

ADFS configuration screen in Maverics Console

connectors:
  - name: adfs
    type: adfs
    oidcWellKnownURL: "https://{{ env.ADFS_HOST }}/adfs/.well-known/openid-configuration"
    oauthClientID: "{{ env.ADFS_CLIENT_ID }}"
    oauthClientSecret: <vault.adfs_client_secret>
    oauthRedirectURL: "https://app.example.com/oidc/callback"
    scopes: "openid profile email"

Configuration Reference

Key	Type	Required	Description
`name`	string	Yes	Unique connector identifier referenced in app policies
`type`	string	Yes	Must be `adfs`
`oidcWellKnownURL`	string	Yes	OIDC discovery endpoint URL (ADFS OIDC endpoint)
`oauthClientID`	string	Yes	OAuth 2.0 client ID registered in ADFS
`oauthClientSecret`	string	Yes	OAuth 2.0 client secret (use secret reference syntax)
`oauthRedirectURL`	string	Yes	Callback URL registered in the ADFS application group
`scopes`	string	No	Space-separated OAuth scopes (default: `openid profile email`)
`oauthExtraParams`	map	No	Additional query parameters for the authorization request
`tls`	string	No	Named TLS profile for provider communication

For the complete field reference including health checks, offline access, and PKCE settings, see Identity Fabric.

Troubleshooting

Verify the oidcWellKnownURL is accessible from the Orchestrator host — the ADFS OIDC discovery endpoint is typically at {adfs-host}/adfs/.well-known/openid-configuration
Ensure the oauthRedirectURL matches exactly what is registered in the ADFS application group configuration
Check that the client secret reference resolves correctly via your secret provider

Identity Fabric

Overview of all identity providers

Custom SAML

Generic SAML 2.0 connector

Azure AD

OIDC connector for Microsoft Entra ID

Continuity

Failover connector for IdP high availability

Console Administration

Orchestration

Overview

Use Cases

Configuration

Configuration Reference

Troubleshooting

Identity Fabric

Custom SAML

Azure AD

Continuity

Console Administration

Orchestration

​Overview

​Use Cases

​Configuration

​Configuration Reference

​Troubleshooting

​Related Pages

Identity Fabric

Custom SAML

Azure AD

Continuity

Overview

Use Cases

Configuration

Configuration Reference

Troubleshooting

Related Pages