Console terminology: In the Maverics Console, this section is called Identity Fabric. The YAML configuration uses the connectors key to define identity provider integrations.
Overview
The CyberArk OIDC connector uses the generic OIDC connector in the Orchestrator configuration. CyberArk Identity exposes a standard OIDC discovery endpoint, so no CyberArk-specific connector type is needed. For SAML-based federation with CyberArk, see CyberArk (SAML).
Use Cases
- Privileged access management — Extend CyberArk-managed privileged identities to legacy applications that lack native CyberArk support, bridging PAM-controlled sessions with header-based or cookie-based authentication
- Unify SSO with CyberArk Identity — Federate CyberArk Identity authentication across cloud and on-premises applications, creating a seamless SSO experience for organizations that centralize workforce identity in CyberArk
- Rationalize identity platforms — Consolidate authentication onto CyberArk Identity by orchestrating migration from other IdPs, reducing licensing costs while extending privileged access controls
- Authentication resilience — Configure CyberArk as a primary or failover identity provider alongside other IdPs, ensuring continuous access to critical applications and privileged workflows
Configuration
To create a CyberArk OIDC connector in the Maverics Console:
- Navigate to Identity Fabric in the Console sidebar.
- Click Create and select CyberArk (OIDC).
- Enter a Name — this is the friendly name that identifies your provider.
- Enter the OIDC Well Known URL — for CyberArk, this follows the pattern https://{tenant}.id.cyberark.cloud/.well-known/openid-configuration.
- Enter the OAuth Client ID — the client ID from your CyberArk Identity application.
- Enter the OAuth Client Secret — the client secret from your CyberArk Identity application.
- Under Redirect URLs, add the callback URL where CyberArk will redirect after authentication.
- Optionally configure Logout Callback URLs for single logout support.
- Optionally set Scopes (space-separated). Default scopes are typically openid profile email.
- The PKCE toggle is enabled by default. Disable it only if your CyberArk application is not configured to support Proof Key for Code Exchange.
- Optionally enable Offline Access for token refresh support (Proxy apps only).
- Click Save.
Troubleshooting
- Verify the discovery URL is accessible from the Orchestrator host — ensure the CyberArk tenant name is correct
- Ensure the redirect URL matches exactly what is registered in CyberArk Identity
- Check that the client secret reference resolves correctly via your secret provider
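The following script is an added example, not part of this page and not Maverics code. It turns the configuration steps and the troubleshooting checks above into offline pre-flight checks over a connector definition: the discovery URL must follow the https://{tenant}.id.cyberark.cloud/.well-known/openid-configuration pattern with the placeholder replaced, the redirect URL must match a registered value exactly (near misses such as a trailing slash or a case difference are called out), the scopes must include openid, the client secret must be a reference the secret provider can resolve, and PKCE should still be on. The dictionary key names (oidcWellKnownURL, oauthClientID, oauthClientSecret, oauthRedirectURL, scopes, pkce), the <secret-name> reference syntax, the tenant name, the redirect URL and the secret store are all assumptions or constructed sample values, not taken from the Orchestrator schema or from a real tenant.

```python
import re

# Discovery URL pattern given in the configuration steps:
# https://{tenant}.id.cyberark.cloud/.well-known/openid-configuration
WELL_KNOWN_RE = re.compile(
    r"^https://(?P<tenant>[a-z0-9][a-z0-9-]*)\.id\.cyberark\.cloud"
    r"/\.well-known/openid-configuration$",
    re.IGNORECASE,
)

# Assumed syntax for a secret reference, <secret-name>, resolved by the secret provider.
SECRET_REF_RE = re.compile(r"^<(?P<name>[^<>\s]+)>$")

# Constructed stand-in for the Orchestrator's secret provider.
CONSTRUCTED_SECRETS = {"cyberark-client-secret": "constructed-secret-value"}

# Constructed connector definition; key names mirror the Console fields and are assumed.
CONSTRUCTED_CONNECTOR = {
    "name": "cyberark",
    "type": "oidc",
    "oidcWellKnownURL": "https://acme.id.cyberark.cloud/.well-known/openid-configuration",
    "oauthClientID": "constructed-client-id",
    "oauthClientSecret": "<cyberark-client-secret>",
    "oauthRedirectURL": "https://app.example.com/oidc/callback",
    "scopes": "openid profile email",
    "pkce": True,
}

# Constructed list of redirect URLs registered on the CyberArk Identity application.
CONSTRUCTED_REGISTERED_REDIRECTS = ["https://app.example.com/oidc/callback"]


def check_connector(cfg, registered_redirects, secrets):
    """Return a list of problems; an empty list means every pre-flight check passed."""
    problems = []

    # 1. Discovery URL: https, the tenant host, and the {tenant} placeholder actually replaced.
    url = cfg.get("oidcWellKnownURL", "")
    if "{tenant}" in url:
        problems.append("discovery-url: the {tenant} placeholder was not replaced with the tenant name")
    elif not WELL_KNOWN_RE.match(url):
        problems.append(
            "discovery-url: expected https://{tenant}.id.cyberark.cloud/.well-known/openid-configuration"
        )

    # 2. Redirect URL: the registered value must match exactly, so compare exactly and explain near misses.
    redirect = cfg.get("oauthRedirectURL", "")
    if redirect not in registered_redirects:
        hint = ""
        for registered in registered_redirects:
            if registered.rstrip("/") == redirect.rstrip("/"):
                hint = " (differs only by a trailing slash)"
            elif registered.lower() == redirect.lower():
                hint = " (differs only by letter case)"
        problems.append(f"redirect-url: {redirect} is not registered in CyberArk Identity{hint}")

    # 3. Scopes: space-separated, and an OIDC flow requires openid.
    if "openid" not in cfg.get("scopes", "").split():
        problems.append("scopes: the openid scope is required for an OIDC connector")

    # 4. Client secret: a reference the secret provider can resolve, never a literal in the config.
    secret = cfg.get("oauthClientSecret", "")
    match = SECRET_REF_RE.match(secret)
    if match is None:
        problems.append("client-secret: value is not a <secret-name> reference (literal secret in config)")
    elif match.group("name") not in secrets:
        problems.append(f"client-secret: reference {secret} does not resolve in the secret provider")

    # 5. PKCE: on by default; flag it when it has been turned off.
    if not cfg.get("pkce", True):
        problems.append("pkce: disabled; keep it enabled unless the CyberArk application cannot support it")

    return problems


if __name__ == "__main__":
    findings = check_connector(CONSTRUCTED_CONNECTOR, CONSTRUCTED_REGISTERED_REDIRECTS, CONSTRUCTED_SECRETS)
    print("no problems found" if not findings else "\n".join(findings))
```

Run it against the connector definition before saving it; every message names the Console field it relates to, so a failing check maps straight back to the step above. The exact-match comparison of the redirect URL is deliberate: CyberArk Identity rejects a callback that differs even by a trailing slash, and the hint only tells you why the two strings differ, it never relaxes the check.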