The Keycloak connector integrates the Maverics Orchestrator with Keycloak — enabling OIDC-based single sign-on using the open-source identity platform.
Console terminology: In the Maverics Console, this section is called Identity Fabric. The YAML configuration uses the connectors key to define identity provider integrations.

Overview

The Keycloak connector uses OpenID Connect. Keycloak publishes a standard OIDC discovery endpoint per realm, making it straightforward to integrate with the Orchestrator — whether Keycloak is self-hosted or running in a managed environment.

Use Cases

  • Unify SSO with open-source identity — Extend Keycloak authentication to legacy and enterprise applications, delivering seamless SSO for organizations that prefer open-source identity infrastructure
  • Rationalize commercial IdP costs — Use Keycloak as a cost-effective replacement for commercial identity platforms, orchestrating gradual migration without disrupting application access
  • Self-hosted identity resilience — Deploy Keycloak as a self-hosted failover IdP alongside a primary SaaS provider, ensuring authentication continuity even during cloud provider outages
  • On-premises and private-cloud identity — Connect to Keycloak deployments running in private environments where a SaaS IdP is not an option, bridging air-gapped or regulated infrastructure with modern applications

Configuration

To create a Keycloak (OIDC) connector in the Maverics Console:
  1. Navigate to Identity Fabric in the Console sidebar.
  2. Click Create and select Keycloak (OIDC).
  3. Enter a Name — this is the friendly name that identifies your provider.
  4. Enter the OIDC Well Known URL — for Keycloak, this follows the pattern https://{host}/realms/{realm}/.well-known/openid-configuration.
  5. Enter the OAuth Client ID — the client ID of the Maverics application registered in your Keycloak realm.
  6. Enter the OAuth Client Secret — the client secret from the Keycloak client configuration.
  7. Under Redirect URLs, add the callback URL where Keycloak will redirect after authentication. This URL must match the Valid Redirect URIs configured in your Keycloak client.
  8. Optionally configure Logout Callback URLs for single logout support.
  9. Optionally set Scopes (space-separated). Default scopes are typically openid profile email.
  10. The PKCE toggle is enabled by default. Disable it only if your Keycloak client is not configured to support Proof Key for Code Exchange.
  11. Optionally enable Offline Access for token refresh support (Proxy apps only).
  12. Click Save.

Troubleshooting

  • Verify the well-known URL is accessible from the Orchestrator host — ensure the Keycloak host and realm name are correct
  • Ensure the redirect URL matches exactly what is registered in the Keycloak client under Valid Redirect URIs
  • Check that the client secret reference resolves correctly via your secret provider
  • Confirm the Keycloak realm is active — disabled or misconfigured realms will cause OIDC discovery to fail
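The following script is an added example, not code from Maverics or Keycloak. It runs the pre-flight checks that the Configuration steps and the Troubleshooting list above depend on: it builds the well-known URL from a host and realm, fetches the discovery document from the Orchestrator host's point of view, checks that the issuer, endpoints, scopes and PKCE support match what the connector is configured with, and compares the callback URL against the client's Valid Redirect URIs as an exact string. The host, realm, callback URL and the embedded discovery document are constructed sample values modelled on what a Keycloak realm publishes.

```python
"""Pre-flight checks for a Keycloak (OIDC) connector configuration.

Added example (not Maverics or Keycloak code). Validates the values the
Configuration steps ask for against the realm's OIDC discovery document.
"""
import json
from urllib.error import HTTPError, URLError
from urllib.request import urlopen

# Endpoints the authorization-code flow cannot work without.
REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")


def well_known_url(host: str, realm: str) -> str:
    """Discovery URL for a realm, using the pattern from Configuration step 4."""
    return f"https://{host}/realms/{realm}/.well-known/openid-configuration"


def fetch_discovery(url: str, timeout: float = 5.0) -> dict:
    """Fetch the discovery document. Run this on the Orchestrator host so that a
    DNS or firewall problem between Orchestrator and Keycloak surfaces here."""
    try:
        with urlopen(url, timeout=timeout) as resp:
            return json.load(resp)
    except HTTPError as e:
        raise RuntimeError(f"{url} returned HTTP {e.code}: check host and realm name") from e
    except URLError as e:
        raise RuntimeError(f"{url} unreachable from this host: {e.reason}") from e


def check_discovery(doc: dict, host: str, realm: str,
                    scopes: str = "openid profile email",
                    pkce: bool = True, offline_access: bool = False) -> list[str]:
    """Return a list of configuration problems; an empty list means all checks passed."""
    problems = []
    # The issuer in the document must be the realm you think you configured.
    expected_issuer = f"https://{host}/realms/{realm}"
    if doc.get("issuer") != expected_issuer:
        problems.append(f"issuer {doc.get('issuer')!r} != {expected_issuer!r}: wrong host or realm")
    for key in REQUIRED_ENDPOINTS:
        if not doc.get(key):
            problems.append(f"discovery document is missing {key}")
    if "authorization_code" not in doc.get("grant_types_supported", []):
        problems.append("realm does not advertise the authorization_code grant")
    # Scopes are space-separated in the Console; Offline Access adds offline_access.
    wanted = set(scopes.split())
    if offline_access:
        wanted.add("offline_access")
    missing = sorted(wanted - set(doc.get("scopes_supported", [])))
    if missing:
        problems.append(f"realm does not advertise scopes: {' '.join(missing)}")
    # PKCE is on by default in the connector; the realm must support S256.
    if pkce and "S256" not in doc.get("code_challenge_methods_supported", []):
        problems.append("PKCE is enabled but realm does not advertise S256")
    return problems


def redirect_url_registered(valid_redirect_uris: list[str], callback_url: str) -> bool:
    """Exact string comparison, as the Troubleshooting list requires. A trailing
    slash, a different scheme or a different port is a mismatch."""
    return callback_url in valid_redirect_uris


# Constructed sample discovery document, shaped like a Keycloak realm's.
SAMPLE_DISCOVERY = {
    "issuer": "https://sso.example.com/realms/corp",
    "authorization_endpoint": "https://sso.example.com/realms/corp/protocol/openid-connect/auth",
    "token_endpoint": "https://sso.example.com/realms/corp/protocol/openid-connect/token",
    "jwks_uri": "https://sso.example.com/realms/corp/protocol/openid-connect/certs",
    "end_session_endpoint": "https://sso.example.com/realms/corp/protocol/openid-connect/logout",
    "grant_types_supported": ["authorization_code", "refresh_token"],
    "scopes_supported": ["openid", "profile", "email", "offline_access"],
    "code_challenge_methods_supported": ["plain", "S256"],
}

if __name__ == "__main__":
    # Offline run against the sample; replace with fetch_discovery(well_known_url(...)) for a live realm.
    host, realm = "sso.example.com", "corp"
    print("well-known URL:", well_known_url(host, realm))
    for p in check_discovery(SAMPLE_DISCOVERY, host, realm, offline_access=True):
        print("PROBLEM:", p)
    callback = "https://app.example.com/oidc/callback"
    registered = ["https://app.example.com/oidc/callback"]
    print("redirect URL registered:", redirect_url_registered(registered, callback))
```

Against a live realm, swap `SAMPLE_DISCOVERY` for `fetch_discovery(well_known_url(host, realm))` and run the script on the Orchestrator host itself; an unreachable or wrong URL fails in `fetch_discovery` with the status code, while a mismatched realm name fails the issuer check even when the URL resolves. The redirect check is deliberately strict: Keycloak also accepts a trailing `*` wildcard in Valid Redirect URIs, which this check does not model, so a registered wildcard entry will be reported as a mismatch.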