The WSO2 connector integrates the Maverics Orchestrator with WSO2 Identity Server — enabling OIDC-based single sign-on for applications that rely on WSO2 for identity management.
Console terminology: In the Maverics Console, this section is called Identity Fabric. The YAML configuration uses the connectors key to define identity provider integrations.

Overview

The WSO2 connector uses OpenID Connect to federate authentication with WSO2 Identity Server. It supports standard OIDC authorization code flows — allowing you to extend WSO2-managed identities to legacy and modern applications through the Maverics Orchestrator.

Use Cases

  • Unify SSO with WSO2-managed identities — Extend WSO2 Identity Server authentication to legacy applications by translating OIDC tokens into header-based or cookie-based authentication
  • Rationalize identity infrastructure — Orchestrate a phased migration from WSO2 to a target IdP, reducing the cost and complexity of maintaining open-source identity server deployments
  • Authentication resilience — Pair WSO2 with a secondary identity provider for automatic failover, ensuring users retain access to critical applications if WSO2 becomes unavailable
  • Multi-IdP orchestration — Route authentication to WSO2 alongside commercial identity providers, enabling coexistence in complex enterprise environments

Configuration

WSO2 is not available as a dedicated option in the Maverics Console. To configure WSO2, use the Generic OIDC Configuration option:
  1. Navigate to Identity Fabric in the Console sidebar.
  2. Click Create and select Generic OIDC Configuration.
  3. Enter a Name for the connector (e.g., wso2).
  4. Enter the OIDC Well Known URL — for WSO2, this typically follows the pattern https://{wso2-host}/oauth2/oidcdiscovery/.well-known/openid-configuration. Include the port (9443 by default) if WSO2 is not fronted by a proxy on a standard port, and confirm the exact discovery path for your deployment, since it varies between WSO2 versions and setups.
  5. Enter the OAuth Client ID — the client ID from your WSO2 service provider registration.
  6. Enter the OAuth Client Secret — the client secret from your WSO2 service provider registration.
  7. Under Redirect URLs, add the callback URL where WSO2 will redirect after authentication.
  8. Optionally configure Logout Callback URLs for single logout support.
  9. Optionally set Scopes (space-separated). Default scopes are typically openid profile email.
  10. The PKCE toggle is enabled by default. Disable it only if your WSO2 service provider is not configured to support Proof Key for Code Exchange.
  11. Optionally enable Offline Access for token refresh support.
  12. Click Save.
When using the Generic OIDC Configuration in the Console, the deployment configuration will use type: oidc. For the WSO2-specific type: wso2, use the YAML Configuration tab approach instead.

Troubleshooting

  • Verify the well-known URL is accessible from the Orchestrator host — WSO2’s OIDC discovery URL may vary by deployment; confirm the correct path
  • Ensure the oauthRedirectURL matches exactly what is registered in the WSO2 service provider configuration; OIDC compares redirect URIs as plain strings, so scheme, host, port, path and any trailing slash all have to agree
  • Check that the client secret reference resolves correctly via your secret provider
  • PKCE errors — If WSO2 rejects the authorization or token request, verify that the PKCE setting agrees on both sides: the Orchestrator's PKCE toggle and the PKCE configuration of the WSO2 service provider
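The script below is an added example, not Maverics or WSO2 code, and serves both the Configuration steps above and this troubleshooting list. It encodes the pre-flight checks a practitioner would run before going live: the discovery document is reachable over HTTPS and carries the endpoints the code flow needs, its issuer sits on the same host as the well-known URL (a mismatch usually means the wrong discovery path), the redirect URL is an exact-string match for a callback registered on the WSO2 service provider, the client secret is a secret-provider reference rather than a literal, every requested scope is advertised, and S256 PKCE is advertised whenever the toggle is on. It also produces an RFC 7636 code_verifier/code_challenge pair so the effect of the PKCE toggle is concrete. The connector dictionary mirrors the Console fields, but apart from oauthRedirectURL the key names, the angle-bracket secret-reference convention and all sample values are this example's own assumptions.

```python
"""Pre-flight checks for a WSO2 OIDC connector (added example, not Maverics or WSO2 code).

The connector dict mirrors the Console fields. Only oauthRedirectURL is a key the page
names; the other keys and the <secret-name> reference convention are assumptions here.
"""
from __future__ import annotations

import base64
import hashlib
import json
import secrets
import urllib.request
from urllib.parse import urlsplit

REQUIRED_DISCOVERY_KEYS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")

# Constructed sample data: a discovery document as the Orchestrator would fetch it,
# the connector as configured, and the callbacks registered on the WSO2 service provider.
SAMPLE_DISCOVERY = {
    "issuer": "https://wso2.example.com:9443/oauth2/token",
    "authorization_endpoint": "https://wso2.example.com:9443/oauth2/authorize",
    "token_endpoint": "https://wso2.example.com:9443/oauth2/token",
    "jwks_uri": "https://wso2.example.com:9443/oauth2/jwks",
    "scopes_supported": ["openid", "profile", "email"],
    "code_challenge_methods_supported": ["S256", "plain"],
}
SAMPLE_CONNECTOR = {
    "name": "wso2",
    "oidcWellKnownURL": "https://wso2.example.com:9443/oauth2/oidcdiscovery/.well-known/openid-configuration",
    "oauthClientID": "example-client-id",
    "oauthClientSecret": "<wso2-client-secret>",  # assumed reference syntax, resolved by the secret provider
    "oauthRedirectURL": "https://app.example.com/oidc",
    "oauthScopes": "openid profile email",
    "pkce": True,
}
SAMPLE_REGISTERED_CALLBACKS = ["https://app.example.com/oidc"]


def fetch_discovery(well_known_url: str, timeout: float = 5.0) -> dict:
    """Fetch the discovery document; run this from the Orchestrator host, not your laptop."""
    if urlsplit(well_known_url).scheme != "https":
        raise ValueError("well-known URL must be https")
    with urllib.request.urlopen(well_known_url, timeout=timeout) as resp:
        return json.load(resp)


def pkce_challenge(verifier: str) -> str:
    """S256 transform from RFC 7636: BASE64URL(SHA256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def make_pkce_pair() -> tuple[str, str]:
    """Fresh code_verifier (64 unreserved chars) and the code_challenge sent with the authorization request."""
    verifier = secrets.token_urlsafe(48)
    return verifier, pkce_challenge(verifier)


def check_connector(connector: dict, discovery: dict, registered_callbacks: list[str]) -> list[str]:
    """Return findings; an empty list means the connector is consistent with the WSO2 side."""
    findings: list[str] = []
    missing = [k for k in REQUIRED_DISCOVERY_KEYS if k not in discovery]
    if missing:
        findings.append(f"discovery document lacks {', '.join(missing)}")
    # The issuer must live on the host the well-known URL points at; otherwise the
    # discovery path is wrong for this deployment or the document is not WSO2's.
    wk, iss = urlsplit(connector["oidcWellKnownURL"]), urlsplit(discovery.get("issuer", ""))
    if (iss.scheme, iss.netloc) != (wk.scheme, wk.netloc):
        findings.append(f"issuer {discovery.get('issuer')!r} is not on well-known host {wk.netloc!r}")
    # OIDC compares redirect URIs as exact strings: scheme, port, path and trailing slash all count.
    if connector["oauthRedirectURL"] not in registered_callbacks:
        findings.append(f"oauthRedirectURL {connector['oauthRedirectURL']!r} is not registered on the WSO2 service provider")
    secret = connector["oauthClientSecret"]
    if not (len(secret) > 2 and secret.startswith("<") and secret.endswith(">")):
        findings.append("oauthClientSecret should be a <secret-name> reference resolved by the secret provider, not a literal")
    scopes = connector.get("oauthScopes", "openid profile email").split()
    if "openid" not in scopes:
        findings.append("scopes must include openid for an OIDC flow")
    supported = set(discovery.get("scopes_supported", []))
    unsupported = [s for s in scopes if supported and s not in supported]
    if unsupported:
        findings.append(f"scopes not advertised by WSO2: {' '.join(unsupported)}")
    methods = discovery.get("code_challenge_methods_supported", [])
    if connector.get("pkce", True) and "S256" not in methods:
        findings.append("PKCE is enabled on the connector but WSO2 does not advertise S256")
    return findings


if __name__ == "__main__":
    # Offline run against the constructed sample; use fetch_discovery(...) for a live check.
    for line in check_connector(SAMPLE_CONNECTOR, SAMPLE_DISCOVERY, SAMPLE_REGISTERED_CALLBACKS) or ["OK"]:
        print(line)
    verifier, challenge = make_pkce_pair()
    print("code_verifier:", verifier)
    print("code_challenge:", challenge)
```

Run it on the Orchestrator host with the real well-known URL substituted into fetch_discovery so the reachability check exercises the same network path the Orchestrator uses; the registered callback list has to be copied from the WSO2 service provider, since the discovery document does not expose it.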