The Generic OIDC connector provides a generic OpenID Connect integration for any OIDC-compliant identity provider — giving you flexibility to connect providers that don’t have a dedicated connector in the Orchestrator.
Console terminology: In the Maverics Console, this section is called Identity Fabric. The YAML configuration uses the connectors key to define identity provider integrations.

Overview

The Generic OIDC connector supports standard OpenID Connect discovery, authorization code flow, and token validation. It works with any identity provider that publishes an OIDC discovery document — making it suitable for non-standard providers, development/testing identity servers, and custom-built identity systems.

Use Cases

  • Unify SSO with any OIDC provider — Connect identity providers that don’t have a dedicated connector, extending SSO to legacy applications through any standards-compliant IdP
  • Rationalize custom identity systems — Integrate in-house or niche identity services into a unified orchestration layer, enabling gradual migration to a strategic IdP without rewriting applications
  • Identity resilience with secondary providers — Add any OIDC-compliant provider as a failover target, ensuring authentication continuity regardless of which providers are in your Identity Fabric
  • Development and testing — Integrate with local identity servers like Dex or mock OIDC providers to validate orchestration policies before deploying to production

Setup

To create a Generic OIDC Configuration connector in the Maverics Console:
  1. Navigate to Identity Fabric in the Console sidebar.
  2. Click Create and select Generic OIDC Configuration.
  3. Enter a Name for the connector — this is the friendly name that identifies your OIDC integration.
  4. Enter the OIDC Well Known URL — the URL that returns OpenID Connect metadata about the authorization server (typically ending in /.well-known/openid-configuration). This works with any OIDC-compliant provider.
  5. Enter the OAuth Client ID — the client ID of the application registered with your identity provider.
  6. Enter the OAuth Client Secret — the client secret associated with the client ID. Use the show/hide toggle to verify the value.
  7. Add one or more Redirect URLs — the callback URL(s) where the provider redirects users after authentication. The Maverics OIDC handler will be served on this URL.
  8. Optionally add Logout Callback URLs — the URL(s) that the OIDC provider calls after a successful logout.
  9. Optionally enter Scopes — space-separated OIDC scopes to request (e.g., openid profile email). If left empty, default scopes are used.
  10. Proof Key for Code Exchange (PKCE) is enabled by default. Disable this toggle only if your provider is not configured to support PKCE.
  11. Optionally enable Offline Access if you need refresh tokens. When enabled, set your policy’s decision.lifetime slightly longer than the interval for token refreshing.
  12. Click Save.

The Generic OIDC Configuration works with any identity provider that publishes a standard OIDC discovery document — including Keycloak, Dex, IdentityServer, and other custom OIDC implementations. If your provider has a dedicated connector type in the Console (e.g., Okta, Entra ID), prefer using that instead for provider-specific optimizations.

Troubleshooting

  • Verify the oidcWellKnownURL is accessible from the Orchestrator host — confirm the provider’s discovery document returns valid JSON
  • Ensure the oauthRedirectURL matches exactly what is registered in the identity provider
  • Check that the client secret reference resolves correctly via your secret provider
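The following Python preflight check is an added example, not part of the Maverics documentation or product. It validates a provider's discovery document against the choices made in the Setup steps above (PKCE on by default, requested scopes, offline access) and covers the first troubleshooting item; the discovery document and URLs are constructed samples, and the function name check_discovery is this example's own.

```python
import json
from urllib.parse import urlparse

# Constructed sample discovery document standing in for the JSON returned by a
# provider's /.well-known/openid-configuration endpoint (not a real provider).
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://idp.example.test",
    "authorization_endpoint": "https://idp.example.test/auth",
    "token_endpoint": "https://idp.example.test/token",
    "jwks_uri": "https://idp.example.test/keys",
    "scopes_supported": ["openid", "profile", "email"],
    "code_challenge_methods_supported": ["plain"],
})

REQUIRED_FIELDS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def check_discovery(raw, well_known_url, scopes, pkce=True, offline_access=False):
    """Return a list of findings; an empty list means the document is usable."""
    findings = []
    try:
        doc = json.loads(raw)
    except ValueError:
        return ["discovery document is not valid JSON"]
    for field in REQUIRED_FIELDS:
        if field not in doc:
            findings.append(f"missing required field: {field}")
    # Per OIDC Discovery the well-known URL is the issuer plus the suffix;
    # a mismatch means ID tokens will fail issuer validation later.
    base = well_known_url.removesuffix("/.well-known/openid-configuration")
    if doc.get("issuer") and doc["issuer"].rstrip("/") != base.rstrip("/"):
        findings.append(f"issuer {doc['issuer']} does not match well-known URL base {base}")
    # Codes, tokens and signing keys travel over these endpoints: require HTTPS.
    for field in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        url = doc.get(field, "")
        if url and urlparse(url).scheme != "https":
            findings.append(f"{field} is not https: {url}")
    # PKCE is enabled by default in the connector; S256 is the method to expect.
    if pkce and "S256" not in doc.get("code_challenge_methods_supported", []):
        findings.append("PKCE enabled but provider does not advertise S256")
    # Offline Access means the offline_access scope must be available too.
    wanted = set(scopes.split())
    if offline_access:
        wanted.add("offline_access")
    supported = doc.get("scopes_supported")  # optional in the spec, so may be absent
    if supported is not None:
        for scope in sorted(wanted - set(supported)):
            findings.append(f"requested scope not advertised: {scope}")
    return findings
```

Run it against the real discovery URL's response body before saving the connector; each finding maps to one of the Setup toggles or the troubleshooting list.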