> ## Documentation Index
> Fetch the complete documentation index at: https://docs.strata.io/llms.txt
> Use this file to discover all available pages before exploring further.

# CyberArk (OIDC)

The CyberArk Identity OIDC connector integrates the Maverics Orchestrator with CyberArk Identity using OpenID Connect -- enabling enterprise single sign-on and privileged access management.

<Note>
  **Console terminology:** In the Maverics Console, this section is called
  **Identity Fabric**. The YAML configuration uses the `connectors` key to define
  identity provider integrations.
</Note>

## Overview

The CyberArk OIDC connector uses the generic OIDC connector in the Orchestrator configuration. CyberArk Identity exposes a standard OIDC discovery endpoint, so no CyberArk-specific connector type is needed. For SAML-based federation with CyberArk, see [CyberArk (SAML)](/reference/orchestrator/identity-fabric/cyberark-saml).

## Use Cases

* **Privileged access management** -- Extend CyberArk-managed privileged identities to legacy applications that lack native CyberArk support, bridging PAM-controlled sessions with header-based or cookie-based authentication
* **Unify SSO with CyberArk Identity** -- Federate CyberArk Identity authentication across cloud and on-premises applications, creating a seamless SSO experience for organizations that centralize workforce identity in CyberArk
* **Rationalize identity platforms** -- Consolidate authentication onto CyberArk Identity by orchestrating migration from other IdPs, reducing licensing costs while extending privileged access controls
* **Authentication resilience** -- Configure CyberArk as a primary or failover identity provider alongside other IdPs, ensuring continuous access to critical applications and privileged workflows

## Setup

<Tabs>
  <Tab title="Console UI">
    To create a CyberArk OIDC connector in the Maverics Console:

    1. Navigate to **Identity Fabric** in the Console sidebar.
    2. Click **Create** and select **CyberArk (OIDC)**.
    3. Enter a **Name** -- this is the friendly name that identifies your provider.
    4. Enter the **OIDC Well Known URL** -- for CyberArk, this follows the pattern `https://{tenant}.id.cyberark.cloud/.well-known/openid-configuration`.
    5. Enter the **OAuth Client ID** -- the client ID from your CyberArk Identity application.
    6. Enter the **OAuth Client Secret** -- the client secret from your CyberArk Identity application.
    7. Under **Redirect URLs**, add the callback URL where CyberArk will redirect after authentication.
    8. Optionally configure **Logout Callback URLs** for single logout support.
    9. Optionally set **Scopes** (space-separated). Default scopes are typically `openid profile email`.
    10. The **PKCE** toggle is enabled by default. Disable it only if your CyberArk application is not configured to support Proof Key for Code Exchange.
    11. Optionally enable **Offline Access** for token refresh support (Proxy apps only).
    12. Click **Save**.
  </Tab>

  <Tab title="Configuration">
    ```yaml maverics.yaml theme={null}
    connectors:
      - name: cyberark
        type: oidc
        oidcWellKnownURL: "https://{{ env.CYBERARK_TENANT }}.id.cyberark.cloud/.well-known/openid-configuration"
        oauthClientID: "{{ env.CYBERARK_CLIENT_ID }}"
        oauthClientSecret: <vault.cyberark_client_secret>
        oauthRedirectURL: "https://app.example.com/oidc/callback"
    ```

    ## Configuration Reference

    | Key                 | Type   | Required | Description                                            |
    | ------------------- | ------ | -------- | ------------------------------------------------------ |
    | `name`              | string | Yes      | Unique connector identifier referenced in app policies |
    | `type`              | string | Yes      | Must be `oidc`                                         |
    | `oidcWellKnownURL`  | string | Yes      | CyberArk OIDC discovery endpoint URL                   |
    | `oauthClientID`     | string | Yes      | OAuth 2.0 client ID from CyberArk Identity             |
    | `oauthClientSecret` | string | Yes      | OAuth 2.0 client secret (use secret reference syntax)  |
    | `oauthRedirectURL`  | string | Yes      | Callback URL registered with the CyberArk application  |
    | `tls`               | string | No       | Named TLS profile for provider communication           |

    For the complete field reference including health checks, offline access, and PKCE settings, see [Identity Fabric](/reference/orchestrator/identity-fabric#configuration-reference).
  </Tab>
</Tabs>

## Troubleshooting

* **Verify the discovery URL is accessible** from the Orchestrator host -- ensure the CyberArk tenant name is correct
* **Ensure the redirect URL matches exactly** what is registered in CyberArk Identity
* **Check that the client secret reference resolves correctly** via your secret provider

## Related Pages

<CardGroup cols={2}>
  <Card title="CyberArk (SAML)" icon="vault" href="/reference/orchestrator/identity-fabric/cyberark-saml">
    SAML connector for CyberArk Identity
  </Card>

  <Card title="Identity Fabric" icon="id-badge" href="/reference/orchestrator/identity-fabric">
    Overview of all identity providers
  </Card>

  <Card title="Generic OIDC" icon="openid" href="/reference/orchestrator/identity-fabric/custom-oidc">
    Generic OpenID Connect connector
  </Card>

  <Card title="Generic SAML" icon="file-shield" href="/reference/orchestrator/identity-fabric/custom-saml">
    Generic SAML 2.0 connector
  </Card>
</CardGroup>
