The Okta connector integrates the Maverics Orchestrator with the Okta identity platform — enabling OIDC-based single sign-on for your applications.
Console terminology: In the Maverics Console, this section is called Identity Fabric. The YAML configuration uses the connectors key to define identity provider integrations.

Overview

The Okta connector uses OpenID Connect to federate authentication with Okta and supports standard OIDC flows — allowing you to consolidate SSO across applications and bridge Okta-managed identities with legacy applications that lack native Okta support.

Use Cases

  • Unify SSO for legacy applications — Extend Okta SSO to legacy and on-premises applications that lack native OIDC support by translating tokens into header-based or cookie-based authentication
  • Rationalize IdP sprawl — Migrate users from competing identity platforms to Okta at your own pace, reducing licensing costs while maintaining uninterrupted access to all applications
  • Authentication resilience — Pair Okta with a secondary identity provider for automatic failover, ensuring users can still authenticate if Okta experiences downtime
  • Multi-IdP orchestration — Route authentication requests to Okta alongside other identity providers based on user attributes, application requirements, or organizational policy

Setup

To create an Okta (OIDC) connector in the Maverics Console:
  1. Navigate to Identity Fabric in the Console sidebar.
  2. Click Create and select Okta (OIDC).
  3. Enter a Name — this is the friendly name that identifies your provider.
  4. Enter the OIDC Well Known URL — for Okta, this follows the pattern https://{your-org}.okta.com/.well-known/openid-configuration. If you are using a custom authorization server, use https://{your-org}.okta.com/oauth2/{server-id}/.well-known/openid-configuration.
  5. Enter the OAuth Client ID — the client ID from your Okta application integration.
  6. Enter the OAuth Client Secret — the client secret from your Okta application integration.
  7. Under Redirect URLs, add the callback URL where Okta will redirect after authentication. This URL must match the Sign-in redirect URI configured in your Okta application.
  8. Optionally configure Logout Callback URLs for single logout support.
  9. Optionally set Scopes (space-separated). Default scopes are typically openid profile email.
  10. The PKCE toggle is enabled by default. Disable it only if your Okta application is not configured to support Proof Key for Code Exchange.
  11. Optionally enable Offline Access for token refresh support (Proxy apps only).
  12. Click Save.

Troubleshooting

  • Verify the oidcWellKnownURL is accessible from the Orchestrator host — ensure the Okta org name is correct
  • Ensure the oauthRedirectURL matches exactly what is registered in the Okta application under Sign-in redirect URIs
  • Check that the client secret reference resolves correctly via your secret provider
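The first two troubleshooting checks, together with the Scopes and PKCE settings from Setup, can be verified against the provider's discovery document before saving the connector. The following is an added example, not Maverics or Okta code: the discovery document, org name and URLs are constructed samples, and the "scopes" and "pkce" setting names are hypothetical stand-ins for the Console fields.

```python
import json

WELL_KNOWN_SUFFIX = "/.well-known/openid-configuration"

# Constructed sample: a trimmed discovery document for a custom authorization server.
SAMPLE_DISCOVERY = json.loads("""{
  "issuer": "https://example-org.okta.com/oauth2/default",
  "scopes_supported": ["openid", "profile", "email", "offline_access"],
  "code_challenge_methods_supported": ["S256"]
}""")

# Constructed sample settings; "scopes" and "pkce" are hypothetical key names.
SAMPLE_SETTINGS = {
    "oidcWellKnownURL": "https://example-org.okta.com/oauth2/default" + WELL_KNOWN_SUFFIX,
    "oauthRedirectURL": "https://app.example.com/oidc",
    "scopes": "openid profile email",
    "pkce": True,
}
# Constructed sample: Sign-in redirect URIs registered in the Okta application.
SAMPLE_REGISTERED = ["https://app.example.com/oidc"]

def check_connector(settings, discovery, registered_redirects):
    """Return a list of findings; an empty list means the settings are consistent."""
    findings = []
    url = settings["oidcWellKnownURL"]
    if not url.startswith("https://"):
        findings.append("well-known URL is not https")
    if not url.endswith(WELL_KNOWN_SUFFIX):
        findings.append("well-known URL does not end in " + WELL_KNOWN_SUFFIX)
    # OIDC Discovery: the issuer must equal the well-known URL minus the suffix,
    # so a wrong org name or authorization server id shows up here.
    elif discovery.get("issuer") != url[: -len(WELL_KNOWN_SUFFIX)]:
        findings.append("issuer does not match the well-known URL")
    # Exact string comparison: a trailing slash, different case or port fails.
    if settings["oauthRedirectURL"] not in registered_redirects:
        findings.append("redirect URL is not registered exactly")
    supported = discovery.get("scopes_supported")
    missing = set(settings["scopes"].split()) - set(supported or [])
    if supported is not None and missing:
        findings.append("unsupported scopes: " + " ".join(sorted(missing)))
    if settings["pkce"] and "S256" not in discovery.get("code_challenge_methods_supported", []):
        findings.append("PKCE enabled but S256 not advertised")
    return findings

if __name__ == "__main__":
    print(check_connector(SAMPLE_SETTINGS, SAMPLE_DISCOVERY, SAMPLE_REGISTERED) or "OK")
```

In practice the discovery document would be fetched from the well-known URL on the Orchestrator host itself, which also confirms the reachability check in the first bullet.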