> ## Documentation Index
> Fetch the complete documentation index at: https://docs.strata.io/llms.txt
> Use this file to discover all available pages before exploring further.

# WSO2 Identity Server (OIDC)

The WSO2 connector integrates the Maverics Orchestrator with WSO2 Identity Server -- enabling OIDC-based single sign-on for applications that rely on WSO2 for identity management.

<Note>
  **Console terminology:** In the Maverics Console, this section is called
  **Identity Fabric**. The YAML configuration uses the `connectors` key to define
  identity provider integrations.
</Note>

## Overview

The WSO2 connector uses OpenID Connect to federate authentication with WSO2 Identity Server. It supports standard OIDC authorization code flows -- allowing you to extend WSO2-managed identities to legacy and modern applications through the Maverics Orchestrator.

## Use Cases

* **Unify SSO with WSO2-managed identities** -- Extend WSO2 Identity Server authentication to legacy applications by translating OIDC tokens into header-based or cookie-based authentication
* **Rationalize identity infrastructure** -- Orchestrate a phased migration from WSO2 to a target IdP, reducing the cost and complexity of maintaining open-source identity server deployments
* **Authentication resilience** -- Pair WSO2 with a secondary identity provider for automatic failover, ensuring users retain access to critical applications if WSO2 becomes unavailable
* **Multi-IdP orchestration** -- Route authentication to WSO2 alongside commercial identity providers, enabling coexistence in complex enterprise environments

## Setup

<Tabs>
  <Tab title="Console UI">
    WSO2 is not available as a dedicated option in the Maverics Console. To configure WSO2, use the **Generic OIDC Configuration** option:

    1. Navigate to **Identity Fabric** in the Console sidebar.
    2. Click **Create** and select **Generic OIDC Configuration**.
    3. Enter a **Name** for the connector (e.g., `wso2`).
    4. Enter the **OIDC Well Known URL** -- for WSO2, this follows the pattern `https://{wso2-host}/oauth2/oidcdiscovery/.well-known/openid-configuration`.
    5. Enter the **OAuth Client ID** -- the client ID from your WSO2 service provider registration.
    6. Enter the **OAuth Client Secret** -- the client secret from your WSO2 service provider registration.
    7. Under **Redirect URLs**, add the callback URL where WSO2 will redirect after authentication.
    8. Optionally configure **Logout Callback URLs** for single logout support.
    9. Optionally set **Scopes** (space-separated). Default scopes are typically `openid profile email`.
    10. The **PKCE** toggle is enabled by default. Disable it only if your WSO2 service provider is not configured to support Proof Key for Code Exchange.
    11. Optionally enable **Offline Access** for token refresh support.
    12. Click **Save**.

    <Note>
      When using the Generic OIDC Configuration in the Console, the deployment configuration will use `type: oidc`. For the WSO2-specific `type: wso2`, use the YAML Configuration tab approach instead.
    </Note>
  </Tab>

  <Tab title="Configuration">
    ```yaml maverics.yaml theme={null}
    connectors:
      - name: wso2
        type: wso2
        oidcWellKnownURL: "https://{{ env.WSO2_HOST }}/oauth2/oidcdiscovery/.well-known/openid-configuration"
        oauthClientID: "{{ env.WSO2_CLIENT_ID }}"
        oauthClientSecret: <vault.wso2_client_secret>
        oauthRedirectURL: "https://app.example.com/oidc/callback"
    ```

    ## Configuration Reference

    | Key                 | Type   | Required | Description                                                      |
    | ------------------- | ------ | -------- | ---------------------------------------------------------------- |
    | `name`              | string | Yes      | Unique connector identifier referenced in app policies           |
    | `type`              | string | Yes      | Must be `wso2`                                                   |
    | `oidcWellKnownURL`  | string | Yes      | OIDC discovery endpoint URL for WSO2 Identity Server             |
    | `oauthClientID`     | string | Yes      | OAuth 2.0 client ID from the WSO2 service provider configuration |
    | `oauthClientSecret` | string | Yes      | OAuth 2.0 client secret (use secret reference syntax)            |
    | `oauthRedirectURL`  | string | Yes      | Callback URL registered with the WSO2 service provider           |
    | `tls`               | string | No       | Named TLS profile for provider communication                     |

    For the complete field reference including health checks, offline access, and PKCE settings, see [Identity Fabric](/reference/orchestrator/identity-fabric#configuration-reference).
  </Tab>
</Tabs>

## Troubleshooting

* **Verify the well-known URL is accessible** from the Orchestrator host -- WSO2's OIDC discovery URL may vary by deployment; confirm the correct path
* **Ensure the `oauthRedirectURL` matches exactly** what is registered in the WSO2 service provider configuration
* **Check that the client secret reference resolves correctly** via your secret provider
* **PKCE errors** -- If WSO2 returns errors during the authorization flow, verify that PKCE is enabled on both the Orchestrator and the WSO2 service provider

## Related Pages

<CardGroup cols={2}>
  <Card title="Identity Fabric" icon="id-badge" href="/reference/orchestrator/identity-fabric">
    Overview of all identity providers
  </Card>

  <Card title="Generic OIDC" icon="key" href="/reference/orchestrator/identity-fabric/custom-oidc">
    Generic OpenID Connect connector
  </Card>

  <Card title="Okta" icon="shield-halved" href="/reference/orchestrator/identity-fabric/okta">
    OIDC connector for Okta
  </Card>

  <Card title="Auth0" icon="lock" href="/reference/orchestrator/identity-fabric/auth0">
    OIDC connector for Auth0
  </Card>
</CardGroup>
