Identity orchestration is a way to dynamically create remote user accounts at the time a user accesses a web resource. The first time a Hybrid Access Gateway user accesses the resource, an account will be created for that user on that service (default delivered services are Google Apps, MediaWiki and an SCIM plugin) and the user will automatically be logged in. The newly created user's credentials is saved on an SSO domain. The credentials are stored in Hybrid Access Gateway and are never exposed to the user.
First you need a plugin that is able to communicate with the desired service. Then, to enable identity orchestration, you have to create a channel. A channel is a configuration of a plugin for a specific remote service. That channel can then be used when making an access rule requiring identity orchestration. When you later add this access rule to a web resource in Hybrid Access Gateway, orchestration will be enabled.
For information about how at add an identity orchestration channel and plugin, click here.