Identity Provider Operations

On the identity providers page, you can modify existing identity providers or add new OAuth identity providers. New identity providers can also be added by re-running the Keyfactor Command configuration wizard and adding a new identity provider on the Authentication tab (see Authentication Tab). Identity providers cannot be deleted.

Tip:  The following permissions (see Security Roles and Claims) are required to use this feature:

Identity Providers > Read
Identity Providers > Modify

Permissions for identity providers can be set at either the global or identity provider level. See Identity Provider Permissions for more information about global vs identity provider permissions.

To create an identity provider or modify an existing one:

  1. In the Management Portal, browse to System Settings Icon > Identity Providers.
  2. On the Identity Providers page, click Add to add a new identity provider, or click Edit from the top of the grid or from the right click menu to modify an existing provider.
  3. On the Add/Editing Identity Provider page, fill in each tab of the dialog with the information desired for the selected identity provider.

    1. On the Details tab, select a Type in the dropdown. Most identity providers can be supported with the Generic type. For Auth0, select the Auth0 type. Enter a short name for the provider in the Authentication Scheme and a longer name in the Display Name. The TypeId and Authentication Scheme cannot be modified on an edit.

      Important:  The value in the Authentication Scheme field must match the provider name referenced in the redirect URLs (see Configuring Keyfactor Identity Provider and Collecting Data for the Keyfactor Command Installation).

      Figure 401: Details for an Identity Provider

    2. On the Parameters tab, select each parameterClosed to configure and click Edit to open the Edit <Parameter Name> Parameter dialog, the contents of which will vary depending on the parameter selected. For information about the specific parameters, see Table 80: Identity Provider Parameters.

      Figure 402: Edit Parameters for an Identity Provider

  4. Click Save to save the identity provider.

Table 80: Identity Provider Parameters

Name Type Example

Description

Audience 1 - String Command- OIDC- Client

The audience value for the identity provider.

For Keyfactor Identity Provider, this should be set to the same value as the Client Id. For example:

Command- OIDC- Client

This parameter is required.

Auth0 API URL 1 - String  

The unique identifier defined in Auth0 or a similar identity provider for the API.

This parameter only appears if Auth0 is selected as the type and is required in that case.

Authority 1 - String https:// my-keyidp-server .keyexample.com /realms /Keyfactor

The issuer/authority endpoint URL for the identity provider.

For Keyfactor Identity Provider, this is included among the information that can be found on the OpenID Endpoint Configuration page, a link to which can be found on the Realm Settings page (see Configuring Keyfactor Identity Provider and Collecting Data for the Keyfactor Command Installation). It is automatically returned by the Discovery Document Endpoint Fetch step. Review it to confirm that it appears correct.

This parameter is required.

Tip:  When you add or update an identity provider, the provider’s discovery document is validated based on this authority URL. The discovery document is also validated periodically in the background. The following are validated:
  • That the discovery document is reachable using the Authority value provided and can be parsed into a valid discovery document.

  • That the Authority URL matches the Issuer returned in the discovery document.

  • That all the URLs on the discovery document are using HTTPS.

  • That the JSONWebKeySetUri value is included on the discovery document.

  • That any endpoint configuration values (Authorization Endpoint, Token Endpoint, UserInfo Endpoint, JSONWebKeySetUri) that have been saved or are being saved match—including case—the values returned in the discovery document. The UserInfo Endpoint is not a required configuration field, but if a value is provided, it must match what’s in the discovery document.

If any of these validation tests fail, any identity provider changes in process will not be saved and an error will be displayed or logged.

Authorization Endpoint 1 - String https:// my-keyidp-server .keyexample.com /realms /Keyfactor /protocol /openid-connect /auth

The authorization endpoint URL for the identity provider.

For Keyfactor Identity Provider, this is included among the information that can be found on the OpenID Endpoint Configuration page, a link to which can be found on the Realm Settings page (see Configuring Keyfactor Identity Provider and Collecting Data for the Keyfactor Command Installation). It is automatically returned by the Discovery Document Endpoint Fetch step. Review it to confirm that it appears correct.

This parameter is required.

Client Id 1 - String Command- OIDC- Client

The ID of the client application created in the identity provider for primary application use.

For Keyfactor Identity Provider, this should be:

Command- OIDC- Client

For more information, see Configuring Keyfactor Identity Provider and Collecting Data for the Keyfactor Command Installation).

This parameter is required.

Client Secret 2 - Secret  

The secret for the client application created in the identity provider for primary application use.

For Keyfactor Identity Provider, see Configuring Keyfactor Identity Provider and Collecting Data for the Keyfactor Command Installation for help locating this. It is automatically returned by the Discovery Document Endpoint Fetch step. Review it to confirm that it appears correct.

Supported methods to store secret information are:

  • Store the secret information in the Keyfactor secrets table.

    A Keyfactor secret is a user-defined username or password that is encrypted and stored securely in the Keyfactor Command database.

  • Load the secret information from a PAM provider.

    See Privileged Access Management (PAM) for more information.

This parameter is required.

Discovery Document Endpoint 1 - String https:// my-keyidp-server .keyexample.com /realms /Keyfactor /.well-known /openid-configuration

The discovery URL for the identity provider.

For Keyfactor Identity Provider, this is the link to the OpenID Endpoint Configuration page, which can be found on the Realm Settings page (see Configuring Keyfactor Identity Provider and Collecting Data for the Keyfactor Command Installation). Populate this value and click Fetch to populate the remainder of the fields in this section, if desired.

If you opt not to populate this field or if the discovery document does not return a valid response, the remainder of the fields in this section of the configuration will need to be configured manually. This value is not stored in the database.

This field does not appear in the Management Portal identity provider configuration.

Fallback Unique Claim Type 1 - String cid A backup value used to reference the type of claim used for users in the identity provider in case the primary referenced name does not contain a value.

This parameter is required.

JSON Web Key Set Uri 1 - String https:// my-keyidp-server .keyexample.com /realms /Keyfactor /protocol /openid-connect /certs

The JWKS (JSON Web Key Set) URL for the identity provider.

For Keyfactor Identity Provider, this is included among the information that can be found on the OpenID Endpoint Configuration page, a link to which can be found on the Realm Settings page (see Configuring Keyfactor Identity Provider and Collecting Data for the Keyfactor Command Installation). It is automatically returned by the Discovery Document Endpoint Fetch step. Review it to confirm that it appears correct.

This parameter is required.

Name Claim Type

1 - String preferred_ username

The name used to reference the type of user claim for the identity provider.

For Keyfactor Identity Provider, this should be:

preferred_ username

This parameter is required.

Role Claim Type

1 - String groups

The value used to reference the type of group claim for the identity provider.

For Keyfactor Identity Provider, this should be:

groups

This parameter is required.

Scope 1 - String  

One or more scopes that are requested during the OIDC protocol when Keyfactor Command is the relying party. Multiple scopes should be separated by spaces.

This value is not used for Keyfactor Identity Provider.

Sign Out URL 1 -String https:// my-auth0-instance .us.auth0.com /oidc/logout

The signout URL for the identity provider.

This parameter only appears if Auth0 is selected as the type and is required in that case.

Timeout 1 - String 60 The number of seconds a request to the identity provider is allowed to process before timing out with an error.
Token Audience 1 - String  

An audience value to be included in token requests delivered to the identity provider when making a token request where Keyfactor Command is acting as the OAuth client.

This value is not used for Keyfactor Identity Provider.

Token Endpoint 1 - String https:// my-keyidp-server .keyexample.com /realms /Keyfactor /protocol /openid-connect /token

The token endpoint URL for the identity provider.

For Keyfactor Identity Provider, this is included among the information that can be found on the OpenID Endpoint Configuration page, a link to which can be found on the Realm Settings page (see Configuring Keyfactor Identity Provider and Collecting Data for the Keyfactor Command Installation). It is automatically returned by the Discovery Document Endpoint Fetch step. Review it to confirm that it appears correct.

This parameter is required.

Token Scope 1 - String  

One or more scopes that should be included in token requests delivered to the identity provider when making a token request where Keyfactor Command is acting as the OAuth client. Multiple scopes should be separated by spaces.

This value is not used for Keyfactor Identity Provider.

Unique Claim Type 1 - String sub The value used to reference the type of claim used for users in the identity provider. For Keyfactor Identity Provider, this should be (for subject):
sub

This parameter is required.

User Info Endpoint 1 - String https:// my-keyidp-server .keyexample.com /realms /Keyfactor /protocol /openid-connect /certs

The user info endpoint URL for the identity provider.

For Keyfactor Identity Provider, this is included among the information that can be found on the OpenID Endpoint Configuration page, a link to which can be found on the Realm Settings page (see Configuring Keyfactor Identity Provider and Collecting Data for the Keyfactor Command Installation). It is automatically returned by the Discovery Document Endpoint Fetch step. Review it to confirm that it appears correct.