Identity Provider Operations
On the identity providers page, you can modify existing identity providers or add new OAuth identity providers. New identity providers can also be added by re-running the Keyfactor Command configuration wizard and adding a new identity provider on the Authentication tab (see Authentication Tab). Identity providers cannot be deleted.
Permissions for identity providers can be set at either the global or identity provider level. See Identity Provider Permissions for more information about global vs identity provider permissions.
To create an identity provider or modify an existing one:
- In the Management Portal, browse to System Settings Icon
> Identity Providers.
- On the Identity Providers page, click Add to add a new identity provider, or click Edit from the top of the grid or from the right click menu to modify an existing provider.
-
On the Add/Editing Identity Provider page, fill in each tab of the dialog with the information desired for the selected identity provider.
-
On the Details tab, select a Type in the dropdown. Most identity providers can be supported with the Generic type. For Auth0, select the Auth0 type. Enter a short name for the provider in the Authentication Scheme and a longer name in the Display Name. The TypeId and Authentication Scheme cannot be modified on an edit.
Important: The value in the Authentication Scheme field must match the provider name referenced in the redirect URLs (see Configuring Keyfactor Identity Provider and Collecting Data for the Keyfactor Command Installation).Figure 401: Details for an Identity Provider
-
On the Parameters tab, select each parameter
to configure and click Edit to open the Edit <Parameter Name> Parameter dialog, the contents of which will vary depending on the parameter selected. For information about the specific parameters, see Table 80: Identity Provider Parameters.
Figure 402: Edit Parameters for an Identity Provider
-
- Click Save to save the identity provider.
Table 80: Identity Provider Parameters
Name | Type | Example |
Description |
---|---|---|---|
|
1 - String | Command- OIDC- Client |
The audience value for the identity provider. For Keyfactor Identity Provider, this should be set to the same value as the Client Id. For example: Command- OIDC- Client
This parameter is required. |
|
1 - String |
The unique identifier defined in Auth0 or a similar identity provider for the API. This parameter only appears if Auth0 is selected as the type and is required in that case. |
|
Authority | 1 - String | https:// my-keyidp-server .keyexample.com /realms /Keyfactor |
The issuer/authority endpoint URL for the identity provider. For Keyfactor Identity Provider, this is included among the information that can be found on the OpenID Endpoint Configuration page, a link to which can be found on the Realm Settings page (see Configuring Keyfactor Identity Provider and Collecting Data for the Keyfactor Command Installation). It is automatically returned by the Discovery Document Endpoint Fetch step. Review it to confirm that it appears correct. This parameter is required. Tip: When you add or update an identity provider, the provider’s discovery document is validated based on this authority URL. The discovery document is also validated periodically in the background. The following are validated:
If any of these validation tests fail, any identity provider changes in process will not be saved and an error will be displayed or logged. |
|
1 - String | https:// my-keyidp-server .keyexample.com /realms /Keyfactor /protocol /openid-connect /auth |
The authorization endpoint URL for the identity provider. For Keyfactor Identity Provider, this is included among the information that can be found on the OpenID Endpoint Configuration page, a link to which can be found on the Realm Settings page (see Configuring Keyfactor Identity Provider and Collecting Data for the Keyfactor Command Installation). It is automatically returned by the Discovery Document Endpoint Fetch step. Review it to confirm that it appears correct. This parameter is required. |
|
1 - String | Command- OIDC- Client |
The ID of the client application created in the identity provider for primary application use. For Keyfactor Identity Provider, this should be: Command- OIDC- Client
For more information, see Configuring Keyfactor Identity Provider and Collecting Data for the Keyfactor Command Installation). This parameter is required. |
|
2 - Secret |
The secret for the client application created in the identity provider for primary application use. For Keyfactor Identity Provider, see Configuring Keyfactor Identity Provider and Collecting Data for the Keyfactor Command Installation for help locating this. It is automatically returned by the Discovery Document Endpoint Fetch step. Review it to confirm that it appears correct. Supported methods to store secret information are:
This parameter is required. |
|
|
1 - String | https:// my-keyidp-server .keyexample.com /realms /Keyfactor /.well-known /openid-configuration |
The discovery URL for the identity provider. For Keyfactor Identity Provider, this is the link to the OpenID Endpoint Configuration page, which can be found on the Realm Settings page (see Configuring Keyfactor Identity Provider and Collecting Data for the Keyfactor Command Installation). Populate this value and click Fetch to populate the remainder of the fields in this section, if desired. If you opt not to populate this field or if the discovery document does not return a valid response, the remainder of the fields in this section of the configuration will need to be configured manually. This value is not stored in the database. This field does not appear in the Management Portal identity provider configuration. |
|
1 - String | cid | A backup value used to reference the type of claim used for users in the identity provider in case the primary referenced name does not contain a value. This parameter is required. |
|
1 - String | https:// my-keyidp-server .keyexample.com /realms /Keyfactor /protocol /openid-connect /certs |
The JWKS (JSON Web Key Set) URL for the identity provider. For Keyfactor Identity Provider, this is included among the information that can be found on the OpenID Endpoint Configuration page, a link to which can be found on the Realm Settings page (see Configuring Keyfactor Identity Provider and Collecting Data for the Keyfactor Command Installation). It is automatically returned by the Discovery Document Endpoint Fetch step. Review it to confirm that it appears correct. This parameter is required. |
|
1 - String | preferred_ username |
The name used to reference the type of user claim for the identity provider. For Keyfactor Identity Provider, this should be: preferred_ username
This parameter is required. |
|
1 - String | groups |
The value used to reference the type of group claim for the identity provider. For Keyfactor Identity Provider, this should be: groups
This parameter is required. |
|
1 - String |
One or more scopes that are requested during the OIDC protocol when Keyfactor Command is the relying party. Multiple scopes should be separated by spaces. This value is not used for Keyfactor Identity Provider. |
|
|
1 -String | https:// my-auth0-instance .us.auth0.com /oidc/logout |
The signout URL for the identity provider. This parameter only appears if Auth0 is selected as the type and is required in that case. |
Timeout | 1 - String | 60 | The number of seconds a request to the identity provider is allowed to process before timing out with an error. |
|
1 - String |
An audience value to be included in token requests delivered to the identity provider when making a token request where Keyfactor Command is acting as the OAuth client. This value is not used for Keyfactor Identity Provider. |
|
|
1 - String | https:// my-keyidp-server .keyexample.com /realms /Keyfactor /protocol /openid-connect /token |
The token endpoint URL for the identity provider. For Keyfactor Identity Provider, this is included among the information that can be found on the OpenID Endpoint Configuration page, a link to which can be found on the Realm Settings page (see Configuring Keyfactor Identity Provider and Collecting Data for the Keyfactor Command Installation). It is automatically returned by the Discovery Document Endpoint Fetch step. Review it to confirm that it appears correct. This parameter is required. |
|
1 - String |
One or more scopes that should be included in token requests delivered to the identity provider when making a token request where Keyfactor Command is acting as the OAuth client. Multiple scopes should be separated by spaces. This value is not used for Keyfactor Identity Provider. |
|
|
1 - String | sub | The value used to reference the type of claim used for users in the identity provider. For Keyfactor Identity Provider, this should be (for subject): sub This parameter is required. |
|
1 - String | https:// my-keyidp-server .keyexample.com /realms /Keyfactor /protocol /openid-connect /certs |
The user info endpoint URL for the identity provider. For Keyfactor Identity Provider, this is included among the information that can be found on the OpenID Endpoint Configuration page, a link to which can be found on the Realm Settings page (see Configuring Keyfactor Identity Provider and Collecting Data for the Keyfactor Command Installation). It is automatically returned by the Discovery Document Endpoint Fetch step. Review it to confirm that it appears correct. |