Identity Provider Operations

On the identity providers page, you can modify existing identity providers or add new OAuth identity providers. New identity providers can also be added by re-running the Keyfactor Command configuration wizard and adding a new identity provider on the Authentication tab (see Authentication Tab). Identity providers cannot be deleted.

Tip: The following permissions (see Security Roles and Claims) are required to use this feature:

Identity Providers > Read

Identity Providers > Modify

Permissions for identity providers can be set at either the global or identity provider level. See Identity Provider Permissions for more information about global vs identity provider permissions.

To create an identity provider or modify an existing one:

In the Management Portal, browse to System Settings Icon > Identity Providers.
On the Identity Providers page, click Add to add a new identity provider, or click Edit from the top of the grid or from the right click menu to modify an existing provider.
On the Add/Editing Identity Provider page, fill in each tab of the dialog with the information desired for the selected identity provider.
1. On the Details tab, select a Type in the dropdown. Most identity providers can be supported with the Generic type. For Auth0, select the Auth0 type.
  
  Enter a short name for the provider in the Authentication Scheme and a longer name in the Display Name. The Type and Authentication Scheme cannot be modified on an edit.
  
  Important: The value in the Authentication Scheme field must match the provider name referenced in redirect URLs.
  
  In the Permission Set dropdown, select a permission set to apply to the identity provider. For more information about permission sets, see Permission Sets.
  
  The Enable toggle only appears when editing an existing identity provider. Newly added identity providers are always enabled. Existing identity providers may be disabled, if desired. Identity providers cannot be disabled if the provider is used as the default identity provider for login or as the Identity Provider Name selected in the Identity Provider Token Credentials section of the Authentication tab in the configuration wizard. When an identity provider is disabled, the following will not be available for that identity provider:
  - Users cannot authenticate to the Keyfactor Command Management Portal or Keyfactor API An API is a set of functions to allow creation of applications. Keyfactor offers the Keyfactor API, which allows third-party software to integrate with the advanced certificate enrollment and management features of Keyfactor Command. using a disabled identity provider.
  - Orchestrators cannot authenticate against the Orchestrators API using a disabled identity provider.
  - On the Orchestrator Keyfactor orchestrators perform a variety of functions, including managing certificate stores and SSH key stores. Management page, the orchestrators last seen time will not update when the orchestrator is configured to use a disabled identity provider.
  - Instances of the CA Connector The Keyfactor CA Connector is installed in the customer environment to provide a connection between a CA and Keyfactor Command when a direct connection is not possible. It is supported on both Windows and Linux and has versions for Microsoft (Windows only) or EJBCA CAs. Client cannot authenticate against the CA A certificate authority (CA) is an entity that issues digital certificates. Within Keyfactor Command, a CA may be a Microsoft CA or a Keyfactor gateway to a cloud-based or remote CA. Connector API using a disabled identity provider.
  - On the Certificate Authority A certificate authority (CA) is an entity that issues digital certificates. Within Keyfactor Command, a CA may be a Microsoft CA or a Keyfactor gateway to a cloud-based or remote CA. CA Connector page, CA connectors will display as not connected for CA Connector Clients using a disabled identity provider.
  - On the Application Settings page on the Console tab, only enabled identity providers will appear in the dropdown for the Default Identity Provider application setting.
  - In the configuration wizard, only enabled identity providers will appear in the dropdowns for the Identity Provider in the Identity Provider section and the Identity Provider Name in the Identity Provider Token Credentials section of the Authentication tab.
  Note: In order to view or edit an identity provider in the Keyfactor Command Management Portal or with the Keyfactor API, a user must be assigned a security role that has been granted the Identity Providers > Read and Identity Providers > Modify (for edits) permissions and that has the same permission set applied to it as has been applied to the identity provider.
  
  Figure 437: Details for an Identity Provider
2. On the Parameters tab, select each parameter A parameter or argument is a value that is passed into a function in an application. to configure and click Edit to open the Edit <Parameter Name> Parameter dialog, the contents of which will vary depending on the parameter selected. For information about the specific parameters, see Table 86: Identity Provider Parameters.
  
  Click Import Discovery Document to enter the discovery URL for the identity provider and automatically populate the Authority, AuthorizationEndpoint, TokenEndpoint, JSONWebKeySetUri, and UserInfoEndpoint fields. Click Fetch to retrieve the information and Save to save it to the identity provider form.
  
  Figure 438: Import Discovery Document for an Identity Provider
  
  Figure 439: Edit Parameters for an Identity Provider
Click Save to save the identity provider.

Table 86: Identity Provider Parameters

Name	Example	Description
Audience	Command- OIDC- Client	The audience value for tokens issued from the identity provider. For Keyfactor Identity Provider, this should be set to the same value as the Client Id. For example: Command- OIDC- Client This parameter is required.
Auth0 API URL		The unique identifier defined in Auth0 or a similar identity provider for the API. This parameter only appears if Auth0 is selected as the type and is required in that case.
Authority	https:// my-keyidp-server .keyexample.com /realms /Keyfactor	The issuer/authority endpoint URL for the identity provider. This parameter is required. Tip: When you add or update an identity provider, the provider’s discovery document is validated based on this authority URL. The discovery document is also validated periodically in the background. The following are validated: That the discovery document is reachable using the Authority value provided and can be parsed into a valid discovery document. That the Authority URL matches the Issuer returned in the discovery document. That all the URLs on the discovery document are using HTTPS. That the JSONWebKeySetUri value is included on the discovery document. That any endpoint configuration values (Authorization Endpoint, Token Endpoint, UserInfo Endpoint, JSONWebKeySetUri) that have been saved or are being saved match—including case—the values returned in the discovery document. The UserInfo Endpoint is not a required configuration field, but if a value is provided, it must match what’s in the discovery document. If any of these validation tests fail, any identity provider changes in process will not be saved and an error will be displayed or logged.
AuthorizationEndpoint	https:// my-keyidp-server .keyexample.com /realms /Keyfactor /protocol /openid-connect /auth	The authorization endpoint URL for the identity provider. This parameter is required.
ClientId	Command- OIDC- Client	The ID of the client application created in the identity provider for primary application use. For Keyfactor Identity Provider, this should be: Command- OIDC- Client For more information, see Configuring Keyfactor Identity Provider and Collecting Data for the Keyfactor Command Installation). This parameter is required.
ClientSecret		The specific secret value for the load method selected. Choose from Load from Keyfactor Secrets or Load From PAM Provider. Select the Load From Keyfactor Secrets radio button if you want Keyfactor Command to encrypt and store the password in the Keyfactor Command database as a secret. Enter and confirm password in the Secret Value field. Important: Keyfactor highly recommends that you use strong passwords for any accounts or certificates related to Keyfactor Command and associated products, especially when these have elevated or administrative access. A strong password has at least 12 characters (more is better) and multiple character classes (lowercase letters, uppercase letters, numeral, and symbols). Ideally, each password would be randomly generated. Avoid password re-use. Tip: A Keyfactor secret is a user-defined password or other information that is encrypted and stored securely in the Keyfactor Command database. Although Keyfactor recommends using Privileged Access Management (see Privileged Access Management (PAM)) as a more secure solution to secure information, Keyfactor Secret has historically been an option for customers that don’t already have a relationship with a PAM provider such as CyberArk or Delinea/Thycotic. More recent versions of Keyfactor Command offer Keyfactor Command local PAM databases, allowing you to store secrets in the Keyfactor Command database using PAM. Select the Load from PAM Provider radio button if you want to store the password in a Keyfactor Command local or supported third-party PAM solution (see Privileged Access Management (PAM)). The remaining fields on the dialog will vary depending on the PAM provider. For example: Keyfactor Command Local Database Select your Keyfactor Command local database provider in the Providers dropdown. The remaining field in the dialog will then be: Secret Reference Name—The name given to the secret defined in Keyfactor Command (see Managing Secrets for a Local Keyfactor Command PAM Provider). CyberArk Select your CyberArk provider in the Providers dropdown if your PAM provider is CyberArk (see Adding or Modifying a PAM Provider). The remaining fields in the dialog will then be: PrivateArk Folder Name —The path and name of the folder that stores the secret (e.g. Root or Root\MyDir). PrivateArk Protected Password Name —The name of the username or password to use for this instance. Delinea/Thycotic Select your Delinea/Thycotic provider in the Providers dropdown if your PAM provider is Delinea /Thycotic (see Adding or Modifying a PAM Provider). The remaining field in the dialog will then be: Thycotic Secret ID—The numeric ID of the secret to retrieve from provider server. Hashicorp Select your Hashicorp Vault provider in the Providers dropdown if your PAM provider is Hashicorp Vault (see Adding or Modifying a PAM Provider). The remaining fields in the dialog will then be: KV Secret Key—The key of the secret to retrieve from the Hashicorp Vault. KV Secret Name—The name of the secret to retrieve from the Hashicorp Vault. This parameter is required.
Discovery Document Endpoint	https:// my-keyidp-server .keyexample.com /realms /Keyfactor /.well-known /openid-configuration	The discovery URL for the identity provider. If you opt not to populate this field or if the discovery document does not return a valid response, the remainder of the fields in this section of the configuration will need to be configured manually. This value is not stored in the database. This field does not appear in the Management Portal identity provider configuration.
Fallback Unique Claim Type	cid	A type of user claim for the identity provider containing a backup unique name for the user. This is provided in case the primary referenced name (see Unique Claim Type) does not contain a value. Some OAuth providers may provide one type of claim for users/clients of one type and another type of claim for users/clients of another type. For Keyfactor Identity Provider, this should be: cid The cid (client ID) user claim type is also commonly used by other OAuth providers. This parameter is required.
JSON Web Key Set Uri	https:// my-keyidp-server .keyexample.com /realms /Keyfactor /protocol /openid-connect /certs	The JWKS (JSON Web Key Set) URL for the identity provider. This parameter is required.
Name Claim Type	preferred_ username	A type of user claim for the identity provider containing a friendly name for the user. Although the value for this field may not necessarily be unique within your identity provider (so might resolve to John Smith and the organization might have two users called John Smith), this can be confusing in Keyfactor Command, since the value is used as the user’s display name in areas such as the requester of a certificate, actors in audit logs, and users referenced in workflow instances. It is best to avoid duplicates. For Keyfactor Identity Provider, this should be: preferred_ username For Okta, this might be preferred_names (e.g. john.smith@keyexample.com) or just name (e.g. John Smith). For Auth0 this might be name (e.g. johnsmith@keyexample.com). This parameter is required. Tip: The value in this field is used as the first choice to populate the username in the Keyfactor Command Management Portal header, if available. This is not the value to use when logging into Keyfactor Command. For that, see Unique Claim Type.
Role Claim Type	groups	The value used to reference the type of group claim for the identity provider. For Keyfactor Identity Provider, this should be: groups This parameter is required.
Scope		One or more scopes that are requested during the OIDC protocol when Keyfactor Command is the relying party. Multiple scopes should be separated by spaces. This value is not used for Keyfactor Identity Provider.
Sign Out URL	https:// my-auth0-instance .us.auth0.com /oidc/logout	The signout URL for the identity provider. This parameter only appears if Auth0 is selected as the type and is required in that case.
Timeout	60	The number of seconds a request to the identity provider is allowed to process before timing out with an error.
Token Audience		An audience value to be included in token requests delivered to the identity provider when making a token request where Keyfactor Command is acting as the OAuth client. This value is not used for Keyfactor Identity Provider.
Token Endpoint	https:// my-keyidp-server .keyexample.com /realms /Keyfactor /protocol /openid-connect /token	The token endpoint URL for the identity provider. This parameter is required.
Token Scope		One or more scopes that should be included in token requests delivered to the identity provider when making a token request where Keyfactor Command is acting as the OAuth client. Multiple scopes should be separated by spaces. This value is not used for Keyfactor Identity Provider.
Unique Claim Type	sub	A type of user claim for the identity provider containing a unique name for the user. For Keyfactor Identity Provider, this should be: sub In Keyfactor Identity Provider, this is a GUID uniquely identifying the user. The sub (subject) user claim type is also commonly used by other OAuth providers. See also Fallback Unique Claim Type. This parameter is required. Tip: The value in this field is used as the second choice to populate the username in the Keyfactor Command Management Portal header if the Name Claim Type does not contain a value in the token. The value in this field is the one to use when logging into Keyfactor Command.
User Info Endpoint	https:// my-keyidp-server .keyexample.com /realms /Keyfactor /protocol /openid-connect /certs	The user info endpoint URL for the identity provider.

Version v24.4

On this page: