Claims

During installation, two claims are created to provide initial access to the AnyCAGateway REST portal. The client authentication certificate or OAuth credentials specified for the SuperAdmin parameterClosed A parameter or argument is a value that is passed into a function in an application. in the installation command are used to generate both an admin and a user claim for the portal (see -Super Admin Value). To accommodate different users, you can create additional claims using separate authentication certificates or OAuth credentials.

Figure 766: Claims Tab with OAuth Authentication

Important:  In order for Keyfactor Command to perform synchronization of certificates from the gateway to Keyfactor Command, the OAuth client or client authentication certificate (see Keyfactor Command Connect Client Authentication Certificate) you configure in Keyfactor Command on the gateway CAClosed A certificate authority (CA) is an entity that issues digital certificates. Within Keyfactor Command, a CA may be a Microsoft CA or a Keyfactor gateway to a cloud-based or remote CA. record must be created as a claim in the gateway and granted the user role. This must be completed before configuring the gateway as a CA in Keyfactor Command (see Configuring the AnyCAGateway REST with Keyfactor Command). This same claim is used for enrollmentClosed Certificate enrollment refers to the process by which a user requests a digital certificate. The user must submit the request to a certificate authority (CA). and revocation requests made to the gateway through Keyfactor Command.
Roles

There are two roles available for assigning security on the AnyCAGateway REST portal.

Tip:  If users and/or services will make requests to the gateway for enrollment and/or revocation outside of Keyfactor Command, they will need a role, and a new claim should be created for each of these users and services with the user role, since these do not need the admin role for these functions.
Claims

To view an existing claim:

  1. Navigate to the AnyCAGateway REST portal.
  2. Select the Claims Tab.
  3. Double-click an existing claim to open the Claim Details.
  4. Click Close.
Note:  Claims cannot be edited.

To create a new claim:

  1. Navigate to the AnyCAGateway REST portal.
  2. Select the Claims Tab.
  3. Select Add from the menu bar.
  4. Select the Role for the claim from the drop down (Admin or User). See Roles.

  5. Select the Provider for the claim.

    The dropdown will be populated based on your installed IdP providers, either through the install script, the upgrade process, or through additional IdPs added via the API.

    • Client Certificate Authentication CA (Client Cert Auth) is the provider created by the AnyCA Gateway for client certificate authentication claims.

    • Auth0 is available to chose for the claim provider if an Auth0 IdP has been added.

    • Keycloak is an example of an installed Generic OAuth provider.

      Tip:  The provider name is defined as either Client Certificate Auth or the -IdentityProviderName parameter provided to the PowerShell install script.

  6. Enter a Description for the new claim. This might be the user, service account, or group name.
  7. Select how you want to identify the claim by choosing the claim Type. If you’re using client certificate authentication, you’ll be offered the choices of Thumbprint or Serial Number from the dropdown. If you’re using OAuth token authentication, this will be a text field in which you might enter sub or aud.
  8. Enter the security Value of the certificate or OAuth identity you want to use for this claim based on your selection for Type.
  9. Click Save.
Note:  Claims cannot be edited.

Figure 767: Add an OAuth Claim

Note:  You cannot delete a claim if by deleting it you would be deleting your own admin permissions. You will receive an error message if you attempt to do so which will prevent the operation.
  1. Navigate to the AnyCAGateway REST portal.
  2. Select the Claims Tab.

  3. Highlight an existing claim and select Delete from the menu bar or the right click menu.

    Note:  The SuperAdmin claim is required and cannot be deleted.
  4. Click OK.