Documentation Suite v25.1.1

Submit Search

GET Identity Providers

The GET /Identity/Providers method is used to return the list of security identity providers configured in Keyfactor Command. Query parameters enable filtering using defined criteria, control over pagination by specifying the page number and return limit, and customization of sorting based on specified fields and order. This method returns HTTP 200 OK on a success with the details of the identity providers.

Tip: The following permissions (see Security Roles and Claims) are required to use this feature:

/identity_providers/read/

/identity_providers/read/#/ (where # is a reference to a specific identity provider ID)

Permissions for identity providers can be set at either the global or identity provider level. See Identity Provider Permissions for more information about global vs identity provider permissions.

Table 518: GET Identity Providers Input Parameters

Name	In	Description
QueryString	Query	A string containing a query to limit the results (e.g. field1 -eq value1 AND field2 -gt value2). The default is to return all records. Fields available for querying through the API for the most part match those that appear in the Keyfactor Command Management Portal search dropdowns for the same feature. For querying guidelines, refer to: Using the Identity Provider Search Feature. The query fields supported for this endpoint are: AuthenticationScheme AuthorizationUrl DisplayName ProviderTypes
PageReturned	Query	An integer that specifies how many multiples of the returnLimit to skip and offset by before returning results, to enable paging. The default is 1.
ReturnLimit	Query	An integer that specifies how many results to return per page. The default is 50. Very large values can result in long processing time.
SortField	Query	A string containing the property by which the results should be sorted. Fields available for sorting through the API for the most part match those that appear as sortable columns in the Keyfactor Command Management Portal. The default sort field is Provider.
SortAscending	Query	An integer that sets the sort order on the returned results. A value of 0 sorts results in ascending order while a value of 1 sorts results in descending order. The default is ascending.

Table 519: GET Identity Provider Response Data

Name Description

Authentication Enabled

A Boolean indicating whether the identity provider is enabled (true) or not (false).

Note: An identity provider cannot be disabled if the provider is used as the default identity provider for login or as the API client identity provider. Internally defined identity providers cannot be disabled. A disabled identity provider cannot be used to authenticate to Keyfactor Command.

Authentication Scheme A string indicating the authentication scheme (name) for the identity provider. This must be a unique value among identity providers.

Display Name A string indicating the display name for the identity provider. This must be a unique value among identity providers.

Id A string containing the Keyfactor Command reference GUID for the identity provider.

Parameters

An array of objects containing information for each parameter set for the identity provider. Show parameter details.

Name

Type

Example

Description

OIDC Audience

1 - String

Command- OIDC- Client

The audience value for tokens issued from the identity provider.

For Keyfactor Identity Provider, this should be set to the same value as the Client Id. For example:

Command- OIDC- Client

This parameter is required.

Auth0 API URL

1 - String

The unique identifier defined in Auth0 or a similar identity provider for the API.

This parameter only appears if Auth0 is selected as the type and is required in that case.

Authority

1 - String

https:// my-keyidp-server .keyexample.com /realms /Keyfactor

The issuer/authority endpoint URL for the identity provider.

For Keyfactor Identity Provider, this is included among the information that can be found on the OpenID Endpoint Configuration page, a link to which can be found on the Realm Settings page (see Configuring Keyfactor Identity Provider and Collecting Data for the Keyfactor Command Installation). It is automatically returned by the Discovery Document Endpoint Fetch step. Review it to confirm that it appears correct.

This parameter is required.

Tip: When you add or update an identity provider, the provider’s discovery document is validated based on this authority URL. The discovery document is also validated periodically in the background. The following are validated:

That the discovery document is reachable using the Authority value provided and can be parsed into a valid discovery document.
That the Authority URL matches the Issuer returned in the discovery document.
That all the URLs on the discovery document are using HTTPS.
That the JSONWebKeySetUri value is included on the discovery document.
That any endpoint configuration values (Authorization Endpoint, Token Endpoint, UserInfo Endpoint, JSONWebKeySetUri) that have been saved or are being saved match—including case—the values returned in the discovery document. The UserInfo Endpoint is not a required configuration field, but if a value is provided, it must match what’s in the discovery document.

If any of these validation tests fail, any identity provider changes in process will not be saved and an error will be displayed or logged.

Authorization Endpoint

1 - String

https:// my-keyidp-server .keyexample.com /realms /Keyfactor /protocol /openid-connect /auth

The authorization endpoint URL for the identity provider.

This parameter is required.

Client Id

1 - String

Command- OIDC- Client

The ID of the client application created in the identity provider for primary application use.

For Keyfactor Identity Provider, this should be:

Command- OIDC- Client

For more information, see Configuring Keyfactor Identity Provider and Collecting Data for the Keyfactor Command Installation).

This parameter is required.

ClientSecretSecret

2 - Secret

The specific secret value.

Value

Description

Secret Value

A string containing the secret. This parameter is used when PAM is not used as the storage location.

Parameters

An object indicating the parameters to supply for PAM authentication. These will vary depending on the PAM provider.

Provider

An integer indicating the ID of the PAM provider.

Use the GET /PamProviders method (see GET PAM Providers) to retrieve a list of all the PAM providers to determine the ID.

For example, a username stored as a Keyfactor secret will look like:

Copy

{
   "SecretValue": "KEYEXAMPLE\svc_MyServiceName"
}

For example, a password stored as a Keyfactor secret will look like:

Copy

{
   "SecretValue": "MySuperSecretPassword"
}

A secret stored as a CyberArk PAM secret will look like (where the Provider value—1 in this example—is the Id value from GET PAM Providers and the Safe, Folder, and Object reference the information in the CyberArk safe needed for this record):

Copy

{
   "Provider": "1",
   "Parameters":{
      "Safe":"MySafeName",
      "Folder":"MyFolderName",
      "Object":"MyObjectName"
   }
}

A secret stored as a Delinea PAM secret will look like (where the Provider value—2 in this example—is the Id value from GET PAM Providers and the SecretId and SecretFieldName contain the information created in the Delinea secret server for this purpose):

Copy

{
   "Provider": "2",
   "Parameters":{
      "SecretId":"MyId"
      "SecretFieldName":"MyReferenceName"
   }
}

This parameter is required.

Fallback Unique Claim Type

1 - String

cid

A type of user claim for the identity provider containing a backup unique name for the user. This is provided in case the primary referenced name (see Unique Claim Type) does not contain a value. Some OAuth providers may provide one type of claim for users/clients of one type and another type of claim for users/clients of another type. For Keyfactor Identity Provider, this should be:

cid

The cid (client ID) user claim type is also commonly used by other OAuth providers.

This parameter is required.

JSON Web Key Set Uri

1 - String

https:// my-keyidp-server .keyexample.com /realms /Keyfactor /protocol /openid-connect /certs

The JWKS (JSON Web Key Set) URL for the identity provider.

This parameter is required.

Name Claim Type

1 - String

preferred_ username

A type of user claim for the identity provider containing a friendly name for the user. Although the value for this field may not necessarily be unique within your identity provider (so might resolve to John Smith and the organization might have two users called John Smith), this can be confusing in Keyfactor Command, since the value is used as the user’s display name in areas such as the requester of a certificate, actors in audit logs, and users referenced in workflow instances. It is best to avoid duplicates.

For Keyfactor Identity Provider, this should be:

preferred_ username

For Okta, this might be preferred_names (e.g. john.smith@keyexample.com) or just name (e.g. John Smith). For Auth0 this might be name (e.g. johnsmith@keyexample.com).

This parameter is required.

Tip: The value in this field is used as the first choice to populate the username in the Keyfactor Command Management Portal header, if available. This is not the value to use when logging into Keyfactor Command. For that, see Unique Claim Type.

Role Claim Type

1 - String

groups

The value used to reference the type of group claim for the identity provider.

For Keyfactor Identity Provider, this should be:

groups

This parameter is required.

Timeout 1 - String 60 The number of seconds a request to the identity provider is allowed to process before timing out with an error. The default is 60.

Token Endpoint

1 - String

https:// my-keyidp-server .keyexample.com /realms /Keyfactor /protocol /openid-connect /token

The token endpoint URL for the identity provider.

This parameter is required.

Unique Claim Type

1 - String

sub

A type of user claim for the identity provider containing a unique name for the user. For Keyfactor Identity Provider, this should be:

sub

In Keyfactor Identity Provider, this is a GUID uniquely identifying the user.

The sub (subject) user claim type is also commonly used by other OAuth providers.

See also Fallback Unique Claim Type.

This parameter is required.

Tip: The value in this field is used as the second choice to populate the username in the Keyfactor Command Management Portal header if the Name Claim Type does not contain a value in the token.

The value in this field is the one to use when logging into Keyfactor Command.

User Info Endpoint

1 - String

https:// my-keyidp-server .keyexample.com /realms /Keyfactor /protocol /openid-connect /certs

The user info endpoint URL for the identity provider.

Name	Description
Id	An integer indicating the Keyfactor Command reference ID for the parameter.
Name	A string indicating the short reference name for the parameter (e.g. NameClaimType).
Display Name	A string indicating the display name for the parameter (e.g. Name Claim Type).
Required	A Boolean indicating whether the parameter is required (true) or not (false).
Data Type	An integer indicating the data type for the parameter. Possible values are: 1 - String 2 - Secret 3 - Boolean
Value	A string indicating the value set for the parameter, for parameters of type 1 or 3.
Secret Value	A string indicating the value set for the parameter, for parameters of type 2. Due to its sensitive nature, this value is not returned in responses.

PermissionSetId

A string indicating the Keyfactor Command reference ID of the permission set applied to the identity provider.

Note: In order to view or edit an identity provider in the Keyfactor Command Management Portal or with the Keyfactor API, a user must be assigned a security role that has been granted the /identity_providers/read/ and /identity_providers/modify/ (for edits) permissions and that has the same permission set applied to it as has been applied to the identity provider.

TypeId

A string indicating the Keyfactor Command reference GUID for the type of identity provider. Possible values include:

DFB94650-E4EB-402A- B807-4F3CC91F712D (Active Directory)
F96B6464-11B7-4499- BEA7-B5AA6BA1571D (Generic—select this for Keyfactor Identity Provider)
5AA04122-CD7C-48BA- AC11-F39E30AE8720 (Auth0)

Tip: See the Keyfactor API Reference and Utility which provides a utility through which the Keyfactor API

An API is a set of functions to allow creation of applications. Keyfactor offers the Keyfactor API, which allows third-party software to integrate with the advanced certificate enrollment and management features of Keyfactor Command. endpoints can be called and results returned. It is intended to be used primarily for validation, testing and workflow

A workflow is a series of steps necessary to complete a process. In Keyfactor Command, it refers to the workflow builder, which allows you to automate event-driven tasks such as when a certificate is requested, revoked or found in a certificate store. development. It also serves secondarily as documentation for the API. The link to the Keyfactor API Reference and Utility is in the dropdown from the help icon (

) at the top of the Management Portal page next to the Log Out button.

Was this page helpful? Provide Feedback

Version v25.1.1

On this page: