| Authentication Enabled |
A Boolean indicating whether the identity provider is enabled (true) or not (false). Note: An identity provider cannot be disabled if the provider is used as the default identity provider for login or as the API client identity provider. Internally defined identity providers cannot be disabled. A disabled identity provider cannot be used to authenticate to Keyfactor Command. |
| Authentication Scheme |
A string indicating the authentication scheme (name) for the identity provider. This must be a unique value among identity providers. |
| Display Name |
A string indicating the display name for the identity provider. This must be a unique value among identity providers. |
| Id |
A string containing the Keyfactor Command reference GUID for the identity provider. |
| Parameters |
An array of objects containing information for each parameter set for the identity provider.  Show parameter details.
Each parameter (Table 536: Identity Provider Parameters) contains the data shown in Table 539: Identity Provider Response Parameter Structure.
Table 538: Identity Provider Parameters
| Name |
Type |
Example |
Description
|
|
|
1 - String |
Command- OIDC- Client |
The audience value for tokens issued from the identity provider.
For Keycloak, this should be set to the same value as the Client Id. For example:
Command- OIDC- Client
This parameter is required.
|
|
|
1 - String |
|
The unique identifier defined in Auth0 or a similar identity provider for the API.
This parameter only appears if Auth0 is selected as the type and is required in that case.
|
|
|
1 - String |
https:// my-keyidp-server .keyexample.com /realms /Keyfactor |
The issuer/authority endpoint URL for the identity provider.
For Keycloak, this is included among the information that can be found on the OpenID Endpoint Configuration page, a link to which can be found on the Realm Settings page (see Configuring Keycloak and Collecting Data for the Keyfactor Command Installation). It is automatically returned by the Discovery Document Endpoint Fetch step. Review it to confirm that it appears correct.
This parameter is required.
Tip: When you add or update an identity provider, the provider’s discovery document is validated based on this authority URL. The discovery document is also validated periodically in the background. The following are validated:
That the discovery document is reachable using the Authority value provided and can be parsed into a valid discovery document. That the Authority URL matches the Issuer returned in the discovery document. That all the URLs on the discovery document are using HTTPS. That the JSONWebKeySetUri value is included on the discovery document. That any endpoint configuration values (Authorization Endpoint, Token Endpoint, UserInfo Endpoint, JSONWebKeySetUri) that have been saved or are being saved match—including case—the values returned in the discovery document. The UserInfo Endpoint is not a required configuration field, but if a value is provided, it must match what’s in the discovery document.
If any of these validation tests fail, any identity provider changes in process will not be saved and an error will be displayed or logged.
|
|
|
1 - String |
https:// my-keyidp-server .keyexample.com /realms /Keyfactor /protocol /openid-connect /auth |
The authorization endpoint URL for the identity provider.
For Keycloak, this is included among the information that can be found on the OpenID Endpoint Configuration page, a link to which can be found on the Realm Settings page (see Configuring Keycloak and Collecting Data for the Keyfactor Command Installation). It is automatically returned by the Discovery Document Endpoint Fetch step. Review it to confirm that it appears correct.
This parameter is required.
|
|
|
1 - String |
Command- OIDC- Client |
The ID of the client application created in the identity provider for primary application use.
For Keycloak, this should be:
Command- OIDC- Client
For more information, see Configuring Keycloak and Collecting Data for the Keyfactor Command Installation).
This parameter is required.
|
|
|
2 - Secret |
|
The client secret for the client you created in the identity provider to provide the primary authentication from Keyfactor Command to the identity provider.
| Secret Value |
A string containing the secret. This parameter is used when PAM is not used as the storage location.
|
| Parameters |
An object indicating the parameters to supply for PAM authentication. These will vary depending on the PAM provider. |
| Provider |
An integer indicating the ID of the PAM provider.
Use the GET /PamProviders method (see GET PAM Providers) to retrieve a list of all the PAM providers to determine the ID.
|
For example, a username stored as a Keyfactor secret will look like:
Copy
{
"SecretValue": "KEYEXAMPLE\svc_MyServiceName"
}
For example, a password stored as a Keyfactor secret will look like:
Copy
{
"SecretValue": "MySuperSecretPassword"
}
A secret stored as a CyberArk PAM secret will look like (where the Provider value—1 in this example—is the Id value from GET PAM Providers and the Safe, Folder, and Object reference the information in the CyberArk safe needed for this record):
Copy
{
"Provider": "1",
"Parameters":{
"Safe":"MySafeName",
"Folder":"MyFolderName",
"Object":"MyObjectName"
}
}
A secret stored as a Delinea PAM secret will look like (where the Provider value—2 in this example—is the Id value from GET PAM Providers and the SecretId and SecretFieldName contain the information created in the Delinea secret server for this purpose):
Copy
{
"Provider": "2",
"Parameters":{
"SecretId":"MyId"
"SecretFieldName":"MyReferenceName"
}
}
This parameter is required.
|
|
|
1 - String |
cid |
A type of user claim for the identity provider containing a backup unique name for the user. This is provided in case the primary referenced name (see Unique Claim Type) does not contain a value. Some OAuth providers may provide one type of claim for users/clients of one type and another type of claim for users/clients of another type. For Keycloak, this should be:
cid
The cid (client ID) user claim type is also commonly used by other OAuth providers.
This parameter is required.
|
|
|
1 - String |
https:// my-keyidp-server .keyexample.com /realms /Keyfactor /protocol /openid-connect /certs |
The JWKS (JSON Web Key Set) URL for the identity provider.
For Keycloak, this is included among the information that can be found on the OpenID Endpoint Configuration page, a link to which can be found on the Realm Settings page (see Configuring Keycloak and Collecting Data for the Keyfactor Command Installation). It is automatically returned by the Discovery Document Endpoint Fetch step. Review it to confirm that it appears correct.
This parameter is required.
|
|
|
1 - String |
preferred_ username |
A type of user claim for the identity provider containing a friendly name for the user. Although the value for this field may not necessarily be unique within your identity provider (so might resolve to John Smith and the organization might have two users called John Smith), this can be confusing in Keyfactor Command, since the value is used as the user’s display name in areas such as the requester of a certificate, actors in audit logs, and users referenced in workflow instances. It is best to avoid duplicates.
For Keycloak, this should be:
preferred_ username
For Okta, this might be preferred_names (e.g. john.smith@keyexample.com) or just name (e.g. John Smith). For Auth0 this might be name (e.g. johnsmith@keyexample.com).
This parameter is required.
Tip: The value in this field is used as the first choice to populate the username in the Keyfactor Command Management Portal header, if available. This is not the value to use when logging into Keyfactor Command. For that, see Unique Claim Type.
|
|
|
1 - String |
groups |
The value used to reference the type of group claim for the identity provider.
For Keycloak, this should be:
groups
This parameter is required.
|
|
|
1 - String |
|
One or more scopes that are requested during the OIDC protocol when Keyfactor Command is the relying party. Multiple scopes should be separated by spaces.
This value is not typically used for Keycloak.
|
|
|
1 -String |
https:// my-auth0-instance .us.auth0.com /oidc/logout |
The signout URL for the identity provider.
This parameter only appears if Auth0 is selected as the type and is required in that case.
|
|
|
1 - String |
60 |
The number of seconds a request to the identity provider is allowed to process before timing out with an error. The default is 60. |
|
TokenEndpoint
|
1 - String |
https:// my-keyidp-server .keyexample.com /realms /Keyfactor /protocol /openid-connect /token |
The token endpoint URL for the identity provider.
For Keycloak, this is included among the information that can be found on the OpenID Endpoint Configuration page, a link to which can be found on the Realm Settings page (see Configuring Keycloak and Collecting Data for the Keyfactor Command Installation). It is automatically returned by the Discovery Document Endpoint Fetch step. Review it to confirm that it appears correct.
This parameter is required.
|
|
|
1 - String |
sub |
A type of user claim for the identity provider containing a unique name for the user. For Keycloak, this should be:
sub
In Keycloak, this is a GUID uniquely identifying the user.
The sub (subject) user claim type is also commonly used by other OAuth providers.
See also FallbackUniqueClaimType.
This parameter is required.
Tip: The value in this field is used as the second choice to populate the username in the Keyfactor Command Management Portal header if the Name Claim Type does not contain a value in the token. The value in this field is the one to use when logging into Keyfactor Command.
|
|
|
1 - String |
https:// my-keyidp-server .keyexample.com /realms /Keyfactor /protocol /openid-connect /certs |
The user info endpoint URL for the identity provider.
For Keycloak, this is included among the information that can be found on the OpenID Endpoint Configuration page, a link to which can be found on the Realm Settings page (see Configuring Keycloak and Collecting Data for the Keyfactor Command Installation). It is automatically returned by the Discovery Document Endpoint Fetch step. Review it to confirm that it appears correct.
|
Table 539: Identity Provider Response Parameter Structure
| Id |
An integer indicating the Keyfactor Command reference ID for the parameter. |
| Name |
A string indicating the short reference name for the parameter (e.g. NameClaimType). |
| Display Name |
A string indicating the display name for the parameter (e.g. Name Claim Type). |
| Required |
A Boolean indicating whether the parameter is required (true) or not (false). |
| Data Type |
An integer indicating the data type for the parameter. Possible values are:
-
1 - String
-
2 - Secret
-
3 - Boolean
|
| Value |
A string indicating the value set for the parameter, for parameters of type 1 or 3. |
| Secret Value |
A string indicating the value set for the parameter, for parameters of type 2.
Due to its sensitive nature, this value is not returned in responses.
|
|
| PermissionSetId |
A string indicating the Keyfactor Command reference ID of the permission set applied to the identity provider.
Note: In order to view or edit an identity provider in the Keyfactor Command Management Portal or with the Keyfactor API, a user must be assigned a security role that has been granted the /identity_providers/read/ and /identity_providers/modify/ (for edits) permissions and that has the same permission set applied to it as has been applied to the identity provider.
|
| TypeId |
A string indicating the Keyfactor Command reference GUID for the type of identity provider. Possible values include:
-
DFB94650-E4EB-402A- B807-4F3CC91F712D (Active Directory)
-
F96B6464-11B7-4499- BEA7-B5AA6BA1571D (Generic—select this for Keycloak)
-
5AA04122-CD7C-48BA- AC11-F39E30AE8720 (Auth0)
|
) at the top of the Management Portal page next to the Log Out button.