Selecting an Identity Provider for Keyfactor Command
An identity provider supplies the method for authenticating access to Keyfactor Command. Keyfactor Command directly supports two identity providers:
- Active Directory
Microsoft’s Active Directory has historically been the only identity provider supported by Keyfactor Command. With Active Directory, you can use Integrated Windows Authentication to authenticate users defined in the Active Directory forest to which the Keyfactor Command server is joined, as well as users from forests in a trust with this forest. (An Active Directory forest, or AD forest, is the topmost logical container in an Active Directory configuration; it contains domains and objects such as users and computers.) Users may alternatively be authenticated to Keyfactor Command using Basic authentication when you opt for Active Directory as your identity provider. Active Directory supports user, group and computer accounts.
- Keyfactor Identity Provider
Keyfactor Identity Provider is a lightweight application that is easily installed in the same environment as Keyfactor Command to provide standalone authentication separate from Active Directory. It may be used directly to supply authentication, or it may be used to federate authentication to another Open Authorization (OAuth) 2.0-compliant identity provider (e.g. Okta, Ping Identity). Keyfactor Identity Provider runs in a Linux-based container (e.g. Docker). Keyfactor Identity Provider supports users and groups.
A given Keyfactor Command server may be configured with only one identity provider. If desired, you may configure an environment with multiple Keyfactor Command servers and configure a different identity provider for each Keyfactor Command server.