Using Keyfactor Identity Provider
Once you have finished configuring Keyfactor Identity Provider, you’re ready to add roles, optional groups, users, and service accounts into it to be used for authentication to Keyfactor Command. Alternatively, you may choose to federate to an additional OAuth provider (see Federating from Keyfactor Identity Provider), in which case you don’t need to add users in Keyfactor Identity Provider, but you will still need roles, optional groups, and service accounts, since it’s the roles in Keyfactor Identity Provider that are used to create claims in Keyfactor Command to grant access to users holding these roles.
To add roles and groups in Keyfactor Identity Provider:
- Use a browser to open the Keyfactor Identity Provider management interface (for example, https://appsrvr18.keyexample.com:1443), click the Administration Console link, and sign in with an administrative user and password (see Installing Using Docker Compose).
- In the Keyfactor Identity Provider Administration Console, select Keyfactor in the realm dropdown.
Figure 460: Select a Realm in the Keyfactor Identity Provider Administration Console
- In the Keyfactor Identity Provider Administration Console, browse to Realm roles. Click Create role to add a new role to be used to grant permissions in Keyfactor Command. Enter a Role name and Description.
Note: The Role name is used when referencing the role from Keyfactor Command to create a claim and map it to a security role to grant permissions to users.
Figure 461: Add a Keyfactor Identity Provider Role
Repeat this step for each role that you will use from Keyfactor Command. For example, administrators, power users, and limited access users.
- If desired, you can organize your roles into groups. This can simplify the process of assigning the roles to your users. To create a group, in the Keyfactor Identity Provider Administration Console, browse to Groups. Click Create group to add a new organizational group. Enter a Name for the group.
Figure 462: Add a Keyfactor Identity Provider Group
- Once the group creation is complete, open the group details. In the group details on the Role mapping tab, click Assign role and select the role or roles to assign to this group.
Figure 463: Assign a Role to a Group in Keyfactor Identity Provider
Repeat these two steps for each group that you will use to manage roles in Keyfactor Identity Provider.
Be sure to create your roles and groups before adding your users.
To add users in Keyfactor Identity Provider:
- Use a browser to open the Keyfactor Identity Provider management interface (for example, https://appsrvr18.keyexample.com:1443), click the Administration Console link, and sign in with an administrative user and password (see Installing Using Docker Compose).
- In the Keyfactor Identity Provider Administration Console, select Keyfactor in the realm dropdown.
Figure 464: Select a Realm in the Keyfactor Identity Provider Administration Console
- In the Keyfactor Identity Provider Administration Console, browse to Users. Click Add user to add a user. Enter at minimum a Username, and click Join Groups. In the Select groups to join dialog, select an appropriate group for this user and click Join.
Tip: By joining a group, your user now inherits the roles of this group.
Figure 465: Add a Keyfactor Identity Provider User
- Once the user creation is complete, open the user details. In the user details on the Credentials tab, click Set password and set a temporary password for the new user. The user will be prompted to set a new password on initial logon unless you toggle the Temporary option to Off.
Important: Keyfactor highly recommends that you use strong passwords for any accounts or certificates related to Keyfactor Command and associated products, especially when these have elevated or administrative access. A strong password has at least 12 characters (more is better) and multiple character classes (lowercase letters, uppercase letters, numerals, and symbols). Ideally, each password would be randomly generated. Avoid password re-use.
Figure 466: Set a Password for the Keyfactor Identity Provider User
Repeat these steps for each user who will access Keyfactor Command using Keyfactor Identity Provider as an identity provider.
- If you prefer to add roles directly rather than via groups, in the user details on the Role mapping tab, click Assign role and select a role for the new user.
Tip: Roles assigned via group membership won’t appear on the Role mapping tab unless you uncheck the Hide inherited roles checkbox.
Figure 467: Assign a Role to a Keyfactor Identity Provider User
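The role, group and user steps above can also be scripted. The following is an added example, not Keyfactor's own code, that performs them through the admin REST API of the Keycloak-based Keyfactor Identity Provider; it assumes the stock Keycloak endpoints (admin-cli sign-in in the master realm, /admin/realms/...) and uses the page's example host with placeholder credentials.

```python
"""Added example, not Keyfactor's own code: create a realm role, a group mapped to
that role, and a user who joins the group, mirroring the console steps above but
through the admin REST API of the Keycloak-based Keyfactor Identity Provider.
Assumes stock Keycloak endpoints; the host is the page's example, credentials are placeholders."""
import json
import secrets
import urllib.parse
import urllib.request

BASE_URL = "https://appsrvr18.keyexample.com:1443"  # from the page's example
REALM = "Keyfactor"

def admin_token(username: str, password: str) -> str:
    # Administrative sign-in, the API equivalent of the Administration Console login.
    body = urllib.parse.urlencode({"grant_type": "password", "client_id": "admin-cli",
                                   "username": username, "password": password}).encode()
    url = f"{BASE_URL}/realms/master/protocol/openid-connect/token"
    with urllib.request.urlopen(urllib.request.Request(url, data=body), timeout=10) as resp:
        return json.load(resp)["access_token"]

def call(token: str, method: str, path: str, payload=None):
    # Minimal admin API helper; returns (Location header, parsed body or None).
    data = json.dumps(payload).encode() if payload is not None else None
    req = urllib.request.Request(f"{BASE_URL}/admin/realms/{REALM}{path}", data=data, method=method,
                                 headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        raw = resp.read()
        return resp.headers.get("Location"), (json.loads(raw) if raw else None)

def role_payload(name: str, description: str) -> dict:
    # Realm role; its name is what Keyfactor Command references when creating a claim.
    return {"name": name, "description": description}

def user_payload(username: str, group_path: str, temp_password: str) -> dict:
    # Joining the group makes the user inherit its roles; the temporary flag forces a
    # password change on first logon, as the console's Temporary toggle does.
    return {"username": username, "enabled": True, "groups": [group_path],
            "credentials": [{"type": "password", "value": temp_password, "temporary": True}]}

def provision(token: str, role: str, group: str, username: str) -> str:
    # Returns the random temporary password to hand to the user out of band.
    call(token, "POST", "/roles", role_payload(role, f"Keyfactor Command {role}"))
    location, _ = call(token, "POST", "/groups", {"name": group})
    group_id = location.rstrip("/").rsplit("/", 1)[-1]
    _, role_rep = call(token, "GET", f"/roles/{urllib.parse.quote(role)}")
    call(token, "POST", f"/groups/{group_id}/role-mappings/realm", [role_rep])
    temp_password = secrets.token_urlsafe(16)  # strong and random, as the page recommends
    call(token, "POST", "/users", user_payload(username, f"/{group}", temp_password))
    return temp_password
```

Run `provision(admin_token("admin", "<password>"), "administrators", "admins", "jsmith")` against a live instance; repeat per role, group and user.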
Keyfactor Command uses client records in Keyfactor Identity Provider to provide some service account functions. You may need this type of service account if you plan to:
- Use substitutable special text tokens in alerts or workflows. (A workflow is a series of steps necessary to complete a process. In the context of Keyfactor Command, it refers to the workflow builder, which allows you to automate event-driven tasks when a certificate is requested or revoked.)
To add clients for service accounts in Keyfactor Identity Provider:
- Use a browser to open the Keyfactor Identity Provider management interface (for example, https://appsrvr18.keyexample.com:1443), click the Administration Console link, and sign in with an administrative user and password (see Installing Using Docker Compose).
- In the Keyfactor Identity Provider Administration Console, select Keyfactor in the realm dropdown.
Figure 468: Select a Realm in the Keyfactor Identity Provider Administration Console
- In the Keyfactor Identity Provider Administration Console, browse to Clients. Click Create client to add a service account. On the General Settings tab, select a Client type of OpenIdConnect and enter a unique Client ID. This Client ID is how you will reference the service account from Keyfactor Command. It should not contain spaces. Give the client a Name and Description. Toggle the Always display in UI option to On to allow the account to always appear in the UI even when it’s not in active use. Click Next.
Figure 469: Add a Keyfactor Identity Provider Service Account (Client): General
- On the Capability config tab, toggle Client authentication to On and, in the Authentication flow section, uncheck everything except Service accounts roles. Click Next.
Figure 470: Add a Keyfactor Identity Provider Service Account (Client): Capabilities
- On the Login settings tab, click Save. You do not need to populate any of the data on this tab.
- Once the initial client creation is complete, you will be returned to the main client details.
For the substitutable special text token service account, in the client details on the Service account roles tab, click Assign role. In the filter dropdown, select Filter by clients, locate the manage-users role, and assign this role to the client. You may find it helpful to search for this role in the Search by role name box, since there are multiple pages of roles.
Figure 471: Assign a Role to the Keyfactor Identity Provider Service Account (Client)
Service accounts used for the Keyfactor Universal Orchestrator and the Keyfactor API do not typically need to be granted any service account roles. (Keyfactor orchestrators perform a variety of functions, including managing certificate stores and SSH key stores.)
- In the client details on the Credentials tab, click the Copy button next to the Client secret field to copy the unmasked version of the client secret to the clipboard (you do not need to display it unmasked first) and save it in a secure location. For the substitutable special text token service account, you will need this and the Client ID during the Keyfactor Command configuration.
Figure 472: Copy the Keyfactor Identity Provider Service Account (Client) Secret
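Once a client exists, a practitioner will want to confirm that it holds only the roles it needs (manage-users for the special text token account, nothing extra for orchestrator or API accounts). The following is an added example, not Keyfactor's own code: it obtains a client-credentials token from the realm token endpoint and lists the roles the token carries. It assumes the stock Keycloak token endpoint of the Keycloak-based Keyfactor Identity Provider, the page's example host, and placeholder client credentials; the sample token it ships with is constructed and unsigned.

```python
"""Added example, not Keyfactor's own code: fetch a client-credentials token for a
service-account client created as above and list the roles it carries, to confirm it
holds only what it needs (manage-users for the special text token account; nothing for
orchestrator or API accounts). Assumes the stock Keycloak token endpoint; placeholders."""
import base64
import json
import urllib.parse
import urllib.request

BASE_URL = "https://appsrvr18.keyexample.com:1443"  # from the page's example
REALM = "Keyfactor"

def service_account_token(client_id: str, client_secret: str) -> str:
    # With Client authentication On and only 'Service accounts roles' enabled, the
    # client can authenticate solely through the client credentials grant.
    body = urllib.parse.urlencode({"grant_type": "client_credentials", "client_id": client_id,
                                   "client_secret": client_secret}).encode()
    url = f"{BASE_URL}/realms/{REALM}/protocol/openid-connect/token"
    with urllib.request.urlopen(urllib.request.Request(url, data=body), timeout=10) as resp:
        return json.load(resp)["access_token"]

def decode_claims(jwt: str) -> dict:
    # Payload inspection only: the signature is NOT verified, so use this to audit
    # roles, never to make an authorization decision.
    payload = jwt.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def granted_roles(claims: dict) -> set:
    # Realm roles sit under realm_access; client roles such as realm-management's
    # manage-users sit under resource_access.<client>.roles.
    roles = set(claims.get("realm_access", {}).get("roles", []))
    for client, access in claims.get("resource_access", {}).items():
        roles.update(f"{client}/{role}" for role in access.get("roles", []))
    return roles

def excess_roles(claims: dict, allowed: set) -> set:
    # Roles beyond the allowed set; an empty result means least privilege holds.
    return granted_roles(claims) - allowed

def sample_unsigned_token(claims: dict) -> str:
    # Constructed, unsigned token so the role checks can be run offline.
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none'})}.{enc(claims)}."

if __name__ == "__main__":
    # Against a live realm, swap the sample for service_account_token(client_id, secret).
    claims = decode_claims(sample_unsigned_token({"realm_access": {"roles": ["offline_access"]},
        "resource_access": {"realm-management": {"roles": ["manage-users"]}}}))
    allowed = {"realm-management/manage-users"}
    print("roles:", sorted(granted_roles(claims)), "excess:", excess_roles(claims, allowed))
```

With the constructed sample, the audit reports offline_access as excess, which is the kind of default or leftover grant worth reviewing on each service account.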