Documentation Suite v11.0

GET Identity Providers ID

The GET /Identity/Providers/{id} method is used to return an identity provider by ID. This method returns HTTP 200 OK on a success with details for the specified identity provider.

Tip: The following permissions (see Security Roles and Claims) are required to use this feature:

/identity_providers/read/

Table 423: GET Identity Providers{id} Input Parameters

Name	In	Description
id	Path	Required. A string indicating the Keyfactor Command reference GUID of the identity provider to retrieve. Use the GET /Identity/Providers method (see GET Identity Providers) to retrieve a list of all the identity providers to determine the provider's ID.

Name

Description

Path

Required. A string indicating the Keyfactor Command reference GUID of the identity provider to retrieve.

Use the GET /Identity/Providers method (see GET Identity Providers) to retrieve a list of all the identity providers to determine the provider's ID.

Table 424: GET Identity Providers {id} Response Data

Name

Description

A string containing the Keyfactor Command reference GUID for the identity provider.

Name

A string indicating the short name for the identity provider.

Display Name

A string indicating the display name for the identity provider.

Type

A string indicating the type of identity provider. Possible values are:

Active Directory
Generic (Keyfactor Identity Provider)

Parameters

An array of objects containing information for each parameter set for the identity provider. Show parameter details.

Name

Type

Example

Description

Admin Querying Client Id Admin Querying Client Id

1 - String

Command-API-Query

The client ID of the service account that Keyfactor Command uses to make API calls to the identity provider.

For Keyfactor Identity Provider, this is created as a client (see Service Accounts). Keyfactor recommends that you use a different client for this purpose than the client used for the main connection from Keyfactor Command to the identity provider (see Client Id).

This parameter is required.

Admin Querying Client Secret Admin Querying Client Secret

1 - String

The client secret of the service account that Keyfactor Command uses to make API calls to the identity provider.

For Keyfactor Identity Provider, this is created as a client (see Service Accounts).

This parameter is required.

Audience OIDC Audience

1 - String

Command-OIDC-Client

The audience value for the identity provider.

For Keyfactor Identity Provider, this should be set to the same value as the Client Id. For example:

Command-OIDC-Client

This parameter is required.

Auth0 API URL Auth0 API URL

1 - String

The unique identifier defined in Auth0 or a similar identity provider for the API.

This parameter only appears if Auth0 is selected as the type and is required in that case.

Authority

1 - String

https://my-keyidp-server .keyexample.com /realms /Keyfactor

The issuer/authority endpoint URL for the identity provider.

For Keyfactor Identity Provider, this is included among the information that can be found on the OpenID Endpoint Configuration page, a link to which can be found on the Realm Settings page (see Configuring Keyfactor Identity Provider and Collecting Data for the Keyfactor Command Installation). It is automatically returned by the Discovery Document Endpoint Fetch step. Review it to confirm that it appears correct.

This parameter is required.

Tip: When you add or update an identity provider, the provider’s discovery document is validated based on this authority URL. The discovery document is also validated periodically in the background. The following are validated:

That the discovery document is reachable using the Authority value provided and can be parsed into a valid discovery document.
That the Authority URL matches the Issuer returned in the discovery document.
That all the URLs on the discovery document are using HTTPS.
That the JSONWebKeySetUri value is included on the discovery document.
That any endpoint configuration values (Authorization Endpoint, Token Endpoint, UserInfo Endpoint, JSONWebKeySetUri) that have been saved or are being saved match—including case—the values returned in the discovery document. The UserInfo Endpoint is not a required configuration field, but if a value is provided, it must match what’s in the discovery document.

If any of these validation tests fail, any identity provider changes in process will not be saved and an error will be displayed or logged.

Authorization Endpoint Authorization Endpoint

1 - String

https://my-keyidp-server .keyexample.com /realms /Keyfactor /protocol /openid-connect /auth

The authorization endpoint URL for the identity provider.

This parameter is required.

Client Id Client Id

1 - String

Command-OIDC-Client

The ID of the client application created in the identity provider for primary application use.

For Keyfactor Identity Provider, this should be:

Command-OIDC-Client

For more information, see Configuring Keyfactor Identity Provider and Collecting Data for the Keyfactor Command Installation).

This parameter is required.

Client Secret Client Secret

2 - Secret

The secret for the client application created in the identity provider for primary application use.

For Keyfactor Identity Provider, see Configuring Keyfactor Identity Provider and Collecting Data for the Keyfactor Command Installation for help locating this. It is automatically returned by the Discovery Document Endpoint Fetch step. Review it to confirm that it appears correct.

Supported methods to store secret information are:

Store the secret information in the Keyfactor secrets table.

A Keyfactor secret is a user-defined username or password that is encrypted and stored securely in the Keyfactor Command database.
Load the secret information from a PAM provider.

See Privileged Access Management (PAM) for more information.

Value

Description

SecretValue

A string containing the secret. This parameter is used when PAM is not used as the storage location.

Parameters

An object indicating the parameters to supply for PAM authentication. These will vary depending on the PAM provider.

Provider

A string indicating the ID of the PAM provider.

Use the GET /PamProviders method (see GET PAM Providers) to retrieve a list of all the PAM providers to determine the ID.

For example, a username stored as a Keyfactor secret will look like:

{
   "SecretValue": "KEYEXAMPLE\svc_MyServiceName"
}

For example, a password stored as a Keyfactor secret will look like:

{
   "SecretValue": "MySuperSecretPassword"
}

A secret stored as a CyberArk PAM secret will look like (where the Provider value—1 in this example—is the Id value from GET PAM Providers and the Safe, Folder, and Object reference the information in the CyberArk safe needed for this record):

{
   "Provider": "1",
   "Parameters":{
      "Safe":"MySafeName",
      "Folder":"MyFolderName",
      "Object":"MyObjectName"
   }
}

A secret stored as a Delinea PAM secret will look like (where the Provider value—2 in this example—is the Id value from GET PAM Providers and the SecretId and SecretFieldName contain the information created in the Delinea secret server for this purpose):

{
   "Provider": "2",
   "Parameters":{
      "SecretId":"MyId"
      "SecretFieldName":"MyReferenceName"
   }
}

This parameter is required.

Discovery Document Endpoint Discovery Document Endpoint

1 - String

https://my-keyidp-server .keyexample.com /realms /Keyfactor /.well-known /openid-configuration

The discovery URL for the identity provider.

For Keyfactor Identity Provider, this is the link to the OpenID Endpoint Configuration page, which can be found on the Realm Settings page (see Configuring Keyfactor Identity Provider and Collecting Data for the Keyfactor Command Installation). Populate this value and click Fetch to populate the remainder of the fields in this section, if desired.

If you opt not to populate this field or if the discovery document does not return a valid response, the remainder of the fields in this section of the configuration will need to be configured manually. This value is not stored in the database.

Fallback Unique Claim Type Fallback Unique Claim Type

1 - String

cid

A backup value used to reference the type of claim used for users in the identity provider in case the primary referenced name does not contain a value.

This parameter is required.

JSON Web Key Set Uri JSON Web Key Set Uri

1 - String

https://my-keyidp-server .keyexample.com /realms /Keyfactor /protocol /openid-connect /certs

The JWKS (JSON Web Key Set) URL for the identity provider.

This parameter is required.

Name Claim Type Name Claim Type

1 - String

preferred_username

The name used to reference the type of user claim for the identity provider.

For Keyfactor Identity Provider, this should be:

preferred_username

This parameter is required.

Role Claim Type Role Claim Type

1 - String

groups

The value used to reference the type of group claim for the identity provider.

For Keyfactor Identity Provider, this should be:

groups

This parameter is required.

Scope OIDC Scope

1 - String

One or more scopes that are requested during the OIDC protocol when Keyfactor Command is the relying party. Multiple scopes should be separated by spaces.

This value is not used for Keyfactor Identity Provider.

Sign Out URL SignOut URL

1 -String

https://my-auth0-instance .us.auth0.com /oidc/logout

The signout URL for the identity provider.

This parameter only appears if Auth0 is selected as the type and is required in that case.

Timeout

1 - String

The number of seconds a request to the identity provider is allowed to process before timing out with an error.

Token Audience Token Audience

1 - String

An audience value to be included in token requests delivered to the identity provider when making a token request where Keyfactor Command is acting as the OAuth client.

This value is not used for Keyfactor Identity Provider.

Token Endpoint Token Endpoint

1 - String

https://my-keyidp-server .keyexample.com /realms /Keyfactor /protocol /openid-connect /token

The token endpoint URL for the identity provider.

This parameter is required.

Token Scope Token Scope

1 - String

One or more scopes that should be included in token requests delivered to the identity provider when making a token request where Keyfactor Command is acting as the OAuth client. Multiple scopes should be separated by spaces.

This value is not used for Keyfactor Identity Provider.

Unique Claim Type Unique Claim Type

1 - String

sub

The value used to reference the type of claim used for users in the identity provider. For Keyfactor Identity Provider, this should be (for subject):

sub

This parameter is required.

User Info Endpoint User Info Endpoint

1 - String

https://my-keyidp-server .keyexample.com /realms /Keyfactor /protocol /openid-connect /certs

The user info endpoint URL for the identity provider.

Name	Description
Id	An integer indicating the Keyfactor Command reference ID for the parameter.
Name	A string indicating the short reference name for the parameter (e.g. NameClaimType).
Display Name	A string indicating the display name for the parameter (e.g. Name Claim Type).
Required	A Boolean indicating whether the parameter is required (true) or not (false).
DataType	An integer indicating the data type for the parameter. Possible values are: 1 - String 2 - Secret 3 - Boolean
Value	A string indicating the value set for the parameter, for parameters of type 1 or 3.
Secret Value	A string indicating the value set for the parameter, for parameters of type 2. Due to its sensitive nature, this value is not returned in responses.

Tip: See the Keyfactor API Reference and Utility which provides a utility through which the Keyfactor API

A set of functions to allow creation of applications. Keyfactor offers the Keyfactor API, which allows third-party software to integrate with the advanced certificate enrollment and management features of Keyfactor Command. endpoints can be called and results returned. It is intended to be used primarily for validation, testing and workflow

A workflow is a series of steps necessary to complete a process. In the context of Keyfactor Command, it refers to the workflow builder, which allows you automate event-driven tasks when a certificate is requested or revoked. development. It also serves secondarily as documentation for the API. The link to the Keyfactor API Reference and Utility is in the dropdown from the help icon (

) at the top of the Management Portal page next to the Log Out button.

Version 11.0

On this page: