Identity Provider Operations
On the identity providers page, you can modify existing identity providers, but you cannot add new identity providers. New identity providers should be added by re-running the Keyfactor Command Configuration Wizard and adding a new identity provider on the Authentication tab (see Authentication Tab). Identity providers cannot be deleted.
To modify an identity provider:
- In the Management Portal, browse to the System Settings icon > Identity Providers.
- On the Identity Providers page, highlight a row and click Edit from the top of the grid or from the right-click menu to modify an existing provider.
- On the Editing Identity Provider page, fill in each tab of the dialog with the information desired for the selected identity provider.
  - On the Details tab, enter a short Name and Display Name for the provider. The TypeId cannot be edited. Important: The value in the Name field must match the provider name referenced in the redirect URLs (see Configuring Keyfactor Identity Provider and Collecting Data for the Keyfactor Command Installation).
    Figure 402: Details for an Identity Provider
  - On the Parameters tab, select each parameter to configure and click Edit to open the Edit <Parameter Name> Parameter dialog, the contents of which will vary depending on the parameter selected. For information about the specific parameters, see Table 78: Identity Provider Parameters.
    Figure 403: Edit Parameters for an Identity Provider
- Click Save to save the identity provider.
Table 78: Identity Provider Parameters

Name | Type | Example | Description |
---|---|---|---|
 | 1 - String | Command-API-Query | The client ID of the service account that Keyfactor Command uses to make API calls to the identity provider. For Keyfactor Identity Provider, this is created as a client (see Service Accounts). Keyfactor recommends that you use a different client for this purpose than the client used for the main connection from Keyfactor Command to the identity provider (see Client Id). This parameter is required. |
 | 1 - String | | The client secret of the service account that Keyfactor Command uses to make API calls to the identity provider. For Keyfactor Identity Provider, this is created as a client (see Service Accounts). This parameter is required. |
 | 1 - String | Command-OIDC-Client | The audience value for the identity provider. For Keyfactor Identity Provider, this should be set to the same value as the Client Id. For example: Command-OIDC-Client. This parameter is required. |
 | 1 - String | | The unique identifier defined in Auth0 or a similar identity provider for the API. This parameter only appears if Auth0 is selected as the type and is required in that case. |
Authority | 1 - String | https://my-keyidp-server.keyexample.com/realms/Keyfactor | The issuer/authority endpoint URL for the identity provider. For Keyfactor Identity Provider, this is included among the information that can be found on the OpenID Endpoint Configuration page, a link to which can be found on the Realm Settings page (see Configuring Keyfactor Identity Provider and Collecting Data for the Keyfactor Command Installation). It is automatically returned by the Discovery Document Endpoint Fetch step. Review it to confirm that it appears correct. This parameter is required. Tip: When you add or update an identity provider, the provider's discovery document is validated based on this authority URL. The discovery document is also validated periodically in the background. The following are validated: If any of these validation tests fail, any identity provider changes in process will not be saved and an error will be displayed or logged. |
 | 1 - String | https://my-keyidp-server.keyexample.com/realms/Keyfactor/protocol/openid-connect/auth | The authorization endpoint URL for the identity provider. For Keyfactor Identity Provider, this is included among the information that can be found on the OpenID Endpoint Configuration page, a link to which can be found on the Realm Settings page (see Configuring Keyfactor Identity Provider and Collecting Data for the Keyfactor Command Installation). It is automatically returned by the Discovery Document Endpoint Fetch step. Review it to confirm that it appears correct. This parameter is required. |
Client Id | 1 - String | Command-OIDC-Client | The ID of the client application created in the identity provider for primary application use. For Keyfactor Identity Provider, this should be: Command-OIDC-Client. For more information, see Configuring Keyfactor Identity Provider and Collecting Data for the Keyfactor Command Installation. This parameter is required. |
 | 2 - Secret | | The secret for the client application created in the identity provider for primary application use. For Keyfactor Identity Provider, see Configuring Keyfactor Identity Provider and Collecting Data for the Keyfactor Command Installation for help locating this. It is automatically returned by the Discovery Document Endpoint Fetch step. Review it to confirm that it appears correct. Supported methods to store secret information are: This parameter is required. |
 | 1 - String | https://my-keyidp-server.keyexample.com/realms/Keyfactor/.well-known/openid-configuration | The discovery URL for the identity provider. For Keyfactor Identity Provider, this is the link to the OpenID Endpoint Configuration page, which can be found on the Realm Settings page (see Configuring Keyfactor Identity Provider and Collecting Data for the Keyfactor Command Installation). Populate this value and click Fetch to populate the remainder of the fields in this section, if desired. If you opt not to populate this field or if the discovery document does not return a valid response, the remainder of the fields in this section of the configuration will need to be configured manually. This value is not stored in the database. |
 | 1 - String | cid | A backup value used to reference the type of claim used for users in the identity provider in case the primary referenced name does not contain a value. This parameter is required. |
 | 1 - String | https://my-keyidp-server.keyexample.com/realms/Keyfactor/protocol/openid-connect/certs | The JWKS (JSON Web Key Set) URL for the identity provider. For Keyfactor Identity Provider, this is included among the information that can be found on the OpenID Endpoint Configuration page, a link to which can be found on the Realm Settings page (see Configuring Keyfactor Identity Provider and Collecting Data for the Keyfactor Command Installation). It is automatically returned by the Discovery Document Endpoint Fetch step. Review it to confirm that it appears correct. This parameter is required. |
 | 1 - String | preferred_username | The name used to reference the type of user claim for the identity provider. For Keyfactor Identity Provider, this should be: preferred_username. This parameter is required. |
 | 1 - String | groups | The value used to reference the type of group claim for the identity provider. For Keyfactor Identity Provider, this should be: groups. This parameter is required. |
 | 1 - String | | One or more scopes that are requested during the OIDC protocol when Keyfactor Command is the relying party. Multiple scopes should be separated by spaces. This value is not used for Keyfactor Identity Provider. |
 | 1 - String | https://my-auth0-instance.us.auth0.com/oidc/logout | The signout URL for the identity provider. This parameter only appears if Auth0 is selected as the type and is required in that case. |
Timeout | 1 - String | 60 | The number of seconds a request to the identity provider is allowed to process before timing out with an error. |
 | 1 - String | | An audience value to be included in token requests delivered to the identity provider when making a token request where Keyfactor Command is acting as the OAuth client. This value is not used for Keyfactor Identity Provider. |
 | 1 - String | https://my-keyidp-server.keyexample.com/realms/Keyfactor/protocol/openid-connect/token | The token endpoint URL for the identity provider. For Keyfactor Identity Provider, this is included among the information that can be found on the OpenID Endpoint Configuration page, a link to which can be found on the Realm Settings page (see Configuring Keyfactor Identity Provider and Collecting Data for the Keyfactor Command Installation). It is automatically returned by the Discovery Document Endpoint Fetch step. Review it to confirm that it appears correct. This parameter is required. |
 | 1 - String | | One or more scopes that should be included in token requests delivered to the identity provider when making a token request where Keyfactor Command is acting as the OAuth client. Multiple scopes should be separated by spaces. This value is not used for Keyfactor Identity Provider. |
 | 1 - String | sub | The value used to reference the type of claim used for users in the identity provider. For Keyfactor Identity Provider, this should be (for subject): sub. This parameter is required. |
 | 1 - String | https://my-keyidp-server.keyexample.com/realms/Keyfactor/protocol/openid-connect/certs | The user info endpoint URL for the identity provider. For Keyfactor Identity Provider, this is included among the information that can be found on the OpenID Endpoint Configuration page, a link to which can be found on the Realm Settings page (see Configuring Keyfactor Identity Provider and Collecting Data for the Keyfactor Command Installation). It is automatically returned by the Discovery Document Endpoint Fetch step. Review it to confirm that it appears correct. |
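The following is an added example, not Keyfactor Command's own code, showing what the Discovery Document Endpoint Fetch step and the discovery-document validation described for the Authority parameter amount to when done by hand: the document is parsed, the endpoint fields the Fetch step fills are pulled out, and the provider is rejected (the "changes will not be saved" outcome) when the document is unusable or its issuer does not match the configured Authority. The discovery document, the field labels and the extra https check are this example's own constructions; the URLs follow the page's examples.

```python
"""Parse and validate an OIDC discovery document against a configured Authority.

Added example (not Keyfactor Command's code). The sample document is
constructed; the checks are the ones a relying party needs before trusting
the endpoints a discovery document advertises.
"""
import json
from urllib.parse import urlparse

# Standard OpenID Connect Discovery keys behind the fields the Fetch step fills.
# The left-hand labels are this example's own and mirror the page's row wording.
FIELD_KEYS = {
    "Authority": "issuer",
    "Authorization endpoint": "authorization_endpoint",
    "Token endpoint": "token_endpoint",
    "JWKS URL": "jwks_uri",
    "User info endpoint": "userinfo_endpoint",
}
# userinfo_endpoint is optional in OIDC Discovery; the page marks the others required.
REQUIRED_KEYS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def discovery_url(authority: str) -> str:
    """Discovery URL implied by an authority, as in the page's example pair."""
    return authority.rstrip("/") + "/.well-known/openid-configuration"


def check_discovery(document_text: str, configured_authority: str):
    """Return (fields, None) when the document is usable, else (None, error).

    Checks: valid JSON object, required endpoints present, every endpoint is an
    https URL, and the issuer equals the configured Authority. The issuer match
    is the essential check: a provider whose document names a different issuer
    would mint tokens whose 'iss' claim never matches what Keyfactor Command
    expects, so the configuration must be refused rather than saved.
    """
    try:
        doc = json.loads(document_text)
    except json.JSONDecodeError as exc:
        return None, f"discovery document is not valid JSON: {exc.msg}"
    if not isinstance(doc, dict):
        return None, "discovery document is not a JSON object"
    missing = [k for k in REQUIRED_KEYS if not doc.get(k)]
    if missing:
        return None, "discovery document lacks required fields: " + ", ".join(missing)
    for key in FIELD_KEYS.values():
        url = doc.get(key)
        if url is None:
            continue  # optional endpoint not advertised
        parts = urlparse(url)
        if parts.scheme != "https" or not parts.netloc:
            return None, f"{key} is not an https URL: {url}"
    if doc["issuer"].rstrip("/") != configured_authority.rstrip("/"):
        return None, (f"issuer {doc['issuer']} does not match configured "
                      f"Authority {configured_authority}")
    return {label: doc.get(key) for label, key in FIELD_KEYS.items()}, None


AUTHORITY = "https://my-keyidp-server.keyexample.com/realms/Keyfactor"
_OIDC = AUTHORITY + "/protocol/openid-connect"

# Constructed discovery document, trimmed to the keys this example uses.
SAMPLE_DOCUMENT = json.dumps({
    "issuer": AUTHORITY,
    "authorization_endpoint": _OIDC + "/auth",
    "token_endpoint": _OIDC + "/token",
    "jwks_uri": _OIDC + "/certs",
    "userinfo_endpoint": _OIDC + "/userinfo",
})

# Constructed document whose issuer names a different realm: must be rejected.
WRONG_ISSUER_DOCUMENT = SAMPLE_DOCUMENT.replace('/realms/Keyfactor"', '/realms/Other"', 1)


if __name__ == "__main__":
    print("discovery URL:", discovery_url(AUTHORITY))
    fields, err = check_discovery(SAMPLE_DOCUMENT, AUTHORITY)
    for label, value in fields.items():
        print(f"{label}: {value}")
    _, err = check_discovery(WRONG_ISSUER_DOCUMENT, AUTHORITY)
    print("rejected:", err)
```

Run the module directly to see the fields the Fetch step would populate and the rejection message for the mismatched-issuer document; in a real deployment the document text would come from an HTTPS GET of the discovery URL rather than the inline sample.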
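The claim-type rows above (the user claim and its backup value, the name claim and the group claim) describe how Keyfactor Command identifies a signed-in user from a token. The example below is added here and is not Keyfactor Command's own code; it shows that resolution on claims from a token that has already been verified (signature against the JWKS URL, issuer against the Authority, audience against the Audience value), using the page's Keyfactor Identity Provider settings: sub, with cid as the fallback, preferred_username and groups. The claim values are constructed, and treating a missing name claim as an error and normalising a single-valued group claim to a list are this example's own choices.

```python
"""Resolve a user's identity from verified OIDC token claims.

Added example (not Keyfactor Command's code). The claim-type names are the
page's Keyfactor Identity Provider settings; the sample claims are constructed.
"""

# Claim-type parameters as the page specifies them for Keyfactor Identity Provider.
CLAIM_TYPES = {
    "unique": "sub",               # primary user identifier claim
    "unique_fallback": "cid",      # used only when the primary claim has no value
    "name": "preferred_username",  # login/display name claim
    "groups": "groups",            # group membership claim
}


def resolve_identity(claims: dict, claim_types: dict = CLAIM_TYPES) -> dict:
    """Return {'id', 'name', 'groups'} for a token's claims.

    The id comes from the primary unique claim, then from the fallback claim;
    an empty value in both is an error, because without a stable identifier
    the user cannot be matched to roles. Group values are normalised to a
    sorted, de-duplicated list so that a single-valued claim (a bare string)
    and a multi-valued claim (a list) are treated alike.
    """
    user_id = (claims.get(claim_types["unique"])
               or claims.get(claim_types["unique_fallback"]))
    if not user_id:
        raise ValueError(f"token carries neither {claim_types['unique']!r} nor "
                         f"{claim_types['unique_fallback']!r}")
    name = claims.get(claim_types["name"])
    if not name:  # this example's choice: a nameless principal is rejected
        raise ValueError(f"token lacks the name claim {claim_types['name']!r}")
    raw_groups = claims.get(claim_types["groups"], [])
    if isinstance(raw_groups, str):
        raw_groups = [raw_groups]
    groups = sorted({g for g in raw_groups if isinstance(g, str) and g})
    return {"id": str(user_id), "name": name, "groups": groups}


def identity_error(claims: dict, claim_types: dict = CLAIM_TYPES):
    """Return the rejection reason for a token's claims, or None if usable."""
    try:
        resolve_identity(claims, claim_types)
    except ValueError as exc:
        return str(exc)
    return None


# Constructed claims for an interactive user: every configured claim present,
# with a duplicate group entry to show the normalisation.
USER_CLAIMS = {
    "iss": "https://my-keyidp-server.keyexample.com/realms/Keyfactor",
    "aud": "Command-OIDC-Client",
    "sub": "3f1c0d2a-0000-4000-8000-000000000001",
    "preferred_username": "jsmith",
    "groups": ["CertificateAdmins", "Auditors", "CertificateAdmins"],
}

# Constructed claims for a service-account token: no 'sub', so the fallback
# claim 'cid' supplies the identifier, and the group claim is single-valued.
SERVICE_CLAIMS = {
    "cid": "svc-command-api-query",
    "preferred_username": "service-account-command-api-query",
    "groups": "ApiClients",
}


if __name__ == "__main__":
    print(resolve_identity(USER_CLAIMS))
    print(resolve_identity(SERVICE_CLAIMS))
    print("rejected:", identity_error({"preferred_username": "nobody"}))
```

The fallback is only consulted when the primary claim is absent or empty, which matches the page's description of the backup value; a token with neither claim is rejected rather than mapped to an anonymous principal.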