Identity providers are used to provide a method for authenticating access to Keyfactor Command. Keyfactor Command supports Microsoft Active Directory and open authorization (OAuth) 2.0 compliant identity providers with a complete implementation of the OpenID Connect (OIDC) protocol. Keyfactor Command has been tested with the following identity providers:
-
Active Directory
Microsoft’s Active Directory has historically been the only identity provider supported by Keyfactor Command. With Active Directory, you can authenticate users defined in the Active Directory forest
An Active Directory forest (AD forest) is the top most logical container in an Active Directory configuration that contains domains, and objects such as users and computers. to which the Keyfactor Command server is joined and users from forests in a trust with this forest using integrated Windows authentication. Users may alternatively be authenticated to Keyfactor Command using Basic authentication when you opt for Active Directory as your identity provider. Active Directory supports user, group and computer accounts. -
Keyfactor Identity Provider
Keyfactor Identity Provider is a lightweight application that is easily installed in the same environment as Keyfactor Command to provide standalone authentication separate from Active Directory. It may be used directly to supply authentication or it may be used to federate authentication to another OAuth 2.0 compliant identity provider (e.g. Okta, Ping Identity). Keyfactor Identity Provider runs in a Linux-based Docker container. Keyfactor Identity Provider supports users and groups.
-
Auth0
Auth0 is a cloud-based OAuth 2.0 compliant identity and access management (IAM) solution owned by Okta.
A given Keyfactor Command server may be configured with only one type of identity provider (Active Directory or OAuth). If desired, you may configure an environment with multiple Keyfactor Command servers and configure a different type of identity provider for each Keyfactor Command server.
OAuth identity providers must meet the following requirements to work with Keyfactor Command:
-
They must be a complete implementation of OpenID Connect. For more information, see:
-
They must enforce that usernames within the realm are unique.
-
Users should not be allowed to choose their own usernames and/or email addresses for access to Keyfactor Command.
-
The identity provider must be configurable using the fields provided in Keyfactor Command.
-
The endpoint
An endpoint is a URL that enables the API to gain access to resources on a server. used to acquire a bearer token must support POST Form URL requests leveraging the client_secrets, client-id, and grant_type parameters. -
The identity provider must support front channel logout.
The SSH (secure shell) protocol provides for secure connections between computers. It provides several options for authentication, including public key, and protects the communications with strong encryption. management in Keyfactor Command with the Keyfactor Bash Orchestrator The Bash Orchestrator, one of Keyfactor's suite of orchestrators, is used to discover and manage SSH keys across an enterprise.