Using Keyfactor Identity Provider

To add roles and groups in Keyfactor Identity Provider:

1. Use a browser to open the Keyfactor Identity Provider management interface. For example:

   https://appsrvr18.keyexample.com:1443

   Click the Administration Console link and sign in with an administrative user and password (see Installing Using Docker Compose).

2. In the Keyfactor Identity Provider Administration Console, select Keyfactor in the realm dropdown.

   

   Figure 502: Select a Realm in the Keyfactor Identity Provider Administration Console

3. In the Keyfactor Identity Provider Administration Console, browse to Realm roles. Click Create role to add a new role to be used to grant permissions in Keyfactor Command. Enter a Role name and Description.

   Note:  The Role name is used when referencing the role from Keyfactor Command to create a claim and map it to a security role to grant permissions to users.

   

   Figure 503: Add a Keyfactor Identity Provider Role

   Repeat this step for each role that you will use from Keyfactor Command. For example, administrators, power users, and limited access users.

4. If desired, you can organize your roles into groups. This can simplify the process of assigning the roles to your users. To create a group, in the Keyfactor Identity Provider Administration Console, browse to Groups. Click Create group to add a new organizational group. Enter a Name for the group.

   

   Figure 504: Add a Keyfactor Identity Provider Group

5. Once the group creation is complete, open the group details. In the group details on the Role mapping tab, click Assign role and select the role or roles to assign to this group.

   

   Figure 505: Assign a Role to a Group in Keyfactor Identity Provider

   Repeat these two steps for each group that you will use to manage roles in Keyfactor Identity Provider.

Be sure to create your roles and groups before adding your users.

To add users in Keyfactor Identity Provider:

1. Use a browser to open the Keyfactor Identity Provider management interface. For example:

   https://appsrvr18.keyexample.com:1443

   Click the Administration Console link and sign in with an administrative user and password (see Installing Using Docker Compose).

2. In the Keyfactor Identity Provider Administration Console, select Keyfactor in the realm dropdown.

   

   Figure 506: Select a Realm in the Keyfactor Identity Provider Administration Console

3. In the Keyfactor Identity Provider Administration Console, browse to Users. Click Add user to add a user. Enter at minimum a Username, and click Join Groups. In the Select groups to join dialog, select an appropriate group for this user and click Join.

   Tip:  By joining a group, your user now inherits the roles of this group.

   

   Figure 507: Add a Keyfactor Identity Provider User

4. Once the user creation is complete, open the user details. In the user details on the Credentials tab, click Set password and set a temporary password for the new user. The user will be prompted to set a new password on initial logon unless you toggle the Temporary option to Off.

   Important:  Keyfactor highly recommends that you use strong passwords for any accounts or certificates related to Keyfactor Command and associated products, especially when these have elevated or administrative access. A strong password has at least 12 characters (more is better) and multiple character classes (lowercase letters, uppercase letters, numeral, and symbols). Ideally, each password would be randomly generated. Avoid password re-use.

   

   Figure 508: Set a Password for the Keyfactor Identity Provider User

   Repeat these steps for each user who will access Keyfactor Command using an identity provider other than Active Directory.

5. If you prefer to add roles directly rather than via groups, in the user details on the Role mapping tab, click Assign role and select a role for the new user.

   Tip:  Roles assigned via group membership won’t appear on the Role mapping tab unless you uncheck the Hide inherited roles checkbox.

   

   Figure 509: Assign a Role to a Keyfactor Identity Provider User

Keyfactor Command uses client records in Keyfactor Identity Provider to provide some service account functions. You will or may need this type of service account if you plan to:

• Install Keyfactor Command (a service account is added to allow Keyfactor Command to make API An API is a set of functions to allow creation of applications. Keyfactor offers the Keyfactor API, which allows third-party software to integrate with the advanced certificate enrollment and management features of Keyfactor Command. requests to Keyfactor Identity Provider)

• Use the Keyfactor API

• Use the Keyfactor Universal Orchestrator The Keyfactor Universal Orchestrator, one of Keyfactor's suite of orchestrators, is used to interact with servers and devices for certificate management, run SSL discovery and management tasks, and manage synchronization of certificate authorities in remote forests. With the addition of custom extensions, it can provide certificate management capabilities on a variety of platforms and devices (e.g. Amazon Web Services (AWS) resources, Citrix\NetScaler devices, F5 devices, IIS stores, JKS keystores, PEM stores, and PKCS#12 stores) and execute tasks outside the standard list of certificate management functions. It runs on either Windows or Linux servers or Linux containers.

To add clients for service account in Keyfactor Identity Provider:

1. Use a browser to open the Keyfactor Identity Provider management interface. For example:

   https://appsrvr18.keyexample.com:1443

   Click the Administration Console link and sign in with an administrative user and password (see Installing Using Docker Compose).

2. In the Keyfactor Identity Provider Administration Console, select Keyfactor in the realm dropdown.

   

   Figure 510: Select a Realm in the Keyfactor Identity Provider Administration Console

3. In the Keyfactor Identity Provider Administration Console, browse to Clients. Click Create client to add a service account. On the General Settings tab, select a Client type of OpenIdConnect and enter a unique Client ID. This Client ID will be how you will reference the service account from Keyfactor Command. It should not contain spaces. Give the client a Name and Description. Toggle the Always display in UI option to On to allow the account to always appear in the UI even when it’s not in active use. Click Next.

   

   Figure 511: Add a Keyfactor Identity Provider Service Account (Client): General

4. On the Capability config tab, toggle Client authentication to On and in the Authentication flow section, uncheck everything except Service accounts roles. Click Next.

   

   Figure 512: Add a Keyfactor Identity Provider Service Account (Client): Capabilities

5. On the Login settings tab, click Save. You do not need to populate any of the data on this tab.

6. In the Client details on the Credentials tab, click the Copy button next to the Client secret field to copy the unmasked version of the client secret to the clipboard (you do not need to display it unmasked first) and save this in a secure location. For the service account Keyfactor Command uses to make API requests, you will need this and the Client ID during the Keyfactor Command configuration.

   

   Figure 513: Copy the Keyfactor Identity Provider Service Account (Client) Secret