GET Identity Providers

The GET /IdentityProviders method returns the list of security identity providers configured in the AnyCAGateway REST. On success it returns HTTP 200 OK with the details of the identity providers.

This endpoint does not take any input parameters.

Table 1054: GET Identity Provider Response Data

ID

A string containing the AnyCAGateway REST reference GUID for the identity provider.

Authentication Scheme

A string indicating the authentication scheme (reference name) for the identity provider. This must be a unique value among identity providers.

Display Name

A string indicating the display name for the identity provider. This must be a unique value among identity providers.

TypeId

A string indicating the reference GUID for the type of identity provider. Possible values include:

  • F96B6464-11B7-4499-BEA7-B5AA6BA1571D (Generic)

  • 5AA04122-CD7C-48BA-AC11-F39E30AE8720 (Auth0)

AuthenticationEnabled

A Boolean that allows users to disable and (re-)enable identity providers in the AnyCAGateway REST. Optional; set to true by default if not explicitly set through POST.

Note: Identity providers cannot be set to false (disabled) if the provider is used as the default identity provider for login in the appsettings.json file. Users cannot authenticate with identity providers that are disabled. Internally defined identity providers (e.g. AD, client certificates, unknown, internal use) cannot be disabled.
Parameters

An array of objects containing information for each parameter set for the identity provider.

Each parameter (Table 1055: Identity Provider Parameters) contains the data shown in Table 1056: Identity Provider Response Parameter Structure.

Table 1055: Identity Provider Parameters

Each entry below gives the parameter name, its data type (see Table 1056 for the data type codes), an example value where one is given, and the description.

Auth0 API URL (Type: 1 - String)

The unique identifier defined in Auth0 or a similar identity provider for the API.

This parameter only appears if Auth0 is selected as the type and is required in that case.

Authority (Type: 1 - String; Example: https://my-keyidp-server.keyexample.com/realms/Keyfactor)

The issuer/authority endpoint URL for the identity provider.

For Keyfactor_IdP, this is included among the information that can be found on the OpenID Endpoint Configuration page, a link to which can be found on the Realm Settings page (see Configuring Keyfactor Identity Provider and Collecting Data for the Keyfactor Command Installation).

This parameter is required.

Tip: When you add or update an identity provider, the provider’s discovery document is validated based on this authority URL. The discovery document is also validated periodically in the background. The following are validated:

  • That the discovery document is reachable using the Authority value provided and can be parsed into a valid discovery document.

  • That the Authority URL matches the Issuer returned in the discovery document.

  • That all the URLs in the discovery document use HTTPS.

  • That the JSONWebKeySetUri value is included in the discovery document.

  • That any endpoint configuration values (Authorization Endpoint, Token Endpoint, UserInfo Endpoint, JSONWebKeySetUri) that have been saved or are being saved match the values returned in the discovery document, including case. The UserInfo Endpoint is not a required configuration field, but if a value is provided, it must match what is in the discovery document.

If any of these validation tests fail, any identity provider changes in process will not be saved and an error will be displayed or logged.
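The validation steps listed in the tip above, carried out in code as an added example. This is not the gateway's own implementation: the discovery document is a constructed sample embedded inline so the example runs offline, the parameter names in ENDPOINT_KEYS are the ones from Table 1055, and the discovery keys they map to are the standard OpenID Connect Discovery field names. A real deployment would fetch the document from the authority's /.well-known/openid-configuration path over HTTPS.

```python
"""Validate an OIDC discovery document against a configured identity provider.

Added example, not Keyfactor code. It mirrors the checks the page lists for
the Authority parameter: issuer matches authority, every URL is HTTPS,
jwks_uri is present, and saved endpoint values match the document exactly
(case included).
"""
import json
from urllib.parse import urlsplit

# Gateway parameter names (from Table 1055) -> standard discovery-document keys.
ENDPOINT_KEYS = {
    "Authorization Endpoint": "authorization_endpoint",
    "Token Endpoint": "token_endpoint",
    "User Info Endpoint": "userinfo_endpoint",
    "JSON Web Key Set Uri": "jwks_uri",
}
OPTIONAL_ENDPOINTS = {"User Info Endpoint"}  # the page says this one is not required


def discovery_url(authority):
    """Well-known location of the discovery document for an authority URL."""
    return authority.rstrip("/") + "/.well-known/openid-configuration"


def validate_discovery(authority, configured, discovery_json):
    """Return a list of validation errors; an empty list means every check passed.

    authority:      the configured Authority value
    configured:     dict of gateway endpoint parameter name -> saved value
    discovery_json: raw discovery document text (already fetched)
    """
    errors = []
    try:
        doc = json.loads(discovery_json)
    except json.JSONDecodeError as exc:
        return [f"discovery document is not valid JSON: {exc}"]
    if not isinstance(doc, dict):
        return ["discovery document is not a JSON object"]

    # 1. The issuer must equal the configured Authority exactly.
    issuer = doc.get("issuer")
    if issuer != authority:
        errors.append(f"issuer {issuer!r} does not match authority {authority!r}")

    # 2. jwks_uri must be present (the gateway needs it to verify token signatures).
    if not doc.get("jwks_uri"):
        errors.append("discovery document has no jwks_uri")

    # 3. Every URL-valued field must use HTTPS.
    for key, value in doc.items():
        if isinstance(value, str) and "://" in value and urlsplit(value).scheme != "https":
            errors.append(f"{key} is not HTTPS: {value}")

    # 4. Saved endpoint values must match the document, compared case-sensitively.
    for name, key in ENDPOINT_KEYS.items():
        saved = configured.get(name)
        if saved is None:
            if name not in OPTIONAL_ENDPOINTS:
                errors.append(f"{name} is required but not configured")
            continue
        if saved != doc.get(key):
            errors.append(f"{name} {saved!r} does not match {key} {doc.get(key)!r}")
    return errors


# Constructed sample data (the hostnames follow the examples on this page).
AUTHORITY = "https://my-keyidp-server.keyexample.com/realms/Keyfactor"
SAMPLE_DISCOVERY = json.dumps({
    "issuer": AUTHORITY,
    "authorization_endpoint": AUTHORITY + "/protocol/openid-connect/auth",
    "token_endpoint": AUTHORITY + "/protocol/openid-connect/token",
    "userinfo_endpoint": AUTHORITY + "/protocol/openid-connect/userinfo",
    "jwks_uri": AUTHORITY + "/protocol/openid-connect/certs",
})
GOOD_CONFIG = {
    "Authorization Endpoint": AUTHORITY + "/protocol/openid-connect/auth",
    "Token Endpoint": AUTHORITY + "/protocol/openid-connect/token",
    "JSON Web Key Set Uri": AUTHORITY + "/protocol/openid-connect/certs",
}
# Differs from the document only in the case of one path segment: rejected.
CASE_MISMATCH_CONFIG = dict(GOOD_CONFIG, **{
    "Token Endpoint": AUTHORITY + "/protocol/openid-connect/Token",
})
# Same document with a plain-HTTP issuer: fails the HTTPS and issuer checks.
HTTP_DISCOVERY = SAMPLE_DISCOVERY.replace("https://", "http://", 1)

if __name__ == "__main__":
    print(discovery_url(AUTHORITY))
    print(validate_discovery(AUTHORITY, GOOD_CONFIG, SAMPLE_DISCOVERY))
    print(validate_discovery(AUTHORITY, CASE_MISMATCH_CONFIG, SAMPLE_DISCOVERY))
    print(validate_discovery(AUTHORITY, GOOD_CONFIG, HTTP_DISCOVERY))
```

The comparison in step 4 is a plain string equality, which is what "including case" amounts to: a saved value that differs from the document only by letter case is reported as a mismatch rather than normalised away.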

Authorization Endpoint (Type: 1 - String; Example: https://my-keyidp-server.keyexample.com/realms/Keyfactor/protocol/openid-connect/auth)

The authorization endpoint URL for the identity provider.

For Keyfactor_IdP, this is included among the information that can be found on the OpenID Endpoint Configuration page, a link to which can be found on the Realm Settings page (see Configuring Keyfactor Identity Provider and Collecting Data for the Keyfactor Command Installation).

This parameter is required.

Client Id (Type: 1 - String; Example: Gateway-OIDC-Client)

The ID of the client application created in the identity provider for primary application use.

For more information, see Configuring Keyfactor Identity Provider and Collecting Data for the Keyfactor Command Installation.

This parameter is required.

Client Secret (Type: 2 - Secret)

The secret for the client application created in the identity provider for primary application use. A Keyfactor secret is a user-defined username or password that is encrypted and stored securely in the database.

For Keyfactor_IdP, see Configuring Keyfactor Identity Provider and Collecting Data for the Keyfactor Command Installation.

This parameter is required.

Disable Bearer Token Scope Requirement (Type: 3 - Boolean)

A Boolean that disables checking for a client scope of keyfactor-anyca-gateway configured in the identity provider for this Authentication Scheme (true/yes) or not (false/no).

Tip: You will need to set this to True/Yes if your identity provider does not provide a scope. Some identity providers do not offer the option to include a scope value (e.g. Azure AD). Other identity providers offer this option but do not include the scope by default (e.g. Keyfactor Identity Provider).

Important: If you configure the Disable Bearer Token Scope Requirement option to false (no), you must either configure the client you’re using to connect from Keyfactor Command to the gateway to always include the scope keyfactor-anyca-gateway in the token, or configure the keyfactor-anyca-gateway scope on the authentication methods tab when configuring the CA record in Keyfactor Command. Your OAuth identity provider needs to be configured to recognize keyfactor-anyca-gateway as a scope.

JSON Web Key Set Uri (Type: 1 - String; Example: https://my-keyidp-server.keyexample.com/realms/Keyfactor/protocol/openid-connect/certs)

The JWKS (JSON Web Key Set) URL for the identity provider.

For Keyfactor_IdP, this is included among the information that can be found on the OpenID Endpoint Configuration page, a link to which can be found on the Realm Settings page (see Configuring Keyfactor Identity Provider and Collecting Data for the Keyfactor Command Installation).

This parameter is required.

Name Claim Type (Type: 1 - String; Example: preferred_username)

A type of user claim for the identity provider containing a friendly name for the user.

For Keyfactor_IdP this should be preferred_username.

For Okta, this might be preferred_names (e.g. john.smith@keyexample.com) or just name (e.g. John Smith). For Auth0 this might be name (e.g. johnsmith@keyexample.com).

This parameter is required.

Tip: The value in this field is used to populate the username in the AnyCAGateway REST portal header.

OIDC Audience (Type: 1 - String)

The audience value for tokens issued from the identity provider.

Claims are rejected unless they include the audience defined by this parameter, provided that a value has been specified. Only one audience may be specified. This parameter applies to OpenID Connect tokens only.

This parameter is optional.
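The claim checks described for Disable Bearer Token Scope Requirement, Name Claim Type and OIDC Audience above, shown together as an added example. This is not the gateway's code: the claim sets are constructed, the function name and its keyword arguments are illustrative, and it assumes the token's signature and expiry have already been verified against the JWKS endpoint before these checks run (that step is not shown). The example also handles the two representations each claim can take, which the page does not spell out: aud may be a single string or an array, and scope may be a space-delimited string or a list.

```python
"""Claim-level checks on an already signature-verified bearer token.

Added example, not Keyfactor code. Implements the page's three rules:
  - require the keyfactor-anyca-gateway scope unless the requirement is disabled,
  - if an OIDC Audience is configured, the token's aud must contain it,
  - read the display name from the configured Name Claim Type.
"""

REQUIRED_SCOPE = "keyfactor-anyca-gateway"  # the scope named on the page


def _scopes(claims):
    """Scopes as a set. 'scope' is usually a space-delimited string (RFC 8693);
    some providers use an array, and some a 'scp' claim instead."""
    raw = claims.get("scope") or claims.get("scp") or []
    if isinstance(raw, str):
        return set(raw.split())
    return set(raw)


def _audiences(claims):
    """Audiences as a set. 'aud' may be a string or an array (RFC 7519 §4.1.3)."""
    aud = claims.get("aud", [])
    return {aud} if isinstance(aud, str) else set(aud)


def check_token_claims(claims, *, disable_scope_requirement=False,
                       oidc_audience=None, name_claim_type="preferred_username"):
    """Return (accepted, reasons, display_name).

    accepted     -> False if any configured check failed
    reasons      -> human-readable list of failed checks (empty when accepted)
    display_name -> value of the Name Claim Type claim, or None if absent
    """
    reasons = []

    # Scope requirement: enforced unless the gateway parameter is set to true.
    if not disable_scope_requirement and REQUIRED_SCOPE not in _scopes(claims):
        reasons.append(f"token does not carry scope {REQUIRED_SCOPE}")

    # Audience: only enforced when an OIDC Audience value has been configured.
    if oidc_audience and oidc_audience not in _audiences(claims):
        reasons.append(
            f"audience {oidc_audience!r} not in token aud {sorted(_audiences(claims))}"
        )

    # Friendly name for the portal header; its absence is not a rejection reason.
    display_name = claims.get(name_claim_type)
    return (not reasons, reasons, display_name)


# Constructed claim sets (hypothetical values, following this page's examples).
KEYIDP_CLAIMS = {
    "iss": "https://my-keyidp-server.keyexample.com/realms/Keyfactor",
    "aud": ["account", "anyca-gateway"],               # array form of aud
    "scope": "openid profile keyfactor-anyca-gateway",  # space-delimited scope
    "preferred_username": "john.smith",
}
NO_SCOPE_CLAIMS = {
    # A provider that issues no scope claim at all and a single-string aud.
    "iss": "https://idp.keyexample.com/",
    "aud": "api://anyca-gateway",
    "name": "John Smith",
}

if __name__ == "__main__":
    print(check_token_claims(KEYIDP_CLAIMS, oidc_audience="anyca-gateway"))
    print(check_token_claims(NO_SCOPE_CLAIMS, name_claim_type="name"))
    print(check_token_claims(NO_SCOPE_CLAIMS, name_claim_type="name",
                             disable_scope_requirement=True))
```

The second and third calls show the situation the tip describes: a token from a provider that cannot emit the scope is rejected with the requirement left at false and accepted once it is set to true, with the display name then taken from the name claim rather than preferred_username.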

SignOut URL (Type: 1 - String; Example: https://my-auth0-instance.us.auth0.com/oidc/logout)

The signout URL for the identity provider.

This parameter only appears if Auth0 is selected as the type and is required in that case.

Timeout (Type: 1 - String; Example: 60)

The number of seconds a request to the OAuth identity provider is allowed to process before timing out with an error.

Token Endpoint (Type: 1 - String; Example: https://my-keyidp-server.keyexample.com/realms/Keyfactor/protocol/openid-connect/token)

The token endpoint URL for the identity provider.

For Keyfactor_IdP, this is included among the information that can be found on the OpenID Endpoint Configuration page, a link to which can be found on the Realm Settings page (see Configuring Keyfactor Identity Provider and Collecting Data for the Keyfactor Command Installation).

This parameter is required.

User Info Endpoint (Type: 1 - String; Example: https://my-keyidp-server.keyexample.com/realms/Keyfactor/protocol/openid-connect/certs)

The user info endpoint URL for the identity provider.

For Keyfactor_IdP, this is included among the information that can be found on the OpenID Endpoint Configuration page, a link to which can be found on the Realm Settings page (see Configuring Keyfactor Identity Provider and Collecting Data for the Keyfactor Command Installation).

Table 1056: Identity Provider Response Parameter Structure

Id

An integer indicating the Keyfactor Command reference ID for the parameter.

Name

A string indicating the short reference name for the parameter (e.g. NameClaimType).

Display Name

A string indicating the display name for the parameter (e.g. Name Claim Type).

Required

A Boolean indicating whether the parameter is required (true) or not (false).

Data Type

An integer indicating the data type for the parameter. Possible values are:

  • 1 - String

  • 2 - Secret

  • 3 - Boolean

Value

A string indicating the value set for the parameter, for parameters of type 1 or 3.

Secret Value

A string indicating the value set for the parameter, for parameters of type 2.

Due to its sensitive nature, this value is not returned in responses.