Configuring OIDC with Active Directory for the Cryptographic Security Platform Vault for Cloud Keys

By default the vault is configured for local authentication. You can change the authentication method as required.

Important: You cannot disable OIDC authentication once it is configured.

Active Directory authentication must be configured for the vault before you can configure OIDC. See Configuring Active Directory for the Cryptographic Security Platform Vault for Cloud Keys.

When OIDC is configured with Active Directory, the privileges (Security Admin, Cloud Admin) and the permissions to the various Cryptographic Security Platform Vault Groups (Cloud Admin Groups) are assigned at the AD user and AD group level.

To add an Active Directory group:

  1. In the top menu bar, click Security, and then select the Groups tab.
  2. On the Members tab, select Active Directory Group.
  3. Type the first three letters of the group to fetch the group name from the AD server. Select the group.

To add a single Active Directory user:

  1. In the top menu bar, click Security, and then select the Groups tab.
  2. On the Members tab, select Cryptographic Security Platform Vault Managed Users.
  3. Select Actions > Create User and use the Authentication Type Active Directory.
  4. Set the privileges and add the user to the necessary Cryptographic Security Platform Vault Groups.

Note: The Security Admin privilege cannot be granted to an entire AD group; it is assigned per user.

Each Cryptographic Security Platform Vault can be configured with a separate OIDC server or a separate application from the same server.

For an example of how to configure an OIDC provider, see Example: Configuring Entrust Identity as a Service.

Important: OIDC with AD is a legacy authentication mode that relies on Active Directory (AD) where the OIDC provider manages authentication and Active Directory manages identity. This option should be used only for existing OIDC configurations that are already integrated with AD. If you are not using AD, we recommend that you use OIDC without AD as your OIDC authentication method.

Procedure

  1. Log into the Cryptographic Security Platform Vault for Cloud Keys webGUI.
  2. In the top menu bar, click Settings.
  3. In the General Settings section, click Authentication.
  4. In the Choose Authentication Type drop-down menu, select OpenID Connect (with AD).

  5. Specify the OpenID Connect Configuration settings:

     Client ID
       The organizational identity assigned by the OpenID Connect provider when you sign up for the service.

     Client Secret
       A cryptographic component used to secure the organization's access to the OpenID Connect provider.
       Important: This field is write-only. It will never be displayed again after it has been initially created. It can be re-entered if necessary.

     Base URL
       The URL that Cryptographic Security Platform Vault will use to contact the OpenID Connect provider to present the login page.

     Name
       A user-defined name for the OpenID Connect provider. Cryptographic Security Platform Vault displays this name on the button on the login dialogs.

  6. Click Apply.

    A dialog appears showing the configuration.

  7. Select Verify and Enable.

    After the verification, a message appears confirming OpenID Connect has been successfully enabled.

    The vault is now set for OIDC authentication.

  8. Sign out from the vault and sign in to the vault as an OIDC user.

    To sign in as an OIDC user, select Sign in with IDAAS and enter your OIDC credentials.

    Important: You cannot disable OIDC authentication once it is configured. After OIDC is enabled you cannot sign in using AD credentials. However, you can sign in using local authentication credentials without any issues.
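The following script is an added illustration of the four settings entered in step 5 and of the kind of checks a "Verify and Enable" step performs; it is not Entrust product code, and the vault's own verification logic is not described on this page. It models the configuration record with a write-only Client Secret (omitted from the record's repr), validates the Base URL and the other fields, and checks a provider discovery document (normally fetched from <Base URL>/.well-known/openid-configuration; here a constructed sample passed in so the script runs offline). The requirement that the discovery document's issuer equal the Base URL is an assumption of this example, not a documented vault rule; the tenant, client and secret values are placeholders.

```python
"""Sanity-check an "OpenID Connect (with AD)" configuration record.

Added example, not Entrust code. Assumptions: the vault's verify step would
(a) refuse a non-https Base URL, (b) require the standard discovery keys, and
(c) expect the discovery issuer to match the configured Base URL.
"""

import json
from dataclasses import dataclass, field
from urllib.parse import urlparse


@dataclass
class OidcConfig:
    client_id: str
    client_secret: str = field(repr=False)  # write-only: never echoed back
    base_url: str
    name: str  # label shown on the vault's "Sign in with ..." button

    def discovery_url(self) -> str:
        # Standard OIDC discovery location relative to the provider base URL.
        return self.base_url.rstrip("/") + "/.well-known/openid-configuration"


def validate_config(cfg: OidcConfig) -> list[str]:
    """Return a list of problems; an empty list means the record looks sane."""
    problems = []
    if not cfg.client_id.strip():
        problems.append("Client ID is empty")
    if not cfg.client_secret:
        problems.append("Client Secret is empty")
    if not cfg.name.strip():
        problems.append("Name is empty (it labels the login button)")
    u = urlparse(cfg.base_url)
    if u.scheme != "https":
        problems.append("Base URL must use https (the secret and tokens travel over it)")
    if not u.netloc:
        problems.append("Base URL has no host")
    if u.query or u.fragment:
        problems.append("Base URL must not carry a query string or fragment")
    return problems


REQUIRED_DISCOVERY_KEYS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def verify_discovery(cfg: OidcConfig, discovery_json: str) -> list[str]:
    """Check a provider discovery document against the configured Base URL."""
    problems = []
    try:
        doc = json.loads(discovery_json)
    except json.JSONDecodeError as e:
        return [f"discovery document is not valid JSON: {e}"]
    for key in REQUIRED_DISCOVERY_KEYS:
        if key not in doc:
            problems.append(f"discovery document lacks '{key}'")
    issuer = doc.get("issuer", "")
    if issuer and issuer.rstrip("/") != cfg.base_url.rstrip("/"):
        problems.append(f"issuer '{issuer}' does not match Base URL '{cfg.base_url}'")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        endpoint = doc.get(key, "")
        if endpoint and urlparse(endpoint).scheme != "https":
            problems.append(f"{key} is not https")
    if "code" not in doc.get("response_types_supported", ["code"]):
        problems.append("provider does not advertise the authorization code flow")
    return problems


# Constructed sample values: placeholders, not a real tenant or credential.
SAMPLE_CONFIG = OidcConfig(
    client_id="vault-cloud-keys",
    client_secret="placeholder-secret-do-not-reuse",
    base_url="https://idp.example.com",
    name="IDAAS",
)

SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/authorize",
    "token_endpoint": "https://idp.example.com/token",
    "jwks_uri": "https://idp.example.com/jwks",
    "response_types_supported": ["code", "id_token"],
})

if __name__ == "__main__":
    print(SAMPLE_CONFIG)  # client_secret does not appear in the output
    print("discovery URL:", SAMPLE_CONFIG.discovery_url())
    print("config problems:", validate_config(SAMPLE_CONFIG))
    print("discovery problems:", verify_discovery(SAMPLE_CONFIG, SAMPLE_DISCOVERY))
```

Running the script on the sample values reports no problems; swapping the Base URL for an http:// address or feeding a discovery document with a different issuer produces a non-empty problem list, which is the situation in which the vault's step 7 verification would fail before OIDC is enabled.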