Configuring OIDC for KeyControl Vault for Application Security
By default the vault is configured for local authentication. You can change the authentication method as required, but you can use only one type of authentication per vault at a time.
Note: If you want to use OIDC without AD, you can only change to that mode from the local authentication mode. If you have configured AD or OIDC with AD, you cannot change to OIDC without AD.
Each vault can be configured with a separate OIDC server, or with a separate application on the same server.
For an example of how to configure an OIDC provider, see Example: Configuring Entrust Identity as a Service.
- Log into the KeyControl Vault for Application Security webGUI.
- Click the Settings icon at the top right of the vault page.
- From the Authentication Type menu, select OpenID Connect.
- Specify the OpenID Connect Configuration settings:

| Field | Description |
| --- | --- |
| Name | A user-defined name for the OpenID Connect provider. Click the Learn more about configuring the OIDC Provider link to view the login redirect URL and the logout redirect URL for the OIDC provider. |
| Client ID | The organizational identity assigned by the OpenID Connect provider when you sign up for the service. |
| Client Secret | A cryptographic component used to secure the organization's access to the OpenID Connect provider. Important: This field is write-only. It will never be displayed again after it has been initially created. It can be reentered if necessary. |
| Base URL | The URL that KeyControl will use to contact the OpenID Connect provider to present the login page. |

- Optional. Click Browse to upload the CA Certificate.
  Note: The certificate needs to be in base64 encoded PEM format.
- Enter the Admin Name and Admin Email for the OIDC user.
  This user will be created and will act as the Vault Administrator. They will be assigned to the admin policy and receive the email with the registration URL.
- Click Apply.
  The OpenID Connect Configuration window appears showing the current configuration.
- Click Verify and Enable.
  The OpenID Connect Successfully Configured window displays the new login URL.
- Copy the URL, and click Log Out and Sign in with IDP.
- After you are logged out, paste the URL into the browser window.
- Log in to the Identity Provider using the name and password that you created.
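Before clicking Verify and Enable, it is worth checking the values entered in the form from the command line: that the CA Certificate really is base64 PEM, and that the Base URL serves an OpenID Connect discovery document whose issuer and endpoints are consistent. The script below is an added example and not Entrust's code; it assumes the provider publishes a standard discovery document at `<Base URL>/.well-known/openid-configuration` and that the Base URL is the provider's issuer, and its sample document is constructed.

```python
# Added example (not Entrust's code): pre-flight checks for the values entered in
# the OpenID Connect Configuration form. Assumes the provider publishes a standard
# discovery document at <Base URL>/.well-known/openid-configuration.
import base64
import json
import re
import ssl
import urllib.request

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\s*([A-Za-z0-9+/=\s]+?)\s*"
                    r"-----END CERTIFICATE-----")
REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def check_ca_pem(text: str) -> bool:
    """True if text holds PEM certificate blocks with valid base64 bodies."""
    blocks = PEM_RE.findall(text)
    try:
        for body in blocks:  # decode each body strictly to catch corrupted uploads
            base64.b64decode("".join(body.split()), validate=True)
    except ValueError:
        return False
    return bool(blocks)


def check_discovery(base_url: str, doc: dict) -> list:
    """Problems in a discovery document for base_url; empty list means consistent."""
    problems = [f"missing {k}" for k in REQUIRED if k not in doc]
    if "issuer" in doc and doc["issuer"].rstrip("/") != base_url.rstrip("/"):
        problems.append("issuer does not match Base URL")  # assumption: Base URL is the issuer
    for k in REQUIRED[1:]:
        if k in doc and not str(doc[k]).startswith("https://"):
            problems.append(f"{k} is not https")  # OIDC endpoints must be served over TLS
    return problems


def fetch_discovery(base_url: str, cafile=None) -> dict:
    """Fetch the discovery document, trusting only cafile when one is given."""
    url = base_url.rstrip("/") + "/.well-known/openid-configuration"
    ctx = ssl.create_default_context(cafile=cafile)  # same CA as the upload field
    with urllib.request.urlopen(url, context=ctx, timeout=10) as resp:
        return json.load(resp)


# Constructed sample document, not captured from a real provider.
SAMPLE_DOC = {"issuer": "https://idp.example.com",
              "authorization_endpoint": "https://idp.example.com/authorize",
              "token_endpoint": "https://idp.example.com/token",
              "jwks_uri": "https://idp.example.com/keys"}
```

Run `check_discovery(base_url, fetch_discovery(base_url, cafile))` against the real provider with the same CA file you intend to upload; any non-empty result is worth resolving before enabling OIDC, since a mismatch surfaces only as a failed login afterwards.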