Configuring OIDC for the KeyControl Vault for Cloud Keys

By default, the vault is configured for local authentication. You can change the authentication method as required, and multiple authentication modes can be active at the same time. However, OIDC without Active Directory cannot be combined with Active Directory or with OIDC with Active Directory.

Note: If you want to use OIDC without AD, you can only change to that mode from the local authentication mode. If you have configured AD or OIDC with AD, you cannot change to OIDC without AD.

Each vault can be configured with a separate OIDC server or with a separate application on the same server.

For an example of how to configure an OIDC provider, see Example: Configuring Entrust Identity as a Service.

  1. Log into the KeyControl Vault for Cloud Keys webGUI.
  2. In the top menu bar, click Settings.
  3. In the General Settings section, click Authentication.
  4. In the Choose Authentication Type drop-down menu, select OpenID Connect.

    Click the Learn more about configuring the OIDC Provider link to view the login redirect URL and the logout redirect URL for the OIDC provider.

  5. Specify the OpenID Connect Configuration settings:

    Field: Description

    Client ID: The organizational identity assigned by the OpenID Connect provider when you sign up for the service.

    Client Secret: A cryptographic component used to secure the organization's access to the OpenID Connect provider.

    Important: This field is write-only. It will never be displayed again after it has been initially created. It can be reentered if necessary.

    Base URL: The URL that KeyControl will use to contact the OpenID Connect provider to present the login page.

    Name: A user-defined name for the OpenID Connect provider. KeyControl displays this name on the button on the login dialogs.

  6. Optional. Click Load File to upload the CA certificate.

    Note: The certificate must be in base64-encoded PEM format.

  7. Click Apply.

    A dialog box displays the configuration.

  8. Select Verify and Enable.

    After the verification, a message appears confirming OpenID Connect has been successfully enabled.

    The vault is now set for OIDC authentication.

  9. Sign out from the vault and sign in to the vault as an OIDC user.

    To sign in as an OIDC user, select Sign in with IDAAS and enter your OIDC credentials.

    Important: You cannot disable OIDC authentication once it is configured. After OIDC is enabled you cannot sign in using AD credentials. However, you can sign in using local authentication credentials without any issues.
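Because OIDC cannot be disabled once it is configured, it is worth checking the inputs from steps 5 and 6 before clicking Apply. The following added example (not part of the original procedure or Entrust's code) checks that the CA certificate file is base64-encoded PEM and compares the provider's discovery document with the Base URL; it assumes the provider publishes a standard OpenID Connect discovery document at <Base URL>/.well-known/openid-configuration, and the host names and certificate body are constructed.

```python
"""Pre-flight checks on the OIDC inputs from steps 5 and 6 (added example, not
Entrust code): the CA certificate must be base64-encoded PEM, and the Base URL
is assumed to host a standard discovery document for the provider."""
import base64
import binascii
from urllib.parse import urlparse

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def check_pem_certificate(pem_text):
    """Return a list of problems; an empty list means the file is usable."""
    lines = [ln.strip() for ln in pem_text.strip().splitlines() if ln.strip()]
    if not lines or lines[0] != PEM_BEGIN or lines[-1] != PEM_END:
        return ["missing BEGIN/END CERTIFICATE markers (binary DER or wrong file?)"]
    try:
        der = base64.b64decode("".join(lines[1:-1]), validate=True)
    except (binascii.Error, ValueError):
        return ["body between the markers is not valid base64"]
    # Every X.509 certificate is a DER SEQUENCE, so the first byte must be 0x30.
    return [] if der[:1] == b"\x30" else ["decoded body is not a DER SEQUENCE"]


def check_discovery_document(base_url, doc):
    """Compare the provider's discovery document with the configured Base URL."""
    problems = []
    if urlparse(base_url).scheme != "https":
        problems.append("Base URL must use https, or the CA certificate is pointless")
    if doc.get("issuer", "").rstrip("/") != base_url.rstrip("/"):
        problems.append("issuer does not match Base URL")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if not str(doc.get(key, "")).startswith("https://"):
            problems.append(key + " missing or not https")
    if "end_session_endpoint" not in doc:
        problems.append("no end_session_endpoint: the logout redirect URL cannot be used")
    return problems


# Constructed sample inputs (not from a real provider): a minimal DER SEQUENCE
# wrapped as PEM, and a fake discovery document for a fictitious issuer.
SAMPLE_PEM = "\n".join(
    [PEM_BEGIN, base64.b64encode(b"\x30\x03\x02\x01\x01").decode(), PEM_END])
SAMPLE_DOC = {
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/authorize",
    "token_endpoint": "https://idp.example.com/token",
    "jwks_uri": "https://idp.example.com/jwks",
    "end_session_endpoint": "https://idp.example.com/logout",
}
```

Run the two checks against the real certificate file and the JSON fetched from the provider's discovery URL; an empty list from both means the values are ready to enter in the vault.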