Configuring OIDC with Active Directory for KeyControl

By default the KeyControl Vault Management application is configured for local authentication. You can change the authentication method as required.

This topic explains how to configure OIDC authentication.

Active Directory authentication is a prerequisite for OIDC. Ensure Active Directory Authentication is configured for the vault before configuring OIDC. See Specifying an LDAP/AD Authentication Server. For OpenID Connect login to be successful across all vaults, you must provide AD/OpenLDAP service credentials, and the credentials must be active.

Each vault can be configured with a separate OIDC server or a separate application from the same server.

For an example of how to configure an OIDC provider, see Example: Configuring Entrust Identity as a Service.

Important: OIDC with AD is a legacy authentication mode that relies on Active Directory (AD), where the OIDC provider manages authentication and Active Directory manages identity. This option should be used only for existing OIDC configurations that are already integrated with AD. If you are not using AD, we recommend that you use OIDC without AD as your OIDC authentication method.

Procedure 

  1. Log in to the KeyControl Vault Management webGUI using an account with Security Admin privileges.
  2. In the top right, click the Switch to Appliance Management link.
  3. In the top menu bar, click Settings.
  4. In the General Settings section, click Authentication.
  5. In the Choose Authentication Type drop-down list, select OpenID Connect (with LDAP).
  6. Specify the OpenID Connect Configuration settings:

    Name: A user-defined name for the OpenID Connect provider. KeyControl displays this name on the button on the login dialogs.

    Client ID: The organizational identity assigned by the OpenID Connect provider when you sign up for the service.

    Client Secret: A cryptographic component used to secure the organization's access to the OpenID Connect provider.

        Important: This field is write-only. It will never be displayed again after it has been initially created. It can be reentered if necessary.

    Base URL: The URL that KeyControl will use to contact the OpenID Connect provider to present the login page.

  7. Click Browse to upload the CA Certificate.

    Note: The certificate needs to be in Base64-encoded PEM format.

  8. Click Apply.

    A dialog box displays the configuration.

  9. Click Verify and Enable.

  10. After the verification, ensure the OpenID Connector Configuration Status is set to Enabled.

  11. The vault is now set for OIDC authentication.
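
A pre-upload check for the CA certificate file in step 7, as an added example that is not part of the KeyControl documentation or product: it confirms the file is Base64-encoded PEM rather than binary DER, and that it carries only CERTIFICATE blocks (no private key or other PEM types). The function name and the sample inputs are constructed for illustration.

```python
import base64
import binascii
import re
import ssl

# Matches any PEM block and captures its label and base64 body.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)


def check_ca_upload(data: bytes) -> list:
    """Return a list of problems; an empty list means PEM certificates only."""
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        # Raw DER begins with an ASN.1 SEQUENCE tag (0x30) and a binary length.
        if data[:1] == b"\x30":
            return ["binary DER, not PEM: convert to PEM before uploading"]
        return ["not ASCII text, so not PEM"]
    blocks = PEM_BLOCK.findall(text)
    if not blocks:
        return ["no PEM BEGIN/END block found"]
    problems = []
    for label, body in blocks:
        if "PRIVATE KEY" in label:
            problems.append(f"contains a {label} block: remove key material")
        elif label != "CERTIFICATE":
            problems.append(f"unexpected PEM block type: {label}")
        else:
            try:
                der = base64.b64decode("".join(body.split()), validate=True)
            except binascii.Error:
                problems.append("CERTIFICATE block is not valid base64")
                continue
            if der[:1] != b"\x30":
                problems.append("CERTIFICATE block is not an ASN.1 SEQUENCE")
    return problems


# Constructed placeholder bytes shaped like DER (tag + length), not a real certificate.
SAMPLE_DER = b"\x30\x82\x01\x0a" + bytes(266)
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)
SAMPLE_KEY = "-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n"

if __name__ == "__main__":
    for name, blob in [("pem", SAMPLE_PEM.encode()), ("der", SAMPLE_DER),
                       ("pem+key", (SAMPLE_PEM + SAMPLE_KEY).encode())]:
        print(name, check_ca_upload(blob) or "ok")
```

The check covers encoding and block types only; it does not validate the certificate chain, expiry, or whether the certificate is actually the issuer for the OIDC provider's TLS endpoint.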