Configuring OIDC for KeyControl

By default, the KeyControl Vault Management application is configured for local authentication. You can change the authentication method as required, but you can use only one type of authentication per vault at a time.

Note: If you want to use OIDC without AD, you can only change to that mode from the local authentication mode. If you have configured AD or OIDC with AD, you cannot change to OIDC without AD.

Each vault can be configured with a separate OIDC server or with a separate application on the same server.

For an example of how to configure an OIDC provider, see Example: Configuring Entrust Identity as a Service.

Important: OIDC without AD, in which the OIDC provider independently manages identity and authentication, is the recommended OIDC authentication mode. For new OIDC setups, this is the preferred option.

Procedure 

  1. Log into the KeyControl Vault Management webGUI using an account with Security Admin privileges.
  2. In the top right, click the Switch to Appliance Management link.
  3. In the top menu bar, click Settings.
  4. In the General Settings section, click Authentication.
  5. In the Choose Authentication Type drop-down list, select OpenID Connect.
  6. Specify the OpenID Connect Configuration settings:

    Name: A user-defined name for the OpenID Connect provider. KeyControl displays this name on the button on the login dialogs.

    Client ID: The organizational identity assigned by the OpenID Connect provider when you sign up for the service.

    Client Secret: A cryptographic component used to secure the organization's access to the OpenID Connect provider.

    Important: This field is write-only. It will never be displayed again after it has been initially created. It can be re-entered if necessary.

    Base URL: The URL that KeyControl will use to contact the OpenID Connect provider to present the login page.
  7. Click Browse to upload the CA Certificate.

    Note: The certificate needs to be in base64-encoded PEM format.

  8. Optional. Click Browse to upload the CA Certificate.

    Note: The certificate needs to be in base64-encoded PEM format.

  9. Enter the Admin Name and Admin Email for the OIDC user.

    This user will be created and will act as the Vault Administrator. They will be assigned to the admin policy and receive the email with the registration URL.

  10. Click Apply.

    The OpenID Connect Configuration window appears showing the current configuration.

  11. Click Verify and Enable.

    The OpenID Connect Successfully Configured window displays the new login URL.

  12. Copy the URL, and click Log Out and Sign in with IDP.

  13. After you are logged out, paste the URL into the browser window.

  14. Log in to the Identity Provider using the name and password that you created.
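The two inputs in this procedure that most often go wrong are the Base URL (step 6) and the CA certificate, which must be base64-encoded PEM rather than binary DER (steps 7 and 8). The following script is an added example, not part of the KeyControl documentation or product: it shows the pre-flight checks an administrator can run before filling in the form. It derives the OIDC discovery URL from the Base URL, validates a discovery document against that Base URL, and checks (or converts) the CA certificate file. The host idp.example.com, the discovery document and the DER bytes are constructed sample data; the script runs offline and uses only the standard library.

```python
"""Pre-flight checks for the KeyControl OpenID Connect form inputs.

Added example (not Entrust code). All sample values below are constructed.
"""
import base64
import json
import re
import ssl
from urllib.parse import urlparse

DISCOVERY_PATH = "/.well-known/openid-configuration"
REQUIRED_METADATA = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")

# Constructed sample data: a hypothetical provider and its discovery document.
SAMPLE_BASE_URL = "https://idp.example.com"
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/oauth2/authorize",
    "token_endpoint": "https://idp.example.com/oauth2/token",
    "jwks_uri": "https://idp.example.com/oauth2/keys",
})
# Constructed DER bytes (a bare ASN.1 SEQUENCE), standing in for a real .cer file.
SAMPLE_DER = b"\x30\x03\x02\x01\x01"


def discovery_url(base_url: str) -> str:
    """Discovery endpoint an OIDC client fetches for the given Base URL."""
    return base_url.rstrip("/") + DISCOVERY_PATH


def check_base_url(base_url: str) -> list[str]:
    """Structural checks on the Base URL before it is pasted into the form."""
    problems = []
    u = urlparse(base_url)
    if u.scheme != "https":
        problems.append("Base URL must use https")
    if not u.netloc:
        problems.append("Base URL has no host")
    return problems


def check_discovery_document(base_url: str, doc_json: str) -> list[str]:
    """Validate the body of GET <base_url>/.well-known/openid-configuration.

    The issuer must match the Base URL and every endpoint must be https;
    a mismatch here usually means the wrong Base URL was entered.
    """
    try:
        doc = json.loads(doc_json)
    except json.JSONDecodeError as exc:
        return [f"discovery document is not valid JSON: {exc}"]
    problems = [f"missing {key}" for key in REQUIRED_METADATA if key not in doc]
    issuer = doc.get("issuer", "")
    if issuer and issuer.rstrip("/") != base_url.rstrip("/"):
        problems.append(f"issuer {issuer!r} does not match Base URL {base_url!r}")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        value = doc.get(key)
        if value and not value.startswith("https://"):
            problems.append(f"{key} is not https")
    return problems


PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(?P<body>.*?)-----END CERTIFICATE-----", re.S
)


def check_ca_pem(text: str) -> list[str]:
    """Confirm the CA file is base64-encoded PEM wrapping a DER certificate."""
    match = PEM_BLOCK.search(text)
    if not match:
        return ["no 'BEGIN CERTIFICATE' block found; convert DER to PEM first"]
    try:
        der = base64.b64decode("".join(match.group("body").split()), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return ["certificate body is not valid base64"]
    if not der or der[0] != 0x30:
        return ["decoded body is not a DER SEQUENCE (not an X.509 certificate)"]
    return []


def der_to_pem(der: bytes) -> str:
    """Convert a binary DER (.cer) certificate into the PEM text the form expects."""
    return ssl.DER_cert_to_PEM_cert(der)


if __name__ == "__main__":
    print("discovery URL:", discovery_url(SAMPLE_BASE_URL))
    print("base url problems:", check_base_url(SAMPLE_BASE_URL))
    print("discovery problems:", check_discovery_document(SAMPLE_BASE_URL, SAMPLE_DISCOVERY))
    pem = der_to_pem(SAMPLE_DER)
    print("PEM problems:", check_ca_pem(pem))
```

In practice, fetch the discovery document with the same CA bundle you intend to upload, then pass the response body to check_discovery_document; an empty list from each check means the Base URL and certificate are in the shape the form expects. Note that check_ca_pem only verifies encoding and the outer ASN.1 structure, not the certificate's validity or chain.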