Configuring an OpenID Connect Provider
KeyControl supports user authentication through an OpenID Connect (OIDC) provider. If a provider is configured, the KeyControl login dialog shows, in addition to the KeyControl Sign In button, a second button, labelled with the name you give the provider, that starts authentication with that provider.
Important: After a user has been authenticated by the OpenID Connect provider, KeyControl uses the same username to look up that user's LDAP permissions. The User Principal Name (UPN) that the provider returns must therefore match a user configured on the LDAP server.
Important: OpenLDAP does not support the UPN attribute. This can cause problems, because the OpenID Connect provider may be unable to authenticate users if it cannot return a valid UPN. Workaround: Set the sn field of each registered user in the OpenLDAP server to that user's UPN. This allows OpenLDAP users to be imported correctly into the provider's database, after which they can authenticate to KeyControl through the provider.
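The following preflight audit, added here as an example (it is not KeyControl's or OpenLDAP's own code), checks which OpenLDAP accounts already satisfy the sn = UPN workaround, which need it applied, and which provider UPNs have no LDAP account at all (those users will pass authentication at the provider but KeyControl cannot find their permissions). It assumes, beyond what the page states, that UPNs have the form user@realm with a single realm, that the LDAP account for a UPN is the entry whose uid equals the local part, and that the match between UPN and sn must be exact. The directory entries and UPN list are constructed sample data.

```python
"""Audit OpenLDAP accounts for the sn = UPN workaround described above.

Added example, not KeyControl's or OpenLDAP's code. Assumptions (not stated
on the page): the provider's UPNs have the form user@realm with a single realm,
the LDAP account that should receive a user's KeyControl permissions is the
entry whose uid equals the local part of that UPN, and the match between the
UPN and sn must be exact (character for character). The entries and UPN list
below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class LdapUser:
    dn: str
    uid: str
    sn: str


# Constructed sample directory and the UPNs the provider knows.
SAMPLE_USERS = [
    LdapUser("uid=alice,ou=people,dc=example,dc=com", "alice", "alice@example.com"),
    LdapUser("uid=bob,ou=people,dc=example,dc=com", "bob", "Smith"),
    LdapUser("uid=carol,ou=people,dc=example,dc=com", "carol", "Jones"),
]
SAMPLE_PROVIDER_UPNS = ["alice@example.com", "bob@example.com", "dave@example.com"]


def audit(entries, provider_upns):
    """Classify LDAP entries against the provider's UPNs.

    Returns (ok, fixes, unmatched):
      ok        - DNs whose sn already equals a provider UPN
      fixes     - (dn, upn) pairs: the uid is the local part of a provider UPN
                  but sn is not that UPN, so the workaround must be applied
      unmatched - provider UPNs with no LDAP account: the provider will
                  authenticate them, but KeyControl cannot look up their
                  permissions (see the Important note on UPN matching above)
    """
    upns = set(provider_upns)
    by_local = {u.split("@", 1)[0]: u for u in upns}
    ok, fixes, claimed = [], [], set()
    for e in entries:
        if e.sn in upns:
            ok.append(e.dn)
            claimed.add(e.sn)
        elif e.uid in by_local:
            fixes.append((e.dn, by_local[e.uid]))
            claimed.add(by_local[e.uid])
    return ok, fixes, sorted(upns - claimed)


def ldif_for(fixes):
    """LDIF for ldapmodify that sets sn to the UPN for each entry in fixes.

    replace overwrites the surname, which is what the workaround asks for.
    """
    return "\n".join(
        f"dn: {dn}\nchangetype: modify\nreplace: sn\nsn: {upn}\n-\n"
        for dn, upn in fixes
    )


if __name__ == "__main__":
    ok, fixes, unmatched = audit(SAMPLE_USERS, SAMPLE_PROVIDER_UPNS)
    print("already correct:", ok)
    print("no LDAP account for:", unmatched)
    print(ldif_for(fixes))
```

Feed the LDIF to ldapmodify (with a bind that may write sn) after reviewing it; an account such as carol above, which has no UPN at the provider, is left untouched because that user simply cannot sign in through the provider.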
Before You Begin
The OpenID Connect provider must be configured to accept the KeyControl URLs. Each login dialog requires both a login (callback) URL and a logout URL, and KeyControl has up to three login dialogs (KeyControl itself, the KMIP Tenant GUI and the Secrets Vault Tenant GUI), so you may have to register up to six URLs for each node in the cluster. The login and logout URLs for KeyControl itself are always required; the URLs for the KMIP Tenant GUI and the Secrets Vault Tenant GUI are needed only if multi-tenant KMIP or Secrets Vaults are used.
In the following example URL list for the OpenID Connect provider, KC_IP is the hostname or IP address of the KeyControl node:
- https://KC_IP/v5/oidc/callback (KeyControl login)
- https://KC_IP/v5/kc/oidc/logout (KeyControl logout)
- https://KC_IP/kmipTenant/1.0/oidc/callback (KMIP Tenant GUI login)
- https://KC_IP/kmipTenant/1.0/oidc/logout (KMIP Tenant GUI logout)
- https://KC_IP/vault/1.0/oidc/callback (Secrets Vault Tenant GUI login)
- https://KC_IP/vault/1.0/oidc/logout (Secrets Vault Tenant GUI logout)
Register each URL exactly as KeyControl will send it (scheme, host and path). Providers compare redirect URIs by exact string match, so a different hostname, a plain-http scheme or a trailing slash will be rejected at login time.
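The check below is an added example, not KeyControl's own code: it builds the full set of callback and logout URLs a cluster needs from its node names and the features in use, then compares that set with the list registered at the provider using the exact-match rule providers apply, reporting URLs that are missing, registered but unused, or not https. It assumes the six paths listed above; the node names and the "registered" list in main() are constructed sample data.

```python
"""Preflight check of the OpenID Connect redirect URLs a KeyControl cluster needs.

Added example, not KeyControl's own code. It assumes the six URL paths listed
above and that the provider compares redirect URIs by exact string match (the
OAuth 2.0 / OpenID Connect rule: no wildcards, no trailing-slash tolerance).
The node names and the "registered" list in main() are constructed sample data.
"""
from urllib.parse import urlsplit

# Login (callback) and logout path for each login dialog, from the list above.
DIALOG_PATHS = {
    "keycontrol": ("/v5/oidc/callback", "/v5/kc/oidc/logout"),
    "kmip_tenant": ("/kmipTenant/1.0/oidc/callback", "/kmipTenant/1.0/oidc/logout"),
    "secrets_vault": ("/vault/1.0/oidc/callback", "/vault/1.0/oidc/logout"),
}


def required_urls(nodes, kmip_tenant=False, secrets_vault=False):
    """URLs that must be registered with the provider for this cluster.

    The KeyControl dialog is always needed; the KMIP Tenant and Secrets Vault
    dialogs only if those features are used. Two URLs per dialog per node,
    so up to six per node.
    """
    dialogs = ["keycontrol"]
    if kmip_tenant:
        dialogs.append("kmip_tenant")
    if secrets_vault:
        dialogs.append("secrets_vault")
    return {
        f"https://{node}{path}"
        for node in nodes
        for dialog in dialogs
        for path in DIALOG_PATHS[dialog]
    }


def check_registration(required, registered):
    """Compare the required set with what the provider has registered.

    Returns (missing, extra, insecure):
      missing  - URLs KeyControl will send that the provider does not know;
                 logins through that node or dialog fail at the provider
      extra    - registered URLs no node needs (stale or mistyped entries such
                 as a trailing slash); remove them, since every registered
                 redirect URI is a destination the provider will send
                 authorization codes to
      insecure - registered URLs whose scheme is not https
    """
    registered = set(registered)
    missing = sorted(required - registered)
    extra = sorted(registered - required)
    insecure = sorted(u for u in registered if urlsplit(u).scheme != "https")
    return missing, extra, insecure


def main():
    # Constructed sample: three nodes, multi-tenant KMIP in use, no Secrets Vaults.
    nodes = ["kc1.example.internal", "kc2.example.internal", "kc3.example.internal"]
    need = required_urls(nodes, kmip_tenant=True)
    # Constructed "registered" list with typical mistakes: only one node fully
    # registered, a trailing slash on kc2, and a plain-http entry for kc3.
    have = [
        "https://kc1.example.internal/v5/oidc/callback",
        "https://kc1.example.internal/v5/kc/oidc/logout",
        "https://kc1.example.internal/kmipTenant/1.0/oidc/callback",
        "https://kc1.example.internal/kmipTenant/1.0/oidc/logout",
        "https://kc2.example.internal/v5/oidc/callback/",
        "http://kc3.example.internal/v5/oidc/callback",
    ]
    missing, extra, insecure = check_registration(need, have)
    for label, urls in (("missing", missing), ("extra", extra), ("insecure", insecure)):
        print(f"{label} ({len(urls)}):")
        for u in urls:
            print("  ", u)


if __name__ == "__main__":
    main()
```

Run it against the redirect URI list exported from the provider's client configuration whenever a node is added or renamed; a node missing from the list fails only for users whose session lands on that node, which is easy to misdiagnose as an intermittent provider problem.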
Procedure
- Log into the KeyControl webGUI using an account with Security Admin privileges.
- In the top menu bar, click Settings.
- In the Type drop-down, select OpenID Connect.
- Specify the options you want to use, as described in the table below. When you are done, click Apply.

| Field | Description |
|---|---|
| Client ID | The client identifier assigned by the OpenID Connect provider when you register KeyControl with the provider. |
| Client Secret | The secret that KeyControl presents to the provider to prove it is the registered client. Important: This field is write-only. The value is never displayed again after it has been initially saved. It can be re-entered if necessary. |
| Base URL | The URL of the OpenID Connect provider. KeyControl uses it to contact the provider and to send users to the provider's login page. |
| Name | A user-defined name for the OpenID Connect provider. KeyControl displays this name on the button in the login dialogs. Only one global OIDC provider can be configured per KeyControl cluster: the same button appears, and the same OIDC authentication method is used, in the login dialogs for KeyControl, the KeyControl KMIP Tenant GUI, and the Secrets Vault Tenant GUI. |
What to Do Next