OIDC

OIDC connections to CipherTrust Manager can be configured either through the GUI or with ksctl, as described in the sections below:

Caution

The only product supported for user-created OIDC connection is CTE.

If you create an OIDC connection for CipherTrust Manager users through Access Management, a duplicate connection manager OIDC connection is visible, with no product. This duplicate is created for secure storage of credentials. We strongly recommend managing OIDC connections to authenticate CipherTrust Manager users through the Access Management UI menus and ksctl connections commands, and not Connection Manager.

Managing OIDC Connections using GUI

  • OIDC Provider: URL of the OIDC provider, that is, the host server the connection points to.

  • Client ID: the Application ID of the OIDC application. It is used together with the Client Secret to authenticate the application.

    The Client ID is a unique field and cannot be updated after the connection is established.

  • Client Secret: the application password associated with the Client ID. It is used to authenticate communication between the OIDC provider and CipherTrust Manager.

Click Next to move to the next step.

Managing OIDC Connections using ksctl

You can use ksctl to manage OIDC connections to authenticate CTE agents.

OIDC connections that authenticate CipherTrust Manager users are configured outside of Connection Manager, through Access Management.

The following operations can be performed:

  • Create/Get/Update/Delete an OIDC connection

  • List all OIDC connections

Creating an OIDC Connection

To create an OIDC connection, run:

Syntax


ksctl connectionmgmt oidc create --name <connection-name> --description <description> --products <products-name> --meta <key:value> --clientid <client-id> --secret <client-secret> --conn-url <URL>

The clientid is a unique field and cannot be updated after the connection is established.

Example Request


ksctl connectionmgmt oidc create --name oidc-connection --clientid 2cc2d7db155c472fb2484ca4072d1bb3 --secret client_secret --conn-url www.oidc-test-connection.com

Example Response


{
    "id": "901c9158-9ea1-4715-a92c-882c4a9828ee",
    "uri": "kylo:kylo:connectionmgmt:connections:oidc-connection-901c9158-9ea1-4715-a92c-882c4a9828ee",
    "account": "kylo:kylo:admin:accounts:kylo",
    "createdAt": "2022-05-16T05:21:20.725493705Z",
    "updatedAt": "2022-05-16T05:21:20.723628387Z",
    "service": "OIDC",
    "category": "IdP",
    "last_connection_ok": null,
    "last_connection_at": "0001-01-01T00:00:00Z",
    "name": "oidc-connection",
    "client_id": "2cc2d7db155c472fb2484ca4072d1bb3",
    "url": "www.oidc-test-connection.com",
    "checksum": "87de71462a719f4de23cbec7be6e22f5390705a009e0dd0516ddd8be17cad187"
}

The checksum is a SHA-256 value computed from the client_secret and url parameters. It changes whenever either of those two values changes, so comparing the checksum across responses shows whether the secret or the URL was modified without exposing the secret itself.

Getting Details of an OIDC Connection

To get details of an OIDC connection, run:

Syntax


ksctl connectionmgmt oidc get --id <connection-name/ID>

Example Request


ksctl connectionmgmt oidc get --id 901c9158-9ea1-4715-a92c-882c4a9828ee

Example Response


{
    "id": "901c9158-9ea1-4715-a92c-882c4a9828ee",
    "uri": "kylo:kylo:connectionmgmt:connections:oidc-connection-901c9158-9ea1-4715-a92c-882c4a9828ee",
    "account": "kylo:kylo:admin:accounts:kylo",
    "createdAt": "2022-05-16T05:21:20.725494Z",
    "updatedAt": "2022-05-16T05:21:20.723628Z",
    "service": "OIDC",
    "category": "IdP",
    "last_connection_ok": null,
    "last_connection_at": "0001-01-01T00:00:00Z",
    "name": "oidc-connection",
    "client_id": "2cc2d7db155c472fb2484ca4072d1bb3",
    "url": "www.oidc-test-connection.com",
    "checksum": "87de71462a719f4de23cbec7be6e22f5390705a009e0dd0516ddd8be17cad187"
}

Updating an OIDC Connection

To update an OIDC connection, run:

Syntax
ksctl connectionmgmt oidc modify --id <connection-name/ID> --description <description> --products <products-name> --meta <key:value> --secret <client-secret> --conn-url <URL>

Example Request


ksctl connectionmgmt oidc modify --id 901c9158-9ea1-4715-a92c-882c4a9828ee --conn-url https://new-oidc-url/ --secret new_secret

Example Response


{
    "id": "901c9158-9ea1-4715-a92c-882c4a9828ee",
    "uri": "kylo:kylo:connectionmgmt:connections:oidc-connection-901c9158-9ea1-4715-a92c-882c4a9828ee",
    "account": "kylo:kylo:admin:accounts:kylo",
    "createdAt": "2022-05-16T05:21:20.725494Z",
    "updatedAt": "2022-05-16T05:29:02.230980966Z",
    "service": "OIDC",
    "category": "IdP",
    "last_connection_ok": null,
    "last_connection_at": "0001-01-01T00:00:00Z",
    "name": "oidc-connection",
    "client_id": "2cc2d7db155c472fb2484ca4072d1bb3",
    "url": "https://new-oidc-url/",
    "checksum": "6277c08784599bda9d4ccb0c6b0c9ed87b6f5add00c3babc2858a290cdc70523"
}

Deleting an OIDC Connection

To delete an OIDC connection, run:

Syntax


ksctl connectionmgmt oidc delete --id <connection-name/ID> --force

Example Request 1

If the connection is not currently in use, run:


ksctl connectionmgmt oidc delete --id 901c9158-9ea1-4715-a92c-882c4a9828ee

There will be no response if the OIDC connection is deleted successfully.

Example Request 2

If the connection is in use, run:


ksctl connectionmgmt oidc delete --id 901c9158-9ea1-4715-a92c-882c4a9828ee --force

There will be no response if the OIDC connection is deleted successfully.

Getting List of OIDC Connections

To list all the OIDC connections, run:

Syntax


ksctl connectionmgmt oidc list

Example Request


ksctl connectionmgmt oidc list

Example Response


{
    "skip": 0,
    "limit": 10,
    "total": 1,
    "resources": [
        {
            "id": "901c9158-9ea1-4715-a92c-882c4a9828ee",
            "uri": "kylo:kylo:connectionmgmt:connections:oidc-connection-901c9158-9ea1-4715-a92c-882c4a9828ee",
            "account": "kylo:kylo:admin:accounts:kylo",
            "createdAt": "2022-05-16T05:21:20.725494Z",
            "updatedAt": "2022-05-16T05:21:20.723628Z",
            "service": "OIDC",
            "category": "IdP",
            "last_connection_ok": null,
            "last_connection_at": "0001-01-01T00:00:00Z",
            "name": "oidc-connection",
            "client_id": "2cc2d7db155c472fb2484ca4072d1bb3",
            "url": "www.oidc-test-connection.com"
        }
    ]
}
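As an added illustration (not part of the CipherTrust Manager documentation or of ksctl itself), the Python script below audits the JSON that ksctl connectionmgmt oidc list, get, create and modify return. It covers the two points made above: it compares the checksum field between two responses for the same connection to detect whether client_secret or url changed, and it flags connections whose provider URL is not https or that have never been tested (last_connection_ok still null). The sample inputs are constructed: the first list entry and the create/modify responses are abridged from the responses shown on this page, the second list entry (oidc-prod) is hypothetical, and the audit rules are the editor's own checks, not product behaviour. The script does not recompute the checksum, because the page does not specify how the two fields are combined before hashing.

```python
"""Audit OIDC connection records returned by ksctl (added example).

Usage: ksctl connectionmgmt oidc list | python3 audit_oidc.py
When run with no stdin, the constructed samples below are used.
"""
import json
import sys
from urllib.parse import urlparse

# Constructed sample in the shape of the page's `list` response.
# Entry 1 is abridged from the page; entry 2 (oidc-prod) is hypothetical.
LIST_RESPONSE = """{
  "skip": 0, "limit": 10, "total": 2,
  "resources": [
    {"id": "901c9158-9ea1-4715-a92c-882c4a9828ee", "name": "oidc-connection",
     "service": "OIDC", "category": "IdP", "last_connection_ok": null,
     "last_connection_at": "0001-01-01T00:00:00Z",
     "client_id": "2cc2d7db155c472fb2484ca4072d1bb3",
     "url": "www.oidc-test-connection.com"},
    {"id": "00000000-0000-4000-8000-000000000001", "name": "oidc-prod",
     "service": "OIDC", "category": "IdP", "last_connection_ok": true,
     "last_connection_at": "2022-05-16T06:00:00Z",
     "client_id": "a1b2c3d4e5f60718293a4b5c6d7e8f90",
     "url": "https://login.example.com/"}
  ]
}"""

# Abridged from the page's create, get and modify responses for one connection.
CREATE_RESPONSE = """{"id": "901c9158-9ea1-4715-a92c-882c4a9828ee",
  "name": "oidc-connection", "url": "www.oidc-test-connection.com",
  "checksum": "87de71462a719f4de23cbec7be6e22f5390705a009e0dd0516ddd8be17cad187"}"""
GET_RESPONSE = CREATE_RESPONSE
MODIFY_RESPONSE = """{"id": "901c9158-9ea1-4715-a92c-882c4a9828ee",
  "name": "oidc-connection", "url": "https://new-oidc-url/",
  "checksum": "6277c08784599bda9d4ccb0c6b0c9ed87b6f5add00c3babc2858a290cdc70523"}"""


def audit_connection(conn):
    """Return a list of finding strings for one OIDC connection record."""
    findings = []
    url = conn.get("url", "")
    # A bare host such as the page's example parses with an empty scheme;
    # anything other than https means the IdP exchange is not protected by TLS.
    if urlparse(url).scheme != "https":
        findings.append(f"{conn['name']}: provider URL is not https ({url!r})")
    # last_connection_ok stays null until the connection has been tested.
    ok = conn.get("last_connection_ok")
    if ok is None:
        findings.append(f"{conn['name']}: connection has never been tested")
    elif ok is False:
        findings.append(f"{conn['name']}: last connection test failed")
    return findings


def audit_list(list_json):
    """Audit every resource in a `list` response; returns {name: [findings]}."""
    data = json.loads(list_json)
    return {c["name"]: audit_connection(c) for c in data["resources"]}


def checksum_changed(before_json, after_json):
    """True if the checksum differs between two responses for the same
    connection, i.e. client_secret and/or url was modified."""
    before, after = json.loads(before_json), json.loads(after_json)
    if before["id"] != after["id"]:
        raise ValueError("responses describe different connections")
    return before["checksum"] != after["checksum"]


if __name__ == "__main__":
    raw = sys.stdin.read() if not sys.stdin.isatty() else ""
    for name, findings in audit_list(raw or LIST_RESPONSE).items():
        print(name, "->", findings or "OK")
    print("secret/url changed by modify:",
          checksum_changed(CREATE_RESPONSE, MODIFY_RESPONSE))
```

Piping the live list output into the script turns the page's "never tested" and "no scheme" observations into a repeatable check; storing the checksum from each get response and comparing it on the next run gives a change record for the secret and URL without ever handling the secret itself.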