OpenID Connect (OIDC) Authenticator

The CyberArk OpenID Connect (OIDC) Authenticator leverages the identity layer provided by OIDC to facilitate the following use cases:

  • OIDC Authenticator for application authentication: The CyberArk OIDC Authenticator leverages the identity layer provided by OIDC to enable applications to authenticate with Conjur and retrieve secrets needed for connecting to resources such as a database.

  • OIDC Authenticator for Conjur UI and Conjur CLI authentication: Use the OIDC Authenticator to enable users to sign in to the Conjur UI or Conjur CLI using your organization's existing identity provider (IdP) implementation. This enhances security and product experience for organizations that require single sign-on (SSO) and multi-factor authentication (MFA).

OpenID Connect (OIDC) is an identity layer on top of the OAuth 2.0 protocol that enables clients, including web-based, mobile, and JavaScript clients, to request and receive information about authenticated sessions and end-users. Its purpose is to give an end-user one login to multiple applications.

 

To learn more about OpenID Connect, see the OpenID Connect website.

Conjur authentication

To understand how Conjur authenticates users and hosts to retrieve secrets, see Authentication.

Security considerations

When working with Conjur-OIDC authentication, consider the following:

  • Do not set a single OIDC Identity Provider issuer (often referred to as the Entity ID or "issuer") to serve multiple tenants (two or more) as the tenants end up sharing the same signing keys, and then there is no real native ability for the issuer to distinguish between tenants. As an alternative, we highly recommend running a single issuer per tenant to avoid such multi-tenancy security risk.

  • When you add or remove a user from your OIDC identity provider you must respectively add or remove the user in Conjur.

Troubleshooting OIDC authentication

  1. Check the authenticator status using the Authenticator Status API. For details, see Authenticator Status Webservice.
  2. View the authenticator logs. For details, see Filter authentication errors.

Error code in logs: CONJ00044E - Concurrency limited cache reached before cache initialized

Resolution: Make sure the OIDC provider URI defined in the Authenticator policy (provider-uri) is accessible from the Follower machine.

For example:

  1. Log in to Conjur Enterprise with the Conjur CLI and fetch the provider-uri variable:

      
    $ conjur variable get -i conjur/authn-oidc/keycloak/provider-uri
https://keycloak:8443/auth/realms/master

  2. Check the communication from the Follower machine to OIDC provider.

      
    curl -Is https://keycloak:8443/auth/realms/master | head -n 1
HTTP/1.1 200 OK

  3. Rerun authentication requests until the following message is written in the log:

    CONJ00021D - Concurrency limited cache updated successfully

Resolution: Make sure OIDC provider and Conjur Server time are aligned.

For example:

  1. On the Follower, run the date command:

      
    docker exec <Conjur-container-name> date

  2. Validate that the returned time is aligned to the OIDC provider in one of the following ways:

    • Decode a valid ID token to extract the time
    • Check the time in the OIDC provider dashboard

OIDC Authenticator REST API

Once the OIDC Authenticator is configured, you can send an authentication request.

For more information, see OIDC Authenticator.

Limitations

  • Only users that are defined in the root policy can authenticate using the OIDC Authenticator.

  • The admin user is not able to authenticate using the OIDC Authenticator.

  • Authentication to the Conjur CLI using OIDC authentication requires the v8.x version of the CLI.
  • The OIDC Authenticator for Conjur UI currently supports only Okta and CyberArk Identity as OIDC providers.
  • The OIDC Authenticator for the Conjur UI supports only the following claims:
    • email
    • preferred_username
  • The OIDC Authenticator for Conjur UI use case does not support custom claims.