OpenID Connect (OIDC) Authenticator
The CyberArk OpenID Connect (OIDC) Authenticator leverages the identity layer provided by OIDC to facilitate the following use cases:
OIDC Authenticator for application authentication: The CyberArk OIDC Authenticator leverages the identity layer provided by OIDC to enable applications to authenticate with Conjur and retrieve secrets needed for connecting to resources such as a database.
OIDC Authenticator for Conjur UI and Conjur CLI authentication: Use the OIDC Authenticator to enable users to sign in to the Conjur UI or Conjur CLI using your organization's existing identity provider (IdP) implementation. This enhances security and product experience for organizations that require single sign-on (SSO) and multi-factor authentication (MFA).
To learn more about OpenID Connect, see the OpenID Connect website.
To understand how Conjur authenticates users and hosts to retrieve secrets, see Authentication.
When working with Conjur-OIDC authentication, consider the following:
Do not configure a single OIDC Identity Provider issuer (often referred to as the Entity ID or "issuer") to serve two or more tenants. The tenants would share the same signing keys, and the issuer has no native way to distinguish between them. Instead, we strongly recommend running one issuer per tenant to avoid this multi-tenancy security risk.
When you add or remove a user in your OIDC identity provider, you must also add or remove that user in Conjur.
Troubleshooting OIDC authentication
- Check the authenticator status using the Authenticator Status API. For details, see Authenticator Status Webservice.
- View the authenticator logs. For details, see Filter authentication errors.
Error code in logs: CONJ00044E - Concurrency limited cache reached before cache initialized
Resolution: Make sure the OIDC provider URI defined in the Authenticator policy (provider-uri) is accessible from the Follower machine.
Log in to Conjur Enterprise with the Conjur CLI and fetch the provider-uri variable:
$ conjur variable get -i
Check the communication from the Follower machine to the OIDC provider:
$ curl -Is https://keycloak:8443/auth/realms/master | head -n 1
HTTP/1.1 200 OK
Rerun authentication requests until the following message is written in the log:
CONJ00021D - Concurrency limited cache updated successfully
Resolution: Make sure the clocks of the OIDC provider and the Conjur Server are aligned.
On the Follower, run the date command:
docker exec <Conjur-container-name> date
Validate that the returned time is aligned with the OIDC provider's time in one of the following ways:
- Decode a valid ID token and read its time claims
- Check the time in the OIDC provider dashboard
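The following Python script is an added example, not part of the CyberArk documentation or Conjur code. It shows the first method in practice: it decodes the payload of an ID token without verifying the signature (for diagnostics only; Conjur validates the signature against the provider's keys), reads the standard iat and exp claims, and reports how far the Follower's clock is from the issuer's. The token builder, the HS256 secret and the 60-second tolerance are constructed for this example; real providers normally sign with RS256, but the payload decoding is identical. Run the check immediately after obtaining the token so that the delay between issuance and the check does not inflate the measured skew.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed tolerance for this example; a few tens of seconds of skew is
# typically the most an OIDC verifier will forgive.
ALLOWED_SKEW_SECONDS = 60


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def b64url_encode(data: bytes) -> str:
    """Encode bytes as unpadded base64url, as JWT segments are."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_sample_id_token(iat: int, exp: int, secret: bytes = b"example-secret") -> str:
    """Build a constructed HS256 ID token with the given time claims.

    Exists only so the example runs offline; a real provider issues the token.
    """
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "iss": "https://keycloak:8443/auth/realms/master",  # issuer from the page's curl example
        "sub": "alice",
        "aud": "conjur",
        "iat": iat,
        "exp": exp,
    }
    signing_input = ".".join(
        b64url_encode(json.dumps(part, sort_keys=True, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    signature = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(signature)}"


def decode_id_token_unverified(token: str) -> dict:
    """Return the claims of a JWT WITHOUT checking its signature.

    Suitable only for reading time claims while troubleshooting; never use
    unverified claims to make an authorization decision.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("ID token must have three dot-separated segments")
    return json.loads(b64url_decode(parts[1]))


def clock_skew_report(token: str, local_now: int, allowed_skew: int = ALLOWED_SKEW_SECONDS) -> dict:
    """Compare the token's iat/exp with the local clock (seconds since epoch).

    skew_seconds > 0 means the local clock is ahead of the issuer's,
    skew_seconds < 0 means the issuer's clock is ahead (iat lies in the future).
    """
    claims = decode_id_token_unverified(token)
    iat = int(claims["iat"])
    exp = int(claims["exp"])
    skew = local_now - iat
    return {
        "iat": iat,
        "exp": exp,
        "skew_seconds": skew,
        "issuer_ahead": skew < 0,
        "within_tolerance": abs(skew) <= allowed_skew,
        # Already expired even after granting the tolerance: the local clock is
        # far ahead, or the token is simply stale.
        "expired_locally": local_now > exp + allowed_skew,
    }


if __name__ == "__main__":
    now = int(time.time())
    # Constructed token issued five minutes "in the future" relative to this host.
    token = make_sample_id_token(iat=now + 300, exp=now + 3900)
    print(json.dumps(clock_skew_report(token, now), indent=2))
```

If the report shows issuer_ahead with skew outside the tolerance, align the Follower's clock (or the provider's) before retrying authentication; the decoded iat is the issuer's view of the current time at issuance, which is what the date command output on the Follower must agree with.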
OIDC Authenticator REST API
Once the OIDC Authenticator is configured, you can send an authentication request.
For more information, see OIDC Authenticator.
- Only users that are defined in the root policy can authenticate using the OIDC Authenticator.
The admin user is not able to authenticate using the OIDC Authenticator.
- Authentication to the Conjur CLI using OIDC authentication requires the v8.x version of the CLI.
- The OIDC Authenticator for Conjur UI currently supports only Okta and CyberArk Identity as OIDC providers.
- The OIDC Authenticator for the Conjur UI supports only the following claims:
- The OIDC Authenticator for Conjur UI use case does not support custom claims.