Authenticator Status Webservice

The Authenticator Status (status) webservice enables you to check the status of your authenticator. Using the Check authenticator status REST API, you send a RESTful request and receive a response indicating whether the authenticator configuration was successful. If it was not, the reasons for the error are returned.

Configure the status webservice

Before you can check authenticator status, you must configure the status webservice.

Make sure you have the Conjur CLI (v7.x+) installed and that you are logged in. For details, see Set up the Conjur CLI.

Step 1: Create and load the webservice policy

In this step you create a policy that configures the status webservice and grants the necessary permissions to the operators group. This group contains all the user groups that should have access to the status webservice.

  1. Copy the following policy:

    - !policy
      id: conjur/<authenticator-type>/<service-id>
      body:
      - !webservice
        id: status
        annotations:
          description: Status service to check that the authenticator is configured correctly

      - !group
        id: operators
        annotations:
          description: Group of users who can check the status of the authenticator

      - !permit
        role: !group operators
        privilege: [ read ]
        resource: !webservice status
  2. In the policy's ID, provide the following:

    authenticator-type

    The type of authenticator, for example authn-azure.

    service-id

    The ID of the authenticator endpoint, for example AzureWS1.

    Not relevant for the GCP Authenticator endpoint (see the GCP example below).

    The service ID does not support nesting and cannot contain a forward-slash (/) character. For example, qa is a valid service ID, but qa/test is not supported.

    The status webservice policy's ID must be identical to the authenticator policy's ID. For example, if the ID of the Azure Authenticator policy is conjur/authn-azure/AzureWS1, then the ID in this policy must also be conjur/authn-azure/AzureWS1.

    • Example for Azure:

      - !policy
        id: conjur/authn-azure/AzureWS1
        body:
        - !webservice
          id: status
          annotations:
            description: Status service to check that the authenticator is configured correctly
        - !group
          id: operators
          annotations:
            description: Group of users who can check the status of the authenticator
        - !permit
          role: !group operators
          privilege: [ read ]
          resource: !webservice status

    • Example for GCP:

      - !policy
        id: conjur/authn-gcp
        body:
        - !webservice
          id: status
          annotations:
            description: Status service to check that the authenticator is configured correctly

        - !group
          id: operators
          annotations:
            description: Group of users who can check the status of the authenticator

        - !permit
          role: !group operators
          privilege: [ read ]
          resource: !webservice status
  3. Save the policy as a .yml file using the following file naming convention:

    <authenticator-type>-status.yml

    For example, for the Azure Authenticator:

    authn-azure-status.yml

  4. Load it into root:

    conjur policy load -b root -f <authenticator-type>-status.yml

    For example:

    $ conjur policy load -b root -f authn-azure-status.yml

Step 2: Define the operators group

Define and grant permissions to the user groups that should be able to check authenticator status.

  1. Copy the following operators grouping policy:

    - !grant
      role: !group conjur/<authenticator-type>/<service-id>/operators
      member:
      - !group <user-group>
      - !user <user>

    Provide the following:

    authenticator-type

    The authenticator type defined in the status webservice policy above.

    service-id

    The service ID defined in the status webservice policy above.

    user-group / user

    One or more user groups and/or users that should have access to the status webservice.

  2. Save the policy as a .yml file using the following file naming convention:

    <authenticator-type>-operators.yml

    For example:

    authn-azure-operators.yml

  3. Load it into root:

    conjur policy load -b root -f <authenticator-type>-operators.yml

    For example:

    $ conjur policy load -b root -f authn-azure-operators.yml
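The two policies from Step 1 and Step 2 can be rendered from the authenticator type and service ID, with the rules above (policy ID must match the authenticator policy, no / in the service ID, GCP has no service ID) enforced before anything is loaded. This is an added helper written for this page, not part of Conjur or its CLI; the produced YAML is what you would save under the naming convention and load with conjur policy load.

```python
# Added example (not from the Conjur docs): render the status-webservice and
# operators policies for an authenticator, enforcing the rules stated above
# (ID matches the authenticator policy, no '/' in service ID, GCP has none).
from typing import Optional, Sequence

def status_policy_id(authenticator_type: str, service_id: Optional[str] = None) -> str:
    """conjur/<authenticator-type>/<service-id>, or conjur/<authenticator-type> for GCP."""
    if not authenticator_type.startswith("authn-"):
        raise ValueError(f"unexpected authenticator type: {authenticator_type!r}")
    if authenticator_type == "authn-gcp":
        if service_id is not None:
            raise ValueError("the GCP authenticator endpoint has no service ID")
        return f"conjur/{authenticator_type}"
    if not service_id or "/" in service_id:
        raise ValueError("service ID must be non-empty and must not contain '/'")
    return f"conjur/{authenticator_type}/{service_id}"

def status_policy(authenticator_type: str, service_id: Optional[str] = None) -> str:
    """Step 1 policy: the status webservice, the operators group, and read permission."""
    pid = status_policy_id(authenticator_type, service_id)
    return "\n".join([
        "- !policy",
        f"  id: {pid}",
        "  body:",
        "  - !webservice",
        "    id: status",
        "    annotations:",
        "      description: Status service to check that the authenticator is configured correctly",
        "  - !group",
        "    id: operators",
        "    annotations:",
        "      description: Group of users who can check the status of the authenticator",
        "  - !permit",
        "    role: !group operators",
        "    privilege: [ read ]",
        "    resource: !webservice status",
    ]) + "\n"

def operators_policy(authenticator_type: str, service_id: Optional[str],
                     groups: Sequence[str] = (), users: Sequence[str] = ()) -> str:
    """Step 2 policy: grant the operators group to the listed groups/users (at least one)."""
    if not groups and not users:
        raise ValueError("grant the operators group to at least one group or user")
    pid = status_policy_id(authenticator_type, service_id)
    members = [f"  - !group {g}" for g in groups] + [f"  - !user {u}" for u in users]
    return "\n".join(["- !grant", f"  role: !group {pid}/operators", "  member:", *members]) + "\n"

def policy_filename(authenticator_type: str, kind: str) -> str:
    return f"{authenticator_type}-{kind}.yml"  # <authenticator-type>-status.yml / -operators.yml
```

Group and user names such as secops or alice in a call are placeholders; substitute the groups that should be allowed to query the status webservice.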

Authenticator Status API

Once the status webservice has been configured and the relevant user groups have been granted access to it, the users in those groups can check the status of the authenticator.

For more information, see the Check authenticator status REST API.