OpenID Connect (OIDC) Authenticator

The CyberArk OpenID Connect (OIDC) Authenticator leverages the identity layer provided by OIDC to facilitate the following use cases:

  • OIDC Authenticator for application authentication: The CyberArk OIDC Authenticator leverages the identity layer provided by OIDC to enable applications to authenticate with Conjur and retrieve secrets needed for connecting to resources such as a database.

  • OIDC Authenticator for Conjur UI and Conjur CLI authentication: Use the OIDC Authenticator to enable users to sign in to the Conjur UI or Conjur CLI using your organization's existing identity provider (IdP) implementation. This enhances security and product experience for organizations that require single sign-on (SSO) and multi-factor authentication (MFA).

OpenID Connect (OIDC) is an identity layer on top of the OAuth 2.0 protocol that enables clients, including web-based, mobile, and JavaScript clients, to request and receive information about authenticated sessions and end-users. Its purpose is to give an end-user one login to multiple applications.

 

To learn more about OpenID Connect, see the OpenID Connect website.

Conjur authentication

To understand how Conjur authenticates users and hosts to retrieve secrets, see Authentication.

Security considerations

When working with Conjur-OIDC authentication, consider the following:

  • Do not set a single OIDC Identity Provider issuer (often referred to as the Entity ID or "issuer") to serve multiple tenants (two or more) as the tenants end up sharing the same signing keys, and then there is no real native ability for the issuer to distinguish between tenants. As an alternative, we highly recommend running a single issuer per tenant to avoid such multi-tenancy security risk.

  • When you add or remove a user from your OIDC identity provider you must respectively add or remove the user in Conjur.

Troubleshooting OIDC authentication

OIDC Authenticator REST API

Once the OIDC Authenticator is configured, you can send an authentication request.

For more information, see Authenticate using OIDC Authenticator.

Limitations

  • Only users that are defined in the root policy can authenticate using the OIDC Authenticator.
  • The admin user is not able to authenticate using the OIDC Authenticator.

  • Authentication to the Conjur CLI using OIDC authentication requires the v8.x version of the CLI.
  • The OIDC Authenticators for the Conjur UI and CLI support only the following claims:
    • email
    • preferred_username
  • The OIDC Authenticators for the Conjur UI and CLI do not support custom claims.