Managing Identity Providers
This section describes how to manage identity providers on CCKM. Identity providers can be added, viewed, modified, or deleted on the External Vaults tab of the Oracle Vaults page. Identity providers are required when adding the external vaults, refer to Managing External Vaults for details.
Creating Identity Providers
An issuer or an openId configuration URL is required to create an identity provider.
To create an identify provider:
Open the Cloud Key Manager Application.
In the left pane, click KMS Containers > Oracle Vaults.
Click the External Vaults tab.
Scroll down the page, go to the IDENTITY PROVIDERS section, and click Add Identity Provider. The Add Identity Provider screen is displayed.
Specify a unique Name for the provider. This is a mandatory field.
Select Provider Verifier. This is a mandatory field. The verifier can be Issuer or OpenID Configuration URL.
Note
OpenID Configuration URL is the recommended option.
If you select the Issuer option, you need to specify a combination of Issuer and jwksURL.
Make sure to provide the exact CipherTrust Manager application's credentials, as received from Oracle; otherwise, external APIs might cease to work as expected. Currently, only Oracle IDCS is supported as identity provider and the issuer should be
https://identity.oraclecloud.com/
.Click the desired tab below to view instructions.
If you select Issuer, you need to specify the combination of Issuer and JWKS URI.
Select Issuer.
Enter a valid Issuer.
Specify jwksURL.
This is the recommended option.
Select OpenId Configuration URL.
Specify the OpenId Configuration URL. The URL must be valid. It is a combination of "Identity Domain URL" and "/.well-known/openid-configuration". For example, a sample Open ID Config URL is:
https://idcs-34db4d7d06886cea8e26e0eaafb56cc6.identity.oraclecloud.com/.well-known/openid-configuration
(If Oracle IDCS is configured in the protected mode), select jwks Protected URL and specify the following:
Client ID: Client ID of the CipherTrust Manager application as registered on third-party IDP.
Client Secret: Client secret of the CipherTrust Manager application as registered on third-party IDP.
Click Add.
Click Close.
The newly created identity provider appears in the providers list. Similarly, add as many identity providers as required.
Viewing Identity Providers
The Oracle Vaults page shows the available identity providers. The IDENTITY PROVIDERS section shows the Name, Issuer, OpenID Configuration URL, and jwksURL.
To view identity providers:
Open the Cloud Key Manager application.
In the left pane, click KMS Containers > Oracle Vaults.
Click the External Vaults tab.
Navigate to IDENTITY PROVIDERS. The list of identity providers is displayed.
The following details are shown:
Column Description Name Name of the identity provider. Issuer Issuer string from the identity provider JWT. OpenID Configuration URL URL of the OpenID configuration. jwksURL URL of JWKS.
Editing Identity Providers
To edit identity providers:
Open the Cloud Key Manager application.
In the left pane, click KMS Containers > Oracle Vaults.
Click the External Vaults tab.
Navigate to IDENTITY PROVIDERS. Under Name, click the desired profile. The Edit Identity Provider screen is displayed.
Alternatively, click the overflow icon corresponding to the desired profile and click Edit.
Update the identity provider details, as appropriate.
Click Update.
Click Close.
Deleting Identity Providers
When an identity provider is no longer needed, delete it from the CipherTrust Manager. Before deleting the provider, ensure that it is not in use by any external vaults.
To delete an identify provider:
Open the Cloud Key Manager application.
In the left pane, click KMS Containers > Oracle Vaults.
Click the External Vaults tab.
Under IDENTITY PROVIDERS, click Delete corresponding to the desired provider. The Delete Identity Provider dialog box appeared on the screen.
Are you sure you want to delete? message is displayed in the dialog box.
Click Delete Identity Provider to confirm the deletion.
Note
If the issuer (identity provider) is associated with an existing external vault, you will see an Error in deleting identity provider message. You need to modify the association to delete the issuer.
A success message is displayed on the screen. The identity provider is removed from the providers list.