Group Mapping
Group maps extend group-based configuration of CipherTrust Manager users to Lightweight Directory Access Protocol (LDAP) or OpenID Connect (OIDC) groups, associated with the Access Management LDAP or OIDC connection. A group map associates an LDAP or OIDC group belonging to a specific connection to a CipherTrust Manager group.
For example, an LDAP group can be mapped to the system defined `Key Users` group in order to allow the LDAP group's members to encrypt data. Alternatively, an LDAP or OIDC group can be mapped to a newly created CipherTrust Manager group where group-based key permissions can be configured.
Group maps are specific to a CipherTrust Manager domain.
Connection Requirements
To set up group maps, the LDAP or OIDC connection must be configured with information to find a given user's group membership on the external server. LDAP connections require six fields to allow group maps. OIDC connections can rely on default or explicit configuration, as described in Determination of OIDC Group Membership.
Note: Group maps are not applicable to the LDAP or OIDC connection available through connection manager.
Determination of OIDC Group Membership
By default, the OIDC connection is set up to allow, but not require, group mapping. CipherTrust Manager checks for group membership in the ID token or returned from the UserInfo Endpoint. If no group membership can be obtained from either source, no CipherTrust Manager group is assigned.
By default, CipherTrust Manager checks the `groups` claim field in the ID token. When you create the OIDC connection, you can specify another claim field in the ID token which contains the group membership.
CipherTrust Manager first checks the claim field parameter in the ID token. If no group membership is found in the claim, and the OIDC connection is configured for authorization code flow, CipherTrust Manager then attempts to get group membership from the identity provider's UserInfo Endpoint. This attempt to get group membership from the UserInfo Endpoint is not supported for implicit flow.
CipherTrust Manager obtains the UserInfo endpoint from the configured Discovery URI, so there is no need to provide the UserInfo endpoint value. There is an optional `--userinfo-endpoint` parameter in the ksctl CLI to override this behavior, which is intended for test deployments only, and not for use in production.
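The lookup order described above (configured ID token claim first, then the UserInfo endpoint only for authorization code flow, and no group at all if neither source has one) is modelled below. This is an added example, not CipherTrust Manager code: the token and UserInfo payloads are constructed sample data, and the flow names, the `fetch_userinfo` callback and the subject check are assumptions of the example.

```python
"""
Added example (not CipherTrust Manager code): models the order in which
group membership is resolved for an OIDC connection. Token and UserInfo
payloads are constructed sample data; the flow names, the fetch_userinfo
callback and the subject check are assumptions of this example.
"""
from typing import Callable, Optional

# Constructed sample ID token claims, already signature-verified and decoded.
SAMPLE_ID_TOKEN_WITH_GROUPS = {
    "sub": "alice",
    "iss": "https://idp.example.test",
    "groups": ["IT", "Engineering"],
}
SAMPLE_ID_TOKEN_CUSTOM_CLAIM = {
    "sub": "bob",
    "iss": "https://idp.example.test",
    "memberOf": ["Engineering"],
}
SAMPLE_ID_TOKEN_NO_GROUPS = {"sub": "carol", "iss": "https://idp.example.test"}

# Constructed UserInfo response the identity provider would return for carol.
SAMPLE_USERINFO = {"sub": "carol", "groups": ["IT"]}


def groups_from_claims(claims: dict, claim_field: str) -> list:
    """Return the group list under claim_field, or [] if it is absent or malformed."""
    value = claims.get(claim_field)
    if isinstance(value, str):
        return [value]
    if isinstance(value, list) and all(isinstance(g, str) for g in value):
        return value
    return []


def resolve_oidc_groups(
    id_token_claims: dict,
    flow: str,
    claim_field: str = "groups",
    fetch_userinfo: Optional[Callable[[], dict]] = None,
) -> list:
    """Resolve external group names for an OIDC login.

    1. Look in the configured claim of the ID token (default "groups").
    2. If nothing is found and the connection uses the authorization code
       flow, query the UserInfo endpoint and look at the same claim there.
    3. Implicit flow never consults UserInfo; an empty result means no
       CipherTrust Manager group is assigned.
    """
    groups = groups_from_claims(id_token_claims, claim_field)
    if groups:
        return groups
    if flow == "authorization_code" and fetch_userinfo is not None:
        userinfo = fetch_userinfo()
        # Assumed check: only trust a UserInfo document about the same subject.
        if userinfo.get("sub") == id_token_claims.get("sub"):
            return groups_from_claims(userinfo, claim_field)
    return []
```

The `fetch_userinfo` callback stands in for the HTTPS call to the endpoint discovered from the Discovery URI; in a real deployment that endpoint is not something you should point at an arbitrary URL, which is why the override parameter above is limited to test deployments.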
Create a Group Map
1. Log in to CipherTrust Manager as `admin`, or as another user in the User Admins group, in the desired domain.
2. Navigate to Access Management > Groups.
3. Click the desired group name.
4. Click + Add Group Map.
5. Provide the following configuration details:
   - Strategy: select `ldap` or `oidc` from the drop-down menu.
   - Connection Name: select the desired OIDC or LDAP connection from the drop-down menu.
   - Connection Group Name: type in the name of the OIDC or LDAP group.
6. Click Add Group Map to confirm.
View and Delete Group Maps for a Group
1. Log in to CipherTrust Manager as `admin`, or as another user in the User Admins group, in the desired domain.
2. Navigate to Access Management > Groups.
3. Click the desired group name.
4. View the currently mapped groups under "Connection groups mapped to the <CipherTrust Manager group name> group".
5. If desired, delete a group map by clicking the trash can icon to the right of the group map row.
Example Use Cases
The utility of group mappings is illustrated by the following examples. LDAP groups are shown in the examples, but OIDC groups can also apply to these scenarios.
Making All Users in a Specific LDAP Group Members of Key Users Group
Assume that there is an LDAP connection named bababini containing a group named IT. All users in the IT group should have the ability to create keys. This can be achieved by creating a group map that maps the LDAP IT group into the built-in CipherTrust Manager `Key Users` group:
1. Log in to CipherTrust Manager as `admin`, or as another user in the User Admins group.
2. Navigate to Access Management > Groups.
3. Click the `Key Users` group name.
4. Click + Add Group Map.
5. Provide the following configuration details:
   - Strategy: select `ldap` from the drop-down menu.
   - Connection Name: select the `bababini` connection from the drop-down menu.
   - Connection Group Name: type in `IT`.
6. Click Add Group Map to confirm.

Users in the LDAP group IT can now create keys.
Two LDAP Groups Share Keys
Assume that there is an LDAP connection named bababini containing two groups: IT and Engineering. It is desired to share cryptographic keys between the two LDAP groups. This can be achieved by the following steps:
1. Create a user-defined group on CipherTrust Manager called `it-engg-shared-keys`.
2. Create cryptographic keys and allow all users in the `it-engg-shared-keys` group access to those keys.
3. Create a group mapping between the IT group and `it-engg-shared-keys`:
   1. Click the `it-engg-shared-keys` group name.
   2. Click + Add Group Map.
   3. Provide the following configuration details:
      - Strategy: select `ldap` from the drop-down menu.
      - Connection Name: select the `bababini` connection from the drop-down menu.
      - Connection Group Name: type in `IT`.
   4. Click Add Group Map to confirm.
4. Create a group mapping between the Engineering group and `it-engg-shared-keys`:
   1. Click the `it-engg-shared-keys` group name.
   2. Click + Add Group Map.
   3. Provide the following configuration details:
      - Strategy: select `ldap` from the drop-down menu.
      - Connection Name: select the `bababini` connection from the drop-down menu.
      - Connection Group Name: type in `Engineering`.
   4. Click Add Group Map to confirm.

Users in both LDAP groups can now share all the keys that grant access permissions to the `it-engg-shared-keys` group.
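To make the effect of the two scenarios concrete, the added example below (not CipherTrust Manager code) models group maps as records of domain, strategy, connection, external group and CipherTrust Manager group, and shows how a user's external groups reported at login become CipherTrust Manager group membership and key permissions. The domain name `root`, the key name, the per-group permission model and the helper names are assumptions of the example; the connection and group names come from the scenarios above.

```python
"""
Added example (not CipherTrust Manager code): models how group maps turn the
external group names of a logged-in user into CipherTrust Manager group
membership, and then what that membership grants. The domain name, the key,
the permission model and the helper names are assumptions built to mirror
the two scenarios above.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class GroupMap:
    domain: str            # group maps are specific to a CipherTrust Manager domain
    strategy: str          # "ldap" or "oidc"
    connection: str        # Access Management connection name
    connection_group: str  # group name on the external server
    cm_group: str          # CipherTrust Manager group it maps into


# Group maps created in the two scenarios, all in the assumed "root" domain.
GROUP_MAPS = [
    GroupMap("root", "ldap", "bababini", "IT", "Key Users"),
    GroupMap("root", "ldap", "bababini", "IT", "it-engg-shared-keys"),
    GroupMap("root", "ldap", "bababini", "Engineering", "it-engg-shared-keys"),
]


@dataclass
class Key:
    """Constructed key with permissions kept per CipherTrust Manager group (assumed model)."""
    name: str
    group_permissions: dict = field(default_factory=dict)  # cm_group -> set of operations


# Constructed key from step 2 of the second scenario: only the shared group may use it.
SHARED_KEY = Key("it-engg-shared-aes", {"it-engg-shared-keys": {"encrypt", "decrypt"}})


def cm_groups_for_user(domain, strategy, connection, external_groups, group_maps=GROUP_MAPS):
    """Collect the CipherTrust Manager groups whose group map matches the user's
    domain, strategy, connection and one of the external groups reported at login."""
    return sorted({
        gm.cm_group
        for gm in group_maps
        if gm.domain == domain
        and gm.strategy == strategy
        and gm.connection == connection
        and gm.connection_group in external_groups
    })


def can_create_keys(cm_groups):
    """Membership in the built-in Key Users group is what allows key creation."""
    return "Key Users" in cm_groups


def allowed_key_ops(key, cm_groups):
    """Union of the operations the key grants to any of the user's groups."""
    ops = set()
    for group in cm_groups:
        ops |= key.group_permissions.get(group, set())
    return ops
```

Note that a user from the same `IT` group on a different connection, or in a different domain, gets nothing: the map is keyed on all of domain, strategy, connection and group name, which is why a group map must be created per domain and per connection.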