OpenID-Connect Authentication

This article describes the configurations for allowing users from an OpenID Connect (OIDC) provider to log into PrivX.

Users from added OIDC providers can log into PrivX via the PrivX GUI, and furthermore to target hosts (as permitted by their roles). Such users are authenticated against the OIDC provider.

To provide access for OIDC users, set up your OIDC and PrivX as follows:

  1. Configure your OIDC provider to provide role information in End-User Claims.

    End-User Claims from the OIDC provider must include tags that can be used to associate the End User to PrivX Roles. For example, in the following ID Token/Userinfo response, the ​groups​​ Claim provides the required tags:

    {
        "sub": "248289761001",
        "name": "Jane Doe",
        "given_name": "Jane",
        "family_name": "Doe",
        "preferred_username": "j.doe",
        "email": "[email protected]",
        ​"groups": ["Example Role 01", "Example Role 02"]​​
    }
    
  2. PrivX requires continued access to the OIDC provider for updated group and role information. Ensure your OIDC provider is configured to issue access and refresh tokens for PrivX. Provide the following redirect URI to the OIDC provider (replace privx.example.com with your PrivX address):

    https://​​privx.example.com​​/auth/api/v1/oidc-cb
    
  3. Add the OIDC provider to PrivX. To do this, go to the ​Administration→Directories​ page and click ​Add Directory​​.

  4. Set the directory ​Type​ to ​OpenID Connect​​. Provide any required settings, such as the OIDC issuer URL and client credentials.

    📘

    Note

    To allow OIDC users to log into personal accounts, specify the claim(s) containing the users' personal-account names. Then in ​Source=Target attribute pairs​​, map these claims to ​unix_account​ or ​windows_account​​ for SSH and RDP connections respectively.

    For example, if the users' Windows logon names are in their ​email​​ claim, specify the following:

    email=windows_account

    As another example, if the users' ​preferred_username​​ claim matches both their Unix- and Windows-account names, specify the following:

    preferred_username=unix_account,windows_account

    After you have provided the necessary settings, click ​Save​​ to apply your changes.

  5. ​​(Optional)​​ You may test OIDC logins from the PrivX login page. You can log in using either of the following methods:

    • Via the PrivX login page, click the OIDC authentication method listed below the ​Login​​ button.

    • Go directly to the OIDC login page. To display the link to the OIDC login page, go to ​Settings→Directories​ and click your OIDC directory. The link is in ​The Direct Login URL​​, under the ​OpenID connect settings​​ section.

Any imported PrivX users can login to the PrivX GUI using their OIDC credentials. To further allow such users to log into target hosts, add them to roles as described in Granting User Permissions.


Did this page help you?