OpenID-Connect Authentication
This article describes the configurations for allowing users from an OpenID Connect (OIDC) provider to log into PrivX.
Users from added OIDC providers can log into the PrivX GUI and, from there, into target hosts (as permitted by their roles). Such users are authenticated against the OIDC provider, not against a PrivX-local password.
To provide access for OIDC users, set up your OIDC and PrivX as follows:
Configure your OIDC provider to provide role information in End-User Claims.
End-User Claims from the OIDC provider must include tags that can be used to associate the End User to PrivX Roles. For example, in the following ID Token/Userinfo response, the groups Claim provides the required tags:
{
  "sub": "248289761001",
  "name": "Jane Doe",
  "given_name": "Jane",
  "family_name": "Doe",
  "preferred_username": "j.doe",
  "email": "janedoe@example.com",
  "groups": ["Example Role 01", "Example Role 02"]
}
PrivX keeps reading updated group and role information from the OIDC provider after the initial login, so ensure your OIDC provider is configured to issue both access and refresh tokens to PrivX. Register the following redirect URI with the OIDC provider (replace privx.example.com with your PrivX address): https://privx.example.com/auth/api/v1/oidc-cb
Add the OIDC provider to PrivX. To do this, go to the Administration→Directories page and click Add Directory.
Set the directory Type to OpenID Connect. Provide any required settings, such as the OIDC issuer URL and client credentials.
To allow OIDC users to log into personal accounts, specify the claim(s) containing the users' personal-account names. Then in Source=Target attribute pairs, map these claims to unix_account or windows_account for SSH and RDP connections respectively.
For example, if the users' Windows logon names are in their email claim, specify the following:
email=windows_account
As another example, if the users' preferred_username claim matches both their Unix- and Windows-account names, specify the following:
preferred_username=unix_account,windows_account
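The following is an added example, not PrivX code or part of the original article. It applies the Source=Target attribute-pair syntax shown above (email=windows_account, preferred_username=unix_account,windows_account) to the sample ID Token/Userinfo response from step 1, and checks that the groups claim actually carries usable role tags. It assumes that several pairs may be given one per line or whitespace-separated, and that only the two targets named in the article (unix_account, windows_account) exist; both are assumptions made for the example.

```python
import json

# Constructed sample: the ID Token / Userinfo response shown in the article.
SAMPLE_USERINFO = json.loads("""
{
  "sub": "248289761001",
  "name": "Jane Doe",
  "given_name": "Jane",
  "family_name": "Doe",
  "preferred_username": "j.doe",
  "email": "janedoe@example.com",
  "groups": ["Example Role 01", "Example Role 02"]
}
""")

# Assumption: the only target attributes are the two the article names.
TARGETS = {"unix_account", "windows_account"}


def parse_attribute_pairs(spec):
    """Parse Source=Target pairs such as 'preferred_username=unix_account,windows_account'.

    Assumption: several pairs may be given, one per line or whitespace-separated.
    Returns {source_claim: [target, ...]} and rejects malformed or unknown targets.
    """
    mapping = {}
    for pair in spec.split():
        source, sep, targets = pair.partition("=")
        if not sep or not source or not targets:
            raise ValueError(f"malformed attribute pair: {pair!r}")
        names = [t.strip() for t in targets.split(",") if t.strip()]
        unknown = set(names) - TARGETS
        if unknown:
            raise ValueError(f"unknown target attribute(s) {sorted(unknown)} in {pair!r}")
        mapping.setdefault(source, []).extend(names)
    return mapping


def missing_sources(claims, mapping):
    """Source claims the provider did not return as a non-empty string.

    A mapping that names a claim the provider never issues silently yields no
    personal account, so surface that before going live.
    """
    return [s for s in mapping if not isinstance(claims.get(s), str) or not claims[s]]


def resolve_accounts(claims, mapping):
    """Derive the personal-account names from the claims; absent claims are skipped."""
    accounts = {}
    for source, targets in mapping.items():
        value = claims.get(source)
        if isinstance(value, str) and value:
            for target in targets:
                accounts[target] = value
    return accounts


def role_tags(claims, claim_name="groups"):
    """Return the tags from the claim used to associate the user with PrivX roles.

    A single string is accepted as one tag; anything else (missing claim, list of
    non-strings) is an error, since no roles could be matched from it.
    """
    value = claims.get(claim_name)
    if isinstance(value, str):
        return [value]
    if isinstance(value, list) and all(isinstance(g, str) for g in value):
        return list(value)
    raise ValueError(f"claim {claim_name!r} is missing or not a list of strings")


if __name__ == "__main__":
    for spec in ("email=windows_account",
                 "preferred_username=unix_account,windows_account",
                 "upn=windows_account"):  # 'upn' is not in the sample: shows the missing-claim case
        mapping = parse_attribute_pairs(spec)
        print(spec, "->", resolve_accounts(SAMPLE_USERINFO, mapping),
              "missing:", missing_sources(SAMPLE_USERINFO, mapping))
    print("role tags:", role_tags(SAMPLE_USERINFO))
```

Run it against a real Userinfo response captured from your provider (paste it in place of the sample) to confirm that the claim you intend to map is present, is a plain string, and that groups arrives as a list of strings; providers that emit groups as object IDs or a single delimited string will not produce the tags the role mapping expects.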
After you have provided the necessary settings, click Save to apply your changes.
(Optional) Test the OIDC login. OIDC users can log in using either of the following methods:
Via the PrivX login page: click the OIDC authentication method listed below the Login button.
Via the OIDC login page directly: to find its link, go to Administration→Directories and click your OIDC directory. The link is shown as the Direct Login URL under the OpenID Connect settings section.
Users imported from the OIDC directory can log in to the PrivX GUI using their OIDC credentials. To further allow such users to log into target hosts, add them to roles as described in Granting User Permissions.