OpenID-Connect (OIDC) Authentication
This article explains how to configure PrivX to authenticate users via an OpenID Connect (OIDC) identity provider.
OIDC users can log into the PrivX GUI and access target hosts, based on the permissions granted by their assigned roles. Authentication is handled via the configured OIDC provider.
You can integrate PrivX with both Active Directory (AD) and an OIDC provider — for example, using Microsoft Entra. See: Microsoft Entra ID as a User Directory via LDAPS and Microsoft Entra ID as a User Directory via Microsoft Graph API.
To enable OIDC Authentication in PrivX:

- Configure your OIDC provider to provide role information in End-User Claims.
  Your OIDC provider must have End-User Claims with tags that can be used to associate users with PrivX roles. For example, the groups claim in the ID Token or UserInfo response could include the required tags:

  {
    "sub": "248289761001",
    "name": "Jane Doe",
    "given_name": "Jane",
    "family_name": "Doe",
    "preferred_username": "j.doe",
    "email": "janedoe@example.com",
    "groups": ["Example Role 01", "Example Role 02"]
  }

- Ensure your OIDC provider is configured to issue access tokens and refresh tokens for PrivX.
  PrivX requires access and refresh tokens to retrieve updated group and role information.
  Provide the following redirect URI to the OIDC provider (replace privx.example.com with the hostname of your PrivX instance):
  https://privx.example.com/auth/api/v1/oidc-cb

- Add the OIDC provider to PrivX.
  In PrivX, go to Administration→Directories, and click Add Directory.
  Then, set Type to OpenID Connect, and enter the required configuration fields (such as OIDC issuer URL and client credentials).

- To allow users to log into personal accounts, specify the OIDC claim(s) containing the users' personal account names and map them to Unix or Windows account fields using Source=Target attribute pairs. Use unix_account for SSH connections and windows_account for RDP. Examples:
  - If users' Windows logon names are provided in the email claim, specify email=windows_account.
  - If preferred_username matches both Unix and Windows account names, specify preferred_username=unix_account,windows_account.

  When using Oracle Cloud as the OIDC provider, you also need to open Advanced Directory Settings and set Additional Issuer URL to https://identity.oraclecloud.com/.
  For AWS Cognito OIDC directories, make sure the Use userinfo endpoint option is disabled.

- After completing the setup, click Save to apply the changes.

- (Optional) You may test OIDC logins with two different methods:
  - On the PrivX login page, click the OIDC method listed below the Login button.
  - Go to Administration→Directories, and select your OIDC directory. Then, in the OpenID Connect settings section, copy the value of Direct Login URL, and use it to go directly to the OIDC login page.
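The following Python example is added here to illustrate the two mapping steps above (associating tags in the groups claim with roles, and resolving Source=Target attribute pairs such as email=windows_account into personal account names). It is not PrivX code and does not reflect how PrivX parses these settings internally; the claim set is constructed from the article's sample, and the ROLE_TAGS table, the function names and the rule that multiple pairs are passed as a list are assumptions made for this example.

```python
import re
from typing import Any, Dict, List, Tuple

# Constructed sample claim set, modelled on the ID Token / UserInfo example above.
SAMPLE_CLAIMS: Dict[str, Any] = {
    "sub": "248289761001",
    "name": "Jane Doe",
    "given_name": "Jane",
    "family_name": "Doe",
    "preferred_username": "j.doe",
    "email": "janedoe@example.com",
    "groups": ["Example Role 01", "Example Role 02"],
}

# Hypothetical table of group tags -> role names that an administrator would maintain.
ROLE_TAGS: Dict[str, str] = {
    "Example Role 01": "ssh-users",
    "Example Role 02": "rdp-admins",
}

# The two account targets the article names: unix_account for SSH, windows_account for RDP.
VALID_TARGETS = frozenset({"unix_account", "windows_account"})
_PAIR_RE = re.compile(r"^\s*([A-Za-z_][\w.-]*)\s*=\s*([A-Za-z_,\s]+)$")


def parse_account_mapping(pair: str) -> Tuple[str, List[str]]:
    """Parse one Source=Target pair, e.g. 'preferred_username=unix_account,windows_account'.
    Rejects malformed pairs and targets other than the two known account fields."""
    m = _PAIR_RE.match(pair)
    if not m:
        raise ValueError(f"malformed Source=Target pair: {pair!r}")
    source = m.group(1)
    targets = [t.strip() for t in m.group(2).split(",") if t.strip()]
    unknown = [t for t in targets if t not in VALID_TARGETS]
    if unknown or not targets:
        raise ValueError(f"unknown account target(s) {unknown} in {pair!r}")
    return source, targets


def resolve_accounts(claims: Dict[str, Any], pairs: List[str]) -> Dict[str, str]:
    """Apply mapping pairs to a claim set; returns {target: account_name}.
    A target whose source claim is absent or empty is left unmapped (the user simply
    gets no personal account for it); two pairs that put different values on one
    target are rejected rather than silently letting the last one win."""
    resolved: Dict[str, str] = {}
    for pair in pairs:
        source, targets = parse_account_mapping(pair)
        value = claims.get(source)
        if not isinstance(value, str) or not value.strip():
            continue  # claim missing or empty: nothing to map for this pair
        for target in targets:
            if target in resolved and resolved[target] != value:
                raise ValueError(
                    f"conflicting values for {target}: {resolved[target]!r} vs {value!r}"
                )
            resolved[target] = value
    return resolved


def resolve_roles(
    claims: Dict[str, Any], role_tags: Dict[str, str], groups_claim: str = "groups"
) -> List[str]:
    """Map tags found in the groups claim to role names. Tags not in the table grant
    nothing (least privilege); a provider that emits a single string instead of a
    list is tolerated; any other shape yields no roles."""
    raw = claims.get(groups_claim, [])
    if isinstance(raw, str):
        raw = [raw]
    if not isinstance(raw, list):
        return []
    return sorted({role_tags[t] for t in raw if isinstance(t, str) and t in role_tags})


if __name__ == "__main__":
    print(resolve_roles(SAMPLE_CLAIMS, ROLE_TAGS))
    print(resolve_accounts(SAMPLE_CLAIMS, ["email=windows_account"]))
    print(resolve_accounts(SAMPLE_CLAIMS, ["preferred_username=unix_account,windows_account"]))
```

The point worth keeping from this sketch is the failure handling: a group tag that is not in the role table maps to nothing rather than to some default role, and two pairs that disagree about one target are treated as a configuration error, so a user never lands on a host account the administrator did not intend.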
Once imported, OIDC users can access the PrivX GUI using their OIDC credentials. To allow these users to log into target hosts, assign them to roles as described in Granting User Permissions.