Authentication: OIDC
Use dsv config auth-provider search --encoding yaml
to see your current authentication settings.
The initial auth settings after your tenant is provisioned should look like this:
data:
- created: "2020-04-27T18:04:52Z"
createdBy: ""
id: bqjhth447csc72i4sm8g
lastModified: "2020-04-27T18:04:52Z"
lastModifiedBy: ""
name: thy-one
properties:
baseUri: https://login.thycotic.com/
clientId: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
clientSecret: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
type: thycoticone
version: "0"
length: 1
limit: 25
OIDC Providers
Any OIDC compliant authentication provider should be configurable to work with Thycotic One and Verify Privilege DevOps Vault. Documented integrations are below.
Common Steps
For all OIDC authentication providers you will need to get their provider URL, client id, and client secret. You will need to set in the authentication provider the callback URL that it will redirect to once authentication is complete.
To get your callback URL:
- Sign into the cloud manager portal and go to Manage | Teams and click Organizations for your team.
- Click Auth Providers and then click New. This opens a dialog.
- Give it a name and copy the Callback URL provided. Do not save or cancel. You will be coming back to fill out the rest of the fields.
Creating a User in Thycotic One and VP-DV
In order to log in using OIDC, the user must exist in the external provider, Thycotic One, and in VP-DV.
If your current user, such as your initial admin already exists in all places, then skip this section. If you want to add another user to Thycotic One and VP-DV simultaneously, do the following steps.
-
In the VP-DV CLI run
dsv user create --username useremail@company.com --provider thy-one
. -
This creates a user record in VP-DV and syncs it to Thycotic One. The User will get an email with a link to establish their password.
-
In the cloud manager portal, you can see your users by logging in and clicking the Users link.
Logging In
Initialize the CLI.
dsv init
Add a new profile if you want to retain your default dsv
profile.
When prompted for the authorization type, choose OIDC (federated).
Please enter auth type:
(1) Password (local user)(default)
(2) Client Credential
(3) #{ThycoticOne}# (federated)
(4) AWS IAM (federated)
(5) Azure (federated)
(6) GCP (federated)
(7) OIDC (federated)
When prompted for the authentication provider, press Enter to accept the default of thy-one
If you are on Windows or Mac OS, the CLI should automatically open a browser to the Google login page, otherwise it will print out a URL that you can copy and paste into a browser to complete the process.
Log in using your Google credentials and your browser will redirect to http://localhost:8072/callback
. The CLI is listening on that port and will submit the returned authorization code to VP-DV to finish the login process.
Verify the login by running (omit the --profile flag if you overwrote your config).
dsv auth --profile profilename