Authentication: OIDC

Use dsv config auth-provider search --encoding yaml to see your current authentication settings.

The initial auth settings after your tenant is provisioned should look like this:

Copy
data:
- created: "2020-04-27T18:04:52Z"
  createdBy: ""
  id: bqjhth447csc72i4sm8g
  lastModified: "2020-04-27T18:04:52Z"
  lastModifiedBy: ""
  name: thy-one
  properties:
    baseUri: https://login.thycotic.com/
    clientId: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    clientSecret: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  type: thycoticone
  version: "0"
length: 1
limit: 25

OIDC Providers

Any OIDC compliant authentication provider should be configurable to work with Thycotic One and Verify Privilege DevOps Vault. Documented integrations are below.

Common Steps

For all OIDC authentication providers you will need to get their provider URL, client id, and client secret. You will need to set in the authentication provider the callback URL that it will redirect to once authentication is complete.

To get your callback URL:

  1. Sign into the cloud manager portal and go to Manage | Teams and click Organizations for your team.
  2. Click Auth Providers and then click New. This opens a dialog.
  3. Give it a name and copy the Callback URL provided. Do not save or cancel. You will be coming back to fill out the rest of the fields.

Post OIDC Configuration Steps

Creating a User in Thycotic One and VP-DV

In order to log in using OIDC, the user must exist in the external provider, Thycotic One, and in VP-DV.

If your current user, such as your initial admin already exists in all places, then skip this section. If you want to add another user to Thycotic One and VP-DV simultaneously, do the following steps.

  1. In the VP-DV CLI run dsv user create --username useremail@company.com --provider thy-one.

  2. This creates a user record in VP-DV and syncs it to Thycotic One. The User will get an email with a link to establish their password.

  3. In the cloud manager portal, you can see your users by logging in and clicking the Users link.

Logging In

Initialize the CLI.

Copy
dsv init

Add a new profile if you want to retain your default dsv profile.

When prompted for the authorization type, choose OIDC (federated).

Copy
Please enter auth type:
       (1) Password (local user)(default)
       (2) Client Credential
       (3) #{ThycoticOne}# (federated)
       (4) AWS IAM (federated)
       (5) Azure (federated)
       (6) GCP (federated)
       (7) OIDC (federated)

When prompted for the authentication provider, press Enter to accept the default of thy-one

If you are on Windows or Mac OS, the CLI should automatically open a browser to the Google login page, otherwise it will print out a URL that you can copy and paste into a browser to complete the process.

Log in using your Google credentials and your browser will redirect to http://localhost:8072/callback. The CLI is listening on that port and will submit the returned authorization code to VP-DV to finish the login process.

Verify the login by running (omit the --profile flag if you overwrote your config).

Copy
dsv auth --profile profilename