Manage Identity Providers

Identity providers in DevOps Secrets Safe authenticate and assign identity to authenticated users. Only the internal identity provider is enabled by default. External identity providers can be configured to enable usage of identity sources separate from the internal user store.

Identity providers can be configured using the command line interface or the API. Management permissions for identity provider configurations are for Create, Read, Update, and Delete operations the resource path /principal. Once configured, the base resource path for an identity provider is /principal/<providerName>. The internal identity provider exists at the path /principal/internal.

Users can attempt authentication via the provider using the route /connect/token/<providerName>. For example, if a provider were configured with the name developers, principals from that provider would exist under the path principal/developers while users from that provider could log in by supplying their credentials in a request to the route /connect/token/developers.

Principals are created for external users the first time they successfully log in. It is not currently possible to set up permissions for specific users from external identity providers until they first perform a login. The act of logging in makes DevOps Secrets Safe aware of the user identity and makes the identity eligible for permission management.

List Identity Provider Configurations

The ssrun identity get command returns a JSON array of all external identity provider configurations.

ssrun identity get
   "Name": "ldap_production",
   "Type": "LDAP",
   "Options": {
     "Url": "ldap://",
     "BindDn": "uid=tesla,dc=example,dc=com",
     "BindCredentials": "password",
     "SearchBase": "dc=example,dc=com",
     "SearchFilter": "(&(objectClass=person)(uid={0}))",
     "GroupDn": "dc=example,dc=com",
     "GroupFilter": "(|(memberUid={0})(member={0})(uniqueMember={0}))"
     "Type": "idcs_sample",
     "Name": "IDCS",
     "Options": {
         "ClientId": "f57a5d2b4a954828b59de61fa921e315",
         "ClientSecret": "785c8d61-37c4-4c5f-b491-35b166d7127f",
         "InstanceUrl": ""

Create Identity Provider Configuration

Create the identity provider described in the file at myConfig.txt:

ssrun identity create -f myConfig.txt

Create a preconfigured identity provider identified by the -n argument using the following command. Currently the only preconfigured identity provider is Kubernetes, which configures the cluster hosting DevOps Secrets Safe as an identity provider.

ssrun identity create -n <providerName>

The preconfigured Kubernetes provider configuration is:

      "Name": "Kubernetes",
      "Type": "Kubernetes",
      "Enabled": true

For more information about valid configuration samples, please see Synchronize Group Membership for External Identity Providers.

Update Identity Provider Configuration

The following command updates the identity provider named <providerName> with the contents of the configuration file myConfig.txt. The name field for a provider is static and cannot be changed by an update operation. All other fields are eligible for modification.

ssrun identity update -f myConfig.txt -n <providerName>

Delete Identity Provider Configuration

Deletes the identity provider configuration named <providerName> using the following command. After deletion, the named provider is erased and can no longer be used for authentication. Users whose identities originate from the deleted provider are notable to obtain new authorization tokens.

ssrun identity delete -n <providerName>