An identity provider (IdP) is a service that stores and verifies user identities. The default identity provider for any user is Britive. To create an IdP and configure Britive to trust the authentication tokens it issues, use the following steps:
1. Log in to Britive with administrator privileges.
2. Click Admin -> Identity Management.
3. Select the Identity Providers tab and click the Add Identity Provider button.
4. In the Add Identity Provider window, enter the following:
   Select Identity Provider Type:
   SAML: Enter Name and Description.
   OIDC: Enter Name, Issuer URL, and Description. The Issuer URL is part of the Prerequisites for OIDC Providers.
   SPIFFE:
   To use the SPIFFE (Secure Production Identity Framework for Everyone) workload identity provider, you must first install and configure SPIRE (SPIFFE Runtime Environment). To install and configure SPIRE, see SPIFFE.
   Name: Enter the name of the workload identity provider.
   Attributes Map: Edit the list of attribute mappings and their values. Map the attributes of the issued ID token to Britive service identity attributes. Identity attributes can be added from the Admin -> Identity Management -> Identity Attributes tab.
   Note: The Attributes Map must contain exactly one mapping pair, with idpAttr set to the subject claim ('sub') of the JWT-SVID and userAttr set to the ID of the 'spiffe id' custom attribute created while configuring SPIRE.
   Validation Window: The validation window starts from the time the token is signed, as specified by the x-amz-date request header in the token. For more information, see Validation Window.
   Bundle Endpoint, Bundle Profile (only the https_web profile is currently supported), and Trust Domain: Ensure these values match the SPIRE server configuration.
   Description: Enter a description.
   AWS STS: Enter Name and Description. Only one AWS STS identity provider can be configured.
5. Click Add.
6. The new identity provider is displayed in the list. Click Manage to configure it.
   SAML: To configure SSO or SCIM for a particular identity provider, see Identity Provider Integration Guides.
   OIDC:
   Validation Window: The validation window starts from the time the token was issued, as specified in the JWT issued-at ('iat') claim. The default validation window is 30 seconds. For more information, see Validation Window.
   Attributes Map: Edit the list of attribute mappings and their values. Map the attributes of the ID token issued by the OIDC provider to Britive service identity attributes. Identity attributes can be added from the Admin -> Identity Management -> Identity Attributes tab.
   Allowed Audiences: Edit the list of allowed audiences. Allowed Audiences are part of the Prerequisites for OIDC Providers.
   AWS STS:
   Validation Window: The validation window starts from the time the token is signed, as specified by the x-amz-date request header in the token. For more information, see Validation Window.
   Max Request Token Duration: The maximum token validity period that a client can request.
   Attributes Map: Edit the list of attribute mappings and their values. Map the attributes of the token issued by AWS to Britive service identity attributes. Identity attributes can be added from the Admin -> Identity Management -> Identity Attributes tab.
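The OIDC checks described under Manage (issuer URL, allowed audiences, a validation window counted from 'iat' with the 30-second default, and the attributes map), written out as an added Python example; this is not Britive's code, and the issuer, audience and attribute names are constructed placeholders.

```python
import base64
import json

# Constructed configuration mirroring the OIDC provider settings described above.
# Issuer, audience and attribute names are placeholders, not values from the page.
OIDC_PROVIDER = {
    "issuer_url": "https://idp.example.com",
    "allowed_audiences": ["britive-tenant"],
    "validation_window_seconds": 30,   # the default stated above
    "attributes_map": {"sub": "externalId", "email": "email"},  # idpAttr -> userAttr
}

def decode_claims(token):
    """Parse the payload of a compact JWT (header.payload.signature). Signature
    verification against the issuer's keys is assumed to have happened already."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def validate_and_map(token, provider, now):
    """Check issuer, allowed audiences and the validation window measured from
    'iat', then apply the attributes map. Returns (accepted, reason, attributes)."""
    claims = decode_claims(token)
    if claims.get("iss") != provider["issuer_url"]:
        return False, "issuer mismatch", {}
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if not any(a in provider["allowed_audiences"] for a in audiences):
        return False, "audience not allowed", {}
    iat = claims.get("iat")
    if not isinstance(iat, (int, float)):
        return False, "missing iat claim", {}
    # Accept only within [iat, iat + window]; a future iat is rejected too.
    if now < iat or now - iat > provider["validation_window_seconds"]:
        return False, "outside validation window", {}
    mapped = {}
    for idp_attr, user_attr in provider["attributes_map"].items():
        if idp_attr not in claims:
            return False, "mapped claim missing: " + idp_attr, {}
        mapped[user_attr] = claims[idp_attr]
    return True, "ok", mapped

def make_test_token(claims):
    """Build a constructed token for local tests; signature segment left empty."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return seg({"alg": "RS256", "typ": "JWT"}) + "." + seg(claims) + "."
```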
Note: If an IdP is deleted, all service identities associated with it are no longer available for authentication, and their access type is set to Static.