Configuring the identity provider

The Stormshield KMaaS uses an identity provider (IDP) to authenticate end users, manage their access permissions and their life cycles. Configure the provider of your choice and create an OpenID Connect application.

The Stormshield KMaaS is compatible with JWT tokens signed with the RS256 algorithm.

The procedure below describes the configuration with One Login. For more information, refer to the One Login documentation.

In OpenID Connect, select the Configuration menu, then specify the redirect URI in the Redirect URI's field. For more information, refer to the Google documentation Connect to your identity provider for client-side encryption.
OpenID redirect URI

In OpenID Connect, select the SSO menu and take note of the ClientID and Issuer URL import values:

These values will be used in the config.json file, in the tenants > user_authentication > idps section of the Stormshield KMaaS. Below are a few examples:

  • ClientID: 3e14f1a0-5814-0550-cy6e-0bd6abe5ty43540000
  • Issuer URL (Well-known configuration):  https://stormshield-example.onelogin.com/oidc/2/.well-known/openid-configuration

For more information on declaring the identity providers in the Stormshield KMaaS, refer to section Configuring the Stormshield KMaaS, tenants parameter.

According to the specifications provided by Google, the authentication token contains a JSON Web Token (i.e., JWT). For more information, see the RFC7516 document.

The mandatory and optional fields expected by the KACL depending on the routes used are listed in the following table:

Routes Mandatory fields Optional fields

  • wrap

  • unwrap

  • privilegedwrap,

  • privilegedunwrap

  • privatekeydecrypt,

  • privatekeysign,

  • privilegedprivatekeydecrypt

  • privilegedprivatekeysign

  • iss

  • aud

  • exp

  • iat

  • email

  • google_email

Authentication token to the KACLS:

  • privilegedunwrap

They are used to authenticate a KACLS to another one in the context of a migration.

  • iss

  • aud

  • exp

  • iat

  • kacls_url

  • resource_name

  
delegate

  • iss

  • aud

  • exp

  • iat

  • email

  • delegated_to

  • resource_name

  
wrapprivatekey

  • iss

  • aud

  • exp

  • iat

  

For more information, refer to the Google documentation.

Authentication tokens related to delegation

The authentication tokens used by the encryption and decryption operations (i.e., wrap and unwrap routes) in the context of a delegation operation are dynamically generated by the Stormshield KMaaS (delegate route): for security reasons, and as recommended by Google, these tokens have a lifetime of 15 minutes.