This article provides an overview of identity provider support, capabilities, and requirements.

Supported IDPs

Vault File Manager supports the following identity providers:

  • Ping Identity
  • ADFS
  • Okta
  • Microsoft Azure AD

How Authentication Works

Vault File Manager authentication works by:

  • Consuming Authorization Server (AS) metadata retrieved from a Vault profile to allow users to authenticate with the AS via OAuth 2.0 / OpenID Connect or with Vault directly via username and password.
  • Requesting the Vault session based on the id_token or the access_token.
  • Allowing Vault to validate tokens locally when they are presented as JWTs and the signing keys are published via the JWKS URI.
  • Allowing Vault to validate tokens remotely using the introspection endpoint, if exposed by the AS.

Authentication Support

Vault File Manager supports:

  • OAuth 2.0 / OpenID Connect with no client secret.
  • Authorization Code grant type with openid and offline_access scopes.
  • Silent refresh of the Vault session if the AS honors the offline_access scope and presents a refresh_token.
  • Federation based on the user’s Federated ID or Vault User Name.
  • Modern Windows Authentication (ADAL) to authenticate with Microsoft ADFS, when configured.

Requirements

Vault File Manager requires:

  • The user’s Federated ID to be included in the sub claim of the token. Customers can configure an alternative identifier claim if the sub claim is not available or cannot be modified to contain the correct Federated ID.
  • The AS to support the hard-coded client ID. Customers can create a mapping between the hard-coded client ID stored in the client apps, such as Vault File Manager, and the generated client ID required by the AS.
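
As an added illustration (not Veeva's code, and not how Vault or Vault File Manager is implemented), the following Python walks through the local validation path and the identifier-claim requirement described above: the token signature is checked against an RSA key from the AS JWKS, issuer, audience and expiry are checked, and the Federated ID is read from sub or from a configured alternative claim. Assumptions: RS256 signatures, that the AS-generated client ID (the one the hard-coded client ID maps to) is the expected aud, and that the function and claim names other than the standard JWT ones are the example's own.

```python
import base64, hashlib, hmac, json, time
# DER DigestInfo prefix for SHA-256 used by RSASSA-PKCS1-v1_5 (RFC 8017, section 9.2).
SHA256_DIGEST_INFO = bytes.fromhex("3031300d060960864801650304020105000420")

def b64url_decode(s):  # base64url without padding, as used in JWT and JWK
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _jwk_int(s):  # JWK "n"/"e" are big-endian unsigned integers, base64url-encoded
    return int.from_bytes(b64url_decode(s), "big")

def rs256_verify(n, e, signing_input, sig):
    """RSASSA-PKCS1-v1_5: sig^e mod n must equal 00 01 FF..FF 00 DigestInfo SHA-256(input)."""
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    t = SHA256_DIGEST_INFO + hashlib.sha256(signing_input).digest()
    expected = b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
    return hmac.compare_digest(em, expected)

def validate_locally(token, jwks, issuer, client_id, id_claim="sub", now=None):
    """Validate a JWT against keys from the AS jwks_uri and return the Federated ID.
    client_id is the AS-generated client ID that the hard-coded one maps to (assumed to be aud)."""
    h64, p64, s64 = token.split(".")
    header, payload = json.loads(b64url_decode(h64)), json.loads(b64url_decode(p64))
    if header.get("alg") != "RS256":  # refuse 'none' and any unexpected algorithm
        raise ValueError("unsupported alg")
    key = next((k for k in jwks["keys"] if k.get("kty") == "RSA" and k.get("kid") == header.get("kid")), None)
    if key is None:
        raise ValueError("no matching key in JWKS")
    if not rs256_verify(_jwk_int(key["n"]), _jwk_int(key["e"]), f"{h64}.{p64}".encode(), b64url_decode(s64)):
        raise ValueError("bad signature")
    aud = payload.get("aud")
    if payload.get("iss") != issuer or client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("issuer or audience mismatch")
    if payload.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("token expired")
    federated_id = payload.get(id_claim)  # sub by default, or the configured alternative claim
    if not federated_id:
        raise ValueError(f"identifier claim {id_claim!r} missing")
    return federated_id

def choose_validation(metadata, token):
    """JWT plus a published jwks_uri: validate locally; otherwise use introspection if exposed."""
    if token.count(".") == 2 and metadata.get("jwks_uri"):
        return "local"
    if metadata.get("introspection_endpoint"):
        return "remote"
    raise ValueError("AS exposes neither a usable jwks_uri nor an introspection endpoint")
```

The remote path (introspection) is a plain HTTPS call to the endpoint named in the AS metadata and is not shown.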