Managing Identity Providers
This section describes how to manage identity providers on CCKM.
Identity providers can be added, viewed, modified, or deleted on the External Vaults tab of the Oracle Vaults page. Identity providers are required when adding external vaults; refer to Managing External Vaults for details.
Creating Identity Providers
An issuer or an OpenID configuration URL is required to create an identity provider.
To create an identity provider:
- Open the Cloud Key Manager Application. 
- In the left pane, click KMS Containers > Oracle Vaults. 
- Click the External Vaults tab. 
- Scroll down the page, go to the IDENTITY PROVIDERS section, and click Add Identity Provider. The General Info tab of the Add Identity Provider screen is displayed. 
General Info
- Specify a unique Name for the provider. This is a mandatory field. 
- Select Provider Verifier. This is a mandatory field. The verifier can be Issuer or OpenID Configuration URL. 
  Note: OpenID Configuration URL is the recommended option. 
- If you select the Issuer option, you need to specify a combination of Issuer and jwksURL. 
- If you select the OpenID Configuration URL option, you need to specify an OpenID Configuration URL. 
  Make sure to provide the exact CipherTrust Manager application's credentials, as received from Oracle; otherwise, external APIs might cease to work as expected. Currently, only Oracle IDCS is supported as an identity provider, and the issuer should be https://identity.oraclecloud.com/. 
- (If Oracle IDCS is configured in the protected mode) select jwks Protected URL and specify the following: 
  - Client ID: Client ID of the CipherTrust Manager application as registered on the third-party IDP. 
  - Client Secret: Client secret of the CipherTrust Manager application as registered on the third-party IDP. 
- Click Next. The Regional Settings (Optional) tab of the Add Identity Provider screen is displayed. 
Regional Settings (Optional)
- Enter Regional jwks URL(s) or Regional OpenID Config URL(s), depending on the Provider Verifier you selected in the General Info tab. 
- Click Add Regional URL(s). 
  Note: You can add multiple regional URLs. 
- Click Add. 
- Click Close. 
The newly created identity provider appears in the providers list. Similarly, add as many identity providers as required.
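The two Provider Verifier modes above differ only in where the expected issuer and the signing-key (JWKS) URL come from: in Issuer mode both are entered directly, in OpenID Configuration URL mode they are read from the provider's discovery document, and a regional URL from the Regional Settings tab overrides the default for one region. The Python below is an added example, not code from CipherTrust Manager or Oracle, showing how a verifier would resolve that configuration and check an incoming token's iss claim and kid against it; the idcs-example hostnames, the key material, and the tokens are constructed placeholders, and HTTPS fetches are replaced by a dictionary lookup so it runs offline. Signature verification itself is left to a JOSE library and is not shown; the function returns the JWK that library would use.

```python
import base64
import json
import time
from typing import Dict, Optional, Tuple

# Constructed stand-in for HTTPS fetches so the example runs offline.
# Hostnames, kids and key values are hypothetical placeholders.
FAKE_HTTP: Dict[str, dict] = {
    "https://idcs-example.identity.oraclecloud.com/.well-known/openid-configuration": {
        "issuer": "https://identity.oraclecloud.com/",
        "jwks_uri": "https://idcs-example.identity.oraclecloud.com/admin/v1/SigningCert/jwk",
    },
    "https://idcs-example.identity.oraclecloud.com/admin/v1/SigningCert/jwk": {
        "keys": [{"kty": "RSA", "kid": "SIGNING_KEY_1", "use": "sig", "n": "placeholder", "e": "AQAB"}],
    },
    "https://idcs-example-eu.identity.oraclecloud.com/admin/v1/SigningCert/jwk": {
        "keys": [{"kty": "RSA", "kid": "SIGNING_KEY_EU", "use": "sig", "n": "placeholder", "e": "AQAB"}],
    },
}


def fetch_json(url: str) -> dict:
    """Offline stand-in for an HTTPS GET that returns a JSON document."""
    if url not in FAKE_HTTP:
        raise LookupError(f"no response for {url}")
    return FAKE_HTTP[url]


class IdentityProvider:
    """Holds the fields from the General Info and Regional Settings tabs."""

    def __init__(self, name: str, verifier: str, issuer: Optional[str] = None,
                 jwks_url: Optional[str] = None, openid_config_url: Optional[str] = None,
                 regional_urls: Optional[Dict[str, str]] = None):
        if verifier == "Issuer" and not (issuer and jwks_url):
            raise ValueError("Issuer mode needs both Issuer and jwksURL")
        if verifier == "OpenID Configuration URL" and not openid_config_url:
            raise ValueError("OpenID Configuration URL mode needs the configuration URL")
        self.name, self.verifier = name, verifier
        self.issuer, self.jwks_url, self.openid_config_url = issuer, jwks_url, openid_config_url
        # region -> regional jwks URL (Issuer mode) or regional OpenID config URL (OpenID mode)
        self.regional_urls = dict(regional_urls or {})

    def resolve(self, region: Optional[str] = None) -> Tuple[str, str]:
        """Return (expected issuer, JWKS URL); a regional URL overrides the default."""
        if self.verifier == "Issuer":
            return self.issuer, self.regional_urls.get(region, self.jwks_url)
        doc = fetch_json(self.regional_urls.get(region, self.openid_config_url))
        return doc["issuer"], doc["jwks_uri"]


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def check_token(idp: IdentityProvider, token: str, region: Optional[str] = None,
                now: Optional[float] = None) -> dict:
    """Issuer, expiry and kid checks that precede signature verification.

    Returns the JWK matching the token's kid (the key a JOSE library would verify
    the signature with); raises ValueError on any mismatch.
    """
    try:
        header_b64, payload_b64, _signature = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
    except ValueError as exc:  # covers bad segment count, base64 and JSON errors
        raise ValueError(f"malformed token: {exc}")
    expected_issuer, jwks_url = idp.resolve(region)
    if payload.get("iss") != expected_issuer:
        raise ValueError(f"issuer {payload.get('iss')!r} does not match {expected_issuer!r}")
    if (now if now is not None else time.time()) >= payload.get("exp", 0):
        raise ValueError("token expired or has no exp claim")
    kid = header.get("kid")
    for key in fetch_json(jwks_url)["keys"]:
        if key.get("kid") == kid and key.get("use", "sig") == "sig":
            return key
    raise ValueError(f"kid {kid!r} not present in JWKS at {jwks_url}")


def make_unsigned_token(header: dict, payload: dict) -> str:
    """Constructed demo token; the signature segment is a placeholder, not a real signature."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc(header)}.{enc(payload)}.placeholder-signature"


def demo() -> Dict[str, str]:
    idp = IdentityProvider(
        name="oracle-idcs", verifier="OpenID Configuration URL",
        openid_config_url="https://idcs-example.identity.oraclecloud.com/.well-known/openid-configuration")
    exp = int(time.time()) + 3600
    good = make_unsigned_token({"alg": "RS256", "kid": "SIGNING_KEY_1"},
                               {"iss": "https://identity.oraclecloud.com/", "exp": exp})
    other = make_unsigned_token({"alg": "RS256", "kid": "SIGNING_KEY_1"},
                                {"iss": "https://other-issuer.example/", "exp": exp})
    results = {"good": "accepted, kid " + check_token(idp, good)["kid"]}
    try:
        check_token(idp, other)
        results["other_issuer"] = "accepted"
    except ValueError as exc:
        results["other_issuer"] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    print(demo())
```

A token whose iss differs from the configured issuer is rejected before any key lookup, and a kid that is absent from the resolved JWKS (for example, a token issued in a region whose regional URL was never added) is rejected as well, which is the failure mode behind the "add regional URLs" steps above.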
To enable multi-region functionality with FQDN connectivity:
- In the Oracle Cloud Console, create an API Gateway and a private endpoint in the destination region. Ensure both are in the same Virtual Cloud Network (VCN). 
- In the IDCS domain for the destination region, create two new resource applications: 
  - First application: Set the primary audience to the static IP address of the API Gateway in the destination region. 
  - Second application: Set the primary audience to the FQDN of your application CipherTrust Manager. 
  - Add a scope to each application, and include both scopes in the resources field of the existing client application. 
  Note: This results in a configuration with three resource applications and one client application that includes the scopes from all three. 
- In your application (CipherTrust Manager), add the regional IDCS URLs for the source and destination regions to the Identity Provider (IDP), and the primary OCI region. 
- On the Replicate Vault page, replicate the vault from the source region. You will need to select the destination region, IDCS domain name, and private endpoint (PE). 
Viewing Identity Providers
The Oracle Vaults page shows the available identity providers. The IDENTITY PROVIDERS section shows the Name, Issuer, OpenID Configuration URL, and jwksURL.
To view identity providers:
- Open the Cloud Key Manager application. 
- In the left pane, click KMS Containers > Oracle Vaults. 
- Click the External Vaults tab. 
- Navigate to IDENTITY PROVIDERS. The list of identity providers is displayed. The following details are shown: 
  - Name: Name of the identity provider. 
  - Issuer: Issuer string from the identity provider JWT. 
  - OpenID Configuration URL: URL of the OpenID configuration. 
  - jwksURL: URL of the JWKS. 
Editing Identity Providers
To edit identity providers:
- Open the Cloud Key Manager application. 
- In the left pane, click KMS Containers > Oracle Vaults. 
- Click the External Vaults tab. 
- Navigate to IDENTITY PROVIDERS. Under Name, click the desired profile. The details screen of the Identity Provider is displayed. Alternatively, click the overflow icon corresponding to the desired profile and click View/Edit. 
Under GENERAL INFORMATION
- (Optional) Update Name. 
- (Optional) Update jwks Protected URL: 
  - Enter a new Client ID. 
  - Enter a new Client Secret. 
  Note: Do not leave the Client ID and Client Secret empty. 
- Click Update. 
Under REGIONAL SETTINGS
- (Optional) Add new regional URL(s): 
  - Enter new Regional jwks URL(s) or Regional OpenID Config URL(s), depending on the Provider Verifier that has been selected for this identity provider. 
  - Click Add Regional URL(s). 
- (Optional) Edit existing regional URL(s): 
  - Click the Edit icon corresponding to the desired regional URL. 
  - Update the regional URL. 
  - Click Save. 
- (Optional) Delete existing regional URL(s): 
  - Click the Delete icon corresponding to the desired regional URL. 
- Click Update. 
Deleting Identity Providers
When an identity provider is no longer needed, delete it from the CipherTrust Manager. Before deleting the provider, ensure that it is not in use by any external vaults.
To delete an identity provider:
- Open the Cloud Key Manager application. 
- In the left pane, click KMS Containers > Oracle Vaults. 
- Click the External Vaults tab. 
- Under IDENTITY PROVIDERS, click the overflow icon corresponding to the desired provider and click Delete. The Delete Identity Provider dialog box appears with the message "Are you sure you want to delete?". 
- Click Delete Identity Provider to confirm the deletion. 
  Note: If the issuer (identity provider) is associated with an existing external vault, you will see an "Error in deleting identity provider" message. You need to remove the association before you can delete the issuer. 
A success message is displayed on the screen. The identity provider is removed from the providers list.