HCP Adds OpenID Connect (OIDC) Single Sign-On Functionality
Learn how users of the HashiCorp Cloud Platform (HCP) can now leverage the popular OpenID Connect (OIDC) protocol for their single sign-on (SSO) integrations.
We are excited to announce that HashiCorp Cloud Platform (HCP) now allows organizations to configure their single sign-on (SSO) with the OpenID Connect (OIDC) authentication method. This popular SSO solution gives organizations leveraging HCP more options to integrate identity providers (IDPs) into their cloud platform.
» What is OIDC SSO
OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol that enables clients to verify end-users’ identities based on the authentication performed by an authorization server or identity provider, as well as obtain basic profile information about the end user in an interoperable and REST-like manner. You can learn more about OIDC here.
» The Benefits of OIDC SSO on HCP
Previously, HCP supported three specific types of authentication methods: email and password combination, GitHub, and SAML SSO. Many HCP users and customers, however, leverage OIDC external identity providers (IDPs) across their networks and want to integrate them to log in to HCP.
Due to these requests and the overall popularity of this authentication method, the latest release of HCP offers full support for OIDC authentication methods, allowing users to delegate authentication to their preferred OIDC provider.
Many organizations find OIDC SSO much simpler to implement than SAML and more accessible through APIs because it works with RESTful API endpoints. In addition, by enabling OIDC SSO, HCP adds another way to easily integrate with popular identity providers like Microsoft Azure Active Directory and Okta. Lastly, this is the first step in allowing all HCP products to integrate with each other through a single seamless authentication workflow. Look for more HCP integration updates in the future.
» How to Implement OIDC SSO on HCP
HCP supports all OIDC external identity providers. Two popular identity providers, Azure Active Directory and Okta, have unique implementation procedures. You can see an overview below, or click through for more detailed instructions. Refer to SSO Overview for details about managing organizations with SSO enabled.
» Azure Active Directory Setup
Setting up OIDC SSO on HCP utilizing Azure Active Directory requires three main actions:
- Your HCP organization's owner and/or admin must log in to HCP to set up and configure their selected SSO method.
- Verify your domain: You need a DNS TXT record containing a secret value to prove ownership of a domain. HCP uses the domain to match the email addresses for SSO. You must use different SSO domains for each HCP organization. If you try to reuse a domain name, the DNS connection request will fail.
- Enable OIDC integration: You must add information from the Initiate OIDC Integration section in HCP to the OIDC configuration for an Enterprise application in Azure Active Directory.
For detailed step-by-step instructions visit the Azure Active Directory OIDC SSO Configuration page.
» Okta Identity Provider Setup
Setting up OIDC SSO on HCP utilizing the Okta identity provider is also straightforward:
- Your HCP organization's owner and/or admin must log in to HCP to set up and configure their selected SSO method.
- Verify your domain: You need a DNS TXT record containing a secret value to prove ownership of a domain. HCP uses the domain to match the email addresses for SSO. You must use different SSO domains for each HCP organization. If you try to reuse a domain name, the DNS connection request will fail.
- Create an OIDC app integration: Log into Okta, click on Applications, and follow the Create App Integration process.
For detailed step-by-step instructions visit the Okta OIDC SSO Configuration page.
» More to Come
OIDC SSO expands user management options for organizations leveraging the HashiCorp Cloud Platform. It can help mitigate account takeover (ATO) attacks, provide a universal source of truth for federating identities from your identity provider (IDP), and help you better manage user access to your organization. Keep an eye out for further integrations to increase user security and flexibility as HCP develops.