Authenticators are a secure way to broker trust between applications for the purpose of exchanging secrets and managing authorizations and related functions. Segura integrates with the most widely used authenticators, described in the following sections.
OAuth 1.0 Authenticator
OAuth 1.0 is an authentication method that uses four credentials (consumer key and secret, token and token secret) to identify and authorize an application's access. Prefer modern authentication types that guarantee data integrity: OAuth 1.0 support exists only for legacy applications that cannot be updated, and we discourage its use.
Configuring OAuth 1.0 Authenticator
To use this authentication method, follow these steps:
- Go to DSM > Application > Application.
- Edit or create a New application and select the OAuth 1.0 authentication method.
OAuth 2.0 Authenticator
OAuth 2.0 is an authentication method that uses a client ID and a client secret to request a time-limited token, which is then used to access Segura resources.
Configuring OAuth 2.0 Authenticator
To use this authentication method, follow these steps:
- Go to DSM > Application > Application.
- Edit or create a New application and select the OAuth 2.0 authentication method.
- Fill the Client ID and Client Secret fields with the values provided by your OAuth 2.0 provider.
- To finish, go to DSM > Application > Application.
When a resource needs to use a secret, it uses its OAuth 2.0 client to request a time-limited token and then presents that token when requesting the information from Segura. If the token is valid, Segura allows the application to interact with its resources.
Certificate Authenticator
Certificate authentication gives users and applications a secure way to connect to and authenticate in Segura. All certificates are managed by Segura and are revoked automatically when an authorization is disabled.
Configuring Certificate Authenticator
To use this authentication method, follow these steps:
- Go to DSM > Application > Application.
- Edit or create a New application and select Certificate authentication method.
When an authorization is created, a certificate will be generated for the application to authenticate in Segura.
AliCloud Authenticator
Segura AliCloud Authenticator offers a way for AliCloud users and resources to authenticate with Segura to access secrets managed by the solution.
Configuring AliCloud Authenticator
Step 1
Generate an AccessKey pair as described in the AliCloud documentation.
Step 2. Configure AliCloud as an authenticator in Segura.
- Go to Settings > Authentication > Providers.
- Click on the options button and select New provider.
- On the screen, select the AliCloud option and insert the AccessKey ID and AccessKey Secret.
- To finish, go to DSM > Application > Application.
When a resource needs to use a secret, it can use its AliCloud access keys to request the information from Segura. Segura validates the given data with AliCloud and maps the policies attributed to the requester. If the data is valid, Segura allows the application to interact with DSM secrets and authorizations.
Azure Authenticator
Segura Azure Authenticator offers a way for Azure users and resources to authenticate with Segura to access secrets managed by the solution.
Configuring Azure Authenticator
Step 1
Register an application in Azure as described in the Azure documentation.
Step 2
Generate a Client credential with the Microsoft.Compute/virtualMachines/*/read and Microsoft.Compute/virtualMachineScaleSets/*/read permissions as described in the Azure documentation.
Step 3. Configure Azure as an authenticator in Segura:
- Go to Settings > Authentication > Providers.
- Click on the options button and select New provider.
- On the screen, select the Azure option and insert the Application ID and Application Secret.
- To finish, go to DSM > Application > Application.
When a resource needs to use a secret, it can use its Azure token to request the information from Segura. Segura validates the given data with Azure and maps the policies attributed to the requester. If the data is valid, Segura allows the application to interact with DSM secrets and authorizations.
AWS Authenticator
Segura AWS Authenticator offers a way for AWS users and resources to authenticate with Segura to access secrets managed by the solution.
Configuring AWS Authenticator
Step 1
Create a user on AWS IAM service as described in the AWS documentation.
Step 2
Create a role with the AdministratorAccess policy as described in the official documentation. AdministratorAccess grants full control of the AWS account; treat it as a starting point and scope the role down to the minimum set of actions your deployment actually needs (confirm the required action list with Segura support).
Step 3. Configure AWS as an authenticator in Segura:
- Go to Settings > Authentication > Providers.
- Click on the options button and select New provider.
- On the screen, select the AWS option and provide the AWS Access Key ID and AWS Secret Access Key.
- To finish, go to DSM > Application > Application.
When a resource needs to use a secret, it can use its AWS access keys to request the information from Segura. Segura validates the given access key with AWS and maps the policies attributed to the requester. If the data is valid, Segura allows the application to interact with DSM secrets and authorizations.
Google Cloud Authenticator
Segura Google Cloud Authenticator offers a way for Google Cloud users and resources to authenticate with Segura, through Google Cloud keys, to access secrets managed by the solution.
Configure Google Cloud Authenticator
Step 1
Create a service account with the roles/iam.serviceAccountKeyAdmin and roles/compute.viewer roles as described in the Google Cloud documentation. Note that roles/iam.serviceAccountKeyAdmin can create and delete keys for the project's service accounts, so keep this account dedicated to Segura and protect its key accordingly.
Step 2
Generate a key for that service account as described in the Google Cloud documentation.
Step 3
Configure Google Cloud as an authenticator in Segura:
- Go to Settings > Authentication > Providers.
- Click on the options button and select New provider.
- On the screen, select the Google Cloud option and provide the Google Cloud key.
- To finish, go to DSM > Application > Application.
When a resource needs to use a secret, it can use its Google Cloud keys to request the information from Segura. Segura validates the given key with Google Cloud and maps the policies attributed to the requester. If the data is valid, Segura allows the application to interact with DSM secrets and authorizations.
GitHub Authenticator
GitHub authentication gives users and applications a way to connect to and authenticate in Segura using GitHub users' tokens. This method is most commonly used by individual users to consume Segura resources.
Configure GitHub Authenticator
Step 1
Create a GitHub user token with the admin:org scope as described in the GitHub documentation. The admin:org scope grants full control of the organizations the user belongs to, so issue the token from a dedicated account and keep it out of source control.
Step 2
Configure GitHub authenticator in Segura:
- Go to Settings > Authentication > Providers.
- Click on the options button and select New provider.
- On the screen, select the GitHub option and provide the User token.
- To finish, go to DSM > Application > Application.
When a user needs to use a secret, they can use their GitHub personal token to request the information from Segura. Segura validates the given token with GitHub and maps the policies attributed to the requester. If the data is valid, Segura allows the application to interact with DSM secrets and authorizations.
OpenID Authenticator
OpenID Connect (OIDC) is an identity layer on top of the OAuth 2.0 protocol that allows clients to verify the identity of an end user and obtain basic profile information about them. It makes it possible to use one account to authenticate to multiple applications. Segura OIDC Authenticator uses the authentication layer provided by OIDC to enable applications to authenticate and fetch secrets from Segura.
Configuring OpenID Authenticator
You must provide the following information to register this authentication method:
- Provider name.
- Token.
- Redirect URL.
Consult your OpenID provider's documentation or talk to our support team for details. Then follow these steps to configure your OpenID provider as an authentication method:
- Go to Settings > Authentication > Providers.
- Click on the options button and select New provider.
- On the screen, select the OpenID option and fill Provider, Token and Redirect URL fields.
- To finish, go to DSM > Application > Application.
To use the OpenID Authenticator, the application sends a token to Segura, which validates it with the OpenID provider. For a valid token, Segura delivers the secret to the requesting application.
Kubernetes Authenticator
Segura Kubernetes Authenticator offers a way for Kubernetes applications and resources to authenticate in Segura, using Kubernetes tokens, to access secrets managed by the solution. This method lets containers managed by Kubernetes authenticate to Segura easily.
Configure Kubernetes Authenticator
Step 1
Create the service account that Segura will present to the cluster and bind it to a cluster role. The manifest below only creates the binding: the ServiceAccount senhasegura-authenticator in kube-system and the ClusterRole of the same name must already exist (this page does not list the ClusterRole's rules). A token for that service account is then issued by the cluster (on Kubernetes 1.24 and later, for example, with kubectl create token senhasegura-authenticator -n kube-system); the manifest itself does not generate a token.
kubectl apply -f - <<EOF
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  # ClusterRoleBinding is cluster-scoped, so it takes no namespace
  name: senhasegura-authenticator
subjects:
- kind: ServiceAccount
  name: senhasegura-authenticator
  namespace: kube-system
roleRef:
  kind: ClusterRole
  name: senhasegura-authenticator
  apiGroup: rbac.authorization.k8s.io
EOF
To use the Kubernetes Authenticator, the application sends its service account token to Segura, which validates it against the Kubernetes API server. For a valid token, Segura delivers the secret to the requesting application.
SPIFFE Authenticator
SPIFFE, the Secure Production Identity Framework for Everyone, is a set of open-source standards for securely identifying software systems in dynamic and heterogeneous environments. Systems that adopt SPIFFE can easily and reliably mutually authenticate wherever they are running. Segura SPIFFE Authenticator offers a way for workloads to authenticate with Segura to access secrets managed by the solution using SPIFFE Verifiable Identity Documents (SVIDs), which are short-lived cryptographic identity documents.
Configure SPIFFE Authenticator
To use this authentication method, follow these steps:
Step 1
Obtain the root.pem and bundle.pem files used in your SPIFFE topology from your CA.
Step 2
Configure SPIFFE as an authenticator in Segura:
- Go to Settings > Authentication > Providers.
- Click on the New provider button.
- Select the SPIFFE option and provide the Root certificate and the Bundle certificate.
- Click on the Save button.
Step 3
Configure the application to use SPIFFE authentication in Segura:
- Go to DSM > Application > Application.
- Edit or create a new application and select SPIFFE Authenticator.
- Click on the Save button.
Step 4
Configure the Workload SN in an Authorization in Segura:
- Go to DSM > Application > Authorizations for the application.
- Click on New authorization.
- In the Workload SN (Subject Name) field, fill in the SPIFFE ID of the workloads you want to authorize, for example spiffe://webservices.example.com/environment/application/database/.
- Click on the Save button.
With this authentication method, applications and microservices can consume Segura DSM secrets using their SPIFFE SVID. In the example above, any application or service whose SPIFFE ID starts with spiffe://webservices.example.com/environment/application/database/ will be able to authenticate and get the secrets defined by the Authorization permissions.
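As an added example (not Segura's own code), the check that such an authorization expresses, written in Go with only the standard library: verify that an X509-SVID chains to the trust bundle, read its SPIFFE ID from the URI SAN, and require it to start with the configured Workload SN. The CA, the SVIDs and the SPIFFE IDs are constructed inline to stand in for root.pem/bundle.pem and a real SPIRE-issued SVID; that the Workload SN is compared against the URI SAN, and the plain prefix comparison, are this example's assumptions about how Segura applies the field.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"strings"
	"time"
)

// TrustDomainCA is a constructed root that stands in for the root.pem and
// bundle.pem registered on the provider, plus the key used to mint test SVIDs.
type TrustDomainCA struct {
	Cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

func NewTrustDomainCA() (*TrustDomainCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "webservices.example.com trust domain CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &TrustDomainCA{Cert: cert, key: key}, nil
}

// IssueSVID mints a short-lived X509-SVID whose URI SAN carries the SPIFFE ID.
func (ca *TrustDomainCA) IssueSVID(spiffeID string, ttl time.Duration) (*x509.Certificate, error) {
	id, err := url.Parse(spiffeID)
	if err != nil {
		return nil, err
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(ttl),
		URIs:         []*url.URL{id},
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, &key.PublicKey, ca.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Authorize is the check behind the Workload SN field: the SVID must chain to
// the trust bundle and its SPIFFE ID must start with the configured SN.
func Authorize(svid *x509.Certificate, bundle []*x509.Certificate, workloadSN string) (string, error) {
	roots := x509.NewCertPool()
	for _, c := range bundle {
		roots.AddCert(c)
	}
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := svid.Verify(opts); err != nil {
		return "", fmt.Errorf("SVID not trusted: %w", err)
	}
	if len(svid.URIs) != 1 || svid.URIs[0].Scheme != "spiffe" {
		return "", errors.New("not an X509-SVID: expected exactly one spiffe:// URI SAN")
	}
	id := svid.URIs[0].String()
	// Plain prefix match, as the text above describes. Keep the trailing slash
	// on the SN: ".../database" would also admit ".../database-backup/...".
	if !strings.HasPrefix(id, workloadSN) {
		return "", fmt.Errorf("%s is not authorized for %s", id, workloadSN)
	}
	return id, nil
}

func main() {
	ca, _ := NewTrustDomainCA()
	svid, _ := ca.IssueSVID("spiffe://webservices.example.com/environment/application/database/orders", time.Hour)
	fmt.Println(Authorize(svid, []*x509.Certificate{ca.Cert}, "spiffe://webservices.example.com/environment/application/database/"))
}
```

The chain check comes first so that a certificate from a CA outside the registered bundle is rejected before its SPIFFE ID is even read; an expired SVID fails the same check, which is what makes short-lived SVIDs useful.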
Application signature (fingerprinting)
Segura Application signature offers a way for applications and resources to authenticate in Segura, using a fingerprint, to access secrets managed by the solution. This method helps developers connect to Segura without having to handle other authentication methods.
Configuring Application signature (fingerprint)
- To begin with Application signature, the **Signature Provider** must be registered on Segura.
- Go to Settings > Authentication > Providers.
- Click on the options button and select New provider.
- On the screen, provide the Header fields and the Algorithm that will be used to validate signatures.
- To finish, go to DSM > Application > Application.
- Edit or create a New application and select Application signature. The keyId will be generated by Segura when an authorization is created.
To use the Application Signature Authenticator, the application sends an Authorization header using the Signature scheme, carrying the keyId, the algorithm, the list of signed header fields and a base64-encoded signature, as in this example:
Authorization: Signature keyId="fa30cf74c412cae5c05a1371241df6bf06019590a",
algorithm="rsa-sha256", headers="host date appname system
environment", signature="WldkMWNtRUtaVzUyYVhhc2RhSnZibTFsYm5ROWNISnZaQWFzZA=="
Segura validates the signature with the application's public key and the stated algorithm. If the signature is valid, Segura delivers the secret to the requesting application.
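As an added example (not Segura's own code), both ends of the exchange above in Go with the standard library: the client builds the Authorization value from the named headers and an RSA key, and the server parses it, looks the public key up by keyId, checks the algorithm, rebuilds the signing string from the headers it actually received and verifies the signature. The signing-string construction (one "name: value" line per signed header, joined by newlines, following the HTTP Signatures draft) is an assumption, since the page does not state it; the key, keyId lookup table and header values are constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// signingString builds the text that gets signed: one "name: value" line per
// header named in the headers= parameter, in that order (assumed convention,
// confirm against Segura before relying on it).
func signingString(names []string, hdrs map[string]string) (string, error) {
	lines := make([]string, 0, len(names))
	for _, n := range names {
		v, ok := hdrs[n]
		if !ok {
			return "", fmt.Errorf("missing signed header %q", n)
		}
		lines = append(lines, n+": "+v)
	}
	return strings.Join(lines, "\n"), nil
}

// BuildAuthorization is the client side: sign the named headers with the
// application's RSA key and return the Authorization value in the format above.
func BuildAuthorization(keyID string, priv *rsa.PrivateKey, names []string, hdrs map[string]string) (string, error) {
	s, err := signingString(names, hdrs)
	if err != nil {
		return "", err
	}
	digest := sha256.Sum256([]byte(s))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return fmt.Sprintf(`Signature keyId="%s",algorithm="rsa-sha256",headers="%s",signature="%s"`,
		keyID, strings.Join(names, " "), base64.StdEncoding.EncodeToString(sig)), nil
}

// parseParams splits `Signature k="v",k2="v2"` into a map. Values never
// contain commas here (hex keyId, header names, base64), so a plain split works.
func parseParams(auth string) (map[string]string, error) {
	if !strings.HasPrefix(auth, "Signature ") {
		return nil, errors.New("not a Signature authorization")
	}
	params := map[string]string{}
	for _, kv := range strings.Split(strings.TrimPrefix(auth, "Signature "), ",") {
		k, v, ok := strings.Cut(strings.TrimSpace(kv), "=")
		if !ok {
			return nil, fmt.Errorf("bad parameter %q", kv)
		}
		params[k] = strings.Trim(v, `"`)
	}
	return params, nil
}

// VerifyAuthorization is the server side: look up the key by keyId, check the
// algorithm, insist that the headers the server cares about were signed (a
// client that leaves date out of the signed set could replay the request
// indefinitely), rebuild the signing string from the received headers and verify.
func VerifyAuthorization(auth string, keys map[string]*rsa.PublicKey, hdrs map[string]string, required []string) error {
	p, err := parseParams(auth)
	if err != nil {
		return err
	}
	if p["algorithm"] != "rsa-sha256" {
		return fmt.Errorf("unsupported algorithm %q", p["algorithm"])
	}
	pub, ok := keys[p["keyId"]]
	if !ok {
		return errors.New("unknown keyId")
	}
	names := strings.Fields(p["headers"])
	for _, r := range required {
		if !contains(names, r) {
			return fmt.Errorf("header %q must be covered by the signature", r)
		}
	}
	s, err := signingString(names, hdrs)
	if err != nil {
		return err
	}
	sig, err := base64.StdEncoding.DecodeString(p["signature"])
	if err != nil {
		return err
	}
	digest := sha256.Sum256([]byte(s))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return errors.New("signature invalid")
	}
	return nil
}

func contains(list []string, s string) bool {
	for _, v := range list {
		if v == s {
			return true
		}
	}
	return false
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	keyID := "fa30cf74c412cae5c05a1371241df6bf06019590a"
	hdrs := map[string]string{"host": "segura.example.com", "date": "Tue, 01 Jan 2030 00:00:00 GMT", "appname": "billing", "system": "erp", "environment": "prod"}
	auth, _ := BuildAuthorization(keyID, priv, strings.Fields("host date appname system environment"), hdrs)
	fmt.Println("Authorization:", auth)
	fmt.Println("verify:", VerifyAuthorization(auth, map[string]*rsa.PublicKey{keyID: &priv.PublicKey}, hdrs, []string{"date"}))
}
```

The required list is the server's, not the client's: the headers= parameter tells the verifier what was signed, but only the verifier can decide that date (or appname and environment, which select the authorization) must be among them.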
JWT authentication configuration
JWT authentication allows applications or users to authenticate with the DSM to use secrets saved in the product. By authenticating with a valid JWT, the user obtains an access token to our API, with permissions defined by policies associated with the configured role.
Requirements
- An identity provider capable of issuing valid JWTs (with RS256 or HS256 signature).
- Public key of the provider, if JWTs are signed with RS256.
- A valid JWT with the necessary claims (iss, aud, sub, etc.).
Configuration steps
To begin with JWT authentication, the JWT provider must be registered on Segura.
Enable the JWT authentication method.
In the configuration file or via CLI/API:
auth_methods:
- type: jwt
enabled: true
Configure the identity provider.
You must specify the issuer, the public key (if RS256), and the validation parameters:
POST /auth/jwt/config
{
"issuer": "https://seu-idp.com/",
"jwks_url": "https://seu-idp.com/.well-known/jwks.json",
"audience": "sua-aplicacao-id",
"allowed_algorithms": ["RS256"]
}
Create a role (token-to-policy association rule).
Create a role that defines which tokens can authenticate and what permissions they receive:
POST /auth/jwt/roles/dev-app
{
"bound_audiences": ["sua-aplicacao-id"],
"bound_issuer": "https://seu-idp.com/",
"user_claim": "sub",
"policies": ["read-secrets", "list-keys"],
"token_ttl": "1h"
}
Perform login with JWT
The client application sends the JWT to obtain an access token. On success, the response carries the token, the policies attached to the matching role and its lifetime in seconds:
{
"auth": {
"access_token": "s.abc123xyz",
"policies": ["read-secrets", "list-keys"],
"expires_in": 3600
}
}
Validations
When the JWT is received, the following validations are performed:
- Verify the signature (via the public key or the shared secret).
- Verify that iss and aud are among those allowed in the role.
- Reject tokens outside their validity window (exp, and nbf when present).
- Extract the sub claim, or another claim configured as the user's identity.
- Associate the policies defined in the corresponding role.
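As an added example (not Segura's implementation), the validation sequence above in Go using only the standard library. A token is minted with RS256 from a generated key, standing in for the identity provider and its jwks_url, and then validated against a Role that carries the same fields as the config and role JSON above (issuer, audiences, allowed algorithms, user claim, policies). The struct and function names, and the choice to hold the public key directly instead of fetching a JWKS, are this example's own.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Role carries the fields of the JWT provider config and role above, merged
// into one struct. The public key is held directly instead of being fetched
// from jwks_url so that the example runs offline.
type Role struct {
	BoundIssuer       string
	BoundAudiences    []string
	UserClaim         string
	Policies          []string
	AllowedAlgorithms []string
	PublicKey         *rsa.PublicKey
}

// MintRS256 builds a JWT signed with RSASSA-PKCS1-v1_5 over SHA-256 (RS256).
// It only constructs test input; in practice the identity provider issues it.
func MintRS256(priv *rsa.PrivateKey, claims map[string]interface{}) (string, error) {
	enc := base64.RawURLEncoding.EncodeToString
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, _ := json.Marshal(claims)
	signingInput := enc(hdr) + "." + enc(body)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + enc(sig), nil
}

// Validate runs the checks listed above in order and returns the user claim
// plus the role's policies, i.e. what the login response carries.
func Validate(token string, role Role, now time.Time) (string, []string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", nil, errors.New("malformed token")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if err := decodeJSON(parts[0], &hdr); err != nil {
		return "", nil, err
	}
	// The accepted algorithm comes from configuration, never from the token:
	// this refuses "alg":"none" and HS256 tokens sent to an RS256 provider.
	// Only RS256 is implemented; HS256 would verify an HMAC with the secret.
	if !contains(role.AllowedAlgorithms, hdr.Alg) || hdr.Alg != "RS256" {
		return "", nil, fmt.Errorf("algorithm %q not allowed", hdr.Alg)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return "", nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(role.PublicKey, crypto.SHA256, digest[:], sig); err != nil {
		return "", nil, errors.New("signature verification failed")
	}
	// Claims are only read once the signature is known to be good.
	var claims map[string]interface{}
	if err := decodeJSON(parts[1], &claims); err != nil {
		return "", nil, err
	}
	iss, _ := claims["iss"].(string)
	aud, _ := claims["aud"].(string)
	exp, _ := claims["exp"].(float64)
	user, _ := claims[role.UserClaim].(string)
	switch {
	case iss != role.BoundIssuer:
		return "", nil, errors.New("issuer not allowed")
	case !contains(role.BoundAudiences, aud):
		return "", nil, errors.New("audience not allowed")
	case exp == 0 || !now.Before(time.Unix(int64(exp), 0)):
		return "", nil, errors.New("token expired or exp missing")
	case user == "":
		return "", nil, fmt.Errorf("missing %q claim", role.UserClaim)
	}
	return user, role.Policies, nil
}

// decodeJSON base64url-decodes one JWT segment and unmarshals it into v.
func decodeJSON(seg string, v interface{}) error {
	raw, err := base64.RawURLEncoding.DecodeString(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

func contains(list []string, s string) bool {
	for _, v := range list {
		if v == s {
			return true
		}
	}
	return false
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	role := Role{BoundIssuer: "https://seu-idp.com/", BoundAudiences: []string{"sua-aplicacao-id"}, UserClaim: "sub",
		Policies: []string{"read-secrets", "list-keys"}, AllowedAlgorithms: []string{"RS256"}, PublicKey: &priv.PublicKey}
	tok, _ := MintRS256(priv, map[string]interface{}{"iss": role.BoundIssuer, "aud": "sua-aplicacao-id", "sub": "dev-app", "exp": time.Now().Add(time.Hour).Unix()})
	fmt.Println(Validate(tok, role, time.Now()))
}
```

The order matters: the algorithm is fixed by allowed_algorithms before anything in the token is trusted, and the signature is checked before any claim is read, so a token whose header says alg none, or an HS256 token signed with the public key used as the HMAC secret, is refused without its claims ever influencing the outcome.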
Without authentication
Segura offers a way for applications to consume the resources without authentication. This method will identify the application based on the unique key generated for it and will control the application access based on the authorization policies.
Configuring an authorization without authentication
- Go to DSM > Application > Application.
- Edit or create a New application and select Without authentication.
To increase security when using senhasegura® DSM features without authentication, we suggest adding IP access restrictions, restricting the requesting source, and limiting permissions. Without an authentication method, the application can consume senhasegura® resources by providing only its Customer Key.