Authentication Methods

In Authentication and Authorization, we saw that Authentication Methods represent machine identities or human identities.

Rather than authenticating identities directly, Akeyless typically integrates with third-party identity providers that issue authentication tokens.

For machine access, Akeyless supports:

• Cloud identities (CSP IAM) such as AWS IAM, Azure AD, GCP IAM, and OCI IAM
• On-prem machines using Universal Identity™
• Kubernetes
• Certificate
• OAuth2.0/JWT
• API Keys
• Kerberos

For human access, Akeyless supports:

• LDAP
• SAML
• OIDC
• OAuth2.0/JWT
• Email
• API Keys

which are used by known identity providers such as Okta, Azure AD, and others.

Authentication Settings

Under your account settings in the console, you will find a tab titled Authentication Settings. Currently, this tab allows you to customize the expiration limits (TTL), and default for authentication methods that are time-sensitive.

You can set a custom range of possible TTL for your tokens, setting the minimum, default, and maximum allowed TTL for your tokens.

The default setting of your token TTL will affect all your authentication methods unless you have set a different TTL for a specific authentication method.

ℹ️

Note:

For an authentication method to have the necessary permissions to perform actions, you will need to attach it to a matching role. To learn more about this, please go to Role-Based Access Control (RBAC).

Product Type

Accounts with multiple products can label each authentication method, mostly for billing and feature access based on their products. It is recommended to set the relevant product type for the expected usage to provide your end users with the exact features for the relevant product.

Common Optional Features

The following optional features are available across Authentication Methods:

• Location: Set the path to the virtual folder where the authentication method is created, using / separators.
• Description: Add a description for the authentication method.
• Expiration Date: Select an access expiration date. This parameter is optional. Leave it empty for access to continue without an expiration date.
• Allowed Client IPs: Enter a comma-separated list of CIDR blocks from which the client can issue calls to the proxy. By "client," we mean cURL, SDKs, and so on. This parameter is optional. Leave it empty for unrestricted access.
• Allowed Trusted Gateway IPs: Comma-separated CIDR blocks. If specified, the Gateway using this IP range will be trusted to forward the original client IP. If empty, the Gateway's IP address will be used.
• Audit Log Sub-Claims: Include the following sub-claims values in Audit Logs.
• JWT TTL (in minutes): The time span from authentication to JWT expiration.
• Allowed Client Type: Select the allowed client types that will be authorized to use this authentication method. Multiple options can be selected. For example, CLI, Web UI, Extension, Mobile, Gateway Admin, or SDK.
• Delete Protection: Enable this option to protect the authentication method from accidental deletion.
• Require Sub Claim on role association: Enable this checkbox to require sub-claims when a role is associated with this authentication method.

Tutorial

Check out our tutorial video on Authentication Methods.