mirror of
https://github.com/hashicorp/vault.git
synced 2025-08-22 23:21:08 +02:00
0660ea6fac
* Update README Let contributors know that docs will now be located in UDR * Add comments to each mdx doc Comment has been added to all mdx docs that are not partials * chore: added changelog changelog check failure * wip: removed changelog * Fix content errors * Doc spacing * Update website/content/docs/deploy/kubernetes/vso/helm.mdx Co-authored-by: Tu Nguyen <im2nguyen@users.noreply.github.com> --------- Co-authored-by: jonathanfrappier <92055993+jonathanfrappier@users.noreply.github.com> Co-authored-by: Tu Nguyen <im2nguyen@users.noreply.github.com>
52 lines
2.3 KiB
Plaintext
52 lines
2.3 KiB
Plaintext
---
|
|
layout: docs
|
|
page_title: SCEP - Auth Methods
|
|
description: The SCEP auth method is used to authenticate clients using the PKI SCEP integration, it isn't useful by itself.
|
|
---
|
|
|
|
> [!IMPORTANT]
|
|
> **Documentation Update:** Product documentation, which were located in this repository under `/website`, are now located in [`hashicorp/web-unified-docs`](https://github.com/hashicorp/web-unified-docs), colocated with all other product documentation. Contributions to this content should be done in the `web-unified-docs` repo, and not this one. Changes made to `/website` content in this repo will not be reflected on the developer.hashicorp.com website.
|
|
|
|
# SCEP auth method
|
|
|
|
|
|
@include 'alerts/enterprise-only.mdx'
|
|
|
|
The SCEP authentication method controls static challenges and Intune
|
|
authentication methods for clients using the SCEP protocol within given PKI
|
|
mounts.
|
|
|
|
## Authentication
|
|
|
|
Do not use the SCEP plugin directly. SCEP mount paths only support
|
|
[delegated authentication](/vault/api-docs/system/mounts#delegated_auth_accessors)
|
|
from a PKI mount.
|
|
|
|
Multiple PKI mounts can use the same SCEP authN mount. If you configure a PKI
|
|
mount without an associated SCEP role, Vault returns the first matching SCEP
|
|
role that meets the other request criteria.
|
|
|
|
PKI mounts configured for Intune only match SCEP auth roles with `intune` set as
|
|
the authentication type. All other PKI mounts can match to SCEP auth roles with
|
|
`static-challenge` set as the authentication type.
|
|
|
|
## Configuration
|
|
|
|
Configure the SCEP authentication method through roles. Within each SCEP role,
|
|
specify the authentiation type with `auth_type` to indicate whether your SCEP
|
|
mount uses static challenge authentication or Intune authentication.
|
|
|
|
`auth_type` | Authentication
|
|
------------------ | --------------
|
|
`static-challenge` | Method specified in `challenge` parameter
|
|
`intune` | Intune authentication
|
|
|
|
When the authentication methods repeast across multiple roles, You must
|
|
configure your PKI mounts with the prefered SCEP role name to match with the
|
|
appropriate role. If you leave the role name unset, the SCEP mount returns the
|
|
first matching role, which might not have the correct policy attached to it.
|
|
|
|
## API
|
|
|
|
The SCEP auth method has a full HTTP API. Refer to the [SCEP auth API documentation](/vault/api-docs/auth/scep) for more details.
|