Version: Next

Configure Identity Providers

Identity providers are the token issuers your gateway trusts. When an agent endpoint is secured with OAuth, the gateway validates incoming JWTs against the identity providers configured on it. Each agent then chooses which of those providers it accepts.

Identity providers are owned by the gateway, not by Agent Manager. You manage them from the Identity Providers card on a gateway's detail page in the console, which renders a command you run against your cluster. The command updates the gateway's runtime configuration and then syncs Agent Manager's records.

There are two types of identity provider:

  • System — bundled with the platform (for example, ThunderKeyManager, the WSO2 Thunder IDP). System providers cannot be removed.
  • Custom — any external issuer you add (for example, an Auth0 tenant or Microsoft Entra ID).

Prerequisites

  • A registered gateway in the environment you want to secure.
  • Terminal access to your cluster with kubectl, helm, and jq configured. For the quickstart, run the command inside the dev container shell.

Step 1: Open the Gateway's Identity Providers

  1. Open the AMP Console.
  2. In the left sidebar, under INFRASTRUCTURE, click Gateways, then open the gateway you want to secure.
  3. On the gateway's detail page, find the Identity Providers card.

The card lists the identity providers configured on this gateway, showing each provider's type, issuer, and environment.

Step 2: Add an Identity Provider

  1. In the Identity Providers card, click Add Identity Provider.
  2. The Gateway is already selected. Choose the Environment the provider belongs to (it is selected automatically when the gateway maps to a single environment).
  3. Enter a Name. Agents reference the provider by this name, so choose something stable and descriptive, such as Auth0 or EntraID.
  4. Provide the issuer details in one of two ways:
    • Discover from URL — paste the provider's OpenID configuration URL (for example, https://your-tenant.us.idp.com/.well-known/openid-configuration) and click Fetch. The Issuer and JWKS URI fields are filled in for you from the document's issuer and jwks_uri values.
    • Manual entry — type the Issuer (the expected iss claim value) and the JWKS URI directly. Copy the issuer exactly as the provider emits it in iss; a trailing-slash or scheme difference is enough for token validation to fail.
Skip TLS verification

Enable Skip TLS verification when fetching JWKS only for trusted internal issuers whose certificates the gateway cannot validate. Leave it off for public providers: with verification disabled, anyone who can intercept the JWKS fetch can substitute their own keys, and the gateway will then accept tokens they mint.
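The checks worth running on a discovery document before trusting the values it fills in, as an added example written for this page (Go, not the console's or the gateway's own code): the issuer in the document must equal the discovery URL minus /.well-known/openid-configuration, which is the OpenID Connect Discovery rule and catches a document served for the wrong tenant or through a misdirected proxy, and both the discovery URL and jwks_uri must be https. The function name issuerFields and the metadata documents are constructed for the example; a real run would GET the URL instead of embedding the JSON.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// discoveryDoc holds the two fields the console fills in from the provider's metadata.
type discoveryDoc struct {
	Issuer  string `json:"issuer"`
	JWKSURI string `json:"jwks_uri"`
}

// issuerFields parses an OpenID provider metadata document and returns the values that
// belong in the Issuer and JWKS URI fields, after three checks: the discovery URL itself
// must be https; the issuer must equal the discovery URL minus
// "/.well-known/openid-configuration" (the OpenID Connect Discovery rule, which catches
// a document served for the wrong tenant or through a misdirected proxy); and jwks_uri
// must be https, because the gateway will trust every key it finds there.
func issuerFields(discoveryURL string, doc []byte) (string, string, error) {
	const suffix = "/.well-known/openid-configuration"
	if !strings.HasPrefix(discoveryURL, "https://") || !strings.HasSuffix(discoveryURL, suffix) {
		return "", "", fmt.Errorf("%q is not an https discovery URL", discoveryURL)
	}
	var d discoveryDoc
	if err := json.Unmarshal(doc, &d); err != nil {
		return "", "", fmt.Errorf("metadata is not valid JSON: %w", err)
	}
	want := strings.TrimSuffix(discoveryURL, suffix)
	if strings.TrimSuffix(d.Issuer, "/") != want {
		return "", "", fmt.Errorf("issuer %q does not match discovery URL prefix %q", d.Issuer, want)
	}
	if !strings.HasPrefix(d.JWKSURI, "https://") {
		return "", "", fmt.Errorf("jwks_uri %q is not https", d.JWKSURI)
	}
	return d.Issuer, d.JWKSURI, nil
}

func main() {
	// Constructed metadata for the page's placeholder tenant; a real run would GET the URL.
	const url = "https://your-tenant.us.idp.com/.well-known/openid-configuration"
	docs := map[string][]byte{
		"correct tenant": []byte(`{"issuer":"https://your-tenant.us.idp.com/","jwks_uri":"https://your-tenant.us.idp.com/.well-known/jwks.json"}`),
		"wrong tenant":   []byte(`{"issuer":"https://other-tenant.us.idp.com/","jwks_uri":"https://other-tenant.us.idp.com/.well-known/jwks.json"}`),
	}
	for label, doc := range docs {
		iss, jwks, err := issuerFields(url, doc)
		fmt.Printf("%s: issuer=%q jwks=%q err=%v\n", label, iss, jwks, err)
	}
}
```

The issuer comparison tolerates only a trailing slash, because that is the one difference the discovery rule allows; anything else (another host, another tenant path, a scheme change) is a reason to stop and check what the URL actually resolved to.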

Step 3: Run the Rendered Command

The dialog renders a curl ... | bash command. Copy it and run it in a terminal where kubectl, helm, and jq are configured against your cluster. Your access token is substituted into the command when you copy it, so treat the copied text as a credential: do not paste it into tickets or chat, and remember that it lands in your shell history.

Behind the scenes the command:

  1. Patches the gateway's runtime configuration (the keymanagers array in its ConfigMap) with the new issuer and JWKS URI.
  2. Runs helm upgrade on the gateway release to apply the change.
  3. Syncs Agent Manager's record of the provider.
  4. Waits for the gateway to finish reprogramming.

The command is idempotent — it is safe to re-run. Once it completes, the new provider appears in the gateway's Identity Providers card and becomes selectable when securing an agent with OAuth.

Step 4: Remove an Identity Provider

  1. In the Identity Providers card, hover the provider you want to delete and click the remove icon to open the Remove Identity Provider dialog.
  2. Copy the rendered command (it includes ACTION=delete) and run it the same way as in Step 3.

System providers such as ThunderKeyManager cannot be removed.

Always use the rendered command

Manage identity providers only through the command the console renders. The PUT/DELETE /orgs/{org}/gateways/{id}/identity-providers/{name} API endpoints update only Agent Manager's record of the gateway's providers — they do not change the gateway runtime. If you call them directly, Agent Manager and the gateway can drift apart: an agent may appear to deploy successfully while the gateway rejects every token at runtime.
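What "validates incoming JWTs against the identity providers configured on it" means in practice, and why the drift described above ends in every token being rejected, as an added example written for this page (Go; not the gateway's code, and a model of its check rather than its implementation). It assumes an in-memory key set standing in for the JWKS the gateway fetches, ES256 as the only allowed algorithm, a constructed provider named Auth0 with the page's placeholder issuer, and a second issuer https://unsynced.example/ that was never written to the gateway runtime. Provider, signES256, validate, runScenario and the kid key-1 are names chosen for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
)

var b64 = base64.RawURLEncoding

// Provider is what the console collects per identity provider: a stable Name and the exact
// iss value. Keys stands in for the JWKS the gateway fetches (assumption: in memory, by kid).
type Provider struct {
	Name, Issuer string
	Keys         map[string]*ecdsa.PublicKey
}

// signES256 mints a token the way the IdP would: base64url(header).base64url(claims),
// ECDSA P-256 over SHA-256, signature encoded as raw r||s (32 bytes each) as JWS requires.
func signES256(priv *ecdsa.PrivateKey, kid string, claims map[string]interface{}) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(claims)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	h := sha256.Sum256([]byte(input))
	r, s, _ := ecdsa.Sign(rand.Reader, priv, h[:])
	sig := make([]byte, 64)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + b64.EncodeToString(sig)
}

// validate models the gateway check. gateway is keyed by provider name (unique per gateway);
// agentAccepts lists the names the agent chose. The token's iss must equal one of those
// providers' issuers exactly, its kid must be in that JWKS, and the signature must verify.
func validate(gateway map[string]Provider, agentAccepts []string, token string) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", fmt.Errorf("malformed token")
	}
	var hdr struct{ Alg, Kid string }
	var claims struct{ Iss string }
	hb, errH := b64.DecodeString(parts[0])
	pb, errP := b64.DecodeString(parts[1])
	if errH != nil || errP != nil || json.Unmarshal(hb, &hdr) != nil || json.Unmarshal(pb, &claims) != nil {
		return "", fmt.Errorf("undecodable header or payload")
	}
	if hdr.Alg != "ES256" { // fixed allowlist: the token never gets to choose "none" or an HMAC alg
		return "", fmt.Errorf("alg %q not allowed", hdr.Alg)
	}
	var p Provider
	for _, name := range agentAccepts {
		if cand, ok := gateway[name]; ok && cand.Issuer == claims.Iss { // exact match, no normalisation
			p = cand
		}
	}
	if p.Name == "" {
		return "", fmt.Errorf("issuer %q is not a provider this agent accepts", claims.Iss)
	}
	pub, ok := p.Keys[hdr.Kid]
	if !ok {
		return "", fmt.Errorf("kid %q is not in the JWKS of %s", hdr.Kid, p.Name)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return "", fmt.Errorf("bad signature encoding")
	}
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, h[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return "", fmt.Errorf("signature does not verify")
	}
	return p.Name, nil
}

// runScenario builds a constructed gateway with one custom provider and validates two tokens
// signed by the same IdP key: one with that provider's issuer, one with an issuer the runtime never saw.
func runScenario() (acceptedBy string, driftErr error, err error) {
	idp, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", nil, err
	}
	const issuer = "https://your-tenant.us.idp.com/" // constructed placeholder, as on the page
	gateway := map[string]Provider{"Auth0": {Name: "Auth0", Issuer: issuer, Keys: map[string]*ecdsa.PublicKey{"key-1": &idp.PublicKey}}}
	good := signES256(idp, "key-1", map[string]interface{}{"iss": issuer, "sub": "agent-client"})
	drift := signES256(idp, "key-1", map[string]interface{}{"iss": "https://unsynced.example/", "sub": "agent-client"})
	if acceptedBy, err = validate(gateway, []string{"Auth0"}, good); err != nil {
		return "", nil, err
	}
	_, driftErr = validate(gateway, []string{"Auth0"}, drift)
	return acceptedBy, driftErr, nil
}

func main() { fmt.Println(runScenario()) }
```

The drift token is correctly signed by a key the gateway trusts; it is rejected purely because its iss is not on the gateway's list, which is exactly the state a direct PUT to Agent Manager leaves you in. A production validator additionally enforces exp, nbf and aud and refreshes the JWKS on an unknown kid; those are left out here to keep the provider lookup visible.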

Notes

  • Agents reference an identity provider by its name, not its issuer URL.
  • A provider name is unique within a gateway.
  • ThunderKeyManager is the bundled default identity provider.
  • After adding a provider, secure an agent with it by following Secure Agent Endpoints with OAuth.