Vault
Use SecureAuth for OIDC authentication
The SecureAuth identity provider returns group membership
claims as a comma-separated list of strings (e.g. groups: "group-1,group-2"
) instead
of a list of strings.
To properly obtain group membership when using SecureAuth as the identity provider for
Vault's OIDC Auth Method, the secureauth
provider must be explicitly configured as
shown below.
vault write auth/oidc/config -<<"EOH"
{
"oidc_client_id": "your_client_id",
"oidc_client_secret": "your_client_secret",
"default_role": "your_default_role",
"oidc_discovery_url": "https://idp.sasp.gosecureauth.com/your_secure_auth",
"provider_config": {
"provider": "secureauth"
}
}
EOH
This will instruct the OIDC Auth Method to parse the comma-separated groups claims string
into individual groups. Note that the role's groups_claim
value must be properly configured to target the groups claim for your SecureAuth identity
provider.