Use SecureAuth for OIDC authentication
[!IMPORTANT]
Documentation Update: Product documentation, which was located in this repository under `/website`, is now located in `hashicorp/web-unified-docs`, colocated with all other product documentation. Contributions to this content should be made in the `web-unified-docs` repo, and not this one. Changes made to `/website` content in this repo will not be reflected on the developer.hashicorp.com website.
The SecureAuth identity provider returns group membership claims as a comma-separated list of strings (e.g. `groups: "group-1,group-2"`) instead of a list of strings.

To properly obtain group membership when using SecureAuth as the identity provider for Vault's OIDC Auth Method, the `secureauth` provider must be explicitly configured as shown below.
```shell
vault write auth/oidc/config -<<"EOH"
{
  "oidc_client_id": "your_client_id",
  "oidc_client_secret": "your_client_secret",
  "default_role": "your_default_role",
  "oidc_discovery_url": "https://idp.sasp.gosecureauth.com/your_secure_auth",
  "provider_config": {
    "provider": "secureauth"
  }
}
EOH
```
This will instruct the OIDC Auth Method to parse the comma-separated groups claim string into individual groups. Note that the role's `groups_claim` value must be properly configured to target the groups claim for your SecureAuth identity provider.
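As an added illustration (not code from Vault or its OIDC auth plugin), the Go program below mirrors the normalization the `secureauth` provider setting enables: a comma-separated `groups` string is split into individual groups, while a provider that already returns a JSON array passes through unchanged. The claim payloads are constructed samples, and only a top-level claim name is handled (Vault's `groups_claim` also accepts JSON pointer syntax, which this example omits).

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed sample claim payloads: the SecureAuth shape ("groups" is one
// comma-separated string) and the usual JSON-array shape.
const secureAuthClaims = `{"sub":"alice","groups":"group-1, group-2,group-3,"}`
const listClaims = `{"sub":"bob","groups":["group-1","group-2"]}`

// GroupsFromToken decodes a claims payload and returns the groups named by
// groupsClaim as []string. An array of strings passes through; a
// comma-separated string (SecureAuth's shape) is split, trimmed and stripped
// of empty entries. Only a top-level claim name is handled here.
func GroupsFromToken(payload, groupsClaim string) ([]string, error) {
	var claims map[string]interface{}
	if err := json.Unmarshal([]byte(payload), &claims); err != nil {
		return nil, err
	}
	var groups []string
	switch v := claims[groupsClaim].(type) {
	case []interface{}:
		for _, g := range v {
			s, ok := g.(string)
			if !ok {
				return nil, fmt.Errorf("claim %q has non-string entry %v", groupsClaim, g)
			}
			groups = append(groups, s)
		}
	case string:
		for _, g := range strings.Split(v, ",") {
			if g = strings.TrimSpace(g); g != "" {
				groups = append(groups, g)
			}
		}
	default: // missing claim (nil) or any other type is rejected
		return nil, fmt.Errorf("claim %q missing or of unsupported type %T", groupsClaim, v)
	}
	return groups, nil
}

func main() {
	for _, payload := range []string{secureAuthClaims, listClaims} {
		groups, err := GroupsFromToken(payload, "groups")
		fmt.Printf("%s -> %q (err=%v)\n", payload, groups, err)
	}
}
```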