AD via OIDC groups claim

Please can you help me fix my issues?

AD via OIDC

All connected and working, but I'm having issues with groups.

E.g. Azure AD has group > t2_admin

I would like to get only the members of the t2_admin AD group to have the Vault admin policy applied

At the moment when I login with OIDC and enter the Role “t2_admin” all users get the admin policy. I’m almost there but if you can point me in the right direction that would be great.

I've looked in forums and blogs and nothing is working yet…

Any help appreciated.

Resurrecting an old post, but have you gotten group mappings to work?

I use a combination of roles and Identity Groups.

On the role:

  • groups_claim is groups

Create an Identity Group:

  • name is your desired group name (can match your AzureAD group name or can be something unique)
  • type is external

Finally create an Identity Group Alias:

  • canonical_id is the internal ID number of your Identity Group created above
  • name is the group ID in Azure (usually formatted as a UUID)
  • mount_accessor is the accessor ID of your Azure JWT auth method mount

If you don’t want to use Identity Secrets you may be able to specify the bound_claims parameter on the role (please note that I have not tested this with AzureAD/OIDC):

  • bound_claims is a map of group = <azuread_group_id>
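As an added example (not code from the thread or from Vault itself), here is the sequence the reply above describes, driven through Vault's HTTP API from Python so the role, external group, accessor lookup and group alias are visible as explicit payloads, with the admin policy attached to the group rather than the role. The mount path `oidc`, the policy name `admin`, the `user_claim` and `allowed_redirect_uris` role settings and the Azure group object ID are assumed placeholders.

```python
import json
import os
import urllib.request

# Constructed example values (hypothetical): the mount path, policy name and the
# Azure group object ID below are placeholders, not values from any real tenant.
VAULT_ADDR = os.environ.get("VAULT_ADDR", "http://127.0.0.1:8200")
VAULT_TOKEN = os.environ.get("VAULT_TOKEN", "")
OIDC_MOUNT = "oidc"                                              # auth mount path
AZURE_GROUP_OBJECT_ID = "00000000-0000-0000-0000-000000000000"  # placeholder UUID

def api(method, path, body=None):
    """Minimal Vault HTTP API call; returns the JSON body, or {} on 204."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(f"{VAULT_ADDR}/v1/{path}", data=data, method=method)
    req.add_header("X-Vault-Token", VAULT_TOKEN)
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}

def role_payload(mount):
    # The role grants only "default": putting admin here hands it to every OIDC
    # user who selects the role, which is the original poster's problem.
    return {"role_type": "oidc", "user_claim": "email", "groups_claim": "groups",
            "allowed_redirect_uris": [f"{VAULT_ADDR}/ui/vault/auth/{mount}/oidc/callback"],
            "token_policies": ["default"]}

def group_payload(name, policies):
    # External group: membership comes from the auth method's groups claim.
    return {"name": name, "type": "external", "policies": policies}

def alias_payload(azure_group_id, accessor, canonical_id):
    # Alias name is the Azure group object ID exactly as it appears in the claim.
    return {"name": azure_group_id, "mount_accessor": accessor, "canonical_id": canonical_id}

def mount_accessor(auths, mount):
    """Pick the accessor for one mount out of the GET sys/auth 'data' map."""
    return auths[f"{mount}/"]["accessor"]

def main():
    api("POST", f"auth/{OIDC_MOUNT}/role/t2_admin", role_payload(OIDC_MOUNT))
    accessor = mount_accessor(api("GET", "sys/auth")["data"], OIDC_MOUNT)
    created = api("POST", "identity/group", group_payload("t2_admin", ["admin"]))
    # Updating an existing group returns 204 with no body, so fall back to a lookup.
    gid = (created.get("data") or api("GET", "identity/group/name/t2_admin")["data"])["id"]
    api("POST", "identity/group-alias", alias_payload(AZURE_GROUP_OBJECT_ID, accessor, gid))
    return gid
if __name__ == "__main__":
    main()
```

Run it with VAULT_ADDR and VAULT_TOKEN exported; after login via the t2_admin role, only tokens whose groups claim contains the aliased object ID inherit the admin policy through the group.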

Excellent. I cobbled together a similar config for Gsuite and this is nice to compare it to.