Hi, I'm trying to connect my Vault to my JumpCloud SSO using OIDC.
I read that I should create an external group and an alias to automatically assign policies to the existing groups.
I configured Vault the following way:
```shell
vault write auth/oidc/config \
    oidc_discovery_url="https://oauth.id.jumpcloud.com/" \
    oidc_client_id="<redacted>" \
    oidc_client_secret="<redacted>" \
    default_role="default"

# groups_claim names the ID-token claim whose values Vault matches against
# group-alias names; without it no external group is ever mapped to the entity.
vault write auth/oidc/role/default -<<EOF
{
  "user_claim": "name",
  "groups_claim": "groups",
  "ttl": "1h",
  "bound_claims": { "groups": ["jumpcloud_group_example", "<redacted>", "<redacted>", "<redacted>"] },
  "allowed_redirect_uris": ["https://<vault_url>/ui/vault/auth/oidc/oidc/callback","http://localhost:8250/oidc/callback"]
}
EOF
```
and created the following group:
```shell
# Accessor of the OIDC auth mount; the group alias must be bound to it.
vault auth list -format=json | jq -r '.["oidc/"].accessor' > accessor.txt

# External group that carries the policy to grant.
vault write -format=json identity/group name="jumpcloud_group_example" \
    policies="admin" \
    type="external" \
    metadata=description="Vault Administrators" | jq -r ".data.id" > group_id.txt

# The alias name must be the group value exactly as it appears in the
# ID token's groups claim, not the group's JumpCloud object ID.
vault write identity/group-alias name="<jumpcloud_group_id>" \
    mount_accessor=$(cat accessor.txt) \
    canonical_id=$(cat group_id.txt)
```
I manage to log in through the UI (through the SSO popup), but when checking the token, identity_policies is empty and does not contain the admin policy, and the group stays empty:
```
Key                  Value
---                  -----
token                <redacted>
token_accessor       uGxaLFy2x4rj4e8q5vK4Lfzo
token_duration       59m46s
token_renewable      true
token_policies       ["default"]
identity_policies    []
policies             ["default"]
token_meta_role      default
```
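An added check (not from the original post or from Vault itself) that takes the JSON `vault read -format=json` returns for the OIDC role and for each group alias, plus the group values seen in the ID token's groups claim (as logged by the role's `verbose_oidc_logging` option), and reports why a group would not map to an external group. The role, alias and accessor values below are constructed samples in the shape of the post's configuration.

```python
# Constructed sample of `vault read -format=json auth/oidc/role/default` output,
# first as the post has it (no groups_claim), then with groups_claim set.
ROLE_BEFORE = {"data": {"user_claim": "name", "groups_claim": "",
               "bound_claims": {"groups": ["jumpcloud_group_example"]}}}
ROLE_AFTER = {"data": {"user_claim": "name", "groups_claim": "groups",
              "bound_claims": {"groups": ["jumpcloud_group_example"]}}}

# Constructed accessor; the real one comes from `vault auth list -format=json`.
OIDC_ACCESSOR = "auth_oidc_constructed0"

# Constructed group-alias records in the shape of
# `vault read -format=json identity/group-alias/id/<id>`.
ALIAS_WRONG_NAME = {"data": {"name": "group-object-id-placeholder",
                             "mount_accessor": OIDC_ACCESSOR, "canonical_id": "g1"}}
ALIAS_RIGHT_NAME = {"data": {"name": "jumpcloud_group_example",
                             "mount_accessor": OIDC_ACCESSOR, "canonical_id": "g1"}}

# Group values as they appear in the ID token's groups claim (constructed).
TOKEN_GROUPS = ["jumpcloud_group_example"]


def check_group_mapping(role, aliases, accessor, token_groups):
    """Return the reasons the token's groups would not map to external groups.

    An empty list means the role reads a groups claim and every group value
    in the token has an alias bound to the OIDC mount's accessor.
    """
    problems = []
    if not (role["data"].get("groups_claim") or ""):
        problems.append("role has no groups_claim: Vault reads no groups "
                        "from the ID token, so no alias can ever match")
    # Only aliases bound to this mount's accessor are consulted by Vault.
    names = {a["data"]["name"] for a in aliases
             if a["data"].get("mount_accessor") == accessor}
    for group in token_groups:
        if group not in names:
            problems.append(f"no group alias named {group!r} on accessor "
                            f"{accessor}: alias name must equal the claim value")
    return problems


if __name__ == "__main__":
    for label, role, aliases in (("before", ROLE_BEFORE, [ALIAS_WRONG_NAME]),
                                 ("after", ROLE_AFTER, [ALIAS_RIGHT_NAME])):
        found = check_group_mapping(role, aliases, OIDC_ACCESSOR, TOKEN_GROUPS)
        print(label, "->", found or "groups map to external groups")
```

With the post's configuration the check reports both the missing `groups_claim` and the alias name mismatch; with the corrected role and an alias named after the claim value it reports nothing.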