Forbidden when making auth method primary

Hi,

I’m trying to set up a sandbox with Boundary to test if it would be the right fit.

Currently I’m having trouble setting up an auth method as primary: it returns forbidden through the console, through Terraform nothing happens, and via the console it returns “connection refused on 127.0.0.1:9200”.

Could you guys help me and give me some insights on how I could troubleshoot this?

What does your Boundary setup look like? Is it a single dev-mode instance, or a server-mode install?

How are you configuring the auth method; does it show up as a secondary auth method already?

Did you assign roles with permissions to any groups configured for accounts using that auth method?

It’s server mode, and it appeared as secondary. In the meantime I solved it by making the test user admin of the global scope instead of the org scope.

Not yet. I associated some users of that auth to previous accounts (password ones) for testing only.

Does it make sense that specific permission is tied with the global scope?

It may be relevant that when an OIDC auth method is secondary, accounts are not created automatically for it. You have to create the account yourself after the user logs in if it’s a secondary auth method.

Makes sense… I have a follow up question if I may.

Is there a way to give OIDC auto-created users a role? If so, where can I find docs on it?

I think what you want is managed groups. You can create an OIDC auth method, make it primary, create a managed group with membership defined by the OIDC attributes of accounts tied to that auth method, then assign that group to a role.
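The setup described in that reply, written out as a Terraform configuration for the HashiCorp Boundary provider. This is an added example and not code from the original thread or from the Boundary project; the controller address, issuer, client ID, group claim name (`boundary-admins` in the `groups` token claim) and the grant string are placeholders, and the `ids=` grant syntax assumes a recent Boundary release (older releases use `id=`). Note that because the OIDC auth method is marked primary for the org, accounts are created automatically on first login and the managed group filter picks them up without any manual account creation.

```hcl
terraform {
  required_providers {
    boundary = {
      source = "hashicorp/boundary"
    }
  }
}

# Placeholder credentials: an existing password auth method whose user can
# update the org scope. Provider address assumed to be the controller API.
provider "boundary" {
  addr                            = "http://127.0.0.1:9200"
  auth_method_id                  = "ampw_0000000000" # placeholder
  password_auth_method_login_name = "admin"
  password_auth_method_password   = var.admin_password
}

variable "admin_password" {
  type      = string
  sensitive = true
}

variable "oidc_client_secret" {
  type      = string
  sensitive = true
}

# Org scope under global; the default/admin roles it auto-creates are unrelated
# to the OIDC role defined below.
resource "boundary_scope" "org" {
  scope_id                 = "global"
  name                     = "sandbox-org"
  description              = "Org scope for the OIDC sandbox"
  auto_create_admin_role   = true
  auto_create_default_role = true
}

# OIDC auth method, made primary for the org so accounts are auto-created on login.
resource "boundary_auth_method_oidc" "idp" {
  name                 = "corp-oidc"
  scope_id             = boundary_scope.org.id
  issuer               = "https://idp.example.com/" # placeholder issuer
  client_id            = "boundary-sandbox"         # placeholder client ID
  client_secret        = var.oidc_client_secret
  signing_algorithms   = ["RS256"]
  api_url_prefix       = "http://127.0.0.1:9200"
  state                = "active-public"
  is_primary_for_scope = true
}

# Membership is evaluated from the account's OIDC token/userinfo claims.
# Assumed claim: a "groups" array in the ID token containing "boundary-admins".
resource "boundary_managed_group" "admins" {
  name           = "oidc-admins"
  description    = "Accounts whose ID token lists the boundary-admins group"
  auth_method_id = boundary_auth_method_oidc.idp.id
  filter         = "\"boundary-admins\" in \"/token/groups\""
}

# Role in the org scope whose principal is the managed group, so every
# auto-created account matching the filter inherits its grants.
resource "boundary_role" "oidc_admins" {
  name          = "oidc-admins"
  description   = "Org-wide admin grants for the OIDC managed group"
  scope_id      = boundary_scope.org.id
  principal_ids = [boundary_managed_group.admins.id]
  grant_strings = ["ids=*;type=*;actions=*"] # placeholder: scope this down in practice
}
```

The grant string here is deliberately broad for a sandbox; a production role would list only the resource types and actions those users need, and the filter should name the exact claim your identity provider emits (check the ID token, since providers differ on whether the claim is `groups`, `roles` or something custom).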
