We have configured 2 OIDC authentication methods in Boundary for the purpose of having separate login methods on the basis of teams. However, unless an auth method is marked as primary it doesn’t allow a new user (that doesn’t exist in the boundary DB yet) to log in.
We need to either mark more than one auth method as primary or some other workaround to this problem.
Please guide us. Thanks in advance!
We’re using Keycloak as the identity provider and boundary version 0.11.2.
The primary auth method for a scope “auto-vivifies”, creating a Boundary user object for the corresponding account automatically so the user can log in, but other auth methods do not. If you use separate orgs and have each one have one of the auth methods as primary, though, you can have both methods auto-vivify within their separate orgs.
The other thing you can do is create users for the corresponding accounts on non-primary auth methods either automatically by using Terraform or scripting the Boundary CLI, or manually using the Boundary admin GUI.
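As an added illustration of both suggestions above (this is example configuration written for this thread, not code from the original posts or from HashiCorp's own examples), the following Terraform uses the Boundary provider to create one org per team with its own primary OIDC auth method, plus a non-primary OIDC auth method whose accounts and users are created explicitly ahead of first login. The Boundary address, Keycloak issuer URLs, client IDs, team names, and the variables holding secrets and Keycloak subjects are all placeholders; the bootstrap password auth method is assumed to already exist.

```hcl
# Added example for this thread; all addresses, issuers, client IDs and names are placeholders.
terraform {
  required_providers {
    boundary = {
      source = "hashicorp/boundary"
    }
  }
}

# Assumed: an existing password auth method in the global scope used to bootstrap Terraform.
variable "bootstrap_auth_method_id" { type = string }
variable "bootstrap_login_name" { type = string }
variable "bootstrap_password" {
  type      = string
  sensitive = true
}
variable "team_client_secrets" {
  type      = map(string) # team name => Keycloak client secret (placeholder values)
  sensitive = true
}
variable "contractors_client_secret" {
  type      = string
  sensitive = true
}
# login name => Keycloak subject ("sub" claim); accounts are matched on this at login time.
variable "contractor_subjects" { type = map(string) }

provider "boundary" {
  addr                            = "https://boundary.example.internal:9200" # placeholder
  auth_method_id                  = var.bootstrap_auth_method_id
  password_auth_method_login_name = var.bootstrap_login_name
  password_auth_method_password   = var.bootstrap_password
}

# Workaround 1: a separate org per team, each with its own OIDC auth method marked primary,
# so each method auto-creates users within its own org.
resource "boundary_scope" "team" {
  for_each                 = toset(["platform", "data"]) # placeholder team names
  scope_id                 = "global"
  name                     = "org-${each.key}"
  description              = "Org for the ${each.key} team"
  auto_create_admin_role   = true
  auto_create_default_role = true
}

resource "boundary_auth_method_oidc" "team" {
  for_each             = boundary_scope.team
  scope_id             = each.value.id
  name                 = "keycloak-${each.key}"
  issuer               = "https://keycloak.example.internal/realms/${each.key}" # placeholder
  client_id            = "boundary-${each.key}"                                  # placeholder
  client_secret        = var.team_client_secrets[each.key]
  signing_algorithms   = ["RS256"]
  api_url_prefix       = "https://boundary.example.internal:9200"
  is_primary_for_scope = true # enables auto-creation of users for this method in this org
}

# Workaround 2: a non-primary OIDC auth method in one org. It does not auto-create users,
# so each account and its user are created here before the person first logs in.
resource "boundary_auth_method_oidc" "contractors" {
  scope_id             = boundary_scope.team["platform"].id
  name                 = "keycloak-contractors"
  issuer               = "https://keycloak.example.internal/realms/contractors" # placeholder
  client_id            = "boundary-contractors"                                 # placeholder
  client_secret        = var.contractors_client_secret
  signing_algorithms   = ["RS256"]
  api_url_prefix       = "https://boundary.example.internal:9200"
  is_primary_for_scope = false
}

resource "boundary_account_oidc" "contractor" {
  for_each       = var.contractor_subjects
  auth_method_id = boundary_auth_method_oidc.contractors.id
  name           = each.key
  issuer         = boundary_auth_method_oidc.contractors.issuer
  subject        = each.value # must equal the Keycloak "sub" claim for this person
}

resource "boundary_user" "contractor" {
  for_each    = var.contractor_subjects
  scope_id    = boundary_scope.team["platform"].id
  name        = each.key
  account_ids = [boundary_account_oidc.contractor[each.key].id]
}
```

The key line for the first workaround is `is_primary_for_scope = true` on each per-org auth method; for the second, the pairing of a `boundary_account_oidc` (keyed on the identity provider's subject) with a `boundary_user` that lists it in `account_ids`, which is the same thing the admin GUI or `boundary users create` / `boundary users add-accounts` does by hand. A login on the non-primary method only succeeds if the subject in the OIDC token matches one of these pre-created accounts, so keeping `contractor_subjects` in sync with Keycloak is what this approach depends on.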
@omkensey , can you please elaborate more on how to create users for the corresponding accounts? I have similar account requirements where I want to prompt the user to satisfy two forms of authentication, i.e. one via Keycloak and the other at the Boundary level. The question is: I can see the user (authenticated via Keycloak) in Boundary auth methods (under the accounts tab), but how do I create a “username & password” for the same account in Boundary? In the end, I am trying to enforce two forms of authentication (one via Keycloak and the other via Boundary) before the user can see the list of targets.
It is not possible to require two forms of authentication within Boundary at the moment. Longer-term we want to add approvals workflows that would make e.g. 2FA something that can be required.