We have configured 2 OIDC authentication methods in Boundary for the purpose of having separate login methods on the basis of teams. However, unless an auth method is marked as primary it doesn’t allow a new user (that doesn’t exist in the Boundary DB yet) to log in.
We need to either mark more than one auth method as primary or some other workaround to this problem.
Please guide us. Thanks in advance!
We’re using Keycloak as the identity provider and Boundary version 0.11.2.
The primary auth method for a scope “auto-vivifies”, creating a Boundary user object for the corresponding account automatically so the user can log in, but other auth methods do not. If you use separate orgs and have each one have one of the auth methods as primary, though, you can have both methods auto-vivify within their separate orgs.
The other thing you can do is create users for the corresponding accounts on non-primary auth methods either automatically by using Terraform or scripting the Boundary CLI, or manually using the Boundary admin GUI.
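The CLI-scripting route from the answer above, as an added Python example (not Boundary's own code nor the poster's): it reads the scope of a non-primary OIDC auth method, lists its accounts, finds the ones no user in that scope owns yet, and creates and links a user for each. It assumes an already-authenticated `boundary` CLI on PATH, that `users list -format json` returns `account_ids` per user, and that the user name derived from the account (email, else OIDC subject) is unique in the scope.

```python
import json
import subprocess
import sys


def boundary_json(*args):
    """Run a boundary CLI command with -format json and return the decoded body.
    Assumes the CLI is installed and already authenticated (BOUNDARY_ADDR/token set)."""
    proc = subprocess.run(["boundary", *args, "-format", "json"],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


def unattached_accounts(accounts, users):
    """Return the accounts of one auth method that no user in the scope owns.
    `accounts` and `users` are the `items` lists of `accounts list` / `users list`
    (assumption: each user item carries an `account_ids` list)."""
    owned = {aid for u in users for aid in u.get("account_ids", [])}
    return [a for a in accounts if a["id"] not in owned]


def user_name_for(account):
    """Derive a user name from an OIDC account: email, else subject, else account id."""
    attrs = account.get("attributes") or {}
    return attrs.get("email") or attrs.get("subject") or account["id"]


def vivify(auth_method_id, dry_run=True):
    """Create one user per unattached account of a non-primary auth method and link it.
    Returns the list of (user_id, account_id) pairs created (empty in dry-run mode)."""
    scope_id = boundary_json("auth-methods", "read", "-id", auth_method_id)["item"]["scope_id"]
    accounts = boundary_json("accounts", "list", "-auth-method-id", auth_method_id).get("items", [])
    users = boundary_json("users", "list", "-scope-id", scope_id).get("items", [])
    created = []
    for acct in unattached_accounts(accounts, users):
        name = user_name_for(acct)
        if dry_run:
            print(f"would create user {name!r} for account {acct['id']} in {scope_id}")
            continue
        user = boundary_json("users", "create", "-scope-id", scope_id, "-name", name,
                             "-description", f"auto-created for {auth_method_id}")["item"]
        # Link the existing OIDC account to the new user so the next login resolves to it.
        boundary_json("users", "add-accounts", "-id", user["id"], "-account", acct["id"])
        created.append((user["id"], acct["id"]))
    return created


if __name__ == "__main__":
    # usage: python vivify.py <auth_method_id> [--apply]   (dry run unless --apply is given)
    vivify(sys.argv[1], dry_run="--apply" not in sys.argv[2:])
```

Run it after users have logged in once to Keycloak-backed auth method (so the accounts exist in Boundary), or pair it with a scheduled job; the dry run prints what it would create without changing anything.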