Map user entity id to Identity Provider email when using OIDC

pantelis-karamolegko · January 8, 2023, 10:38am

I have enabled OIDC auth backend in my vault instance using GSuite as my identity provider.

AFAIK, when a new user logs in, an entity is created, and vault creates a UUID to be assigned to the newly created entity.

Is there a way to replace (or add to) the UUID with the user email of the IDP?

edit 1: I am currently using user_claim = "sub" in the configuration of the default oidc role but when running vault read -format=json identity/entity/id list=true I don’t see any user emails in the entities related to the oidc

edit 2: I have tried with user_claim = "email" but now the log in fails with

claim “email” not found in token

pantelis-karamolegko · January 8, 2023, 4:11pm

nvm, resolved. this is what was missing from my vault_jwt_auth_backend_role resource configuration

oidc_scopes           = toset(["openid email"])

Topic		Replies	Views
While using OIDC, i want to Map user entity id to Identity Provider email Vault	1	303	April 18, 2023
OIDC - Azure AD & pinned identifier Vault	0	197	March 10, 2023
Create vault entity with user okta email Vault	0	258	May 25, 2021
OIDC claim_mappings will not override 'name' nor store it in metadata Vault	2	1588	April 15, 2020
Oidc providers and entity lookup Vault	0	246	March 20, 2022

Map user entity id to Identity Provider email when using OIDC

Related topics