Map user entity id to Identity Provider email when using OIDC

pantelis-karamolegko · January 8, 2023, 10:38am

I have enabled OIDC auth backend in my vault instance using GSuite as my identity provider.

AFAIK, when a new user logs in, an entity is created, and vault creates a UUID to be assigned to the newly created entity.

Is there a way to replace (or add to) the UUID with the user email of the IDP?

edit 1: I am currently using user_claim = "sub" in the configuration of the default oidc role but when running vault read -format=json identity/entity/id list=true I don’t see any user emails in the entities related to the oidc

edit 2: I have tried with user_claim = "email" but now the log in fails with

claim “email” not found in token

pantelis-karamolegko · January 8, 2023, 4:11pm

nvm, resolved. this is what was missing from my vault_jwt_auth_backend_role resource configuration

oidc_scopes           = toset(["openid email"])

Topic		Replies	Views
While using OIDC, i want to Map user entity id to Identity Provider email Vault	1	441	April 18, 2023
Create vault entity with user okta email Vault	0	345	May 25, 2021
OIDC - Email not Populating Vault	0	343	October 24, 2022
Oidc providers and entity lookup Vault	0	277	March 20, 2022
Pre-assign oidc identities to roles Vault vault	7	785	December 21, 2022

Map user entity id to Identity Provider email when using OIDC

Related topics