Mapping entity aliases to specific (internal) groups

I have the following entity. Its only alias (as is evident) was created after the user logged in using an oidc auth backend mounted at the auth/subpath/test-oidc path:

      "2ca13a34-7b11-1234-1234-dk1c1207300c": {
        "aliases": [
          {
            "id": "12dfr5f5-42gf-154s-46e5-123456789",
            "mount_accessor": "auth_oidc_12345678",
            "mount_path": "auth/subpath/test-oidc/",
            "mount_type": "oidc",
            "name": "myself@myorg.com"
          }
        ],
        "name": "entity_98765432"
      },

How can I assign the user to a particular (internal) group?

The corresponding resource does not seem to have a way to add members using their aliases.

You can use the vault_identity_entity data source to find the alias after creation and associate it with your group.

Alternatively, depending on what attributes you pass into the OIDC auth method, you could map an external group to your users automatically via the groups_claim attribute in your OIDC role. Here’s an example using Azure as the OIDC provider.


Do you happen to know if there is a way the association of the entity with the group can somehow be implemented before the user logs in for the first time? (The alias name is predictable, given that it will be the user’s email.)

Unfortunately due to some limitations I cannot use the second solution.

If you know the alias name/id then you can pre-create it and attach it to a pre-created Identity Entity and then add the Entity to the desired Internal group.

Just make sure what you’re using as the OIDC user claim is what you’re expecting the alias to be for that auth mount (e.g., if you’re expecting email address, make sure the user claim maps to the email address provided by your OIDC provider vs. any other unique ID the provider may serve up, such as a UUID).

If the values don’t match exactly (case-sensitive), a new alias will be created. But if everything matches, the existing alias will be used.
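The pre-creation flow described in the last two replies, written out as a Terraform example (added here, not code from the thread): the entity, its alias and the internal group are created before the first login, the alias references the mount accessor looked up from the existing auth mount rather than a hard-coded value, and the OIDC role's `user_claim` is pinned to the same claim the alias name is built from. The role name, audience, redirect URI, entity name, group name and policy names are assumptions.

```hcl
terraform {
  required_providers {
    vault = { source = "hashicorp/vault" }
  }
}

# Look up the existing OIDC auth mount (path without the "auth/" prefix).
# Its accessor is what the alias must reference; never hard-code it.
data "vault_auth_backend" "oidc" {
  path = "subpath/test-oidc"
}

# The OIDC role must derive the alias name from the claim you pre-create.
# Role name, audience and redirect URI are hypothetical values.
resource "vault_jwt_auth_backend_role" "default" {
  backend               = data.vault_auth_backend.oidc.path
  role_name             = "default"
  role_type             = "oidc"
  user_claim            = "email" # alias name == this claim, compared case-sensitively
  bound_audiences       = ["oidc-client-id-placeholder"]
  allowed_redirect_uris = ["https://vault.example.com/ui/vault/auth/subpath/test-oidc/oidc/callback"]
  token_policies        = ["default"]
}

# Pre-create the entity the user will land on; the entity name is arbitrary.
resource "vault_identity_entity" "user" {
  name = "myself-at-myorg"
}

# Pre-create the alias with the exact value the IdP returns for user_claim.
# Any mismatch (including letter case) makes Vault create a fresh alias instead.
resource "vault_identity_entity_alias" "user_oidc" {
  name           = "myself@myorg.com"
  mount_accessor = data.vault_auth_backend.oidc.accessor
  canonical_id   = vault_identity_entity.user.id
}

# Internal group holding the entity; its policies apply from the first login on.
resource "vault_identity_group" "team" {
  name              = "team-a"
  type              = "internal"
  policies          = ["team-a-read"]
  member_entity_ids = [vault_identity_entity.user.id]
}
```

After the first real login, confirm with `vault read identity/entity/id/<id>` that the entity still has a single alias; a second alias on the same mount accessor means the claim value did not match the pre-created name.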