OIDC Managed Groups

dpanihin24 · July 6, 2021, 4:47pm

Hello,
I cant find some explanation for OIDC Managed groups, more precisely how to config this feature.
I have already configured OKTA oidc provider and i am able to connect to system.
Can you give some simple example how i can configure claims to groups???

Thank you

Admir-Hadzic-MOP · July 9, 2021, 9:36am

Yes, the official documentation doesn’t offer any examples. Terraform Registry for Boundary doesn’t contain any filtering blocks, and creating/modifying groups in console lack filtering options as well.

Anyone has any clues on how can we set it up?

dpanihin24 · July 9, 2021, 9:41pm

I have managed it. Will post explanation later

dpanihin24 · July 10, 2021, 2:38pm

Firstable OIDC Auth-method should be properly configured. Official doc describes minimal flow for authenticaton.

Once there is OIDC auth method configured need to add additional claims.
By default it request only openid claim scope. For getting more data (Fullname, email, groups …) should add it to:
Auth Methods → < OIDC-Method > → Claims Scopes
Following scopes:
email
profile
groups
Now we can create managed group with filter (CLI only).
For example user member in:
groups: [group1, group2, group3]
boundary managed-groups create oidc -name < NAME > -auth-method-id <ID_OF_OIDC_METHOD> -filter ‘“group1” in “/userinfo/groups”’
If user is member in group1 he will be added after login to our managed group
Add created group as principal to some role:
boundary roles add-principals -id < ROLE_ID > -principal=< MANAGED_GROUP_ID >

seems thats all

drdukes · July 21, 2021, 4:14am

@dpanihin24 Good info. I will try to work with these steps. I would LOVE to know how you pieced together these steps. What resources did you use?

Can someone from Hashicorp provide a documentation resource for managing group access with an OIDC method?

It would be ideal for my use case to allow auth0 managed Google accounts access to my Boundary instance. Thanks!

dpanihin24 · July 21, 2021, 1:32pm

I am using OKTA. I have configured dev OKTA account and played with it.
Part of info i took from official Hashicorp’s docs. Lots info its knowledge in OKTA - how it works.

PPacent · November 15, 2021, 7:50pm

Hi folks! For anyone interested there’s now a Boundary tutorial for configuring managed groups via the CLI and Terraform using Azure AD, Okta, and Auth0. This same pattern can be applied to other Open ID Connect (OIDC) identity providers.

pranesh.kumar · March 30, 2023, 11:55am

Hi ,
I am trying to setup google oidc auth for boundary
is there any native support for google oidc with boundary to implement user mapping?
Based on fetching group_claims from google workspace and add filter to boundary managed groups