OIDC Managed Groups

Hello,
I can't find any explanation for OIDC managed groups, more precisely how to configure this feature.
I have already configured an OKTA OIDC provider and I am able to connect to the system.
Can you give a simple example of how I can configure claims to groups?

Thank you

Yes, the official documentation doesn't offer any examples. Terraform Registry for Boundary doesn't contain any filtering blocks, and creating/modifying groups in the console lacks filtering options as well.

Does anyone have any clues on how we can set it up?

I have managed it. Will post explanation later


First of all, the OIDC auth method should be properly configured. The official doc describes the minimal flow for authentication.

  1. Once there is an OIDC auth method configured, you need to add additional claims.
    By default it requests only the openid claim scope. For getting more data (full name, email, groups ...) you should add them to:
    Auth Methods → <OIDC-Method> → Claims Scopes
    Following scopes:
    email
    profile
    groups

  2. Now we can create a managed group with a filter (CLI only).
    For example, a user who is a member of:
    groups: [group1, group2, group3]
    boundary managed-groups create oidc -name <NAME> -auth-method-id <ID_OF_OIDC_METHOD> -filter '"group1" in "/userinfo/groups"'
    If the user is a member of group1, he will be added to our managed group after login.

  3. Add the created group as a principal to some role:
    boundary roles add-principals -id <ROLE_ID> -principal=<MANAGED_GROUP_ID>

Seems that's all.

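To check a managed-group filter against the claims a login would actually produce before committing it to Boundary, here is an added example (not from the original post or from Boundary itself) that evaluates the small filter subset used in step 2 locally. It assumes the account data is laid out as Boundary exposes it to filters, with ID-token claims under /token and userinfo claims under /userinfo; the sample account is constructed, and Boundary's real evaluator (go-bexpr) supports more syntax than this.

```python
import re

# Constructed sample of what a filter sees after an OIDC login: ID-token claims
# under /token and the userinfo response under /userinfo.
SAMPLE_ACCOUNT = {
    "token": {"sub": "00u1abc", "email": "alice@example.com"},
    "userinfo": {"email": "alice@example.com", "groups": ["group1", "group2", "group3"]},
}

# One clause of the filter syntax from the post:  "literal" in "/selector"
# or "/selector" == "literal" (also !=). Clauses may be joined by "and" / "or".
CLAUSE_RE = re.compile(r'^"([^"]*)"\s+(in|==|!=)\s+"([^"]*)"$')


def lookup(data, selector):
    """Resolve a slash selector such as /userinfo/groups; None if the path is absent."""
    node = data
    for part in selector.strip("/").split("/"):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def eval_clause(clause, data):
    """Evaluate a single quoted clause against the account data."""
    m = CLAUSE_RE.match(clause.strip())
    if not m:
        raise ValueError(f"unsupported clause: {clause!r}")
    left, op, right = m.groups()
    if op == "in":
        values = lookup(data, right)          # a missing or non-list claim never matches
        return isinstance(values, list) and left in values
    actual = lookup(data, left)
    return (actual == right) if op == "==" else (actual != right)


def matches_filter(filter_expr, data):
    """True if the account satisfies the filter; 'and' binds tighter than 'or'.
    Simplification: the split assumes 'and'/'or' never appear inside quotes."""
    return any(
        all(eval_clause(c, data) for c in re.split(r"\s+and\s+", group))
        for group in re.split(r"\s+or\s+", filter_expr)
    )


if __name__ == "__main__":
    for f in ['"group1" in "/userinfo/groups"', '"group9" in "/userinfo/groups"',
              '"/token/email" == "alice@example.com" and "group2" in "/userinfo/groups"']:
        print(f, "->", matches_filter(f, SAMPLE_ACCOUNT))
```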

@dpanihin24 Good info. I will try to work with these steps. I would LOVE to know how you pieced together these steps. What resources did you use?

Can someone from Hashicorp provide a documentation resource for managing group access with an OIDC method?

It would be ideal for my use case to allow auth0 managed Google accounts access to my Boundary instance. Thanks!

I am using OKTA. I have configured a dev OKTA account and played with it.
Part of the info I took from the official HashiCorp docs. Lots of the info is knowledge of OKTA - how it works.


Hi folks! For anyone interested there’s now a Boundary tutorial for configuring managed groups via the CLI and Terraform using Azure AD, Okta, and Auth0. This same pattern can be applied to other Open ID Connect (OIDC) identity providers.
