OIDC without role

Hi all,

My vault is working both with ldap and OIDC, no problem on config :slight_smile:

My question is about OIDC. Today, it’s the role that maps the groups linked to my IdP and grants users a policy.

But UX-wise, it’s not easy to provide a role. I mean, users have to know which role they must set in the UI, and it’s complex to maintain and to explain to users (could be QA, dev, functional guys…).

Is it possible to use only the default role and, like we have with LDAP, map a group to a policy with OIDC?

I mean, the user logs in with the default role and if he is in group admin, he matches policy admin. If he is in feature “toto”, he has access to policy “toto”?

Hope I’m clear :slight_smile:

Hi all, does someone have some input for me ^^?

Did you try with templated policies?

In Vault create an “external” group named admins, attach the admin policy to that group, create a group alias mapping the OIDC group to the external group. Any OIDC user that is a member of the admin group will have the admin policy added automatically.

It’s not a problem linked to policies, more on the way groups are working :slight_smile:

Thanks for your help


Ok so it’s what I understand but it’s not working on my side. I will push on that way.

I’m using:
bound_claims map[support_groups:[CS-MYGROUP]]

because my match should be “support_groups” from my IdP.
Can I match the Vault “external group” to this “support_groups” to associate a policy?

Or must it be a specific claim from my IdP (like “groups”) for this to work?

Thanks in advance,

Setting up the groups and linking them to policies like you want to do is on my todo… Let’s see who gets there first ;).


The bound_claims is a field which specifies which claims should match in order for authentication to be successful; it has nothing to do with groups.

The groups_claim is used to define which group the authenticated user is a member of, respectively what policies should be assigned.

I’m not completely aware of your use-case but I believe the claim_mappings parameter might be what you are looking for.


Hi all,

@martinhristov90, thanks it’s working for me.

To explain for those who need this feature: from my IdP, I get back:
“support_groups”: [

On my OIDC role, I add “groups_claim”: “support_groups”
I add a group of type external named CS-2, for example, with a policy, and I add an alias on it to OIDC.

So the groups will match what the IdP sends to me and associate a policy.

Working well :slight_smile:

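The setup described in the last post, written out as Vault CLI calls. This is an added example, not code posted in the thread: the mount path oidc, the role name default and the policy name support are assumptions, the role is assumed to exist already, and jq is required.

```shell
#!/usr/bin/env bash
# Added example: map one IdP group to one Vault policy through an
# external identity group. Needs a logged-in vault CLI and jq.
#
# Usage: map_oidc_group MOUNT ROLE CLAIM IDP_GROUP VAULT_GROUP POLICY
map_oidc_group() {
  if [ "$#" -ne 6 ]; then
    echo "usage: map_oidc_group MOUNT ROLE CLAIM IDP_GROUP VAULT_GROUP POLICY" >&2
    return 2
  fi
  local mount="$1" role="$2" claim="$3" idp_group="$4" vault_group="$5" policy="$6"
  local accessor group_id

  # 1. Tell the existing role which ID-token claim lists the user's groups.
  #    bound_claims on the role is untouched: it still only gates login.
  vault write "auth/${mount}/role/${role}" groups_claim="$claim" >/dev/null || return 1

  # 2. Look up the accessor of the OIDC mount; group aliases are scoped to it.
  accessor=$(vault auth list -format=json | jq -r --arg m "${mount}/" '.[$m].accessor')
  if [ -z "$accessor" ] || [ "$accessor" = "null" ]; then
    echo "no auth mount at ${mount}/" >&2
    return 1
  fi

  # 3. Create the external group that carries the policy, then read its id.
  vault write identity/group name="$vault_group" type="external" \
    policies="$policy" >/dev/null || return 1
  group_id=$(vault read -field=id "identity/group/name/${vault_group}") || return 1

  # 4. The alias name must equal the value the IdP sends inside the claim.
  vault write identity/group-alias name="$idp_group" \
    mount_accessor="$accessor" canonical_id="$group_id" >/dev/null || return 1

  echo "$group_id"
}

# Example call with the names from the thread (policy name is assumed):
# map_oidc_group oidc default support_groups CS-MYGROUP CS-2 support
```

Membership in an external group is refreshed at login and token renewal, so a user removed from the group at the IdP keeps the policy until the current token expires or is revoked.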