OIDC without role

cpoule23 · November 3, 2020, 8:08am

Hi all,

My vault is working both with ldap and OIDC, no problem on config

My question is about OIDC. Today, it’s role who map groups linked to my idp who allow user with policy.

But on UX, it’s not easy to provide role, i mean user have to know which role they must set on the UI but it’s complex to maintain and to explain to users (could be QA, dev, functionnal guys…).

Is it possible to use only default role and like we have inside ldap, map a group to a policy with OIDC ?

I mean, user is log in with default role and if he is on group admin, match policy admin. If he is on feature “toto”, he have access to policy “toto” ?

Hope I’m clear
Cyril

cpoule23 · November 5, 2020, 9:32am

Hi all, someone have some input for me ^^?

rgevaert · November 5, 2020, 7:53pm

Did you try with templated policies?

EricHorst · November 6, 2020, 4:51am

In Vault create an “external” group named admins, attach the admin policy to that group, create a group alias mapping the OIDC group to the external group. Any OIDC user that is a member of the admin group will have the admin policy added automatically.

cpoule23 · November 6, 2020, 7:37am

Hi,
It’s not a problem linked to policies, more on the way groups are working

Thanks for your help

cpoule23 · November 6, 2020, 7:44am

Hi,

Ok so it’s what I understand but it’s not working on my side. I will push on that way.

I’m using :
bound_claims map[support_groups:[CS-MYGROUP]]

because my match should be “support_groups” from my idp.
Can I match the vault “external group” to this “support_groups” to associate a policy ?

Or it must be a specific claim from my idp (like “groups”) to allow this working ?

Thanks in advance,
Cyril

rgevaert · November 6, 2020, 8:34am

setting up the groups and linking them to policies like you want to do is on my todo… Let’s see who gets there first ;).

martinhristov90 · November 6, 2020, 11:34am

Hello,

The bound_claims is a field which specifies which claims should match in order for authentication to be successful, it has nothing to do with groups.

The groups_claim is used to define which group the authenticated user is a member of, respectively what policies should be assigned.

I’m not completely aware of your use-case but I believe the claim_mappings parameter might be what you are looking for.

Martin

cpoule23 · November 10, 2020, 9:21am

Hi all,

@martinhristov90, thanks it’s working for me.

To explain for who need this feature. On my idp, I get back :
“support_groups”: [
“CS-1”,
“CS-2”,
“CS-3”
],

On my oidc role, I add “groups_claim”: “support_groups”
I add a group type external with name CS-2 for exemple with a policy and I add an alias on it to oidc.

So the groups will match what the idp send to me and associate a policy

Thanks,
working well

Topic		Replies	Views
OIDC role to policy mapping Vault	6	2410	March 3, 2023
Authorization through OIDC and LDAP Vault	1	1044	February 16, 2020
Role assignments with OIDC auth provider Vault vault	3	268	December 7, 2022
Vault OIDC external groups user being assigned all policies Vault	1	321	February 16, 2023
Vault OIDC auth method with external groups Vault	2	536	November 10, 2021

OIDC without role

Related topics