Session username

Can I represent Username as OIDC username in Boundary when logging in using OIDC?
In the session menu, it is difficult to recognize users such as u_gY7s2b0cYm, so it is not known who accessed it.


1 Like

Asking the same question here, as when mark OIDC as primary auth method, user will create a random uid and couldn’t claim email address or username from OIDC to add to boundary username or description.

1 Like

Indeed you can, but you need to “pre-stage” them. A couple of questions to help with a useful example:

  1. Are you managing Boundary with Terraform, or the Boundary CLI?
  2. What is your Identity platform (AzureAD, Okta etc)?


Hi @grantorchard1

  1. Are you managing Boundary with Terraform, or the Boundary CLI?
    → I’m using Terraform.
  2. What is your Identity platform (AzureAD, Okta etc)?
    → I’m using keycloak
1 Like

Alright, I don’t have Keycloak here immediately to validate, but let’s go with things, and hopefully we can get through it.

Here is the code I use to setup OIDC on the Boundary side:

resource "boundary_auth_method_oidc" "this" {
  name                 = "global"
  scope_id             = "global"
  state                = "active-public"
  is_primary_for_scope = true
  callback_url         = "${var.boundary_url}/v1/auth-methods/oidc:authenticate:callback"
  issuer               = module.azuread_oidc.oidc_discovery_url
  client_id            = module.azuread_oidc.application_client_id
  client_secret        = module.azuread_oidc.azuread_application_password
  allowed_audiences = [
  signing_algorithms = ["RS256"]
  api_url_prefix     = var.boundary_url
  account_claim_maps = [
  claims_scopes = [

The important thing here is the account claim map - this example uses Azure AD and I map the object_id in as the subject for the claim.

Next up, you probably want to source the user list in a similar fashion to:

variable "users" {
   type = list(string)

data "keycloak_user" "this" {
  for_each = toset(var.users)
  realm_id =
  username = each.value

Once you’ve got these back, you want to create an OIDC account and a user.

resource "boundary_account_oidc" "this" {
  for_each       = { for v in data.keycloak_user.this: v.mail => v } #set the key to something distinct, in the case email.
  name           = each.value.mail
  subject        = # I'm guessing this is the correct attribute
  auth_method_id =

resource "boundary_user" "this" {
  for_each = { for v in boundary_account_oidc.this : => v }
  account_ids = [
  name     =
  scope_id = "global"

Let me know if that works for you… it may need a little bit of tuning.

1 Like

If you populate the name and email claims in keycloak’s returned id_token or these claims are returned from keycloak’s userinfo endpoint, then boundary will populate them in the user’s boundary OIDC account.

BTW, these claims are re-synced to the boundary OIDC account every time the user authenticates to boundary via an OIDC auth-method.

Hi all!
Do I need to set up account_claim_maps and make oidc accounts and users into terraform?
The OIDC account shows the user’s email address.
I want the OIDC username or email address to appear in the Users list.