Session username

Hi,
Can I represent Username as OIDC username in Boundary when logging in using OIDC?
In the session menu, it is difficult to recognize users such as u_gY7s2b0cYm, so it is not known who accessed it.

Thanks!

1 Like

Asking the same question here: when OIDC is marked as the primary auth method, the user is created with a random uid and can't claim the email address or username from OIDC to add to the Boundary user name or description.

1 Like

Indeed you can, but you need to “pre-stage” them. A couple of questions to help with a useful example:

  1. Are you managing Boundary with Terraform, or the Boundary CLI?
  2. What is your Identity platform (AzureAD, Okta etc)?

Thanks!

Hi @grantorchard1

  1. Are you managing Boundary with Terraform, or the Boundary CLI?
    → I’m using Terraform.
  2. What is your Identity platform (AzureAD, Okta etc)?
    → I’m using Keycloak.

Thanks!
1 Like

Alright, I don’t have Keycloak here immediately to validate, but let’s go with it, and hopefully we can get through it.

Here is the code I use to setup OIDC on the Boundary side:

resource "boundary_auth_method_oidc" "this" {
  name                 = "global"
  scope_id             = "global"
  state                = "active-public"
  is_primary_for_scope = true
  callback_url         = "${var.boundary_url}/v1/auth-methods/oidc:authenticate:callback"
  issuer               = module.azuread_oidc.oidc_discovery_url
  client_id            = module.azuread_oidc.application_client_id
  client_secret        = module.azuread_oidc.azuread_application_password
  allowed_audiences = [
    module.azuread_oidc.application_client_id
  ]
  signing_algorithms = ["RS256"]
  api_url_prefix     = var.boundary_url
  account_claim_maps = [
    "oid=sub"
  ]
  claims_scopes = [
    "email",
    "profile"
  ]
}

The important thing here is the account claim map - this example uses Azure AD and I map the object_id in as the subject for the claim.

Next up, you probably want to source the user list in a similar fashion to:

variable "users" {
  type = list(string)
}

# Realm lookup that the user data source below refers to
data "keycloak_realm" "master_realm" {
  realm = "master"
}

data "keycloak_user" "this" {
  for_each = toset(var.users)
  realm_id = data.keycloak_realm.master_realm.id
  username = each.value
}

Once you’ve got these back, you want to create an OIDC account and a user.

resource "boundary_account_oidc" "this" {
  for_each       = { for v in data.keycloak_user.this : v.email => v } # set the key to something distinct, in this case the email (the keycloak_user data source exposes it as "email")
  name           = each.value.email
  subject        = each.value.id # I'm guessing this is the correct attribute
  auth_method_id = boundary_auth_method_oidc.this.id
}

resource "boundary_user" "this" {
  for_each = { for v in boundary_account_oidc.this : v.name => v }
  account_ids = [
    each.value.id
  ]
  name     = each.value.name
  scope_id = "global"
}

Let me know if that works for you… it may need a little bit of tuning.

1 Like

If you populate the name and email claims in keycloak’s returned id_token or these claims are returned from keycloak’s userinfo endpoint, then boundary will populate them in the user’s boundary OIDC account.

BTW, these claims are re-synced to the boundary OIDC account every time the user authenticates to boundary via an OIDC auth-method.
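
The two posts above together describe one procedure: pre-stage Keycloak users as Boundary OIDC accounts and users with Terraform, and request the email and profile scopes so the name and email claims get synced into the account on every login. The configuration below is an added, end-to-end version of that (it is not code from either poster and has not been run against a live Keycloak). It assumes the mrparkers/keycloak and hashicorp/boundary providers are configured, that an OIDC client for Boundary already exists in Keycloak and its client_id/secret are passed in as variables, that the Keycloak issuer uses the modern `/realms/<realm>` path (no legacy `/auth` prefix), and that Keycloak's `sub` claim equals the user id returned by the `keycloak_user` data source, so no `account_claim_maps` entry is needed. The variable names, the `keycloak` resource label and the example hostnames are placeholders.

```hcl
# Added example: pre-stage Keycloak users in Boundary so logins map to a
# readable user instead of an auto-created u_xxxx user.

variable "boundary_url" {
  type = string # e.g. https://boundary.example.internal:9200 (placeholder)
}

variable "keycloak_url" {
  type = string # e.g. https://keycloak.example.internal (placeholder)
}

variable "keycloak_realm" {
  type    = string
  default = "master"
}

variable "boundary_client_id" {
  type = string # client_id of the Boundary OIDC client in Keycloak (assumed to exist)
}

variable "boundary_client_secret" {
  type      = string
  sensitive = true
}

variable "users" {
  type        = list(string)
  description = "Keycloak usernames to pre-stage in Boundary"
}

data "keycloak_realm" "this" {
  realm = var.keycloak_realm
}

# One lookup per username; the data source returns id and email for each user.
data "keycloak_user" "this" {
  for_each = toset(var.users)
  realm_id = data.keycloak_realm.this.id
  username = each.value
}

resource "boundary_auth_method_oidc" "keycloak" {
  name                 = "keycloak"
  scope_id             = "global"
  state                = "active-public"
  is_primary_for_scope = true
  # Assumption: modern Keycloak issuer layout without the legacy /auth prefix.
  issuer             = "${var.keycloak_url}/realms/${var.keycloak_realm}"
  client_id          = var.boundary_client_id
  client_secret      = var.boundary_client_secret
  allowed_audiences  = [var.boundary_client_id]
  signing_algorithms = ["RS256"]
  api_url_prefix     = var.boundary_url
  callback_url       = "${var.boundary_url}/v1/auth-methods/oidc:authenticate:callback"
  # email + profile make Keycloak return the email and name claims that Boundary
  # copies into the OIDC account on every authentication.
  claims_scopes = ["email", "profile"]
}

# Keyed by email so the account name is human-readable in the UI.
resource "boundary_account_oidc" "this" {
  for_each       = { for u in data.keycloak_user.this : u.email => u }
  auth_method_id = boundary_auth_method_oidc.keycloak.id
  name           = each.key
  subject        = each.value.id # must match the sub claim Keycloak issues for this user
}

# One Boundary user per pre-staged account, named after the same email.
resource "boundary_user" "this" {
  for_each    = boundary_account_oidc.this
  scope_id    = "global"
  name        = each.key
  account_ids = [each.value.id]
}
```

Because the auth method is primary for the global scope, anyone who logs in without a pre-staged account still gets an auto-created `u_...` user, so keeping `var.users` in sync with the people who are expected to log in is what makes the user list readable; a quick check after `terraform apply` is that `boundary users list` shows the email-named users rather than only random ids.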

Hi all!
@grantorchard1
Do I need to set up account_claim_maps and create the OIDC accounts and users in Terraform?
@jimlambrt
The OIDC account shows the user’s email address.
I want the OIDC username or email address to appear in the Users list.

Thanks!