I want to enable SSO for Vault with KeyCloak. I am using the free version of Vault. On the pricing page of the vault, it is mentioned that the SSO integration is not possible for the free version with okta, dude and ping. Can someone clarify me whether I can enable SSO for vault via KeyCloak in the free version?
Are you talking about Vault OSS or HCP Vault Secrets? Both are “free as in beer” (in the sense that you don’t need to pay for them) but only the former gives you complete control over your self-managed installation and freedom to use/modify/distribute its source code.
If you’re looking for the integration of Vault OSS with Okta, here is a link: OIDC Authentication with Okta | Vault | HashiCorp Developer
Actually, I am looking for the integration of Vault OSS with KeyCloak and more importantly whether it is possible in the free version.
Because in the pricing page, it is mentioned that only the paid versions can have SSO integration
Yes, Vault OSS integrates with any IdP that is OIDC-compliant.
Yes, you can integrate Vault OSS with Keycloak and then handle the users on Keycloak. I completed that a few weeks ago. As a starting point I followed this post:
It gives you just an overall idea about the process, as it lacks the part where you assign specific Vault authorization (thru policies) to the Keycloak users.
These are the main steps I followed to assign specific Vault authorizations (thru policies) to the Keycloak users.
On the Keycloak IDP:
- Create one or more groups specific for Vault. I created a main group (HCVault) and some child groups (i.e. Admins, SSHUsers, Readers, etc.)
- Assign the IDP users to the groups according to their needs on Vault
- Don’t forget to MAP the Group Membership in the Dedicated scopes of the client. You can decide to map the Full group path or only the child group name: this will change the name assigned in the Id token.
On Vault
- Add groups_claim=groups in the OIDC role defined in auth/oidc/config
- Create the corresponding groups of type “External” and assign the correct policy to each group
- For each of these external group, create an Alias with the same name assigned on Keycloak (use the “Full path” or “Child group name” depending on the choice made in the Mapping on Keycloak).
After the SSO login, each user will be assigned to the corrisponding group on Vault, with the authorization given by the policy assigned to the Group.