I want to understand if its possible to setup onlogin for SSO for hashicorp vault. I couldnot see that in oidc auth methods but i think there can be some way to enable this. Has someone did something like this before and guide me if its possible.
OIDC is a standard method for authentication and as such should be supported independently of the IdP you use.
That being said, there are certain details about each IdP setup that can cause you some headache but in general if you understand the concepts behind OIDC, you should be able to work it out.
As you mentioned, Onelogin is not on the list of example providers but I’d assume this tutorial is a good starting point.
If you have any issues while following along, just post the configuration steps and the errors you’re facing here.
Thanks much for your response. I was able to configure one login with SSO and it works via UI. For CLI, currently its giving me issues. Infrawise, we are running vault in ECS Task and ALB routes the request from 443 to 8200. When I am trying to run below command:
vault login -method=oidc role="reader" listenaddress="0.0.0.0" callbackhost="vault.example.com" callbackmethod="https" callbackport="443" port="8200"
Complete the login via your OIDC provider. Launching browser to:
Waiting for OIDC authentication to complete...
Error authenticating: Unable to authorize role "reader" with redirect_uri "http://localhost:8250/oidc/callback". Check Vault logs for more information.
In this case it tries default values which is not correct in our case as url is vault.example.com and port is 443
Ah, no - that is a misunderstanding. When you execute vault login -method=oidc the URL involved in the OIDC redirect is not the URL to your Vault server.
Rather the URL is almost alwayshttp://localhost:8250/oidc/callback and the thing listening at this URL is the local Vault CLI command itself!
You do need to configure your Vault server to allow this URL as a redirect URL, which I think is what is missing here.
You will also need to configure Onelogin to allow this as a redirect URL for Vault.
The full flow is this:
User runs vault login -method=oidc
Vault CLI calls Vault server, asking it for an URL a browser can use to start the authentication
Vault CLI launches local browser using the URL fetched in the previous step. Meanwhile Vault CLI starts listening on http://localhost:8250…
Browser interacts with identity provider as needed. If successful, identity provider redirects the browser to http://localhost:8250/oidc/callback - where the original Vault CLI is listening - which is how the successful authentication makes it back to the Vault CLI
Vault CLI sends a one-time code received via the browser redirect, to the Vault server, where it is used to finalise the login and return a Vault session token