Vault login OIDC via Onelogin

Vault
1

Hi,

I want to understand if its possible to setup onlogin for SSO for hashicorp vault. I couldnot see that in oidc auth methods but i think there can be some way to enable this. Has someone did something like this before and guide me if its possible.

2

OIDC is a standard method for authentication and as such should be supported independently of the IdP you use.

That being said, there are certain details about each IdP setup that can cause you some headache but in general if you understand the concepts behind OIDC, you should be able to work it out.

As you mentioned, Onelogin is not on the list of example providers but I’d assume this tutorial is a good starting point.

If you have any issues while following along, just post the configuration steps and the errors you’re facing here.

4

Hi Macmiranda

Thanks much for your response. I was able to configure one login with SSO and it works via UI. For CLI, currently its giving me issues. Infrawise, we are running vault in ECS Task and ALB routes the request from 443 to 8200. When I am trying to run below command:

vault login -method=oidc role="reader" listenaddress="0.0.0.0" callbackhost="vault.example.com" callbackmethod="https" callbackport="443" port="8200"                                            

Complete the login via your OIDC provider. Launching browser to:

Waiting for OIDC authentication to complete...

It opens browser

https://vault.example.com/oidc/callback?code=something&state=st_something

but browser returns output like this:

{“errors”:}

When I inspect it says GET request and 404.

I guess request is reaching from one login to vault but vault is not returning response properly for CLI. Do you have any idea?

I have configured just OIDC key secret and domain did nothing on oidc_response_mode and oidc_response_type.

5

You have appended a bunch of extra unneeded and/or incorrect parameters to this command.

You should run only:

vault login -method=oidc role="reader"
6

Error authenticating: Unable to authorize role "reader" with redirect_uri "http://localhost:8250/oidc/callback". Check Vault logs for more information.

In this case it tries default values which is not correct in our case as url is vault.example.com and port is 443

7

Ah, no - that is a misunderstanding. When you execute vault login -method=oidc the URL involved in the OIDC redirect is not the URL to your Vault server.

Rather the URL is almost always http://localhost:8250/oidc/callback and the thing listening at this URL is the local Vault CLI command itself!

You do need to configure your Vault server to allow this URL as a redirect URL, which I think is what is missing here.

Example config:

vault write auth/oidc/role/reader \
  ...
  allowed_redirect_uris=...,http://localhost:8250/oidc/callback

You will also need to configure Onelogin to allow this as a redirect URL for Vault.

The full flow is this:

  1. User runs vault login -method=oidc
  2. Vault CLI calls Vault server, asking it for an URL a browser can use to start the authentication
  3. Vault CLI launches local browser using the URL fetched in the previous step. Meanwhile Vault CLI starts listening on http://localhost:8250
  4. Browser interacts with identity provider as needed. If successful, identity provider redirects the browser to http://localhost:8250/oidc/callback - where the original Vault CLI is listening - which is how the successful authentication makes it back to the Vault CLI
  5. Vault CLI sends a one-time code received via the browser redirect, to the Vault server, where it is used to finalise the login and return a Vault session token
8

Hey Max, Thanks much for looking into this! I was able to fix the issue by changing redirect uri as suggested by you. Thanks Again.