Vault
Azure active directory (AAD)
Note: Azure Active Directory Applications that have custom signing keys as a result of using the claims-mapping feature are currently not supported for OIDC authentication.
Reference: Azure Active Directory v2.0 and the OpenID Connect protocol
Choose your Azure tenant.
Go to Azure Active Directory and register an application for Vault.
Add Redirect URIs with the "Web" type. You may include two redirect URIs, one for CLI access another one for Vault UI access.
Record the "Application (client) ID" as you will need it as the
oidc_client_id
.Under Endpoints, copy the OpenID Connect metadata document URL, omitting the
/well-known...
portion.- The endpoint URL (
oidc_discovery_url
) will look like: https://login.microsoftonline.com/tenant-guid-dead-beef-aaaa-aaaa/v2.0
- The endpoint URL (
Under Certificates & secrets, add a client secret Record the secret's value as you will need it as the
oidc_client_secret
for Vault.
Connect AD group with Vault external group
Reference: Azure Active Directory with OIDC Auth Method and External Groups
To connect the AD group with a Vault external groups, you will need Azure AD v2.0 endpoints. You should set up a Vault policy for the Azure AD group to use.
Go to Azure Active Directory and choose your Vault application.
Go to Token configuration and Add groups claim. Select "All" or "SecurityGroup" based on which groups for a user you want returned in the claim.
In Vault, enable the OIDC auth method.
Configure the OIDC auth method with the
oidc_client_id
(application ID),oidc_client_secret
(client secret), andoidc_discovery_url
(endpoint URL) you recorded from Azure.vault write auth/oidc/config \ oidc_client_id="your_client_id" \ oidc_client_secret="your_client_secret" \ default_role="your_default_role" \ oidc_discovery_url="https://login.microsoftonline.com/tenant_id/v2.0"
Configure the OIDC Role with the following:
user_claim
should be"sub"
or"oid"
following the recommendation from Azure.allowed_redirect_uris
should be the two redirect URIs for Vault CLI and UI access.groups_claim
should be set to"groups"
.oidc_scopes
should be set to"https://graph.microsoft.com/.default profile"
.vault write auth/oidc/role/your_default_role \ user_claim="sub" \ allowed_redirect_uris="http://localhost:8250/oidc/callback,https://online_version_hostname:port_number/ui/vault/auth/oidc/oidc/callback" \ groups_claim="groups" \ oidc_scopes="https://graph.microsoft.com/.default profile" \ policies=default
In Vault, create the external group. Record the group ID as you will need it for the group alias.
From Vault, retrieve the OIDC accessor ID from the OIDC auth method as you will need it for the group alias's
mount_accessor
.Go to the Azure AD Group you want to attach to Vault's external group. Record the
objectId
as you will need it as the group alias name in Vault.In Vault, create a group alias for the external group and set the
objectId
as the group alias name.vault write identity/group-alias \ name="your_ad_group_object_id" \ mount_accessor="vault_oidc_accessor_id" \ canonical_id="vault_external_group_id"
Optional azure-specific configuration
If a user is a member of more than 200 groups (directly or indirectly), Azure will
send _claim_names
and _claim_sources
. For example, returned claims might look like:
{
"_claim_names": {
"groups": "src1"
},
"_claim_sources": {
"src1": {
"endpoint": "https://graph.windows.net...."
}
}
}
The OIDC auth method role can be configured to include the user ID in the endpoint URL, which will be used by Vault to retrieve the groups for the user. Additional API permissions must be added to the Azure app in order to request the additional groups from the Microsoft Graph API.
To set the proper permissions on the Azure app:
Locate the application under "App Registrations" in Azure
Navigate to the "API Permissions" page for the application
Add a permission
Select "Microsoft Graph"
Select "Delegated permissions"
Add the User.Read permission
Check the "Grant admin consent for Default Directory" checkbox
Configure the OIDC auth method in Vault by setting
"provider_config"
to Azure.vault write auth/oidc/config -<<"EOH" { "oidc_client_id": "your_client_id", "oidc_client_secret": "your_client_secret", "default_role": "your_default_role", "oidc_discovery_url": "https://login.microsoftonline.com/tenant_id/v2.0", "provider_config": { "provider": "azure" } } EOH
Add
"profile"
tooidc_scopes
so the user's ID comes back on the JWT.vault write auth/oidc/role/your_default_role \ user_claim="sub" \ allowed_redirect_uris="http://localhost:8250/oidc/callback,https://online_version_hostname:port_number/ui/vault/auth/oidc/oidc/callback" \ groups_claim="groups" \ oidc_scopes="profile" \ policies="default"