Vault
IBM ISAM
The IBM ISAM identity provider returns group membership claims as a single space-separated string (e.g. groups: "group-1 group-2") instead of a list of strings.
To obtain group membership correctly when using IBM ISAM as the identity provider for Vault's OIDC Auth Method, the ibmisam provider must be configured explicitly, as shown below.
```shell
vault write auth/oidc/config -<<"EOH"
{
  "oidc_client_id": "your_client_id",
  "oidc_client_secret": "your_client_secret",
  "default_role": "your_default_role",
  "oidc_discovery_url": "https://your.idp.host",
  "provider_config": {
    "provider": "ibmisam"
  }
}
EOH
```
This instructs the OIDC Auth Method to parse the space-separated groups claim string into individual groups. Note that the role's groups_claim value must still be configured to point at the groups claim your IBM ISAM identity provider actually emits; the provider setting only changes how that claim's value is parsed.
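To make the difference concrete, the following Go snippet shows the normalization the ibmisam provider setting performs: it takes a decoded claims map and the configured groups_claim name, accepts either the standard JSON list form or the IBM ISAM space-separated string, and returns a plain list of group names. It is an added illustration, not Vault's own code, and the groupsFromClaims function and the sample token payload are constructed for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// groupsFromClaims extracts group membership from a decoded OIDC claims map.
// It accepts the standard JSON list form and, as IBM ISAM returns it, a single
// space-separated string, normalizing both to a []string. (Illustrative
// helper, not Vault's implementation.)
func groupsFromClaims(claims map[string]interface{}, groupsClaim string) ([]string, error) {
	raw, ok := claims[groupsClaim]
	if !ok {
		// A mis-set groups_claim on the role shows up here: the claim is simply absent.
		return nil, fmt.Errorf("claim %q not present in token", groupsClaim)
	}
	switch v := raw.(type) {
	case []interface{}:
		// Standard OIDC form: a JSON array of strings.
		out := make([]string, 0, len(v))
		for _, g := range v {
			s, ok := g.(string)
			if !ok {
				return nil, fmt.Errorf("claim %q contains a non-string group: %v", groupsClaim, g)
			}
			out = append(out, s)
		}
		return out, nil
	case string:
		// IBM ISAM form: one string, groups separated by spaces. strings.Fields
		// also collapses repeated whitespace and trims the ends, so
		// "  group-1   group-2 " still yields exactly two groups.
		return strings.Fields(v), nil
	default:
		return nil, fmt.Errorf("claim %q has unsupported type %T", groupsClaim, raw)
	}
}

func main() {
	// Constructed sample payload mimicking the groups claim in an IBM ISAM token.
	payload := `{"sub":"alice","groups":"group-1 group-2"}`
	var claims map[string]interface{}
	if err := json.Unmarshal([]byte(payload), &claims); err != nil {
		panic(err)
	}
	groups, err := groupsFromClaims(claims, "groups")
	fmt.Println(groups, err) // [group-1 group-2] <nil>
}
```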