Clients cannot connect to Vault: invalid BoundSubjects

Troubleshoot problems where the debugging data suggests a problem with bound subjects.

Example debugging data

[DEBUG] auth.saml.auth_saml_b1886dfe: validating user context for role: api=callback role_name=default-saml
role="{
  "token_bound_cidrs":null,
  "token_explicit_max_ttl":0,
  "token_max_ttl":0,
  "token_no_default_policy":false,
  "token_num_uses":0,
  "token_period":0,
  "token_policies":["default"],
  "token_type":0,
  "token_ttl":0,
  "BoundSubjects":["*@example.com *@ext.example.com"],
  "BoundSubjectsType":"glob",
  "BoundAttributes":{"groups":["VaultAdmin","VaultUser"]},
  "BoundAttributesType":"string",
  "GroupsAttribute":"groups"
}"
user context="{
  "attributes":
  {
    "groups":["Domain Users","VaultAdmin"],
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress":["rs@example.com"]
  },
  "subject":"rs@example.com"
}"

Analysis

The SAML role expects a single string with a comma separated list of relevant domains for BoundSubjects, but the provided string is malformed.

Solution

To resolve the problem, update your SAML role and correct the BoundSubjects string:

$ vault write auth/<SAML_PLUGIN_PATH>/role/<ADFS_ROLE> \
bound_subjects="<CORRECTED_DOMAIN_LIST>"

For example:

$ vault write auth/saml/role/adfs-default \
bound_subjects="*@example.com, *@ext.example.com"

Clients cannot connect to Vault: invalid BoundSubjects

Example debugging data

Analysis

Solution

Additional resources