Add OIDC provider docs for IBM ISAM (#19247)

* Add OIDC provider docs for IBM ISAM

* Add changelog, api docs and docs-nav-data

---------

Co-authored-by: Benjamin Voigt <benjamin.voigt@god.dev>

changelog/19247.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+auth/oidc: Adds support for group membership parsing when using IBM ISAM as an OIDC provider.
+```

website/content/api-docs/auth/jwt.mdx

@@ -43,7 +43,7 @@ set.
 - `bound_issuer` `(string: <optional>)` - The value against which to match the `iss` claim in a JWT.
 - `jwt_supported_algs` `(comma-separated string, or array of strings: <optional>)` - A list of supported signing algorithms. Defaults to [RS256] for OIDC roles. Defaults to all [available algorithms](https://github.com/hashicorp/cap/blob/main/jwt/algs.go) for JWT roles.
 - `default_role` `(string: <optional>)` - The default role to use if none is provided during login.
-- `provider_config` `(map: <optional>)` - Configuration options for provider-specific handling. Providers with specific handling include: Azure, Google, SecureAuth. The options are described in each provider's section in [OIDC Provider Setup](/vault/docs/auth/jwt/oidc-providers).
+- `provider_config` `(map: <optional>)` - Configuration options for provider-specific handling. Providers with specific handling include: Azure, Google, SecureAuth, IBM ISAM. The options are described in each provider's section in [OIDC Provider Setup](/vault/docs/auth/jwt/oidc-providers).
 - `namespace_in_state` `(bool: true)` - Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs.
 
 ### Sample Payload

website/content/docs/auth/jwt/oidc-providers/ibmisam.mdx

@@ -0,0 +1,34 @@
+---
+layout: docs
+page_title: OIDC Provider Setup - Auth Methods - IBM Security Access Manager (ISAM)
+description: OIDC provider configuration for IBM Security Access Manager (recently renamed to IBM Security Verify Access)
+---
+
+## IBM ISAM
+
+The [IBM ISAM](https://www.ibm.com/de-de/products/verify-access) identity provider
+returns group membership claims as a space-separated list of strings (e.g.
+`groups: "group-1 group-2"`) instead of a list of strings.
+
+To properly obtain group membership when using IBMISAM as the identity provider for
+Vault's OIDC Auth Method, the `ibmisam` provider must be explicitly configured as
+shown below.
+
+```shell
+vault write auth/oidc/config -<<"EOH"
+{
+   "oidc_client_id": "your_client_id",
+   "oidc_client_secret": "your_client_secret",
+   "default_role": "your_default_role",
+   "oidc_discovery_url": "https://your.idp.host",
+   "provider_config": {
+      "provider": "ibmisam"
+   }
+}
+EOH
+```
+
+This will instruct the OIDC Auth Method to parse the space-separated groups claims string
+into individual groups. Note that the role's [`groups_claim`](/vault/api-docs/auth/jwt#groups_claim)
+value must be properly configured to target the groups claim for your IBM ISAM identity
+provider.

website/content/docs/auth/jwt/oidc-providers/index.mdx

@@ -24,3 +24,4 @@ and additions may be submitted via the [Vault Github repository](https://github.
 - [Kubernetes](/vault/docs/auth/jwt/oidc-providers/kubernetes)
 - [Okta](/vault/docs/auth/jwt/oidc-providers/okta)
 - [SecureAuth](/vault/docs/auth/jwt/oidc-providers/secureauth)
+- [IBMISAM](/vault/docs/auth/jwt/oidc-providers/ibmisam)

website/data/docs-nav-data.json

@@ -1411,6 +1411,10 @@
               {
                 "title": "SecureAuth",
                 "path": "auth/jwt/oidc-providers/secureauth"
+              },
+              {
+                "title": "IBM ISAM",
+                "path": "auth/jwt/oidc-providers/ibmisam"
               }
             ]
           }