diff --git a/changelog/19247.txt b/changelog/19247.txt new file mode 100644 index 000000000..f51e8479c --- /dev/null +++ b/changelog/19247.txt @@ -0,0 +1,3 @@ +```release-note:improvement +auth/oidc: Adds support for group membership parsing when using IBM ISAM as an OIDC provider. +``` diff --git a/website/content/api-docs/auth/jwt.mdx b/website/content/api-docs/auth/jwt.mdx index 6baefa19d..42b6c5a4c 100644 --- a/website/content/api-docs/auth/jwt.mdx +++ b/website/content/api-docs/auth/jwt.mdx @@ -43,7 +43,7 @@ set. - `bound_issuer` `(string: )` - The value against which to match the `iss` claim in a JWT. - `jwt_supported_algs` `(comma-separated string, or array of strings: )` - A list of supported signing algorithms. Defaults to [RS256] for OIDC roles. Defaults to all [available algorithms](https://github.com/hashicorp/cap/blob/main/jwt/algs.go) for JWT roles. - `default_role` `(string: )` - The default role to use if none is provided during login. -- `provider_config` `(map: )` - Configuration options for provider-specific handling. Providers with specific handling include: Azure, Google, SecureAuth. The options are described in each provider's section in [OIDC Provider Setup](/vault/docs/auth/jwt/oidc-providers). +- `provider_config` `(map: )` - Configuration options for provider-specific handling. Providers with specific handling include: Azure, Google, SecureAuth, IBM ISAM. The options are described in each provider's section in [OIDC Provider Setup](/vault/docs/auth/jwt/oidc-providers). - `namespace_in_state` `(bool: true)` - Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs. ### Sample Payload diff --git a/website/content/docs/auth/jwt/oidc-providers/ibmisam.mdx b/website/content/docs/auth/jwt/oidc-providers/ibmisam.mdx new file mode 100644 index 000000000..9b21f9377 --- /dev/null +++ b/website/content/docs/auth/jwt/oidc-providers/ibmisam.mdx @@ -0,0 +1,34 @@ +--- +layout: docs +page_title: OIDC Provider Setup - Auth Methods - IBM Security Access Manager (ISAM) +description: OIDC provider configuration for IBM Security Access Manager (recently renamed to IBM Security Verify Access) +--- + +## IBM ISAM + +The [IBM ISAM](https://www.ibm.com/de-de/products/verify-access) identity provider +returns group membership claims as a space-separated list of strings (e.g. +`groups: "group-1 group-2"`) instead of a list of strings. + +To properly obtain group membership when using IBMISAM as the identity provider for +Vault's OIDC Auth Method, the `ibmisam` provider must be explicitly configured as +shown below. + +```shell +vault write auth/oidc/config -<<"EOH" +{ + "oidc_client_id": "your_client_id", + "oidc_client_secret": "your_client_secret", + "default_role": "your_default_role", + "oidc_discovery_url": "https://your.idp.host", + "provider_config": { + "provider": "ibmisam" + } +} +EOH +``` + +This will instruct the OIDC Auth Method to parse the space-separated groups claims string +into individual groups. Note that the role's [`groups_claim`](/vault/api-docs/auth/jwt#groups_claim) +value must be properly configured to target the groups claim for your IBM ISAM identity +provider. diff --git a/website/content/docs/auth/jwt/oidc-providers/index.mdx b/website/content/docs/auth/jwt/oidc-providers/index.mdx index 8a19a2b71..7cb59d383 100644 --- a/website/content/docs/auth/jwt/oidc-providers/index.mdx +++ b/website/content/docs/auth/jwt/oidc-providers/index.mdx @@ -24,3 +24,4 @@ and additions may be submitted via the [Vault Github repository](https://github. - [Kubernetes](/vault/docs/auth/jwt/oidc-providers/kubernetes) - [Okta](/vault/docs/auth/jwt/oidc-providers/okta) - [SecureAuth](/vault/docs/auth/jwt/oidc-providers/secureauth) +- [IBMISAM](/vault/docs/auth/jwt/oidc-providers/ibmisam) diff --git a/website/data/docs-nav-data.json b/website/data/docs-nav-data.json index ce14ec871..71568bc28 100644 --- a/website/data/docs-nav-data.json +++ b/website/data/docs-nav-data.json @@ -1411,6 +1411,10 @@ { "title": "SecureAuth", "path": "auth/jwt/oidc-providers/secureauth" + }, + { + "title": "IBM ISAM", + "path": "auth/jwt/oidc-providers/ibmisam" } ] }