From eaf67b7c0e85ed21a3903e239de6ab52c29e1a40 Mon Sep 17 00:00:00 2001
From: Austin Gebauer <34121980+austingebauer@users.noreply.github.com>
Date: Thu, 20 Apr 2023 11:30:59 -0700
Subject: [PATCH] Add OIDC provider docs for IBM ISAM (#19247)

* Add OIDC provider docs for IBM ISAM

* Add changelog, api docs and docs-nav-data

---------

Co-authored-by: Benjamin Voigt <benjamin.voigt@god.dev>
---
 changelog/19247.txt                           |  3 ++
 website/content/api-docs/auth/jwt.mdx         |  2 +-
 .../docs/auth/jwt/oidc-providers/ibmisam.mdx  | 34 +++++++++++++++++++
 .../docs/auth/jwt/oidc-providers/index.mdx    |  1 +
 website/data/docs-nav-data.json               |  4 +++
 5 files changed, 43 insertions(+), 1 deletion(-)
 create mode 100644 changelog/19247.txt
 create mode 100644 website/content/docs/auth/jwt/oidc-providers/ibmisam.mdx

diff --git a/changelog/19247.txt b/changelog/19247.txt
new file mode 100644
index 000000000..f51e8479c
--- /dev/null
+++ b/changelog/19247.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+auth/oidc: Adds support for group membership parsing when using IBM ISAM as an OIDC provider.
+```
diff --git a/website/content/api-docs/auth/jwt.mdx b/website/content/api-docs/auth/jwt.mdx
index 6baefa19d..42b6c5a4c 100644
--- a/website/content/api-docs/auth/jwt.mdx
+++ b/website/content/api-docs/auth/jwt.mdx
@@ -43,7 +43,7 @@ set.
 - `bound_issuer` `(string: <optional>)` - The value against which to match the `iss` claim in a JWT.
 - `jwt_supported_algs` `(comma-separated string, or array of strings: <optional>)` - A list of supported signing algorithms. Defaults to [RS256] for OIDC roles. Defaults to all [available algorithms](https://github.com/hashicorp/cap/blob/main/jwt/algs.go) for JWT roles.
 - `default_role` `(string: <optional>)` - The default role to use if none is provided during login.
-- `provider_config` `(map: <optional>)` - Configuration options for provider-specific handling. Providers with specific handling include: Azure, Google, SecureAuth. The options are described in each provider's section in [OIDC Provider Setup](/vault/docs/auth/jwt/oidc-providers).
+- `provider_config` `(map: <optional>)` - Configuration options for provider-specific handling. Providers with specific handling include: Azure, Google, SecureAuth, IBM ISAM. The options are described in each provider's section in [OIDC Provider Setup](/vault/docs/auth/jwt/oidc-providers).
 - `namespace_in_state` `(bool: true)` - Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs.
 
 ### Sample Payload
diff --git a/website/content/docs/auth/jwt/oidc-providers/ibmisam.mdx b/website/content/docs/auth/jwt/oidc-providers/ibmisam.mdx
new file mode 100644
index 000000000..9b21f9377
--- /dev/null
+++ b/website/content/docs/auth/jwt/oidc-providers/ibmisam.mdx
@@ -0,0 +1,34 @@
+---
+layout: docs
+page_title: OIDC Provider Setup - Auth Methods - IBM Security Access Manager (ISAM)
+description: OIDC provider configuration for IBM Security Access Manager (recently renamed to IBM Security Verify Access)
+---
+
+## IBM ISAM
+
+The [IBM ISAM](https://www.ibm.com/de-de/products/verify-access) identity provider
+returns group membership claims as a space-separated list of strings (e.g.
+`groups: "group-1 group-2"`) instead of a list of strings.
+
+To properly obtain group membership when using IBMISAM as the identity provider for
+Vault's OIDC Auth Method, the `ibmisam` provider must be explicitly configured as
+shown below.
+
+```shell
+vault write auth/oidc/config -<<"EOH"
+{
+   "oidc_client_id": "your_client_id",
+   "oidc_client_secret": "your_client_secret",
+   "default_role": "your_default_role",
+   "oidc_discovery_url": "https://your.idp.host",
+   "provider_config": {
+      "provider": "ibmisam"
+   }
+}
+EOH
+```
+
+This will instruct the OIDC Auth Method to parse the space-separated groups claims string
+into individual groups. Note that the role's [`groups_claim`](/vault/api-docs/auth/jwt#groups_claim)
+value must be properly configured to target the groups claim for your IBM ISAM identity
+provider.
diff --git a/website/content/docs/auth/jwt/oidc-providers/index.mdx b/website/content/docs/auth/jwt/oidc-providers/index.mdx
index 8a19a2b71..7cb59d383 100644
--- a/website/content/docs/auth/jwt/oidc-providers/index.mdx
+++ b/website/content/docs/auth/jwt/oidc-providers/index.mdx
@@ -24,3 +24,4 @@ and additions may be submitted via the [Vault Github repository](https://github.
 - [Kubernetes](/vault/docs/auth/jwt/oidc-providers/kubernetes)
 - [Okta](/vault/docs/auth/jwt/oidc-providers/okta)
 - [SecureAuth](/vault/docs/auth/jwt/oidc-providers/secureauth)
+- [IBMISAM](/vault/docs/auth/jwt/oidc-providers/ibmisam)
diff --git a/website/data/docs-nav-data.json b/website/data/docs-nav-data.json
index ce14ec871..71568bc28 100644
--- a/website/data/docs-nav-data.json
+++ b/website/data/docs-nav-data.json
@@ -1411,6 +1411,10 @@
               {
                 "title": "SecureAuth",
                 "path": "auth/jwt/oidc-providers/secureauth"
+              },
+              {
+                "title": "IBM ISAM",
+                "path": "auth/jwt/oidc-providers/ibmisam"
               }
             ]
           }