Update instructions in regards to azure AD Authentication and OIDC
5.4 KiB
layout | page_title | description |
---|---|---|
docs | OIDC Provider Setup - Auth Methods | OIDC provider configuration quick starts |
OIDC Provider Configuration
This page collects high-level setup steps on how to configure an OIDC application for various providers. For more general usage and operation information, see the Vault JWT/OIDC method documentation.
OIDC providers are often highly configurable and you should become familiar with their recommended settings and best practices. The instructions below are intended only to help you get started. Corrections and additions may be submitted via the Vault Github repository.
Azure Active Directory (AAD)
Reference: Azure Active Directory v2.0 and the OpenID Connect protocol
- Register or select an AAD application. Visit Overview page.
- Configure Redirect URIs ("Web" type).
- you must include two redirect URIs here one for CLI access another one for web access
- http://localhost:8250/oidc/callback
- https://hostname:port_number/ui/vault/auth/oidc/oidc/callback
- you must include two redirect URIs here one for CLI access another one for web access
- Record "Application (client) ID" you will need it as the oidc_client_id
- Under API Permissions grant the following permission:
- Microsoft Graph API permission Group.Read.All
- Under "Endpoints", copy the OpenID Connect metadata document URL, omitting the
/well-known...
portion.- endpoint url (oidc_discovery_url) should look as: https://login.microsoftonline.com/tenant-guid-dead-beef-aaaa-aaaa/v2.0
- Switch to Certificates & Secrets. Create a new client secret and record the generated value as it will not be accessible after you leave the page.
Please note Azure AD v2.0 endpoints are required for external groups to work.
-
groupMembershipClaims
should be changed fromnone
in the App registration manifest. Options are "All" or "Security" -
In the OIDC Role config the scope
"https://graph.microsoft.com/.default"
should be added to add groups to the jwt token andgroups_claim
should be set togroups
. -
Finally Azure AD group can be referenced by using the groups
objectId
as the group alias name for the external group.
CLI setup instructions:
You have to fill in the following values make sure to use the correct vault secret patch that matches the name of the authentication method such as /oidc/
- oidc_client_id = Application Client ID
- oidc_client_secret = Secret obtained from the Certificates & Secrets Section
- default_role = default role the user will be using when connecting. (see the second command)
- oidc_discovery_url = Open ID endpoint retrieved from the App Registration wections.
vault write auth/oidc/config \
oidc_client_id="your_client_id" \
oidc_client_secret="your_client_secret" \
default_role=“your_default_role” \
oidc_discovery_url="https://login.microsoftonline.com/tenant_id/v2.0”
vault write auth/oidc/role/demo user_claim="email" \
allowed_redirect_uris="http://localhost:8250/oidc/callback,https://online_version_hostname:port_number/ui/vault/auth/oidc/oidc/callback" \
groups_claim="groups" \
policies=default
Auth0
- Select Create Application (Regular Web App).
- Configure Allowed Callback URLs.
- Copy client ID and secret.
- If you see Vault errors involving signature, check the application's Advanced > OAuth settings and verify that signing algorithm is "RS256".
Gitlab
- Visit Settings > Applications.
- Fill out Name and Redirect URIs.
- Making sure to select the "openid" scope.
- Copy client ID and secret.
Main reference: Using OAuth 2.0 to Access Google APIs
- Visit the Google API Console.
- Create or a select a project.
- Create a new credential via Credentials > Create Credentials > OAuth Client ID.
- Configure the OAuth Consent Screen. Application Name is required. Save.
- Select application type: "Web Application".
- Configure Authorized Redirect URIs.
- Save client ID and secret.
Keycloak
- Select/create a Realm and Client. Visit Settings.
- Client Protocol: openid-connect
- Access Type: confidential
- Standard Flow Enabled: On
- Configure Valid Redirect URIs.
- Visit Settings. Select Client ID and Secret and note the generated secret.
Okta
- Make sure an Authorization Server has been created.
- Visit Applications > Add Application (Web).
- Configure Login redirect URIs. Save.
- Save client ID and secret.
Note your policy will need oidc_scopes
to include profile
to get a full profile ("Fat Token"). You will also need to configure bound audience along the lines of "bound_audiences": ["api://default", "0a4........."]
if you are using the default authorization server.