The OIDC method allows authentication via a configured OIDC provider using the user's web browser. When using the OIDC auth method, the user_claim parameter is used to uniquely identify the user. Its value becomes the name of the Identity entity alias created on a successful Vault login. If you use Azure AD as your IdP and sAMAccountName as the user_claim, additional steps are necessary on the Azure application.
Azure AD Configuration
In order for Azure AD to pass sAMAccountName in the access token, additional changes are necessary on the Azure application in use. For the exact changes, check Microsoft's documentation. At a high level, optionalClaims will need to be added via the application manifest. Along with setting the necessary optionalClaims, acceptMappedClaims will also need to be set to true. Note that Microsoft adds: "Do not set acceptMappedClaims property to true for multi-tenant apps, which can allow malicious actors to create claims-mapping policies for your app." If acceptMappedClaims is not set to true, Vault will not be able to fetch the access token, and the login fails with the following error:
Error exchanging oidc code: Provider.Exchange: unable to exchange auth code with provider: oauth2: cannot fetch token: 400 Bad Request
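The following is an added example and is not part of Vault's or Microsoft's documentation. It is a POSIX shell helper that decodes the payload of a JWT access token and extracts one named claim, so an operator can confirm that a token issued by Azure AD (obtained out of band with a test client) actually carries sAMAccountName before configuring it as the role's user_claim. The sample token is constructed inline with a dummy signature; the helper does not verify signatures (Vault does that itself) and only handles simple string-valued claims.

```shell
#!/bin/sh
# Added example: check that an access token payload contains the claim you
# intend to use as Vault's user_claim. Not Vault or Microsoft code.

# base64url-encode stdin (RFC 7515 style: no padding, URL-safe alphabet).
b64url() { base64 | tr -d '\n=' | tr '/+' '_-'; }

# jwt_claim TOKEN CLAIM
# Prints the string value of CLAIM from the token's payload segment.
# Returns 1 if the payload cannot be decoded or the claim is absent.
jwt_claim() {
  payload=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  # Restore the padding that base64url strips so base64 -d accepts it.
  case $(( ${#payload} % 4 )) in
    2) payload="${payload}==" ;;
    3) payload="${payload}=" ;;
  esac
  json=$(printf '%s' "$payload" | base64 -d 2>/dev/null) || return 1
  # Pull "CLAIM":"value" out of the JSON; string-valued claims only.
  val=$(printf '%s' "$json" | sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p")
  [ -n "$val" ] || return 1
  printf '%s\n' "$val"
}

# Constructed sample token (hypothetical values, signature is not real).
SAMPLE_HEADER=$(printf '{"alg":"RS256","typ":"JWT"}' | b64url)
SAMPLE_PAYLOAD=$(printf '{"aud":"api://vault","sAMAccountName":"jdoe","upn":"jdoe@example.com"}' | b64url)
SAMPLE_TOKEN="$SAMPLE_HEADER.$SAMPLE_PAYLOAD.not-a-real-signature"

# Usage: confirm the claim is present before pointing Vault at it.
if jwt_claim "$SAMPLE_TOKEN" sAMAccountName >/dev/null; then
  echo "sAMAccountName present: $(jwt_claim "$SAMPLE_TOKEN" sAMAccountName)"
else
  echo "sAMAccountName missing: review optionalClaims and acceptMappedClaims on the Azure app"
fi
```

Run it against a real access token by replacing SAMPLE_TOKEN with the token string; if the claim is missing, the Azure application manifest (optionalClaims and acceptMappedClaims) is the place to look before changing anything on the Vault role.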