Introduction
The OIDC auth method allows authentication via a configured OIDC provider using the user's web browser. When using the OIDC auth method, the
user_claim parameter is used to uniquely identify the user; its value becomes the name of the Identity entity alias created on a successful Vault login. If you use Azure AD as your IdP and sAMAccountName as the user_claim, additional steps are necessary on the Azure application.

Azure AD Configuration
In order to allow Azure AD to pass sAMAccountName in the access token, additional changes are necessary on the Azure application in use. For the specific changes, please check Microsoft's documentation. At a high level, optionalClaims will need to be added via the application manifest. Along with setting the necessary optionalClaims, acceptMappedClaims will also need to be set to true. Note Microsoft's warning: "Do not set acceptMappedClaims property to true for multi-tenant apps, which can allow malicious actors to create claims-mapping policies for your app."

Without acceptMappedClaims set to true, Vault will not be able to fetch the token, and the login fails with the following error:

Error exchanging oidc code: Provider.Exchange: unable to exchange auth code with provider: oauth2: cannot fetch token: 400 Bad Request

Additional Information:
- Vault OIDC user_claim: https://developer.hashicorp.com/vault/api-docs/auth/jwt#user_claim
- Microsoft acceptMappedClaims: https://learn.microsoft.com/en-us/azure/active-directory/develop/reference-app-manifest#acceptmappedclaims-attribute
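As a worked illustration of the manifest changes described under Azure AD Configuration, the following Python script (an added example, not code from this article, from Vault, or from Microsoft) checks an exported Azure application manifest for the three things that matter before pointing Vault at it: that optionalClaims requests the claim, that acceptMappedClaims is true, and that acceptMappedClaims is not being enabled on a multi-tenant app. It can also produce a corrected manifest for a single-tenant app. The manifest fragments are constructed sample input; the claim entry shape ("name", "source": "user", "essential", "additionalProperties"), the claim name samAccountName, and the signInAudience values are assumptions taken from Microsoft's manifest reference and should be confirmed against your tenant's documentation and the claims actually present in your tokens.

```python
"""Pre-flight check of an Azure AD application manifest before using
sAMAccountName as the Vault OIDC user_claim.

Added example (not from the article, Vault, or Microsoft). Assumptions:
the claim appears as "samAccountName", optional-claim entries follow the
{"name", "source": "user", "essential", "additionalProperties"} shape,
and signInAudience uses Microsoft's documented values.
"""
import json

# signInAudience values that make an app multi-tenant (assumption: per the
# Azure app manifest reference). Microsoft warns against acceptMappedClaims
# on such apps because other tenants could create claims-mapping policies.
MULTI_TENANT_AUDIENCES = {"AzureADMultipleOrgs", "AzureADandPersonalMicrosoftAccount"}

# Constructed sample: a freshly registered single-tenant app, nothing configured.
MANIFEST_BEFORE = json.dumps({
    "signInAudience": "AzureADMyOrg",
    "acceptMappedClaims": None,
    "optionalClaims": None,
})

# Constructed sample: correctly configured but multi-tenant, which Microsoft
# tells you not to do.
MANIFEST_MULTI_TENANT = json.dumps({
    "signInAudience": "AzureADMultipleOrgs",
    "acceptMappedClaims": True,
    "optionalClaims": {
        "idToken": [{"name": "samAccountName", "source": "user",
                     "essential": False, "additionalProperties": []}],
        "accessToken": [{"name": "samAccountName", "source": "user",
                         "essential": False, "additionalProperties": []}],
    },
})


def _claim_entry(claim: str) -> dict:
    # Assumed optional-claim entry shape; confirm against Microsoft's docs.
    return {"name": claim, "source": "user", "essential": False, "additionalProperties": []}


def check_manifest(manifest_json: str, claim: str = "samAccountName") -> list[str]:
    """Return the list of problems found; an empty list means Vault can use it."""
    m = json.loads(manifest_json)
    problems = []
    optional = m.get("optionalClaims") or {}  # Azure exports null when unset
    sections_with_claim = [
        sec for sec in ("idToken", "accessToken")
        if any(e.get("name") == claim for e in (optional.get(sec) or []))
    ]
    if not sections_with_claim:
        problems.append(f"optionalClaims does not request '{claim}' in idToken or accessToken")
    if m.get("acceptMappedClaims") is not True:
        problems.append("acceptMappedClaims is not true: Vault's auth-code exchange "
                        "will fail with 'oauth2: cannot fetch token: 400 Bad Request'")
    elif m.get("signInAudience") in MULTI_TENANT_AUDIENCES:
        problems.append(f"acceptMappedClaims is true on a multi-tenant app "
                        f"({m.get('signInAudience')}); Microsoft warns other tenants "
                        f"could create claims-mapping policies for it")
    return problems


def fix_manifest(manifest_json: str, claim: str = "samAccountName") -> str:
    """Return a manifest with the claim requested and acceptMappedClaims enabled.

    Refuses to enable acceptMappedClaims on a multi-tenant app rather than
    silently weakening it.
    """
    m = json.loads(manifest_json)
    if m.get("signInAudience") in MULTI_TENANT_AUDIENCES:
        raise ValueError("refusing to set acceptMappedClaims on a multi-tenant app; "
                         "change signInAudience to AzureADMyOrg first")
    optional = m.get("optionalClaims") or {}
    for sec in ("idToken", "accessToken"):
        entries = optional.get(sec) or []
        if not any(e.get("name") == claim for e in entries):
            entries.append(_claim_entry(claim))
        optional[sec] = entries
    m["optionalClaims"] = optional
    m["acceptMappedClaims"] = True
    return json.dumps(m, indent=2)


if __name__ == "__main__":
    for label, manifest in (("before", MANIFEST_BEFORE), ("multi-tenant", MANIFEST_MULTI_TENANT)):
        print(f"{label}: {check_manifest(manifest) or 'OK'}")
    print(fix_manifest(MANIFEST_BEFORE))
```

Run it against a manifest downloaded from the app registration's Manifest blade; an empty problem list is the state in which the Vault role's user_claim can be set to the claim name without hitting the 400 Bad Request during the code exchange. Enabling the claim in both idToken and accessToken is a deliberate choice in the fix so it works whichever token the claim is read from; trim it to the section your setup actually needs.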