A deeper look into Vault's external group integration with Azure AD, mentioned in the Azure AD OIDC tutorial, highlights Vault's ability to map policies to users belonging to multiple AD groups.
Expected Outcome
- Members of Azure AD groups will be able to authenticate via OIDC and inherit all policies associated with that group
- Members of multiple AD groups will inherit all policies of their respective groups
Prerequisites
- Azure AD groups with members spanning multiple groups
- Vault client OIDC configured for use with Azure AD
- No policies are defined in the OIDC role, unless global policies are desired
Use Case
- Defined in the referenced tutorial
- Members of Azure AD group(s) authenticate to Vault via OIDC
- Policies are assigned to a user based on which AD group(s) that user belongs to
- If a user belongs to multiple AD groups, they inherit all policies associated with each group
- Essentially, implement the LDAP auth method's group policy mapping functionality in OIDC
Procedure
1. Create a Vault external group for each AD group
- Assign the policies you wish the respective AD group members to inherit
- Save the `id` parameter output after each created group; it is needed when creating the group alias
vault write identity/group \
name="arbitrary_name_AD_group_1" \
type="external" \
policies="policy1,policy2" # NOTE: NO SPACE between policy1 and policy2
- Example Output:
Key Value
--- -----
id 0605c1a3-fa0c-c6fe-0bf4-d33b9ee6a35e # NOTE: SAVE THIS VALUE FOR LATER
name arbitrary_name_AD_group_1
2. Get the Azure Object Id for each AD group
- The object ID is the required `name` parameter when creating a group alias; it links the AD group to the respective Vault external group
- Policies will NOT map if the group name is used in place of the object ID during group alias creation
WARNING: Under certain naming conventions, the group name can resemble the object ID
3. Create group aliases using the Object Id for the `name` parameter
- Each Vault external group created requires only a single group alias
- In the above screenshot, each of the 4 AD groups would map to their own Vault external groups
- Each of those 4 Vault external groups would have its own group alias
- Set `name` to the Object ID from its respective AD group
- `canonical_id` is the `id` parameter output after group creation in step 1
- Run `vault auth list` to get the OIDC mount accessor
vault write identity/group-alias \
name="Object_Id_AD_Group_1" \
mount_accessor=<OIDC_mount_accessor> \
canonical_id=<vault_group_1_id_from_first_step>
4. Authenticate via OIDC with a user spanning multiple AD groups
- The user should have inherited the policies from each group with which they are associated
Key Value
--- -----
token hvs...
token_accessor p8VpzfYE7atYRIqYA2Hvi4JQ
token_duration 768h
token_renewable true
token_policies ["default"]
identity_policies ["policy_from_Vault_Group_1" "policy_from_Vault_group_2"]
policies [...]
token_meta_role default
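The three writes above (external group, object-ID lookup, group alias) and the final policy check, as an added example that is not part of the tutorial: it builds the `identity/group` and `identity/group-alias` payloads, pulls the OIDC accessor out of `vault auth list -format=json` output, refuses an alias whose `name` is a display name rather than an object ID, and computes the policy union a multi-group user should see under `identity_policies`. The accessor, object IDs and group names are constructed sample values.

```python
"""Added example (not the tutorial's code): plan the Vault external-group and
group-alias writes for Azure AD groups and check what a user should inherit."""
import json
import uuid

# Constructed sample of `vault auth list -format=json` (accessor values are made up).
AUTH_LIST_JSON = json.dumps({
    "token/": {"type": "token", "accessor": "auth_token_1a2b3c4d"},
    "oidc/": {"type": "oidc", "accessor": "auth_oidc_f9b7c2e1"},
})

# Constructed mapping: Azure AD group object ID -> (Vault external group name, policies).
AD_GROUPS = {
    "11111111-2222-3333-4444-555555555555": ("ad_group_1", ["policy1", "policy2"]),
    "66666666-7777-8888-9999-000000000000": ("ad_group_2", ["policy3"]),
}


def oidc_mount_accessor(auth_list_json):
    """Return the accessor of the OIDC auth mount, as shown by `vault auth list`."""
    for info in json.loads(auth_list_json).values():
        if info.get("type") == "oidc":
            return info["accessor"]
    raise LookupError("no OIDC auth method enabled")


def is_object_id(name):
    """Azure AD object IDs are GUIDs; a group display name will not parse as one."""
    try:
        return str(uuid.UUID(name)) == name.lower()
    except ValueError:
        return False


def group_payload(group_name, policies):
    """Step 1: payload for `vault write identity/group`; policies comma-joined, no spaces."""
    return {"name": group_name, "type": "external", "policies": ",".join(policies)}


def alias_payload(object_id, accessor, canonical_id):
    """Step 3: payload for `vault write identity/group-alias`; `name` must be the object ID."""
    if not is_object_id(object_id):
        raise ValueError(f"{object_id!r} is not an Azure object ID; policies would not map")
    return {"name": object_id, "mount_accessor": accessor, "canonical_id": canonical_id}


def identity_policies(member_of, ad_groups=AD_GROUPS):
    """Step 4 check: the union of policies over every mapped AD group the user belongs to."""
    return sorted({p for oid in member_of if oid in ad_groups for p in ad_groups[oid][1]})
```

`identity_policies` takes the object IDs from the user's OIDC group claim; unmapped groups contribute nothing, which is what you would expect to see in `identity_policies` on the login output.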
Summary:
- Created a Vault external group for each AD group tied to a single OIDC role
- Assigned each Vault group their respective policies
- Created group aliases for each Vault group
- Authenticated with a member of multiple AD groups, confirmed all policies from each group
- Vault maps Azure AD group members to Vault groups, and correctly handles users who belong to more than one of them