Restrict OIDC auth method access based on Azure Active Directory claims.

Introduction

When configuring the OIDC auth method in Vault, users can be restricted from accessing Vault based on bound_claims set on the OIDC role. This parameter is a map of claims (keys) to match against permitted claim values (values) from the identity provider. This article will explain how to configure bound_claims on the role when using Azure Active Directory as the identity provider. Possible restrictions when logging into Vault can be based on Azure AD groups, roles, emails, etc.

Procedure

1. Enable and configure the OIDC auth method within Vault along with creating Vault role(s).
   • HashiCorp Learn Tutorial for enabling OIDC auth method with Azure AD.
2. (Optional) Create Vault external group(s) to associate with Azure AD.
   • HashiCorp Learn Tutorial for creating Vault external group for AD group.
3. Gather the necessary claims from Azure AD to assign as a claim to the Vault role.
   • Restrict access based on Azure AD Group.
     • The claim key will be set to groups and claim value will be the group(s) in Azure AD.
       • In the below example, the ObjectID will be used from the Azure AD group.
   • Set the map for the bound_claims parameter to groups (key) and ObjectID (value).

vault write auth/oidc/role/<VaultRole> -<<EOF
{
  "bound_claims": {
    "groups": ["<AADGroupObjectId>"]
  }
}
EOF

• Restrict access based on Azure AD App Roles.
  • In the below example, the key role will be used with the value AppRoleID from Azure.

vault write auth/oidc/role/<VaultRole> -<<EOF
{
  "bound_claims": {
    "roles": ["<AADAppRoleValue>"]
  }
}
EOF

• Restrict access based on specific Azure AD user emails
  • In the below example, the key email will be used with a list user's email values.

vault write auth/oidc/role/<VaultRole> -<<EOF
{
  "bound_claims": {
    "email": [ "<email1>". "<email2>" ]
  }
}
EOF

Troubleshooting claims returned from the IdP

You can further test claims available when making the OIDC call from Vault into Azure. Note this is not recommended to be enabled within a production environment seeing sensitive information may be present in the OIDC responses.

1. Enable verbose OIDC logging for individual Vault roles by running:

   vault write auth/oidc/role/<VaultRole> verbose_oidc_logging="true"

2. When attempting to log into Vault via the OIDC method, Vault will log additional information and show the OIDC provider responses. This logging will include all claims provided from Azure AD. These claims can be added to the Vault role with bound_claims to then restrict access to Vault.

Additional Information

• JWT/OIDC - Auth Methods - HTTP API - bound_claims
• Azure Active Directory with OIDC Auth Method and External Groups
• How to enable OIDC Auth Method with Azure AD in a Namespace