Vault auth users with Azure AD.


Kamil Sebastian

Sep 9, 2019, 9:05:15 AM
to Vault
Hi,
I don't fully understand how this should work. My Vault instance is running in AWS (like the rest of the environment). What I'd like to achieve are Vault users authenticated using Azure AD without creating them with the userpass method. So each user could log in to Vault using his token obtained from Azure AD. Is it possible to configure it in that way? I can't find any example. What would the Vault Agent config look like in this case?
brgds,

Michel Vocks

Sep 9, 2019, 9:26:20 AM
to Vault
Hi there!

Yes, this is possible. You can use Vault's OIDC/JWT authentication backend to allow authentication against Azure AD. There is also a guide available in the docs for OIDC & Azure AD setup: https://www.vaultproject.io/docs/auth/jwt_oidc_providers.html#azure-active-directory-aad-

Cheers,
Michel

Kamil Sebastian

Sep 9, 2019, 11:13:14 AM
to Vault
So I ran:
vault write auth/oidc/role/test user_claim="user" allowed_redirect_uris="https://vault.domain.net/ui/vault/auth/oidc/oidc/callback" groups_claim="groups" policies=default
So in the UI I am trying to log in using OIDC; it opens an Office365 window with the information "Signing in with your OIDC provider..." and falls back to the main Vault window saying:
Error claim "user" not found in token. 

Jim Kalafut

Sep 9, 2019, 12:46:07 PM
to Vault
Hi Kamil,

You need to point the `user_claim` to a claim in the ID token (e.g. sub, email, etc.). Here are the standard claims, and optional ones can be configured: https://docs.microsoft.com/en-us/azure/active-directory/develop/id-tokens

You can enable the "verbose_oidc_logging" for the role during configuration to help troubleshoot the setup. This will log the received ID token so you can see what Vault is trying to process. Be sure to disable this setting prior to deploying to production.

Regards,
Jim
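The check behind the error Kamil saw, written out as an added example (this is not code from the thread or from Vault itself): it decodes the payload of an ID token the way you would when reading the output of `verbose_oidc_logging`, then reports whether the `user_claim` and `groups_claim` of a role actually resolve. The token, tenant id, client id and user are constructed placeholders; the signature segment is a dummy because the helper only inspects the payload, and Vault verifies the real signature against the provider's keys before it evaluates any claim.

```python
import base64
import json
from typing import Optional

# Constructed sample: the payload an Azure AD v2.0 ID token carries for a user.
# Tenant, client and subject ids are placeholders, not values from the thread.
# Azure AD only emits "groups" when the app registration is configured to do so.
SAMPLE_CLAIMS = {
    "iss": "https://login.microsoftonline.com/<TENANT-ID-PLACEHOLDER>/v2.0",
    "aud": "<CLIENT-ID-PLACEHOLDER>",
    "sub": "<SUBJECT-ID-PLACEHOLDER>",
    "email": "kamil@example.com",
    "preferred_username": "kamil@example.com",
    "groups": ["vault-admins", "devops"],
}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def build_unsigned_token(claims: dict) -> str:
    """Assemble header.payload.signature with a dummy signature (test data only)."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.dummy-signature"


SAMPLE_ID_TOKEN = build_unsigned_token(SAMPLE_CLAIMS)


def id_token_claims(token: str) -> dict:
    """Decode the payload of a compact JWT without verifying it (inspection only).

    Use this on the token logged by verbose_oidc_logging to see which claim
    names the provider actually issues before choosing user_claim.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated JWT segments")
    return json.loads(_b64url_decode(parts[1]))


def check_role_claims(claims: dict, user_claim: str,
                      groups_claim: Optional[str] = None) -> list:
    """Return the problems a role with these claim settings would hit.

    Mirrors the checks from the thread: user_claim must be present and
    non-empty; groups_claim, when configured, must be present and hold a
    list of group names.
    """
    problems = []
    if not claims.get(user_claim):
        problems.append(f'claim "{user_claim}" not found in token')
    if groups_claim is not None:
        groups = claims.get(groups_claim)
        if groups is None:
            problems.append(f'claim "{groups_claim}" not found in token')
        elif not isinstance(groups, list):
            problems.append(f'claim "{groups_claim}" is not a list of group names')
    return problems


if __name__ == "__main__":
    claims = id_token_claims(SAMPLE_ID_TOKEN)
    # The role from the thread: "user" is not a claim Azure AD issues.
    print(check_role_claims(claims, "user", "groups"))
    # user_claim pointed at a standard claim, as Jim suggests.
    print(check_role_claims(claims, "email", "groups"))
```

Run it as-is and the first call reports `claim "user" not found in token`, the second reports nothing. To inspect a real token, paste the string logged by `verbose_oidc_logging` into `id_token_claims` and pick `user_claim` from the keys it returns (`email`, `preferred_username` or `sub` are the usual choices), then turn the verbose logging off again.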