OIDC group_claim is not working with Keycloak


Anantharami Reddy

Apr 12, 2019, 8:56:44 AM
to Vault
I have tried the User_claim and it is working fine, but Group_claim is not working (maybe I didn't use the right value in that field). Is it possible to test group_claim with the Keycloak auth provider? If yes, could you please describe this to me in a bit more detail?

Jim Kalafut

Apr 12, 2019, 1:34:31 PM
to Vault
Hi,

Other users have successfully used group_claim with Keycloak. There are a number of group-like claims possible in the Keycloak JWT (including "groups", but also "roles" in various spots). It depends on what you're trying to set up. Have you already created the expected groups in Vault? They won't be automatically created during the auth process.

Regards,
Jim

Anantharami Reddy

Apr 12, 2019, 2:58:53 PM
to vault...@googlegroups.com
Hi,

Thanks for your reply.

I didn't set up groups in Vault. I thought they would be created automatically in Vault when I authenticate with Keycloak. Please kindly provide me with an example setup if you happen to have one.

Best regards,
Anantha


--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/vault/issues
IRC: #vault-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Vault" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vault-tool+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/ea39fb45-44a7-4af1-a907-cf2e7c630b10%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Jim Kalafut

Apr 12, 2019, 3:40:27 PM
to vault...@googlegroups.com
Hi Anantha,

If you’re not familiar with identity and groups in Vault, please review:  https://learn.hashicorp.com/vault/identity-access-management/iam-identity

If you have groups “A” and “B” in Keycloak, you should create external groups in Vault named “A” and “B”. When you authenticate and Vault finds group names in the claim you’ve specified, it will create group aliases for those that already exist.

Sorry, I don’t have specific guidance for setting up Keycloak.

Regards,
Jim
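The two points in Jim's replies (Keycloak puts group-like data in several claims, and Vault only creates group aliases for external groups that already exist) are easy to check against a real token before touching the role config. The script below is an added example, not Vault or Keycloak code. It decodes a token payload without verifying the signature (Vault does verify; use it only on a token you already trust), resolves a claim the way a Vault OIDC role's groups_claim addresses it (a bare name, or a JSON pointer such as /resource_access/vault/roles for nested claims; check the jwt auth docs for your Vault version), and then simulates the alias step: which claim values would match existing external groups and which would be silently ignored. The sample claims, the "vault" client name and the unsigned sample token are constructed for the example; the group paths ("/A") reflect Keycloak's default "full group path" setting on its Group Membership mapper, which is a common reason a Vault group named "A" never matches.

```python
"""Inspect a Keycloak token and predict Vault's groups_claim matching.
Added example; not Vault or Keycloak code. No signature verification."""
import base64
import json


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_payload(token: str) -> dict:
    """Return the claims of a compact JWT. No signature check (see module doc)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))


def resolve_claim(claims: dict, claim: str):
    """Look up a claim the way a Vault OIDC role's groups_claim addresses it:
    a bare name is a top-level key; a string starting with '/' is an RFC 6901
    JSON pointer into nested objects (e.g. /realm_access/roles)."""
    if not claim.startswith("/"):
        return claims.get(claim)
    node = claims
    for raw in claim[1:].split("/"):
        key = raw.replace("~1", "/").replace("~0", "~")
        if isinstance(node, list):
            node = node[int(key)] if key.isdigit() and int(key) < len(node) else None
        elif isinstance(node, dict):
            node = node.get(key)
        else:
            return None
        if node is None:
            return None
    return node


def plan_group_aliases(claims: dict, groups_claim: str, external_groups: set):
    """Simulate the alias step of a Vault OIDC login: the claim must resolve to
    a list of strings, and a group alias is created only for names that already
    exist as external identity groups. Returns (matched, unmatched)."""
    values = resolve_claim(claims, groups_claim)
    if not isinstance(values, list) or not all(isinstance(v, str) for v in values):
        raise ValueError(
            f"groups_claim {groups_claim!r} must resolve to a list of strings, got {values!r}"
        )
    matched = sorted(v for v in values if v in external_groups)
    unmatched = sorted(v for v in values if v not in external_groups)
    return matched, unmatched


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned sample token (empty signature) so the
    example runs offline. Real Keycloak tokens are RS256-signed."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed sample payload (assumption: a Keycloak client named "vault").
SAMPLE_CLAIMS = {
    "sub": "user-1234",
    "preferred_username": "anantha",
    # Group Membership mapper with "Full group path" on (Keycloak default)
    "groups": ["/A", "/B", "/C"],
    "realm_access": {"roles": ["offline_access", "uma_authorization"]},
    "resource_access": {"vault": {"roles": ["A", "B"]}},
}
SAMPLE_TOKEN = make_unsigned_token(SAMPLE_CLAIMS)

if __name__ == "__main__":
    claims = decode_jwt_payload(SAMPLE_TOKEN)
    vault_groups = {"A", "B"}  # external groups created in Vault beforehand
    for candidate in ("groups", "/realm_access/roles", "/resource_access/vault/roles"):
        matched, unmatched = plan_group_aliases(claims, candidate, vault_groups)
        print(f"{candidate:32} aliases: {matched}  ignored: {unmatched}")
```

Running it shows that "/resource_access/vault/roles" matches groups A and B, while the top-level "groups" claim matches nothing because its values carry the leading slash; either create the Vault external groups with those exact names (`vault write identity/group name="/A" type="external"`) or turn off the full-path option on the Keycloak mapper. Whichever claim you pick, the external groups must exist in Vault before the first login, as Jim notes.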

Anantharami Reddy

Apr 12, 2019, 6:18:39 PM
to Vault
Hi Jim,

Thank you very much for your support. It is really helpful :)

Best regards,
Anantha