Background: Azure AD login with the OIDC auth method.
Azure AD is passing the AD samaccountname group names via the groups claim in the ID Token.
Vault is set up to use one of the group names configured via roles/group-alias.
Current behavior: if I leave the role field blank in the OIDC browser login, it defaults to the default group specified in Vault's Role config. If I put the configured roles/group-alias in the field, the right policy gets applied as expected.
Expected behavior: Vault looks at the roles/group-alias configuration, and any role/alias name that matches a group in the groups claim applies the correct policy. If multiple policies are not available, it applies the first one that matches, and the admins need to ensure that users do not have more than one group that could match a Vault config.
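The following is an added illustration of the role-selection behavior the issue asks for, not Vault's own code: it reads the groups claim from an ID token, compares each group name against the configured role/group-alias names, applies the first match (assumed here to mean first in configuration order), falls back to the default role when nothing matches, and reports every match so an admin can spot users who belong to more than one matching group. The role names, policies and token claims are constructed sample values.

```python
"""Illustrative model of OIDC role selection driven by the groups claim.

Not Vault's implementation. Everything below (role names, policies, the
ID token claims) is constructed sample data for the example.
"""
from typing import Dict, List, Optional, Tuple

# Constructed: role / group-alias name -> policies, in the order an admin
# configured them. "default" plays the role of Vault's default role here.
ROLE_POLICIES: Dict[str, List[str]] = {
    "default": ["default"],
    "vault-admins": ["default", "admin"],
    "app-readers": ["default", "read-secrets"],
}

# Constructed ID token claims as Azure AD might present them, with AD
# samaccountname group names in the "groups" claim.
ID_TOKEN_CLAIMS = {
    "sub": "user-1234",
    "preferred_username": "alice@example.test",
    "groups": ["Domain Users", "app-readers", "vault-admins"],
}


def resolve_role(
    claims: Dict[str, object],
    role_policies: Dict[str, List[str]],
    groups_claim: str = "groups",
    default_role: str = "default",
    requested_role: Optional[str] = None,
) -> Tuple[str, List[str], List[str]]:
    """Pick the role for a login and return (role, policies, all_matches).

    - requested_role set: honour it, but only if the token's groups claim
      actually contains that group (or it is the default role), mirroring a
      bound-claims style membership check rather than trusting the form field.
    - requested_role empty: walk the configured roles in order and take the
      first whose name appears in the groups claim; otherwise use default_role.
    all_matches lists every configured role the user's groups matched, so a
    user who matches more than one can be flagged for the admin.
    """
    raw_groups = claims.get(groups_claim, [])
    # Some IdPs emit a single string when the user is in exactly one group.
    groups = {raw_groups} if isinstance(raw_groups, str) else set(raw_groups or [])

    if requested_role is not None:
        if requested_role not in role_policies:
            raise KeyError(f"unknown role: {requested_role}")
        if requested_role != default_role and requested_role not in groups:
            raise PermissionError(
                f"token groups claim does not include {requested_role!r}"
            )
        return requested_role, list(role_policies[requested_role]), [requested_role]

    matches = [
        name for name in role_policies
        if name != default_role and name in groups
    ]
    if not matches:
        return default_role, list(role_policies[default_role]), []
    # First match in configuration order wins; the admin should ensure a user
    # is never in more than one matching group, which len(matches) > 1 reveals.
    return matches[0], list(role_policies[matches[0]]), matches


def ambiguous_memberships(
    claims: Dict[str, object],
    role_policies: Dict[str, List[str]],
    groups_claim: str = "groups",
    default_role: str = "default",
) -> List[str]:
    """Return the matching roles when a user matches more than one, else []."""
    _, _, matches = resolve_role(claims, role_policies, groups_claim, default_role)
    return matches if len(matches) > 1 else []


if __name__ == "__main__":
    role, policies, matches = resolve_role(ID_TOKEN_CLAIMS, ROLE_POLICIES)
    print(f"blank role field -> role={role} policies={policies} matches={matches}")
    print("ambiguous:", ambiguous_memberships(ID_TOKEN_CLAIMS, ROLE_POLICIES))
```

With the sample token, a blank role field resolves to vault-admins because that role is configured before app-readers, and the ambiguity check reports both, which is exactly the situation the issue says admins must avoid.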