
Azure active directory (AAD)

Warning: Azure Active Directory applications that have custom signing keys as a result of using the claims-mapping feature are currently not supported for OIDC authentication.

Reference: Azure Active Directory v2.0 and the OpenID Connect protocol

  1. Choose your Azure tenant.

  2. Go to Azure Active Directory and register an application for OpenBao.

  3. Add Redirect URIs with the "Web" type. You may include two redirect URIs: one for CLI access and another for OpenBao UI access.

    • http://localhost:8250/oidc/callback
    • https://hostname:port_number/ui/vault/auth/oidc/oidc/callback
  4. Record the "Application (client) ID" as you will need it as the oidc_client_id.

  5. Under Endpoints, copy the OpenID Connect metadata document URL, omitting the /well-known... portion.

  6. Under Certificates & secrets, add a client secret. Record the secret's value as you will need it as the oidc_client_secret for OpenBao.

Connect AD group with OpenBao external group

To connect an AD group with an OpenBao external group, you will need Azure AD v2.0 endpoints. You should set up an OpenBao policy for the Azure AD group to use.

  1. Go to Azure Active Directory and choose your OpenBao application.

  2. Go to Token configuration and Add groups claim. Select "All" or "SecurityGroup" based on which groups for a user you want returned in the claim.

  3. In OpenBao, enable the OIDC auth method.

  4. Configure the OIDC auth method with the oidc_client_id (application ID), oidc_client_secret (client secret), and oidc_discovery_url (endpoint URL) you recorded from Azure.

    bao write auth/oidc/config \
    oidc_client_id="your_client_id" \
    oidc_client_secret="your_client_secret" \
    default_role="your_default_role" \
    oidc_discovery_url="https://login.microsoftonline.com/tenant_id/v2.0"
  5. Configure the OIDC Role with the following:

    • user_claim should be "sub" or "oid" following the recommendation from Azure.
    • allowed_redirect_uris should be the two redirect URIs for OpenBao CLI and UI access.
    • groups_claim should be set to "groups".
    • oidc_scopes should be set to "https://graph.microsoft.com/.default".
    bao write auth/oidc/role/your_default_role \
    user_claim="sub" \
    allowed_redirect_uris="http://localhost:8250/oidc/callback,https://online_version_hostname:port_number/ui/vault/auth/oidc/oidc/callback" \
    groups_claim="groups" \
    oidc_scopes="https://graph.microsoft.com/.default" \
    policies=default
  6. In OpenBao, create the external group. Record the group ID as you will need it for the group alias.

  7. From OpenBao, retrieve the OIDC accessor ID from the OIDC auth method as you will need it for the group alias's mount_accessor.

  8. Go to the Azure AD Group you want to attach to OpenBao's external group. Record the objectId as you will need it as the group alias name in OpenBao.

  9. In OpenBao, create a group alias for the external group and set the objectId as the group alias name.

    bao write identity/group-alias \
    name="your_ad_group_object_id" \
    mount_accessor="openbao_oidc_accessor_id" \
    canonical_id="openbao_external_group_id"

Optional azure-specific configuration

If a user is a member of more than 200 groups (directly or indirectly), Azure will send _claim_names and _claim_sources. For example, returned claims might look like:

    {
      "_claim_names": {
        "groups": "src1"
      },
      "_claim_sources": {
        "src1": {
          "endpoint": "https://graph.windows.net...."
        }
      }
    }

The OIDC auth method role can be configured to include the user ID in the endpoint URL, which will be used by OpenBao to retrieve the groups for the user. Additional API permissions must be added to the Azure app in order to request the additional groups from the Microsoft Graph API.
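As an added example (not OpenBao's own code), the following Python walks through the two decisions described on this page: whether an ID token carries group object IDs directly or signals the over-200-groups overage through _claim_names/_claim_sources, and how the group-alias mapping from steps 6-9 turns Azure group objectIds into OpenBao external groups. The allowed Graph host list and all sample object IDs are assumptions constructed for the example.

```python
from urllib.parse import urlparse

# Assumption: only these Azure Graph hosts are acceptable overage endpoints.
ALLOWED_GRAPH_HOSTS = {"graph.windows.net", "graph.microsoft.com"}


def resolve_groups(claims):
    """Classify the group data in a decoded ID-token payload.

    Returns ("groups", [...]) when object IDs are present directly,
    ("overage", endpoint) when Azure sent _claim_names/_claim_sources
    instead (more than 200 groups), or ("none", None) if nothing is there.
    """
    if isinstance(claims.get("groups"), list):
        return "groups", list(claims["groups"])
    source_name = claims.get("_claim_names", {}).get("groups")
    if source_name is None:
        return "none", None
    endpoint = claims.get("_claim_sources", {}).get(source_name, {}).get("endpoint")
    if not endpoint:
        raise ValueError(f"_claim_sources has no endpoint for {source_name!r}")
    parsed = urlparse(endpoint)
    # Refuse to follow anything that is not HTTPS on a known Graph host.
    if parsed.scheme != "https" or parsed.hostname not in ALLOWED_GRAPH_HOSTS:
        raise ValueError(f"unexpected overage endpoint: {endpoint}")
    return "overage", endpoint


def map_to_external_groups(group_ids, aliases):
    """Apply the group-alias mapping: aliases is {azure_objectId: external_group}.
    Object IDs without an alias confer no external group, as in OpenBao."""
    return sorted({aliases[g] for g in group_ids if g in aliases})


# Constructed sample payloads; object IDs are placeholders, not real tenant data.
DIRECT_CLAIMS = {"sub": "user-1", "groups": ["11111111-aaaa", "22222222-bbbb", "33333333-cccc"]}
OVERAGE_CLAIMS = {
    "sub": "user-2",
    "_claim_names": {"groups": "src1"},
    "_claim_sources": {
        "src1": {"endpoint": "https://graph.windows.net/tenant_id/users/user-2/getMemberObjects"}
    },
}
ALIASES = {"11111111-aaaa": "openbao-admins", "33333333-cccc": "openbao-readers"}

if __name__ == "__main__":
    kind, value = resolve_groups(DIRECT_CLAIMS)
    print(kind, map_to_external_groups(value, ALIASES))
    print(resolve_groups(OVERAGE_CLAIMS))
```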

To set the proper permissions on the Azure app:

  1. Locate the application under "App Registrations" in Azure

  2. Navigate to the "API Permissions" page for the application

  3. Add a permission

  4. Select "Microsoft Graph"

  5. Select "Delegated permissions"

  6. Add the User.Read permission

  7. Check the "Grant admin consent for Default Directory" checkbox

  8. Configure the OIDC auth method in OpenBao by setting "provider_config" to Azure.

    bao write auth/oidc/config -<<"EOH"
    {
      "oidc_client_id": "your_client_id",
      "oidc_client_secret": "your_client_secret",
      "default_role": "your_default_role",
      "oidc_discovery_url": "https://login.microsoftonline.com/tenant_id/v2.0",
      "provider_config": {
        "provider": "azure"
      }
    }
    EOH
  9. Add "profile" to oidc_scopes so the user's ID comes back on the JWT.

    bao write auth/oidc/role/your_default_role \
    user_claim="email" \
    allowed_redirect_uris="http://localhost:8250/oidc/callback,https://online_version_hostname:port_number/ui/vault/auth/oidc/oidc/callback" \
    groups_claim="groups" \
    oidc_scopes="profile" \
    policies="default"