Vault: Clearer AzureAD Auth/External Group documentation?

Created on 19 Jan 2020 · 5 Comments · Source: hashicorp/vault

I just set up AzureAD authentication via OIDC, with External Groups, and found the docs somewhat confusing/multiple places to look and pieces of information to pull together.

Would it be worth having a central place for that - maybe adding some additional details to the jwt_oidc_providers page?

I also got the AzureAD piece working with UPN, which is more "standard" for us anyway than email, and requires a few additional steps that I'm happy to document if people think it'd be helpful.

cc @jescalan


All 5 comments

Please update this, I have been working on this for three days and still I cannot figure out what the issue is.
@rayterrill Can you please give me some document to configure

yes please

"Finally Azure AD group can be referenced by using the groups objectId as the group alias name for the external group."

is a little confusing and I'm not sure how to proceed from:

https://www.vaultproject.io/docs/auth/jwt_oidc_providers.html#azure-active-directory-aad-

@rayterrill Please feel free to document whatever you found in here even if it's not cohesive or coherent enough to be worthy of updating the Vault official documentation page.

It would surely help others trying to configure it and maybe together we can make something more detailed

Sorry @annerajb lost track of this. Here are the notes I have:

AzureAD:

  1. Register an AAD application (ex: "Vault")
  2. Configure the redirect URIs - make sure you also add a redirect URI for whatever URL you'll be running Vault on (for example, https://vault.yourdomain.com/ui/vault/auth/oidc/oidc/callback):
     http://localhost:8250/oidc/callback
     https://vault.yourdomain.com/ui/vault/auth/oidc/oidc/callback
  3. Under the "API Permissions" tab, grant the following permissions, and grant admin consent once added.
     Group.Read.All
     profile (this is necessary to expose the "upn" claim to Vault)
     User.Read
  4. Under Token configuration (currently in preview as of 1/2020), click "Add groups claim", check the box for "All groups", and click SAVE. This passes group info to Vault, which allows us to map AzureAD groups into Vault groups to apply different permissions.
  5. Under the "Certificates & Secrets" tab, create a new client secret and note it for later

Vault - Configure the OIDC Provider for AzureAD

  1. Enable the OIDC provider:
     vault auth enable oidc
  2. Build the OIDC config for AzureAD. You will need the client id, client secret, and tenant id from the app:
     vault write auth/oidc/config oidc_client_id="[CLIENT_ID]" oidc_client_secret="[CLIENT_SECRET]" oidc_discovery_url="https://login.microsoftonline.com/[TENANT_ID]/v2.0" default_role="default"
  3. Configure the oidc default role. This allows anyone who can sign in with the azuread app to use the default policy (doesn't allow much) using User Principal Name (upn). This also allows for group claims, which lets us assign additional permissions to people based on AzureAD groups.
     vault write auth/oidc/role/default user_claim="upn" allowed_redirect_uris="http://localhost:8250/oidc/callback,https://vault.yourdomain.com/ui/vault/auth/oidc/oidc/callback" groups_claim="groups" policies=default oidc_scopes="profile"

Vault - Mapping "External" AzureAD Groups to the OIDC Provider

  1. Build an "admins" external group in vault, which uses an existing "admins" policy in vault
     vault write identity/group name="admins" type="external" policies="admins"
  2. Get the accessor ID for the oidc connection. You need the accessor value under oidc/. It should look something like: "auth_oidc_**"
     vault auth list -format=json
  3. Find the Object ID of the group in AzureAD you want to map through to Vault (AzureAD > Groups > Find the Group > Note the Object ID value)
  4. Map the admins group in AzureAD to the admins external group in vault. The name should be the Group ID for the AD group providing access to the policy from Step 3, the mount_accessor is the value from Step 2, and the canonical id is the value from Step 1:
     vault write identity/group-alias name="GROUP_ID_GUID_FROM_STEP_3" mount_accessor="auth_oidc_VAULT_FROM_STEP_2" canonical_id="ID_FROM_STEP_1"

For any subsequent groups you want to map through from AzureAD, you just need to repeat the steps in the "Vault - Mapping "External" AzureAD Groups to the OIDC Provider" section - create an External Group in Vault for the group, then map the AzureAD group to the Vault group using the identity/group-alias functionality.
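A debugging aid added here (not code from this issue or from Vault itself): it checks whether an ID token carries the "upn" and "groups" claims the role above expects, flags the Azure AD groups-overage case where the claim is replaced by a Graph reference, and replays Vault's group-alias lookup (alias name = AAD group objectId on the oidc mount accessor). The token, accessor, object ids and Vault identity state are all constructed sample values.

```python
import base64
import json

# Constructed sample claims shaped like the payload of an Azure AD v2.0 ID token;
# the "groups" values are AAD group objectIds, which is what the claim carries.
SAMPLE_CLAIMS = {
    "upn": "jdoe@yourdomain.com",
    "groups": ["11111111-2222-3333-4444-555555555555", "66666666-7777-8888-9999-000000000000"],
}

# Hypothetical Vault identity state mirroring the commands in the post: external
# groups keyed by canonical id, plus aliases named after the AAD group objectId.
OIDC_ACCESSOR = "auth_oidc_abcd1234"  # made-up accessor, see `vault auth list`
EXTERNAL_GROUPS = {"grp-admins-id": {"name": "admins", "policies": ["admins"]}}
GROUP_ALIASES = [{"name": "11111111-2222-3333-4444-555555555555",
                  "mount_accessor": OIDC_ACCESSOR, "canonical_id": "grp-admins-id"}]


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def build_unsigned_token(claims: dict) -> str:
    """Constructed test token (header.payload.<empty signature>) for inspection only."""
    header = b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}."


def decode_claims(token: str) -> dict:
    """Decode the payload segment; this does not verify the signature (Vault does)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_claims(claims: dict, user_claim="upn", groups_claim="groups") -> list:
    """Return the reasons a role using user_claim/groups_claim would fail on this token."""
    problems = []
    if user_claim not in claims:
        problems.append(f"missing {user_claim!r}: add the 'profile' scope / permission")
    if groups_claim in claims.get("_claim_names", {}):
        problems.append("groups overage: AAD replaced the groups claim with a Graph reference")
    elif groups_claim not in claims:
        problems.append(f"missing {groups_claim!r}: add the groups claim in Token configuration")
    return problems


def resolve_policies(claims: dict, groups_claim="groups") -> list:
    """Replay Vault's lookup: alias name == objectId and alias lives on the oidc accessor."""
    policies = set()
    for object_id in claims.get(groups_claim, []):
        for alias in GROUP_ALIASES:
            if alias["name"] == object_id and alias["mount_accessor"] == OIDC_ACCESSOR:
                policies.update(EXTERNAL_GROUPS[alias["canonical_id"]]["policies"])
    return sorted(policies)
```

To use it on a real login, paste the ID token from the browser callback into `decode_claims` and compare the objectIds it lists against the alias names you created; a group that is absent from the claim can never grant a policy no matter how the alias is configured.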

@rayterrill

FYI

Step 4.

Under Token configuration (currently in preview as of 1/2020), click "Add groups claim", check the box for "All groups", and click SAVE. This passes group info to Vault, which allows us to map AzureAD groups into Vault groups to apply different permissions.

So without setting --optional-claims for the application, as per Vault's OIDC Provider Configuration guide, you can set either

"groupMembershipClaims": "All",

or

"groupMembershipClaims": "SecurityGroup",

With az command, above can be set with

export AZUREAD_APP_DISPLAY_NAME="vault-app"
az ad app update \
   --id "$(az ad app list --query "[].{appId:appId,displayName:displayName}[?displayName=='${AZUREAD_APP_DISPLAY_NAME}']" | jq -r '.[] | .appId')" \
   --set groupMembershipClaims=All