Skip to main content

secureauth

SecureAuth

The SecureAuth identity provider returns group membership claims as a comma-separated list of strings (e.g. groups: "group-1,group-2") instead of a list of strings.

To properly obtain group membership when using SecureAuth as the identity provider for OpenBao's OIDC Auth Method, the secureauth provider must be explicitly configured as shown below.

bao write auth/oidc/config -<<"EOH"
{
   "oidc_client_id": "your_client_id",
   "oidc_client_secret": "your_client_secret",
   "default_role": "your_default_role",
   "oidc_discovery_url": "https://idp.sasp.gosecureauth.com/your_secure_auth",
   "provider_config": {
      "provider": "secureauth"
   }
}
EOH

This will instruct the OIDC Auth Method to parse the comma-separated groups claims string into individual groups. Note that the role's groups_claim value must be properly configured to target the groups claim for your SecureAuth identity provider.