• HashiCorp Developer

  • HashiCorp Cloud Platform
  • Terraform
  • Packer
  • Consul
  • Vault
  • Boundary
  • Nomad
  • Waypoint
  • Vagrant
Vault
  • Install
  • Tutorials
  • Documentation
  • API
  • Try Cloud(opens in new tab)
  • Sign up
Vault Home

Documentation

Skip to main contentOverview
  • What is Vault?
  • Use Cases

  • Browser Support
  • Installing Vault

    • Overview
    • AppRole
    • AliCloud
    • AWS
    • Azure
    • Cloud Foundry
    • GitHub
    • Google Cloud
      • Overview
        • Overview
        • Auth0
        • Azure AD
        • Forgerock
        • Gitlab
        • Google
        • Keycloak
        • Kubernetes
        • Okta
        • SecureAuth
    • Kerberos
    • Kubernetes
    • LDAP
    • Oracle Cloud Infrastructure
    • Okta
    • RADIUS
    • TLS Certificates
    • Tokens
    • Username & Password

    • App ID
      DEPRECATEDDEPRECATED
  • Vault Integration Program
  • Vault Interoperability Matrix
  • Troubleshoot






  • Glossary


  • Resources

  • Tutorial Library
  • Certifications
  • Community Forum
    (opens in new tab)
  • Support
    (opens in new tab)
  • GitHub
    (opens in new tab)
  1. Developer
  2. Vault
  3. Documentation
  4. Auth Methods
  5. JWT/OIDC
  6. OIDC Providers
  7. SecureAuth
  • Vault
  • v1.11.x
  • v1.10.x
  • v1.9.x
  • v1.8.x
  • v1.7.x
  • v1.6.x
  • v1.5.x
  • v1.4.x

SecureAuth

The SecureAuth identity provider returns group membership claims as a comma-separated list of strings (e.g. groups: "group-1,group-2") instead of a list of strings.

To properly obtain group membership when using SecureAuth as the identity provider for Vault's OIDC Auth Method, the secureauth provider must be explicitly configured as shown below.

vault write auth/oidc/config -<<"EOH"
{
   "oidc_client_id": "your_client_id",
   "oidc_client_secret": "your_client_secret",
   "default_role": "your_default_role",
   "oidc_discovery_url": "https://idp.sasp.gosecureauth.com/your_secure_auth",
   "provider_config": {
      "provider": "secureauth"
   }
}
EOH

This will instruct the OIDC Auth Method to parse the comma-separated groups claims string into individual groups. Note that the role's groups_claim value must be properly configured to target the groups claim for your SecureAuth identity provider.

Edit this page on GitHub
Give Feedback(opens in new tab)
  • Certifications
  • System Status
  • Terms of Use
  • Security
  • Privacy
  • Trademark Policy
  • Trade Controls
  • Give Feedback(opens in new tab)