Automatic group mapping fails
Troubleshoot problems where the debugging data suggests a bad or nonexistent mapping between your Vault role and AD FS the Claim Issuance Policy.
Example debugging data
[DEBUG] auth.saml.auth_saml_1d2227e7: validating user context for role: api=callback role_name=default-samlrole="{ "token_bound_cidrs":null, "token_explicit_max_ttl":0, "token_max_ttl":0, "token_no_default_policy":false, "token_num_uses":0, "token_period":0, "token_policies":["default"], "token_type":0, "token_ttl":0, "BoundSubjects":["*@example.com","*@ext.example.com"], "BoundSubjectsType":"glob", "BoundAttributes":{"http://schemas.xmlsoap.org/claims/Group":["VaultAdmin","VaultUser"]}, "BoundAttributesType":"string", "GroupsAttribute":"groups" }"user context="{ "attributes": { "http://schemas.xmlsoap.org/claims/Group":["Domain Users","VaultAdmin"], "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress":["rs@example.com"] }, "subject":"rs@example.com"}"
Analysis
Use vault read
to review the current role configuration:
$ vault read auth/<SAML_PLUGIN_PATH>/role/<ADFS_ROLE> Key Value--- -----bound_attributes map[http://schemas.xmlsoap.org/claims/Group:[VaultAdmin VaultUser]]bound_attributes_type stringbound_subjects [*@example.com *@ext.example.com]bound_subjects_type globgroups_attribute groupstoken_bound_cidrs []token_explicit_max_ttl 0stoken_max_ttl 0stoken_no_default_policy falsetoken_num_uses 0token_period 0stoken_policies [default]token_ttl 0stoken_type default
The Vault role uses groups
for the group attribute, so Vault expects user
context in the SAML response to include a groups
attribute with the form:
user context="{ "attributes": { "groups":[<LIST_OF_BOUND_GROUPS>]", ... }}"
But the SAML response indicates the Claim Issuance Policy uses Group
for the
group attribute, so the user context uses Group
to key the bound groups:
user context="{ "attributes": { "http://schemas.xmlsoap.org/claims/Group":["Domain Users","VaultAdmin"], ... }, "subject":"rs@example.com"}"
Solution
The first option to resolve the problem is update group_attribute
for the
Vault role to use Group
:
$ vault write auth/<SAML_PLUGIN_PATH>/role/<ADFS_ROLE> \ groups_attribute=http://schemas.xmlsoap.org/claims/Group
For example:
$ vault write auth/saml/role/adfs-default \ groups_attribute=http://schemas.xmlsoap.org/claims/Group