Automatic group mapping fails

Troubleshoot problems where the debugging data suggests a bad or nonexistent mapping between your Vault role and AD FS the Claim Issuance Policy.

Example debugging data

[DEBUG] auth.saml.auth_saml_1d2227e7: validating user context for role: api=callback role_name=default-samlrole="{  "token_bound_cidrs":null,  "token_explicit_max_ttl":0,  "token_max_ttl":0,  "token_no_default_policy":false,  "token_num_uses":0,  "token_period":0,  "token_policies":["default"],  "token_type":0,  "token_ttl":0,  "BoundSubjects":["*@example.com","*@ext.example.com"],  "BoundSubjectsType":"glob",  "BoundAttributes":{"http://schemas.xmlsoap.org/claims/Group":["VaultAdmin","VaultUser"]},  "BoundAttributesType":"string",  "GroupsAttribute":"groups"  }"user context="{  "attributes":  {    "http://schemas.xmlsoap.org/claims/Group":["Domain Users","VaultAdmin"],    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress":["rs@example.com"]  },  "subject":"rs@example.com"}"

Analysis

Use vault read to review the current role configuration:

$ vault read auth/<SAML_PLUGIN_PATH>/role/<ADFS_ROLE>Key                        Value---                        -----bound_attributes           map[http://schemas.xmlsoap.org/claims/Group:[VaultAdmin VaultUser]]bound_attributes_type      stringbound_subjects             [*@example.com *@ext.example.com]bound_subjects_type        globgroups_attribute           groupstoken_bound_cidrs          []token_explicit_max_ttl     0stoken_max_ttl              0stoken_no_default_policy    falsetoken_num_uses             0token_period               0stoken_policies             [default]token_ttl                  0stoken_type                 default

The Vault role uses groups for the group attribute, so Vault expects user context in the SAML response to include a groups attribute with the form:

user context="{  "attributes":  {    "groups":[<LIST_OF_BOUND_GROUPS>]",    ...  }}"

But the SAML response indicates the Claim Issuance Policy uses Group for the group attribute, so the user context uses Group to key the bound groups:

user context="{  "attributes":  {    "http://schemas.xmlsoap.org/claims/Group":["Domain Users","VaultAdmin"],    ...  },  "subject":"rs@example.com"}"

Solution

The first option to resolve the problem is update group_attribute for the Vault role to use Group:

$ vault write auth/<SAML_PLUGIN_PATH>/role/<ADFS_ROLE> \    groups_attribute=http://schemas.xmlsoap.org/claims/Group

For example:

$ vault write auth/saml/role/adfs-default \    groups_attribute=http://schemas.xmlsoap.org/claims/Group

The second option to resolve the problem is to update your AD FS configuration to use groups and confirm the bound attributes in Vault match the expected groups:

Update your AD FS the Claim Issuance Policy to use groups for unqualified names:
LDAP attribute Outgoing claim type
Token-Groups - Unqualified Names groups

LDAP attribute	Outgoing claim type
`Token-Groups - Unqualified Names`	`groups`

Verify the bound attribute for your Vault role match the groups listed in the SAML response:

$ vault write auth/<SAML_PLUGIN_PATH>/role/<ADFS_ROLE> \    bound_attributes=groups="<AD_GROUP_LIST>"

For example:

$ vault write auth/saml/role/default-adfs \    bound_attributes=groups="VaultAdmin,VaultUser"

Automatic group mapping fails

Example debugging data

Analysis

Solution

Additional resources