OIDC authentication with Microsoft Azure

18min
|
Terraform
Boundary

Deployment

OpenID Connect (OIDC) is an internet-scale federated identity and authentication protocol built on top of the OAuth 2.0 authorization framework and the JSON Object Signing and Encryption (JOSE) cryptographic system. OIDC builds on top of the OAuth 2.0 authorization protocol to enable a user to authorize a third-party application to access the user’s identity and authentication information.

The OIDC authentication method allows Boundary users to delegate authentication to an OIDC provider. This feature allows Boundary to integrate with popular identity providers like Microsoft Entra ID, cloud-hosted active directory services with an OIDC frontend, and cloud identity management systems such as AWS IAM.

Boundary users can create, read, update, and delete new OIDC authentication methods using the Admin Console UI, Boundary CLI, or the Boundary Terraform provider to enable login. OIDC auth methods can also be utilized for logging into the Admin Console and Desktop applications.

This tutorial provides an example of setting up OIDC with the Microsoft Entra ID provider and managing OIDC authentication methods.

OIDC authentication methods overview

Prerequisites

A Boundary binary greater than 0.8.0 in your PATH
This tutorial assumes you can connect to an HCP Boundary cluster or launch Boundary in dev mode.
An Azure test account. The associated email address should not be tied to another SSO method, so use of a personal account is recommended.
Installing the Boundary Desktop App provides an optional workflow for this tutorial. The 1.2.0 version or above is required for OIDC support.
Installing Terraform 0.13.0 or greater provides an optional workflow for this tutorial. The binary must be available in your PATH.

Get setup

In this tutorial, you will test OIDC integrations using HCP Boundary or by deploying a Boundary controller locally using dev mode.

Start Boundary in dev mode:

$ boundary dev
==> Boundary server configuration:

        [Controller] AEAD Key Bytes: hdcjQ5gegRbttzQ66D5GJjcxB+xtdHzL
          [Recovery] AEAD Key Bytes: E1/gdhTuDyhsvIm+tkQR0i4m/uSRrd5A
       [Worker-Auth] AEAD Key Bytes: gwo86AYxBlbPCLsw9lsBzZ4Fd7adcydw
               [Recovery] AEAD Type: aes-gcm
                   [Root] AEAD Type: aes-gcm
    [Worker-Auth-Storage] AEAD Type: aes-gcm
            [Worker-Auth] AEAD Type: aes-gcm
                                Cgo: disabled
     Controller Public Cluster Addr: 127.0.0.1:9201
             Dev Database Container: hardcore_keller
                   Dev Database Url: postgres://postgres:password@localhost:55000/boundary?sslmode=disable
         Generated Admin Login Name: admin
           Generated Admin Password: password
          Generated Host Catalog Id: hcst_1234567890
                  Generated Host Id: hst_1234567890
              Generated Host Set Id: hsst_1234567890
      Generated Oidc Auth Method Id: amoidc_1234567890
             Generated Org Scope Id: o_1234567890
  Generated Password Auth Method Id: ampw_1234567890
         Generated Project Scope Id: p_1234567890
                Generated Target Id: ttcp_1234567890
  Generated Unprivileged Login Name: user
    Generated Unprivileged Password: password
                         Listener 1: tcp (addr: "127.0.0.1:9200", cors_allowed_headers: "[]", cors_allowed_origins: "[*]", cors_enabled: "true", max_request_duration: "1m30s", purpose: "api")
                         Listener 2: tcp (addr: "127.0.0.1:9201", max_request_duration: "1m30s", purpose: "cluster")
                         Listener 3: tcp (addr: "127.0.0.1:9203", max_request_duration: "1m30s", purpose: "ops")
                         Listener 4: tcp (addr: "127.0.0.1:9202", max_request_duration: "1m30s", purpose: "proxy")
                          Log Level: info
                              Mlock: supported: false, enabled: false
                            Version: Boundary v0.10.3
                        Version Sha: d9eba38993eb70820a396894f2f1e28601d13c3d
         Worker Auth Current Key Id: folic-obliged-dude-stroller-skinless-eloquence-legible-dispense
   Worker Auth Registration Request: GzusqckarbczHoLGQ4UA25uSRm41paoR5HikgcBsCT4PMDFT7StpsFy5xjiWJwxszReKwcfGniKLcdpQto5HjhH3PqmdLU8fdT9kM7RMLiyzLKWdLqVWBhhdUiEy7Re2ConJcGWdHsGK7Th6zVQ3SXjqND3dQ3ytcVtAhdEznJQ58ib6HoMvpMTs66TS5ULCBXxpQ1u2syC6ChNPEPbaSpQd9pKWjPcPRVDjKpMzp6cjw9LZSPxBdadM81f7yS3voWoM5yMciXdUW6rqSMaP1NxRvQUAdhVQsM1ZqGLHNV
           Worker Auth Storage Path: /var/folders/8g/4dnhwwzx2d771tkklxwrd0380000gp/T/nodeenrollment1533264699
           Worker Public Proxy Addr: 127.0.0.1:9202

==> Boundary server started! Log data will stream in below:

{
  "id": "GypYTtKfJI",
  "source": "https://hashicorp.com/boundary/localmachine/controller+worker",
  "specversion": "1.0",
  "type": "system",
  "data": {
    "version": "v0.1",
    "op": "github.com/hashicorp/boundary/internal/observability/event.(*HclogLoggerAdapter).writeEvent",
    "data": {
      "@original-log-level": "none",
      "@original-log-name": "aws",
      "msg": "configuring client automatic mTLS"
    }
  },
  "datacontentype": "text/plain",
  "time": "2022-09-06T14:14:37.939433-06:00"
}
...
... More log output ...
...

Leave dev mode running in the current session, and open a new terminal window or tab.

Authenticate to the local Boundary dev server. Enter the password password when prompted.

$ boundary authenticate password -auth-method-id ampw_1234567890 -login-name admin
Please enter the password (it will be hidden): <password>

Authentication information:
  Account ID:      acctpw_1234567890
  Auth Method ID:  ampw_1234567890
  Expiration Time: Wed, 14 Jul 2021 11:38:18 MDT
  User ID:         u_1234567890

The token was successfully stored in the chosen keyring and is not displayed here.

Providers

To enable an OIDC auth method an administrator must first configure their OIDC provider, and then Boundary. The administrator registers Boundary as a new client with their OIDC provider by providing some values unique to their Boundary deployment. The administrator then configures Boundary with unique client information provided by their OIDC provider during registration. These values must match up for OIDC to work.

The administrator will need to provide a list of Boundary callback URLs when configuring the OIDC provider. The callback URLs route to one of the controllers and must begin with 'https', unless Boundary is in dev mode, where the URLs will route to localhost.

Many OIDC providers can be integrated with Boundary. This tutorial demonstrates working with Microsoft Entra ID, a popular provider for OIDC.

Get setup on Microsoft Entra ID

An Azure account and sample application are required to setup Entra ID as an OIDC provider for Boundary. If you don't have an account, sign up for Azure. It is recommended to use a personal Microsoft account for testing, and to avoid integrating an account that might already be associated with Azure. A free account is suitable for testing OIDC integration with Boundary. Please note that you are responsible for any charges incurred by following the steps in this tutorial.

Create a user

First, create an Entra ID user that will be permitted to log into the application that authorizes Boundary.

Tip

You may also use your existing Azure user account to test OIDC with Boundary. Skip to the Create an application section to avoid creating a new user.

Once signed up, it may take some time for a new tenant to become available. Once available, sign in to the Azure Portal. Navigate to the Microsoft Entra ID view using the sidebar on the left side of the page.
You will need an Entra ID tenant that is permitted to log into the application that authorizes Boundary. If no tenants are listed in the Azure AD view, create a new tenant by following these instructions in the Azure docs. You can also use a pre-existing tenant if one is already set up. This tutorial uses the Boundary organization and the boundaryoidc domain name.
Next, create a new user. In the tenant sidebar menu, select Users from the Manage section. Click the + New User button.
Enter the User name, and under Password enable the Let me create the password option. Define a password, then click Create.
The new user should then be displayed under the Entra ID Users portal. This tutorial created a user named admin with the User Principle Name admin@boundaryoidc.onmicrosoft.com.
If using Terraform to provision Boundary, select the newly created user to view its details. Copy the Object ID value under the Identity section. Save this value for defining the oidc_user subject later on.

Create an application

An application is what authorizes Entra ID users added in the previous step to connect with Boundary. After creating an application, its configuration details are used to add the OIDC auth method to Boundary.

There are two methods for setting up Boundary as an OIDC provider with Microsoft Azure:

Microsoft Entra enterprise application
Generic Entra web application

Either method allows for authentication to Boundary using Microsoft Entra ID as an identity provider. Select an Microsoft Entra configuration method to proceed.

This content borrows heavily from the Microsoft Entra single sign-on (SSO) integration with HashiCorp Boundary documentation.

From the Microsoft Entra ID view, select Enterprise applications using the sidebar on the left side of the page.
From the Enterprise applications view, click the + New application button.
Type hashicorp boundary in the search bar, and click on the HashiCorp Boundary result.
Confirm the name of your Boundary integration (this example uses HashiCorp Boundary) and click Create.
From the HashiCorp Boundary | Overview page, click Single sign-on.
From the HashiCorp Boundary | OIDC-based Sign-on page, click Go to application.
Click Authentication under the Manage sidebar.
Provide the redirect URI, which is http://localhost:9200/v1/auth-methods/oidc:authenticate:callback when Boundary is running in dev mode.
Paste the following redirect URI in the Web field.
```
http://localhost:9200/v1/auth-methods/oidc:authenticate:callback
```
Scroll down and locate the Front-channel logout URL. The logout URL ensures session logouts are handled correctly.
Construct the logout URL by appending :3000 to the end of your Boundary's https URL. In Dev mode, this is:
```
https://localhost:3000
```
Click Save.
Select Certificates & Secrets from the Manage sidebar on the left. Click New client secret and fill out the secret details. This tutorial describes the secret as Boundary OIDC test secret.
Click Add.
Copy the client Secret value and store it for use later. Ensure you grab the Value, not the Secret ID.
Lastly, navigate back to the App overview view using the menu on the left.
From this view, copy the Directory (Tenant) ID and the Application (client) ID.
You will also need to construct the application Issuer URL.
An Entra ID OIDC identity provider issuer is usually formatted like https://login.windows-ppe.net/Tenant_ID/v2.0, but it may vary depending on your account.
This is constructed from the OpenID Connect metadata document value, which is located in the application Endpoints view on the Overview page.
Click on Endpoints. Copy the OpenID Connect metadata document value, up to the /v2.0. For example,
```
https://login.windows-ppe.net/e29eae0c-29d7-4851-5e1fb68bfb3-5f8e3/v2.0
```
This value will be the Issuer used to configure the Boundary OIDC auth method.
Note
You may need to refer to Entra OIDC documentation for the latest OIDC endpoint schemas.
Three important values are needed to configure OIDC with Boundary.
- Issuer
- Client ID
- Client Secret
The following format is used for these values:
- issuer -> https://login.windows-ppe.net/Tenant_ID/v2.0 (copied from OpenID Connect metadata document)
- client-id -> Application (client) ID)
- client-secret -> Client Secret value
For example, this tutorial uses the following values:
- Issuer: https://login.windows-ppe.net/e29eae0c-29d7-4851-5e1fb68bfb3-5f8e3/v2.0
- Client ID: a4d21a76-e08c-4d8d-8c47-e1c423ee4d11
- Client Secret: X9u~u58--~rWLR4Q9i1-PtdZOi_s04~9O-
Keep these values in a safe place for use in the next steps.

This content borrows heavily from the Microsoft Entra register an application documentation.

From the Entra ID view, select App Registrations using the sidebar on the left side of the page.
From the Applications view, click the + New Registration button.
On the Register an application page, name your applciation and select its tenancy model. For this proof-of-concept tutorial, select Single-tenant. This tutorial names the application Boundary OIDC Test.
Under Redirect URI select the Web field. In dev mode, Boundary's callback URI uses localhost:9200.
Paste the following redirect URI in the Web field.
```
http://localhost:9200/v1/auth-methods/oidc:authenticate:callback
```
Click Register.
Once registered, you will be taken to the Overview page for your new app registration.
Select Certificates & Secrets from the Entra ID menu on the left. Click New client secret and fill out the secret details. This tutorial describes the secret as Boundary OIDC test secret.
Click Add.
Copy the client Secret value and store it for use later. Ensure you grab the Value, not the Secret ID.
Select Authentication from the Boundary OIDC test menu on the left.
Click Configure.
Under Redirect URIs, verify the callback URI you constructed earlier using the following format:
```
http://localhost:9200/v1/auth-methods/oidc:authenticate:callback
```
Update the callback URI if it is missing or incorrect.
Under Front-channel logout URL, enter the following:
```
https://localhost:3000
```
This ensures session logouts are handled correctly with Boundary running in dev mode.
Click Save when finished.
Now navigate back to the app's Overview page using the menu on the left.
From this view, copy the Directory (Tenant) ID and the Application (client) ID.
You will also need to construct the application Issuer URL.
An Entra ID OIDC identity provider issuer will typically have format of https://login.microsoftonline.com/Tenant_ID/v2.0, but it may vary depending on your account.
On the application Overview page, click on Endpoints. Copy the OpenID Connect metadata document value, up to the /v2.0. For example,
```
https://login.microsoftonline.com/e29eae0c-29d7-4851-5e1fb68bfb3-5f8e3/v2.0
```
This value will be the Issuer used to configure the Boundary OIDC auth method.
Note
You may need to refer to Entra OIDC documentation for the latest OIDC endpoint schemas.
Three important values are needed when configuring OIDC with Boundary.
- Issuer
- Client ID
- Client Secret
The following format is used for these values:
- issuer -> https://login.microsoftonline.com/Tenant_ID/v2.0
- client-id -> Application (client) ID)
- client-secret -> Client Secret value
For example, this tutorial uses the following values:
- Issuer: https://login.microsoftonline.com/e29eae0c-29d7-4851-5e1fb68bfb3-5f8e3/v2.0
- Client ID: a4d21a76-e08c-4d8d-8c47-e1c423ee4d11
- Client Secret: X9u~u58--~rWLR4Q9i1-PtdZOi_s04~9O-
Keep these values in a safe place for use in the next steps.

Auth method creation

Authentication is the process of establishing a user's identity. The user initiates this process by selecting an auth method.

When the user selects an OIDC auth method, the user's client sends a request to the system and includes additional data about the client itself. The system then returns two URLs: an OIDC authentication request URL and a Boundary token request URL.

If the user's client is a web browser, the client stores the Boundary token request URL in local storage then redirects the page to the OIDC authentication request URL. If the user's client is not a web browser, the client opens a web browser to the OIDC authentication request URL and begins polling the Boundary token request URL.

The user interacts with the OIDC provider to prove their identity using the browser window opened by the user's client. Once the OIDC provider has authenticated the user's identity, it redirects the browser window back to Boundary. The user's client then retrieves a Boundary token from the request URL.

To get started, an authentication method must be created for the provider of choice.

Create auth method for the provider

To set up a new auth method for your provider you will need the following from your provider's application settings:

issuer
client-id
client-secret

Auth methods can be created using the Admin Console UI, CLI, or using Terraform.

The Boundary Admin Console provides a UI for creating and managing OIDC resources, including auth methods.

Open the Admin Console UI by entering the Dev Controller URL of http://localhost:9200 into a browser.

Enter the admin username admin and password password and click Authenticate.

Admin UI Login

For Entra ID, these settings map to the following:

issuer -> https://login.windows-ppe.net/Tenant_ID/v2.0
client-id -> Application (client) ID)
client-secret -> Client Secret value

With these values you gathered from setting up an Entra ID application, a new OIDC auth method can be created.

Start by navigating to the Auth Methods settings view using the menu on the left side of the Admin Console. Select New and click OIDC.

Admin Console New Auth Method

Fill out the form details using the settings gathered from the Entra ID application settings.

Admin Console Auth Method Details

These include:

Name (Example: Azure)
Description (Example: Azure OIDC test auth method)
Issuer (Example: https://login.windows-ppe.net/e29eae0c-29d7-4851-5e1fb68bfb3-5f8e3/v2.0)
Client ID (Example: a4d21a76-e08c-4d8d-8c47-e1c423ee4d11)
Client Secret (Example: X9u~u58--~rWLR4Q9i1-PtdZOi_s04~91-)
Signing Algorithm
- Set to RS256
- Click Add

Additionally, set the API URL Prefix as follows:

API URL Prefix: http://localhost:9200

API URL Prefix

The API URL Prefix is set to http://localhost:9200 because Boundary is running in dev mode. This URL is used for actions like token retrieval and redirection.
Ensure there is NO trailing / at the end oof the URL.

Once the form is completed, click Save.

The new authentication method has now been created. Under the Attributes output, notice the state is set to inactive. Before it can be used the new auth method must be switched to an active state.

Next we will review the available authentication states and activate the new OIDC auth method.

Troubleshooting

Troubleshooting: If unable to save the auth method, ensure that the Issuer is prefixed by https:// and does NOT have a trailing / at the end of the URL.

Start by ensuring you are logged in to Boundary as the admin user.

For Entra ID, these settings map to the following:

issuer -> https://login.windows-ppe.net/Tenant_ID/v2.0
client-id -> Application (client) ID)
client-secret -> Client Secret value

With these values you gathered from setting up an Entra ID application, a new OIDC auth method can be created.

Start by setting the Client ID, Client Secret, and Tenant ID as environment variables.

$ export CLIENT_ID="<COPIED-CLIENT-ID>"; \
export CLIENT_SECRET="<COPIED-CLIENT-SECRET>"; \
export TENANT_ID="<COPIED-TENANT-ID>"

Example:

$ export CLIENT_ID="a4d21a76-e08c-4d8d-8c47-e1c423ee4d11"; \
export CLIENT_SECRET="X9u~u58--~rWLR4Q9i1-PtdZOi_s04~91-"; \
export TENANT_ID="e29eae0c-29d7-4851-5e1fb68bfb3-5f8e3"

These values will be passed to Boundary when creating the new OIDC auth method.

Note

The api-url-prefix must be set to the URL of your Boundary cluster. Select HCP or Dev mode to see an example.

For Dev mode the api-url-prefix is set to the local controller's address of http://localhost:9200.

$ boundary auth-methods create oidc \
  -issuer "https://login.windows-ppe.net/$TENANT_ID/v2.0" \
  -client-id "$CLIENT_ID" \
  -client-secret "$CLIENT_SECRET" \
  -signing-algorithm RS256 \
  -api-url-prefix "http://localhost:9200" \
  -name "azure"

The signing-algorithm is commonly set to RS256.
The api-url-prefix is used by the OIDC provider in the authentication flow, and should match the Boundary controller's address, set to http://localhost:9200 in this example.

Example:

$ boundary auth-methods create oidc \
  -issuer "https://login.windows-ppe.net/$TENANT_ID/v2.0" \
  -client-id "$CLIENT_ID" \
  -client-secret "$CLIENT_SECRET" \
  -signing-algorithm RS256 \
  -api-url-prefix "https://localhost:9200" \
  -name "azure"

Auth Method information:
  Created Time:         Mon, 07 Jun 2021 14:28:45 MDT
  ID:                   amoidc_rFqhKQlrvn
  Name:                 azure
  Type:                 oidc
  Updated Time:         Mon, 07 Jun 2021 14:28:45 MDT
  Version:              1

  Scope:
    ID:                 global
    Name:               global
    Type:               global

  Authorized Actions:
    no-op
    read
    update
    delete
    change-state
    authenticate

  Authorized Actions on Auth Method's Collections:
    accounts:
      create
      list

  Attributes:
    api_url_prefix:     https://localhost:9200
    callback_url:       https://localhost:9200/v1/auth-methods/oidc:authenticate:callback
    client_id:          a4d21a76-e08c-4d8d-8c47-e1c423ee4d11
    client_secret_hmac: SOhcIKhF0rBbe_Xc-2eHY0BNfIc3AO8GkQ0iohgLT_4
    issuer:             https://login.windows-ppe.net/e29eae0c-29d7-4851-5e1fb68bfb3-5f8e3/
    signing_algorithms: [RS256]
    state:              inactive

Next we will review the available authentication states and activate the new OIDC auth method.

Begin by creating a working directory to store the Terraform configuration file and changing into that directory. This tutorial will work out of the user's HOME directory.

$ mkdir learn-boundary-oidc && cd learn-boundary-oidc/

Next, create a Terraform configuration file called main.tf.

$ touch main.tf

Open the main.tf file in your code editor and add the base Boundary provider configuration below. The 1.0.2 version or above is required to support OIDC. An output value is included to print the oidc auth method id when Terraform applies the configuration.

The initial setup should set the boundary provider to match Boundary's authentication configuration so that Terraform can authenticate to Boundary. These settings are discussed in the Get Setup section.

Copy the following configuration, but replace the recovery_kms_hcl key with the value printed in the boundary dev terminal window.

learn-boundary-oidc/main.tf

terraform {
  required_providers {
    boundary = {
      source  = "hashicorp/boundary"
      version = "1.0.12"
    }
  }
}

output "auth-method-id" {
  value = boundary_auth_method_oidc.provider.id
}

provider "boundary" {
  addr             = "http://127.0.0.1:9200"
  recovery_kms_hcl = <<EOT
kms "aead" {
  purpose = "recovery"
  aead_type = "aes-gcm"
  key = "1/niAcbdYlJGqwOJfRtx3AyewF+Ty2EnioOR/q7tWRo="
  key_id = "global_recovery"
}
EOT
}

Next, Boundary Terraform resources will be used to set up the provider of choice.

For Entra ID, these settings map to the following:

issuer -> https://login.windows-ppe.net/Tenant_ID/v2.0
client-id -> Application (client) ID)
client-secret -> Client Secret value
subject -> User object_id

With these values you gathered from the Entra ID application settings a new OIDC auth method can be created.

The Terraform Boundary provider enables OIDC using the boundary_auth_method_oidc and boundary_account_oidc resources.

The boundary_auth_method_oidc resource uses the following attributes to configure a new auth method:

resource "boundary_auth_method_oidc" "name" {
  name                = (String)
  description         = (String)
  scope_id            = (String)
  issuer              = (String)
  client_id           = (String)
  client_secret       = (String)
  signing_algorithms  = (List of String)
  api_url_prefix      = (String)
}

The scope_id is the global scope ID. For HCP this is gathered from the Boundary Admin Console UI, or is o_1234567890 if using Boundary's Dev mode.
The issuer was gathered from the provider, and should be prefixed by https://
The client_id was gathered from the provider
The client_secret was gathered from the provider
The signing_algorithms are defined by the provider's issued tokens, and will usually include RS256
The api_url_prefix is used when generating callback urls and corresponds to an address where the controller is reachable by the provider. For HCP Boundary this is the Boundary Cluster URL found in the HCP portal (such as https://e58fe114-7624-431c-994d-b6670e90b03J.boundary.hashicorp.cloud). For dev mode this is http://localhost:9200

The boundary_account_oidc resource uses the following attributes to configure a new auth method:

resource "boundary_account_oidc" "name" {
  name           = (String)
  description    = (String)
  auth_method_id = (String)
  issuer         = (String)
  subject        = (String)
}

The auth_method_id is defined by the boundary_auth_method_oidc resource, and can be accessed using the named scope id, like boundary_auth_meethod_oidc.name.id
The issuer was gathered from the provider, and should be prefixed by https://
The subject maps to the user Object ID, and was gathered from the provider when creating a user

Add these two resources into your main.tf file. The entire file contents are shown below.

Make sure the following values are updated:

kms key (from boundary dev)
issuer (from provider)
client_id (from provider)
client_secret (from provider)
subject (from provider)

learn-boundary-oidc/main.tf

terraform {
  required_providers {
    boundary = {
      source  = "hashicorp/boundary"
      version = "1.0.12"
    }
  }
}

output "auth-method-id" {
  value = boundary_auth_method_oidc.provider.id
}

provider "boundary" {
  addr             = "http://127.0.0.1:9200"
  recovery_kms_hcl = <<EOT
kms "aead" {
  purpose = "recovery"
  aead_type = "aes-gcm"
  key = "m4+NMLonZAcAbr0VhFRThgnt+QM/P6BelMCEdYCBAa0="
  key_id = "global_recovery"
}
EOT
}

resource "boundary_auth_method_oidc" "provider" {
  name                 = "Azure"
  description          = "OIDC auth method for Azure"
  scope_id             = "o_1234567890"
  issuer               = "https://login.windows-ppe.net/e29eae0c-29d7-4851-5e1fb68bfb3-5f8e3/v2.0"
  client_id            = "a4d21a76-e08c-4d8d-8c47-e1c423ee4d11"
  client_secret        = "X9u~u58--~rWLR4Q9i1-PtdZOi_s04~9O-"
  signing_algorithms   = ["RS256"]
  api_url_prefix       = "http://localhost:9200"
}

resource "boundary_account_oidc" "oidc_user" {
  name           = "user1"
  description    = "OIDC account for user1"
  auth_method_id = boundary_auth_method_oidc.provider.id
  issuer  = "https://login.windows-ppe.net/e29eae0c-29d7-4851-5e1fb68bfb3-5f8e3/v2.0"
  subject = "c3dc63d0-90e6-4855-b9c0-e87da14a9c5f"
}

With these resources in place, first initialize Terraform.

$ terraform init

Initializing the backend...

Initializing provider plugins...
- Finding hashicorp/boundary versions matching "1.0.12"...
- Installing hashicorp/boundary v1.0.12...
- Installed hashicorp/boundary v1.0.12 (signed by HashiCorp)

Terraform has created a lock file .terraform.lock.hcl to record the provider
selections it made above. Include this file in your version control repository
so that Terraform can guarantee to make the same selections by default when
you run "terraform init" in the future.

Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.

If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.

Next, apply the configuration. Enter yes when prompted for confirmation.

$ terraform apply

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # boundary_account_oidc.oidc_user will be created
  + resource "boundary_account_oidc" "oidc_user" {
      + auth_method_id = (known after apply)
      + description    = "OIDC account for user1"
      + id             = (known after apply)
      + issuer         = "https://login.windows-ppe.net/e29eae0c-29d7-4851-5e1fb68bfb3-5f8e3/v2.0"
      + name           = "user1"
      + subject        = "c3dc63d0-90e6-4855-b9c0-e87da14a9c5f"
    }

  # boundary_auth_method_oidc.provider will be created
  + resource "boundary_auth_method_oidc" "provider" {
      + api_url_prefix     = "http://localhost:9200"
      + callback_url       = (known after apply)
      + client_id          = "a4d21a76-e08c-4d8d-8c47-e1c423ee4d11"
      + client_secret      = "X9u~u58--~rWLR4Q9i1-PtdZOi_s04~9O-"
      + client_secret_hmac = (known after apply)
      + description        = "OIDC auth method for Azure"
      + id                 = (known after apply)
      + issuer             = "https://login.windows-ppe.net/e29eae0c-29d7-4851-5e1fb68bfb3-5f8e3/v2.0"
      + name               = "Azure"
      + scope_id           = "o_1234567890"
      + signing_algorithms = [
          + "RS256",
        ]
      + state              = (known after apply)
      + type               = "oidc"
    }

Plan: 2 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

boundary_auth_method_oidc.provider: Creating...
boundary_auth_method_oidc.provider: Creation complete after 1s [id=amoidc_ZMettTQoi7]
boundary_account_oidc.oidc_user: Creating...
boundary_account_oidc.oidc_user: Creation complete after 0s [id=acctoidc_RioLnuyZMw]

Apply complete! Resources: 2 added, 0 changed, 0 destroyed.

Outputs:

auth-method-id = amoidc_ZMettTQoi7

The new authentication method has been created! If Terraform encounters an error, ensure the issuer, client_id and client_secret have been copied correctly from the provider, and that the issuer is prefixed with https://.

Copy the auth-method-id from the output.

Authentication states

An OIDC auth method can be in one of several different states: Inactive, Active Private, and Active Public. The current state of an OIDC auth method affects how endpoints respond to requests and, in some cases, whether access to an endpoint requires authentication.

State change operations

MakeInactive transitions an OIDC auth method from either the Active Private or the Active Public state into the Inactive state.
MakePrivate transitions an OIDC auth method from either the Inactive or the Active Public state into the Active Private state. If transitioning from the Inactive state, the transition will only succeed if the configuration is valid.
MakePublic transitions an OIDC auth method from either the Inactive or the Active Private state into the Active Public state. If transitioning from the Inactive state, the transition will only succeed if the configuration is valid.

Three different states exist for an authentication method:

inactive users can not authenticate with inactive auth methods and the inactive auth methods are not listed for unauthenticated users.
active-private users can authenticate with active-private auth methods and active-private auth methods are not listed for unauthenticated users.
active-public users can authenticate active-public auth methods and active-public auth methods are listed for unauthenticated users.

Before changing the state of an auth-method, Boundary will retrieve the Provider’s discovery document for the auth method’s issuer and attempt to validate the auth-method’s configuration against this published information. If Boundary is unable to validate the configuration an error is returned and the state change is not made.

If a change is made from active-public or active-private to inactive, all in-flight authentications will succeed unless the auth method’s configuration is modified while the request is in-flight.

When changing an auth method's state using boundary auth-methods change-state the -disable-discovered-config-validation flag is used to disable validation against the provider’s published discovery document. This allows for the very rare occurrence when the Provider has published an invalid discovery document.

Activate the OIDC auth method

Now that a new OIDC method has been created, it can be activated and assigned as the default login type for the global scope.

Currently the login type is set as inactive, and won't allow authentication.

$ boundary authenticate oidc -auth-method-id amoidc_oHt4HQFCrN
Error from controller when performing authentication start

Error information:
  Kind:                Internal
  Message:             authmethod_service.(Service).authenticateOidcStart: Error generating parameters for starting the OIDC flow.: unknown: error #500
  Status:              500
  context:             Error from controller when performing authentication start

Auth methods can be activated using the Admin Console UI, CLI, or using Terraform.

Before the new auth method will be allowed it must be set to an active state.

Under the settings for the new auth method, select Inactive from the menu in the upper-right side of the page and change its state by clicking Public.

The login type will now allow be allowed.

Global and organization scopes may have auth methods in Boundary, and each scope has one primary auth-method ID. Boundary will automatically create a user upon first successful authentication using the scope’s primary auth method, which will be used by scopes with only one auth method available.

When migrating the database, Boundary will produce a log of any auth methods which resulted in no primary auth method being set for the scope.

Set the new OIDC auth method as the primary auth method for the global scope.

Under the settings for the new auth method, select Manage from the menu in the upper-right side of the page.

A confirmation window will be displayed to inform you that new users that sign in using OIDC will automatically be added to the new auth method. Select OK to continue.

Now try authenticating using the newly created OIDC auth method.

Select the admin user menu in the top-right corner of the page and select Deauthenticate.

Next, select the new auth method called Azure, and click Authenticate.

Admin Console Azure

A browser tab should automatically open and prompt you to log in with your Azure user account credentials. Ensure you log in with the test user credentials created in the Entra ID application setup, not your primary Azure account.

Azure Application Login

If you experience any issues logging in, you may be logged into the wrong Azure account. Visit the Azure Portal, select your username in the upper-right corner of the window and click Sign Out. Then, revisit the previously opened Authenticate Boundary browser tab and click Retry to log back into Azure with the test user account credentials.

After successful authentication you are automatically redirected to the Admin Console. Notice the restricted permissions for this new user, which can be updated and assigned using Roles and Groups.

If you were to log back into the Admin Console as the admin user, you would notice the new OIDC user has automatically been added under the Users view.

Admin Console New User

Next you will review the various methods that can be used to authenticate to Boundary using the new OIDC auth method.

Enable the the auth method by updating its state to active-public.

$ boundary auth-methods change-state oidc -id amoidc_rFqhKQlrvn -state active-public

Auth Method information:
  Created Time:         Mon, 12 Sep 2022 13:40:38 MDT
  ID:                   amoidc_rFqhKQlrvn
  Name:                 azure
  Type:                 oidc
  Updated Time:         Mon, 12 Sep 2022 13:56:43 MDT
  Version:              2

  Scope:
    ID:                 global
    Name:               global
    Type:               global

  Authorized Actions:
    no-op
    read
    update
    delete
    change-state
    authenticate

  Authorized Actions on Auth Method's Collections:
    accounts:
      create
      list
    managed-groups:
      create
      list

  Attributes:
    api_url_prefix:     https://e29eae0c-29d7-4851-5e1fb68bfb3-5f8e3.boundary.hashicorp.cloud
    callback_url:       https://e29eae0c-29d7-4851-5e1fb68bfb3-5f8e3.boundary.hashicorp.cloud/v1/auth-methods/oidc:authenticate:callback
    client_id:          09443893-b713-4dbf-a417-8882bff4168d
    client_secret_hmac: SEOTy9cZgs7BTYRknG44rFxQQ64xY3qp2i1iEDpkvX0
    issuer:             https://login.windows-ppe.net/0e3e2e88-8caf-41ca-b4da-e3b33b6c52ec/v2.0
    signing_algorithms: [RS256]
    state:              active-public

With the state set to active the login type will now be allowed.

When migrating the database, Boundary will produce a log of any auth methods which resulted in no primary auth method being set for the scope.

Set the new OIDC auth method as the primary auth method for the global scope.

$ boundary scopes update -primary-auth-method-id amoidc_rFqhKQlrvn -id global

Scope information:
  Created Time:             Thu, 18 Aug 2022 10:55:18 MDT
  Description:              Global Scope
  ID:                       global
  Name:                     global
  Primary Auth Method ID:   amoidc_rFqhKQlrvn
  Updated Time:             Mon, 12 Sep 2022 13:58:47 MDT
  Version:                  3

  Scope (parent):
    ID:                     global
    Name:                   global
    Type:                   global

  Authorized Actions:
    no-op
    read
    update
    delete

  Authorized Actions on Scope's Collections:
    auth-methods:
      create
      list
    auth-tokens:
      list
    groups:
      create
      list
    roles:
      create
      list
    scopes:
      create
      list
    users:
      create
      list
    workers:
      create:worker-led
      list

Now try authenticating using the newly created OIDC auth method.

$ boundary authenticate oidc -auth-method-id amoidc_rFqhKQlrvn
Opening returned authentication URL in your browser...

A browser tab should automatically open and prompt you to log in with the user credentials created when setting up Entra ID.

After successful authentication, return to your terminal and notice the Authentication information that is printed.

$ boundary authenticate oidc -auth-method-id amoidc_rFqhKQlrvn
Opening returned authentication URL in your browser...

Authentication information:
  Account ID:      acctoidc_oztPFBFesH
  Auth Method ID:  amoidc_rFqhKQlrvn
  Expiration Time: Thu, 13 May 2021 17:01:11 MDT
  User ID:         u_JCRQP3ID7l

The token was successfully stored in the chosen keyring and is not displayed here.

Auth methods must be updated to an active state before they can be used.

The state of the new auth method can be checked using the read operation. First, ensure you are logged in as the admin user.

$ boundary authenticate password -auth-method-id ampw_1234567890 -login-name admin
Please enter the password (it will be hidden): <password>

Authentication information:
  Account ID:      apw_DZRvFzmb0Y
  Auth Method ID:  ampw_1234567890
  Expiration Time: Thu, 20 May 2021 16:32:06 MDT
  User ID:         u_1234567890

The token was successfully stored in the chosen keyring and is not displayed here.

Next read the auth method details. Use the auth-method-id you copied from the terraform apply output.

$ boundary auth-methods read -id amoidc_ZMettTQoi7

Auth Method information:
  Created Time:         Wed, 09 Jun 2021 12:59:44 MDT
  Description:          OIDC auth method for Azure
  ID:                   amoidc_ZMettTQoi7
  Name:                 Azure
  Type:                 oidc
  Updated Time:         Wed, 09 Jun 2021 12:59:45 MDT
  Version:              2

  Scope:
    ID:                 o_1234567890
    Name:               Generated org scope
    Parent Scope ID:    global
    Type:               org

  Authorized Actions:
    no-op
    read
    update
    delete
    change-state
    authenticate

  Authorized Actions on Auth Method's Collections:
    accounts:
      create
      list

  Attributes:
    api_url_prefix:     http://localhost:9200
    callback_url:       http://localhost:9200/v1/auth-methods/oidc:authenticate:callback
    client_id:          a4d21a76-e08c-4d8d-8c47-e1c423ee4d11
    client_secret_hmac: qbLhGSr0XZpZhdEjChZwjJMqG-dZzsX9gSRG4f44jWQ
    issuer:             https://login.windows-ppe.net/e29eae0c-29d7-4851-5e1fb68bfb3-5f8e3/v2.0
    signing_algorithms: [RS256]
    state:              active-public

Notice at the bottom of the output that the login state is already set to active-public.

It's important to be aware that using Terraform to provision an auth method will set the state to active by default, unless otherwise defined. The state attribute can be used on the boundary_auth_method_oidc resource to set an auth method to active-private or inactive.

Now that the auth method state has been verified, the primary login type can be defined for the global scope.

When migrating the database, Boundary will produce a log of any auth methods which have more than one auth method which resulted in no primary auth method being set for the Scope.

Make three updates to the boundary_auth_method_oidc resource in the main.tf file:

Set the auth method's state to active-public for clarity
Set the new OIDC auth method as the primary auth method for the global scope by setting the is_primary_for_scope attribute

Below is an example. Update your main.tf file accordingly.

resource "boundary_auth_method_oidc" "provider" {
  name                 = "Azure"
  description          = "OIDC auth method for Azure"
  scope_id             = "o_1234567890"
  issuer               = "https://login.windows-ppe.net/e29eae0c-29d7-4851-5e1fb68bfb3-5f8e3/v2.0"
  client_id            = "a4d21a76-e08c-4d8d-8c47-e1c423ee4d11"
  client_secret        = "X9u~u58--~rWLR4Q9i1-PtdZOi_s04~9O-"
  signing_algorithms   = ["RS256"]
  api_url_prefix       = "http://localhost:9200"
  is_primary_for_scope = true
  state                = "active-public"
}

Apply the updated configuration. Enter yes when prompted.

$ terraform apply
boundary_auth_method_oidc.provider: Refreshing state... [id=amoidc_ZMettTQoi7]
boundary_account_oidc.oidc_user: Refreshing state... [id=acctoidc_RioLnuyZMw]

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  ~ update in-place
-/+ destroy and then create replacement

Terraform will perform the following actions:

  # boundary_account_oidc.oidc_user must be replaced
-/+ resource "boundary_account_oidc" "oidc_user" {
        auth_method_id = "amoidc_ZMettTQoi7"
        description    = "OIDC account for user1"
      ~ id             = "acctoidc_RioLnuyZMw" -> (known after apply)
      + issuer         = "https://login.windows-ppe.net/e29eae0c-29d7-4851-5e1fb68bfb3-5f8e3/v2.0" # forces replacement
        name           = "user1"
      + subject        = "c3dc63d0-90e6-4855-b9c0-e87da14a9c5f"
    }

  # boundary_auth_method_oidc.provider will be updated in-place
  ~ resource "boundary_auth_method_oidc" "provider" {
        api_url_prefix       = "http://localhost:9200"
        callback_url         = "http://localhost:9200/v1/auth-methods/oidc:authenticate:callback"
        client_id            = "a4d21a76-e08c-4d8d-8c47-e1c423ee4d11"
        client_secret        = "X9u~u58--~rWLR4Q9i1-PtdZOi_s04~9O-"
        client_secret_hmac   = "qbLhGSr0XZpZhdEjChZwjJMqG-dZzsX9gSRG4f44jWQ"
        description          = "OIDC auth method for Azure"
        id                   = "amoidc_ZMettTQoi7"
      + is_primary_for_scope = true
        issuer               = "https://login.windows-ppe.net/e29eae0c-29d7-4851-5e1fb68bfb3-5f8e3/v2.0"
        name                 = "Azure"
        scope_id             = "o_1234567890"
        signing_algorithms   = [
            "RS256",
        ]
        state                = "active-public"
        type                 = "oidc"
    }

Plan: 1 to add, 1 to change, 1 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

boundary_account_oidc.oidc_user: Destroying... [id=acctoidc_RioLnuyZMw]
boundary_auth_method_oidc.provider: Modifying... [id=amoidc_ZMettTQoi7]
boundary_auth_method_oidc.provider: Modifications complete after 0s [id=amoidc_ZMettTQoi7]
boundary_account_oidc.oidc_user: Destruction complete after 0s
boundary_account_oidc.oidc_user: Creating...
boundary_account_oidc.oidc_user: Creation complete after 0s [id=acctoidc_RioLnuyZMw]

Apply complete! Resources: 1 added, 1 changed, 1 destroyed.

Outputs:

auth-method-id = amoidc_ZMettTQoi7

With the auth method set to active and defined as the primary login method, users can now authenticate using their preferred method of choice.

Authenticate using OIDC

With the OIDC provider configured, Boundary users can authenticate using the CLI, Admin Console or Boundary Desktop app. Boundary administrators will usually follow a CLI or Admin Console workflow, while clients and end-users can use the CLI or Desktop application.

The Boundary Desktop app is currently available for MacOS and Windows users.

Note

Ensure that the latest version of the Boundary Desktop app is installed from the releases page before attempting to login with OIDC. The minimum version of the app allowing OIDC login is 1.0.0.

Launch the Boundary Desktop app and enter the Boundary Cluster URL.
Launch the Boundary Desktop app and enter http://localhost:9200 as the Cluster URL, then click Submit.
Select Azure and click Authenticate.
A browser window should launch and prompt for your provider's user credentials. You may see an "Authentication Pending" message, and can click the "Retry" button to force a new authentication tab to open.
Submit your OIDC provider user credentials.
You should receive a "Successful Authentication" message.

Once authenticated, open the Boundary Desktop app again and verify the authenticated user in the upper-right corner of the application window.
It is expected for this user to be unprivileged, and to be denied access to view targets and sessions. The OIDC user could be updated to include new privileges if an admin user assigns it to a role.

You have now completed OIDC integration with the Boundary Desktop app.

Navigate to the Boundary Cluster URL in your web browser. This is your HCP Cluster URL, such as https://e58fe114-7624-431c-994d-b6670e90b03J.boundary.hashicorp.cloud, or http://localhost:9200 if using Dev mode.
Select the name of the new auth method (such as Azure) and click Authenticate.
If your browser doesn't allow pop-ups, you may be presented with an "Authentication Pending" message, which you can bypass by clicking Retry. If you do not encounter this message proceed to the next step. Consider enabling pop-ups from your localhost for the rest of this tutorial.
Next, enter your Azure user credentials and click Continue.
You should receive a "Successful Authentication" message and automatically be redirected to the Admin Console. If you are not redirected, check to make sure your browser is not blocking pop-ups from http://localhost:9200, or allow pop-ups temporarily.
Once authenticated, navigate to the Auth Methods view on the left, and notice the OIDC Type and ID used when setting up the auth method. Explore the other views and notice what this user has access to view and not view. The OIDC user could be updated to include new privileges if an admin user assigns it to a role.
You have now completed OIDC integration with the Admin Console.

The boundary authenticate oidc command will launch a browser session to enable authentication using the configured provider.

$ boundary authenticate oidc -auth-method-id amoidc_q7jAdI1QgA
Opening returned authentication URL in your browser...

The provider's login page should open in a browser tab, prompting for the username and password for the account used to configure the Boundary OIDC Test application. Below is an example of an Azure login prompt.

Azure Application Login

Warning

Trouble logging in? If you receive an Unsuccessful authentication message from Boundary, try logging out of the provider in your browser, then run boundary authenticate oidc again and re-authenticate. This is especially important if you created a new provider user in the Create a user section. Ensure you are logging in as the correct user.

After logging in your terminal should confirm the Account and User IDs.

$ boundary authenticate oidc -auth-method-id amoidc_q7jAdI1QgA
Opening returned authentication URL in your browser...

Authentication information:
  Account ID:      acctoidc_f0wWsno9jQ
  Auth Method ID:  amoidc_q7jAdI1QgA
  Expiration Time: Wed, 21 Apr 2021 15:02:38 MDT
  User ID:         u_zAfnbL9b7y

The token was successfully stored in the chosen keyring and is not displayed here.

The user is now authenticated using OIDC. Listing various scope items would show this user is not able to access most resources by default. The OIDC user could be updated to include new privileges if an admin user assigns it to a role.

You have now completed OIDC integration using the CLI.

Cleanup and teardown

Warning

If you plan on completing the Manage IdP Groups tutorial, leave the current configuration running. Successful completion of this tutorial is a pre-requisite for the Manage IdP Groups tutorial.

If you are not continuing on to the next tutorial, tear down the environment:

1. Stop Boundary dev mode

Locate the shell where boundary dev was run and enter ctrl+c to stop dev mode.

^C==> Boundary dev environment shutdown triggered
[INFO]  worker: status ticking shutting down
[INFO]  controller: terminating completed sessions ticking shutting down
[INFO]  controller: closing expired pending tokens ticking shutting down
[INFO]  controller: status ticking shutting down
[INFO]  controller: recovery nonce ticking shutting down

2. Delete any sample applications from your OIDC provider.

This tutorial provided steps for configuring an Entra ID sample applications as Boundary auth methods. Revisit the provider settings and delete any sample applications you no longer need.

3. Delete any test users from your OIDC provider.

This tutorial created sample users within Azure to authenticate using the CLI, Admin Console or Desktop app. Revisit the Entra ID settings and remove any test users created for this tutorial.

4. Delete any test client secrets from your OIDC provider.

This tutorial may have created client secrets within Azure. Revisit the provider settings and remove any client secrets created for this tutorial.

Next steps

This tutorial demonstrated the steps to add an OIDC authentication method and create a new user. You set up a provider application to authenticate with Boundary, and verified that you can authenticate using the newly created user.

Next, check out the Manage IdP Groups tutorial to learn about automatically managing group membership claims with OIDC auth methods.

To learn more about the basics of managing user accounts, check out the Manage Users and Groups and Manage Roles tutorials.

OIDC authentication with Okta

Manage OIDC IdP groups

OIDC authentication methods overview

Prerequisites

Get setup

Providers

Get setup on Microsoft Entra ID

Create a user

Create an application

Auth method creation

Create auth method for the provider

Authentication states

State change operations

Activate the OIDC auth method

Set OIDC as primary login

Authenticate using OIDC

Cleanup and teardown

Next steps