Link Active Directory SAML groups to Vault
Enterprise
Appropriate Vault Enterprise license or HCP Vault Dedicated cluster required.
Configure your Vault instance to link your Active Directory groups to Vault policies with SAML.
Before you start
- You must have Vault Enterprise or HCP Vault v1.15.5+.
- You must be running AD FS on Windows Server.
- You must have a SAML plugin configured for AD FS.
- You must have a Vault admin token. If you do not have a valid admin token, you can generate a new token in the Vault GUI or using vault token create with the Vault CLI.
Step 1: Enable a kv plugin instance for AD clients
Enable an instance of the KV secret engine for AD FS under a custom path:
For example:
Step 2: Create a read-only policy for the kv plugin
Use vault write to create a read-only policy for AD FS clients that use the new KV plugin:
For example:
Step 3: Create and link a Vault group to AD
Create an external group in Vault and save the group ID to a file named group_id.txt:
Retrieve the mount accessor for the AD FS authentication method and save it to a file named accessor_adfs.txt:
Create a group alias:
Step 4: Verify the link to Active Directory
Use the Vault CLI to log in as an Active Directory user who is a member of the linked Active Directory group:
Read your test value from the KV plugin:
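The four steps above assembled into one script, as an added example that is not the page's or HashiCorp's own code. It assumes VAULT_ADDR and VAULT_TOKEN are exported and the token is an admin token, that the SAML auth method is mounted at auth/saml with a role named default, that the KV instance is KV v2 (hence the data/ and metadata/ policy paths), and that the AD FS group value sent in the SAML assertion is the placeholder VaultReaders; the mount path adfs-kv, policy name adfs-kv-read and group name adfs-readers are also choices made here, not values from the page.

```sh
#!/bin/sh
# Added example, not from the HashiCorp page. Assumptions (not stated on the page):
#   * VAULT_ADDR and VAULT_TOKEN are exported and the token is an admin token.
#   * The SAML auth method is mounted at auth/saml and has a role named "default".
#   * The KV plugin is KV v2 (hence the data/ and metadata/ policy paths).
#   * "VaultReaders" is a placeholder for the group value AD FS puts in the assertion.
set -eu

KV_PATH="${KV_PATH:-adfs-kv}"               # custom mount path for the AD FS KV instance
POLICY_NAME="${POLICY_NAME:-adfs-kv-read}"  # read-only policy name (chosen here)
GROUP_NAME="${GROUP_NAME:-adfs-readers}"    # external group name (chosen here)
SAML_MOUNT="${SAML_MOUNT:-saml}"            # assumed mount path of the SAML auth method
SAML_ROLE="${SAML_ROLE:-default}"           # assumed SAML role used at login
AD_GROUP="${AD_GROUP:-VaultReaders}"        # placeholder AD FS group value

# Step 2 helper: render a read-only policy for a KV v2 mount. Only read and list
# are granted, so a linked AD FS user can read the test value but never modify it.
render_policy() {
  kv="$1"
  cat <<EOF
# Read-only access to the KV v2 instance mounted at "$kv"
path "$kv/data/*" {
  capabilities = ["read"]
}
path "$kv/metadata/*" {
  capabilities = ["read", "list"]
}
EOF
}

# Steps 1-3: mount the KV instance, write the policy, create and link the group.
link_ad_group() {
  # Step 1: enable KV v2 under the custom path (skip if it is already mounted).
  if ! vault secrets list -format=json | grep -q "\"$KV_PATH/\""; then
    vault secrets enable -path="$KV_PATH" kv-v2
  fi
  vault kv put -mount="$KV_PATH" test value=ok   # the value read back in step 4

  # Step 2: create the read-only policy from the rendered HCL ("-" reads stdin).
  render_policy "$KV_PATH" | vault policy write "$POLICY_NAME" -

  # Step 3: external group carrying the policy; its ID is needed for the alias.
  vault write -field=id identity/group \
    name="$GROUP_NAME" type="external" policies="$POLICY_NAME" > group_id.txt

  # Mount accessor of the SAML auth method; the alias is scoped to this accessor.
  vault read -field=accessor "sys/auth/$SAML_MOUNT" > accessor_adfs.txt

  # The alias name must equal the group value AD FS sends in the SAML assertion;
  # a mismatch silently leaves the user without the policy.
  vault write identity/group-alias \
    name="$AD_GROUP" \
    mount_accessor="$(cat accessor_adfs.txt)" \
    canonical_id="$(cat group_id.txt)"
}

# Step 4: log in as an AD user and confirm the policy arrived through the group link.
verify_link() {
  vault login -method=saml role="$SAML_ROLE"
  # Policies inherited from an external group appear under identity_policies,
  # not under the token's own policies, so check the full lookup output.
  vault token lookup -format=json | grep -q "\"$POLICY_NAME\"" \
    || { echo "policy $POLICY_NAME not attached; check the alias name" >&2; return 1; }
  vault kv get -mount="$KV_PATH" test
}

if command -v vault >/dev/null 2>&1 && [ -n "${VAULT_ADDR:-}" ]; then
  link_ad_group
  verify_link
else
  echo "vault CLI or VAULT_ADDR not available; functions defined, nothing executed" >&2
fi
```

Note that vault login replaces the admin token in the local token helper, so run verify_link from a separate shell or re-export the admin token afterwards. The check on identity_policies is the useful part of step 4: if the alias name does not match the value AD FS actually sends, the login still succeeds but the read of the test value fails with a permission denied.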