Automatic group mapping fails
Troubleshoot problems where the debugging data suggests a bad or nonexistent mapping between your Vault role and the AD FS Claim Issuance Policy.
Example debugging data
Analysis
Use `vault read` to review the current role configuration:
The Vault role uses `groups` for the group attribute, so Vault expects the user context in the SAML response to include a `groups` attribute with the form:
But the SAML response indicates the Claim Issuance Policy uses `Group` for the group attribute, so the user context uses `Group` to key the bound groups:
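The mismatch above can be checked offline by comparing the role's `group_attribute` with the attribute names actually present in the assertion. The following script is an added example, not Vault's own code; the role configuration dictionary and the SAML response it parses are constructed samples that reproduce the `groups`-versus-`Group` situation described here.

```python
"""Offline check: does the Vault role's group_attribute name an attribute that
the SAML assertion actually carries? (Added example, not Vault code.)"""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: the relevant field as `vault read` would report it.
ROLE_CONFIG = {"group_attribute": "groups"}

# Constructed sample assertion: the AD FS Claim Issuance Policy emits the
# group claim under the name "Group", not "groups".
SAML_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="Group">
        <saml:AttributeValue>vault-admins</saml:AttributeValue>
        <saml:AttributeValue>developers</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="email">
        <saml:AttributeValue>alice@example.test</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def assertion_attributes(xml_text):
    """Return {attribute name: [values]} from every AttributeStatement."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
        attrs[attr.get("Name")] = values
    return attrs


def check_group_attribute(role, xml_text):
    """Report whether the configured name is present, the group values it
    would yield, and likely candidates (names differing only by case or a
    trailing 's', or multi-valued attributes) when it is not."""
    attrs = assertion_attributes(xml_text)
    configured = role["group_attribute"]
    key = configured.lower().rstrip("s")
    candidates = [n for n in attrs if n != configured
                  and (n.lower().rstrip("s") == key or len(attrs[n]) > 1)]
    return {"configured": configured, "present": configured in attrs,
            "groups": attrs.get(configured, []), "candidates": candidates}


if __name__ == "__main__":
    print(check_group_attribute(ROLE_CONFIG, SAML_RESPONSE))
```

With the sample input the check reports that `groups` is absent and names `Group` as the candidate; rerunning it with `{"group_attribute": "Group"}` returns the two group values Vault would use to match `bound_groups`.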
Solution
The first option to resolve the problem is to update `group_attribute` for the Vault role to use `Group`:
For example: