Automatic group mapping fails

Troubleshoot problems where the debugging data suggests a bad or nonexistent mapping between your Vault role and AD FS the Claim Issuance Policy.

Example debugging data

[DEBUG] auth.saml.auth_saml_1d2227e7: validating user context for role: api=callback role_name=default-saml
role="{
  "token_bound_cidrs":null,
  "token_explicit_max_ttl":0,
  "token_max_ttl":0,
  "token_no_default_policy":false,
  "token_num_uses":0,
  "token_period":0,
  "token_policies":["default"],
  "token_type":0,
  "token_ttl":0,
  "BoundSubjects":["*@example.com","*@ext.example.com"],
  "BoundSubjectsType":"glob",
  "BoundAttributes":{"http://schemas.xmlsoap.org/claims/Group":["VaultAdmin","VaultUser"]},
  "BoundAttributesType":"string",
  "GroupsAttribute":"groups"
  }"
user context="{
  "attributes":
  {
    "http://schemas.xmlsoap.org/claims/Group":["Domain Users","VaultAdmin"],
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress":["rs@example.com"]
  },
  "subject":"rs@example.com"
}"

Analysis

Use vault read to review the current role configuration:

$ vault read auth/<SAML_PLUGIN_PATH>/role/<ADFS_ROLE>

Key                        Value
---                        -----
bound_attributes           map[http://schemas.xmlsoap.org/claims/Group:[VaultAdmin VaultUser]]
bound_attributes_type      string
bound_subjects             [*@example.com *@ext.example.com]
bound_subjects_type        glob
groups_attribute           groups
token_bound_cidrs          []
token_explicit_max_ttl     0s
token_max_ttl              0s
token_no_default_policy    false
token_num_uses             0
token_period               0s
token_policies             [default]
token_ttl                  0s
token_type                 default

The Vault role uses groups for the group attribute, so Vault expects user context in the SAML response to include a groups attribute with the form:

user context="{
  "attributes":
  {
    "groups":[<LIST_OF_BOUND_GROUPS>]",
    ...
  }
}"

But the SAML response indicates the Claim Issuance Policy uses Group for the group attribute, so the user context uses Group to key the bound groups:

user context="{
  "attributes":
  {
    "http://schemas.xmlsoap.org/claims/Group":["Domain Users","VaultAdmin"],
    ...
  },
  "subject":"rs@example.com"
}"

Solution

The first option to resolve the problem is update group_attribute for the Vault role to use Group:

$ vault write auth/<SAML_PLUGIN_PATH>/role/<ADFS_ROLE> \
    groups_attribute=http://schemas.xmlsoap.org/claims/Group

For example:

$ vault write auth/saml/role/adfs-default \
    groups_attribute=http://schemas.xmlsoap.org/claims/Group

The second option to resolve the problem is to update your AD FS configuration to use groups and confirm the bound attributes in Vault match the expected groups:

Update your AD FS the Claim Issuance Policy to use groups for unqualified names:
LDAP attribute Outgoing claim type
Token-Groups - Unqualified Names groups

LDAP attribute	Outgoing claim type
`Token-Groups - Unqualified Names`	`groups`

Verify the bound attribute for your Vault role match the groups listed in the SAML response:

$ vault write auth/<SAML_PLUGIN_PATH>/role/<ADFS_ROLE> \
    bound_attributes=groups="<AD_GROUP_LIST>"

For example:

$ vault write auth/saml/role/default-adfs \
    bound_attributes=groups="VaultAdmin,VaultUser"

Automatic group mapping fails

Example debugging data

Analysis

Solution

Additional resources