Configuring OAuth 2.0 / OpenID Connect Profiles
In order to configure SSO, you must first create an OAuth 2.0 / OpenID Connect profile. Then, you must provision users to use the profile. The following article walks through the creation of an OAuth 2.0 / OpenID Connect profile.
Vault allows you to create multiple profiles and associate each with a different authorization server (AS). This allows users to authenticate with any AS configured on the security policy to which they are assigned. Note that Vault supports OpenID Connect with PingFederate Authorization Servers only.
To create an OAuth 2.0 / OpenID Connect profile:
- Go to Admin > Settings > OAuth 2.0 / OpenID Connect Profiles.
- Click Create.
- Enter a Label and Name for the profile.
- Choose a Status for the profile. It’s best practice to leave the profile as Inactive until configuration is complete.
- Optional: Add a description of the profile.
- Under OAuth 2.0 / OpenID Connect Configuration, upload your AS Metadata with the Upload AS Metadata button. See details below.
- Select a User ID Type, either Vault User Name or Federated ID. See details below.
- Click Save.
Upload Authorization Server Metadata
You can upload your Authorization Server (AS) metadata either by uploading an AS Metadata JSON file or by specifying a URL where the metadata is available.
To upload AS metadata:
- Click Upload AS Metadata.
- To import AS metadata by uploading a JSON file, select Authorization Server Metadata and then choose a file.
- To import AS metadata by specifying a URL, select Provide Authorization Server Metadata URL and then enter the location of the file.
- Click Continue. Vault validates the contents of the AS Metadata JSON and returns an error message if the information is invalid.
- To complete the configuration, click Save.
The JSON file structure is defined in the AS Metadata specifications (OAuth 2.0 Authorization Server Metadata, RFC 8414, and OpenID Connect Discovery); the field names below are those specifications' names.
The following metadata is required:
| Metadata | Description |
| --- | --- |
| issuer | The authorization server's issuer identifier, which is a URL that uses the "https" scheme and has no query or fragment components. |
| authorization_endpoint | URL of the authorization server's authorization endpoint. |
| token_endpoint | URL of the authorization server's token endpoint. |
| introspection_endpoint | URL of the authorization server's OAuth 2.0 introspection endpoint. |
| response_types_supported | JSON array containing a list of the OAuth 2.0 response_type values that this authorization server supports. |
| subject_types_supported | JSON array containing a list of the Subject Identifier types that this OP supports. Valid types include pairwise and public. |
| id_token_signing_alg_values_supported | JSON array containing a list of the JWS signing algorithms (alg values) supported by the OP for the ID Token to encode the Claims in a JWT. The algorithm RS256 MUST be included. |
You may include any other optional metadata. The following metadata is optional, but recommended:
| Metadata | Description |
| --- | --- |
| registration_endpoint | URL of the authorization server's OAuth 2.0 Dynamic Client Registration endpoint. |
| scopes_supported | JSON array containing a list of the OAuth 2.0 scope values that this authorization server supports. |
| claims_supported | JSON array containing a list of the Claim Names of the Claims that the OpenID Provider may be able to supply values for. Note that for privacy or other reasons, this might not be an exhaustive list. |
| userinfo_endpoint | URL of the OpenID Provider's UserInfo Endpoint. This URL must use the https scheme. |
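Vault rejects a metadata document that fails its own validation, but it is easier to catch problems before the upload. The following Python script is an added example (it is not part of this article and is not Vault's validator): it checks a metadata JSON document for the required and recommended fields listed above, using their RFC 8414 / OpenID Connect Discovery names, and reports errors and warnings. The as.example.com hostname, endpoint paths and both sample documents are constructed for the example; Vault's exact checks are not published here, so treat this as a pre-flight check rather than a replica.

```python
# Pre-flight check of Authorization Server (AS) metadata before uploading it to Vault.
# Added example, not Vault's own validator. Field names follow RFC 8414 and
# OpenID Connect Discovery; hostnames and documents below are constructed.
import json
from urllib.parse import urlsplit

# kind: "issuer" (https, no query/fragment), "url" (https) or "array" (non-empty list)
REQUIRED = {
    "issuer": "issuer",
    "authorization_endpoint": "url",
    "token_endpoint": "url",
    "introspection_endpoint": "url",
    "response_types_supported": "array",
    "subject_types_supported": "array",
    "id_token_signing_alg_values_supported": "array",
}
RECOMMENDED = {
    "registration_endpoint": "url",
    "scopes_supported": "array",
    "claims_supported": "array",
    "userinfo_endpoint": "url",
}
VALID_SUBJECT_TYPES = {"pairwise", "public"}


def _is_https_url(value, allow_query_fragment=True):
    """True if value is an absolute https URL (optionally with no query/fragment)."""
    if not isinstance(value, str):
        return False
    parts = urlsplit(value)
    if parts.scheme != "https" or not parts.netloc:
        return False
    if not allow_query_fragment and (parts.query or parts.fragment):
        return False
    return True


def _check_field(name, kind, value):
    """Return an error string for one field, or None if the value is acceptable."""
    if kind == "issuer" and not _is_https_url(value, allow_query_fragment=False):
        return f"{name} must be an https URL with no query or fragment component"
    if kind == "url" and not _is_https_url(value):
        return f"{name} must be an https URL"
    if kind == "array" and (not isinstance(value, list) or not value):
        return f"{name} must be a non-empty JSON array"
    return None


def validate_as_metadata(metadata):
    """Validate a parsed AS metadata document.

    Returns {"errors": [...], "warnings": [...]}; an empty "errors" list means the
    required-field checks passed. Warnings cover missing recommended fields and
    an advertised "none" signing algorithm, which must never be accepted for ID Tokens.
    """
    errors, warnings = [], []
    if not isinstance(metadata, dict):
        return {"errors": ["metadata must be a JSON object"], "warnings": []}
    for name, kind in REQUIRED.items():
        if name not in metadata:
            errors.append(f"missing required field: {name}")
            continue
        problem = _check_field(name, kind, metadata[name])
        if problem:
            errors.append(problem)
    # Value-level constraints from the OpenID Connect Discovery definitions.
    subject_types = metadata.get("subject_types_supported")
    if isinstance(subject_types, list):
        for t in subject_types:
            if t not in VALID_SUBJECT_TYPES:
                errors.append(f"subject_types_supported contains unsupported value: {t}")
    algs = metadata.get("id_token_signing_alg_values_supported")
    if isinstance(algs, list):
        if "RS256" not in algs:
            errors.append("id_token_signing_alg_values_supported must include RS256")
        if "none" in algs:
            warnings.append("id_token_signing_alg_values_supported advertises none; "
                            "unsigned ID Tokens must not be accepted")
    for name, kind in RECOMMENDED.items():
        if name not in metadata:
            warnings.append(f"recommended field not present: {name}")
            continue
        problem = _check_field(name, kind, metadata[name])
        if problem:
            errors.append(problem)
    return {"errors": errors, "warnings": warnings}


def validate_as_metadata_json(text):
    """Parse the JSON file you are about to upload and validate it."""
    try:
        metadata = json.loads(text)
    except ValueError as exc:
        return {"errors": [f"invalid JSON: {exc}"], "warnings": []}
    return validate_as_metadata(metadata)


# Constructed sample documents; as.example.com is not a real Authorization Server.
_AS = "https://as.example.com"
GOOD_METADATA = {
    "issuer": _AS,
    "authorization_endpoint": f"{_AS}/oauth/authorize",
    "token_endpoint": f"{_AS}/oauth/token",
    "introspection_endpoint": f"{_AS}/oauth/introspect",
    "response_types_supported": ["code"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
    "registration_endpoint": f"{_AS}/oauth/register",
    "scopes_supported": ["openid", "profile", "email"],
    "claims_supported": ["sub", "email", "preferred_username"],
    "userinfo_endpoint": f"{_AS}/oauth/userinfo",
}
BAD_METADATA = {
    "issuer": "http://as.example.com/?tenant=1",     # wrong scheme and a query component
    "authorization_endpoint": f"{_AS}/oauth/authorize",
    "token_endpoint": f"{_AS}/oauth/token",
    # introspection_endpoint is missing
    "response_types_supported": [],                 # empty array
    "subject_types_supported": ["public", "email"], # "email" is not a subject type
    "id_token_signing_alg_values_supported": ["HS256", "none"],
}

if __name__ == "__main__":
    for label, doc in (("good", GOOD_METADATA), ("bad", BAD_METADATA)):
        print(label, json.dumps(validate_as_metadata(doc), indent=2))
```

Run the script against the file you intend to upload (or pass the body fetched from the metadata URL to validate_as_metadata_json) and fix every entry in "errors" before setting the profile to Active; the "none" warning is worth treating as a blocker, since an ID Token without a signature should never be trusted.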
About User ID Types
The two options for User ID Type are Vault User Name and Federated ID.
Vault User Name
Choose Vault User Name if you plan to store the Vault user names as an attribute in your IdP user directory, or if the Vault user names happen to exactly match your enterprise user names. Basically, this puts the burden on the IdP to map enterprise user names to Vault user names.
Federated ID
Choose Federated ID if you plan to store enterprise user names in the Federated ID field on the Vault user profile. This puts the burden on Vault to map from enterprise user names to Vault user names.
Whichever option you choose, the identifier the AS sends for a user must be unique and stable, so that it maps to exactly one Vault user.