Hi, it's obvious that there is a bug with the mapping from claims in the ID Token to the name claim in Boundary. Here are my setup and configuration: I'm using Boundary 0.15.4, and as the OIDC provider I have Keycloak 23.0.7. My goal is to have users from Keycloak in the Org realm of Boundary mapped not with the random ID which Boundary generates after a user logs in using OIDC, but with a readable (and usable afterwards) username taken from the ID Token.
I'm not using Terraform yet, so I'm just using the admin UI console; here is a part of the OIDC setup which shows my mappings:
I want to map the claim preferred_username to sub in Boundary, as well as given_name to the name claim.
Here is my test user in Keycloak, and the data which comes back in the ID Token:
Claims in ID Token:
So, once I log into Boundary using Keycloak (which of course is set as Primary for user auto-creation), I get a user in Boundary without a name, only an ID:
And if I check Accounts section in Auth Methods -> Keycloak ->
And more importantly, once I check the Account details of the OIDC user I see this:
From here we can see that the mapping from preferred_username to subject has worked correctly, whereas the mapping of given_name to name has worked incorrectly: we see that the given name has landed in the Full Name Boundary field, but it should have been in the Name section.
Hi @hillout, thanks for pointing this out; in Boundary every resource has a name and description field, which are manually populated for identification purposes. The OIDC field is being mapped correctly, but this is something we can improve in the UI/documentation to make this more clear.
@irenarindos hi, thanks for your reply. My goal was to use that user "name" as a Vault credential library parameter template, {{.User.Name}}, so a user from OIDC would map to Vault's SSH entity. Instead I'm using {{.Account.Subject}} as a workaround.
@irenarindos and by the way, this scenario extends to the situation where you can't see the name of the (OIDC) user you've logged in with when using Boundary Desktop, because it relies on the user "Name" parameter, and since it isn't mapped a blank name shows in the UI:
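The behaviour the maintainer describes, as an added model written for this thread (not Boundary's own code): account_claim_maps entries populate the OIDC account's subject, full_name and email, while the resource-level name stays empty, so a {{.User.Name}} template renders blank where {{.Account.Subject}} does not. The ID Token claims are constructed, and the restriction of map targets to sub/name/email is an assumption taken from Boundary's documented behaviour.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Targets accepted in an account_claim_maps "from=to" entry and the account field
# each one populates (assumption based on Boundary's documented behaviour).
CLAIM_TARGETS = {"sub": "subject", "name": "full_name", "email": "email"}

@dataclass
class OidcAccount:
    subject: str
    full_name: Optional[str] = None
    email: Optional[str] = None
    name: Optional[str] = None  # resource-level field, set by an admin, never from claims

def parse_claim_maps(claim_maps: List[str]) -> Dict[str, str]:
    """Turn ['preferred_username=sub', ...] into {target: source}; reject unknown targets."""
    parsed: Dict[str, str] = {}
    for entry in claim_maps:
        source, sep, target = entry.partition("=")
        if not sep or target not in CLAIM_TARGETS:
            raise ValueError(f"unsupported claim map {entry!r}; target must be one of {sorted(CLAIM_TARGETS)}")
        parsed[target] = source
    return parsed

def build_account(id_token: Dict[str, str], claim_maps: List[str]) -> OidcAccount:
    """Populate an account from ID Token claims; an unmapped target reads the claim of the same name."""
    mapping = parse_claim_maps(claim_maps)
    values = {target: id_token.get(mapping.get(target, target)) for target in CLAIM_TARGETS}
    if not values["sub"]:
        raise ValueError("ID Token carries no usable subject claim")
    return OidcAccount(subject=values["sub"], full_name=values["name"], email=values["email"])

def render_template(template: str, account: OidcAccount, user_name: Optional[str]) -> str:
    """Stand-in for the two credential library template parameters discussed in the thread."""
    return (template.replace("{{.Account.Subject}}", account.subject)
                    .replace("{{.User.Name}}", user_name or ""))

# Constructed ID Token claims resembling the Keycloak test user in the issue.
ID_TOKEN = {"sub": "3f1c2b9a-0000-4000-8000-000000000000",
            "preferred_username": "jdoe", "given_name": "Jane", "name": "Jane Doe",
            "email": "jdoe@example.com"}

if __name__ == "__main__":
    acct = build_account(ID_TOKEN, ["preferred_username=sub", "given_name=name"])
    print(acct)  # OidcAccount(subject='jdoe', full_name='Jane', email='jdoe@example.com', name=None)
    print(render_template("ssh-{{.User.Name}}", acct, None))        # ssh-   (auto-created user has no name)
    print(render_template("ssh-{{.Account.Subject}}", acct, None))  # ssh-jdoe
```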