
Federated SAML Authentication

Open lielran opened this issue 4 years ago • 10 comments

Having the ability to use an external federated auth system based on the SAML protocol would ease the migration and onboarding to Boundary.

I've been using AWS VPN endpoint with Okta for a while now and it has been working great for us.

Adding Boundary's abilities to narrow down app/resource authZ sounds like a good mix.

lielran avatar Jan 06 '21 09:01 lielran

Thanks @lielran - I'm roping in our PM @PPacent to chime in on this.

malnick avatar Jan 06 '21 17:01 malnick

Hi @lielran, while we are actively investing in an OIDC auth method that will be available in an upcoming release, we do not yet have a timeline for support of SAML. Long term, we'll also look to add support for additional auth protocols, like SAML, in the future. We'll keep this issue open so that community members can upvote it and show their support for us adding the feature.

covetocove avatar Jan 19 '21 20:01 covetocove

> Hi @lielran, while we are actively investing in an OIDC auth method that will be available in an upcoming release, we do not yet have a timeline for support of SAML. Long term, we'll also look to add support for additional auth protocols, like SAML, in the future. We'll keep this issue open so that community members can upvote it and show their support for us adding the feature.

Amazing, I totally get the priority of OIDC over SAML :) I think I can still use Okta with OIDC.

lielran avatar Jan 20 '21 06:01 lielran

@lielran glad to hear that perspective :) ! And yes, Okta supports OIDC.

covetocove avatar Jan 20 '21 06:01 covetocove

Please consider this an upvote for OIDC support!

hmhackmaster avatar Mar 01 '21 22:03 hmhackmaster

Does anyone know if Boundary supports Okta groups? If so, how do you map them to Boundary roles/groups?

adubkov avatar Apr 27 '21 00:04 adubkov

> Does anyone know if Boundary supports Okta groups? If so, how do you map them to Boundary roles/groups?

That's what this issue is for. Okta uses SAML.

khionu avatar Apr 27 '21 08:04 khionu

Leaving this here: https://joonas.fi/2021/08/saml-is-insecure-by-design/

cwegener avatar Aug 12 '21 12:08 cwegener

As an update to this thread, Boundary supports authentication from external identity providers via OIDC. You can learn about how to configure Boundary with common identity providers such as Azure Active Directory and Okta with our tutorial here.

@adubkov, @khionu - to your points around how to map Okta (or any other IdP's) groups to Boundary groups and roles - check out Boundary's managed groups capability. This enables dynamic group/role membership assignment in Boundary based on a user's permission claims (including group memberships) at their IdP level. We have a tutorial for setting up managed groups available here.

We are still evaluating interest from users on any possible SAML support so please feel free to show interest by upvoting this post.

covetocove avatar Sep 08 '22 18:09 covetocove

@PPacent - I am trying to set up Google OIDC to authenticate to Boundary. While authentication is working fine, I am not able to find any documents supporting the authorization part using Google groups mapping to Boundary managed groups. Is there any method to use group claims from the JWT as a filter for solving the issue?

praneshkumarkn1 avatar Mar 30 '23 11:03 praneshkumarkn1
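The managed-groups mechanism described a few comments up (an IdP claim filter deciding group membership, and roles granted to the group) and the follow-up question about using group claims from the JWT both come down to the same evaluation step. The following is an added illustration, not Boundary's code and not from anyone in this thread: a small evaluator for two filter shapes modelled on the ones in Boundary's managed-group documentation as I recall them (`"<value>" in "/token/<claim>"` and `"/userinfo/<claim>" == "<value>"`), run over constructed ID-token and userinfo claims. It assumes the OIDC library has already verified the token's signature, issuer, audience and expiry, so claims arrive as plain dicts; the group names, role names and the `groups` claim itself are made up for the example.

```python
"""Added illustration: mapping verified OIDC claims to managed groups and roles."""
import re
from typing import Any, Dict, List, Optional

# Constructed sample claims, as an OIDC library would hand them back AFTER
# verifying the ID token's signature, issuer, audience and expiry.
# (Assumption: that verification already happened; nothing here checks a signature.)
SAMPLE_TOKEN_CLAIMS: Dict[str, Any] = {
    "iss": "https://accounts.google.com",
    "sub": "1234567890",
    "email": "alice@example.com",
    "groups": ["sre", "platform"],  # constructed; not a claim present by default
}
SAMPLE_USERINFO: Dict[str, Any] = {
    "email": "alice@example.com",
    "hd": "example.com",
}

# Two filter shapes modelled on Boundary's managed-group filter syntax (assumed):
#   "<value>" in "/token/<claim>"       membership in a list-valued claim
#   "/userinfo/<claim>" == "<value>"    equality on a scalar claim
_IN_RE = re.compile(r'^"([^"]*)"\s+in\s+"(/(?:token|userinfo)/[^"]+)"$')
_EQ_RE = re.compile(r'^"(/(?:token|userinfo)/[^"]+)"\s+==\s+"([^"]*)"$')


def lookup_selector(selector: str, token_claims: Dict[str, Any],
                    userinfo: Dict[str, Any]) -> Optional[Any]:
    """Resolve /token/a/b or /userinfo/a/b against the claim dicts; None if absent."""
    _, source, *path = selector.split("/")
    node: Any = token_claims if source == "token" else userinfo
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def evaluate_filter(expr: str, token_claims: Dict[str, Any],
                    userinfo: Dict[str, Any]) -> bool:
    """Return True when the claims satisfy one supported filter expression."""
    expr = expr.strip()
    m = _IN_RE.match(expr)
    if m:
        value, selector = m.groups()
        found = lookup_selector(selector, token_claims, userinfo)
        # A missing or non-list claim never matches: no groups claim, no membership.
        return isinstance(found, list) and value in found
    m = _EQ_RE.match(expr)
    if m:
        selector, value = m.groups()
        return lookup_selector(selector, token_claims, userinfo) == value
    raise ValueError(f"unsupported filter expression: {expr!r}")


# Hypothetical managed groups (name -> filter) and the roles granted to each.
MANAGED_GROUPS: Dict[str, str] = {
    "sre-admins": '"sre" in "/token/groups"',
    "example-staff": '"/userinfo/hd" == "example.com"',
    "finance": '"finance" in "/token/groups"',
}
ROLE_GRANTS: Dict[str, List[str]] = {
    "sre-admins": ["ops-admin"],
    "example-staff": ["read-only"],
    "finance": ["billing"],
}


def resolve_managed_groups(token_claims: Dict[str, Any],
                           userinfo: Dict[str, Any]) -> List[str]:
    """Managed groups whose filter matches this login, sorted by name."""
    return sorted(name for name, flt in MANAGED_GROUPS.items()
                  if evaluate_filter(flt, token_claims, userinfo))


def resolve_roles(token_claims: Dict[str, Any],
                  userinfo: Dict[str, Any]) -> List[str]:
    """Union of roles granted through every matching managed group."""
    roles = set()
    for group in resolve_managed_groups(token_claims, userinfo):
        roles.update(ROLE_GRANTS.get(group, []))
    return sorted(roles)


if __name__ == "__main__":
    print(resolve_managed_groups(SAMPLE_TOKEN_CLAIMS, SAMPLE_USERINFO))
    print(resolve_roles(SAMPLE_TOKEN_CLAIMS, SAMPLE_USERINFO))
```

The point of the missing-claim branch is the practical caveat behind the Google question: if the IdP does not put a groups claim into the ID token or the userinfo response, a membership filter on `/token/groups` simply never matches and the user lands only in groups selected by claims that are present (here the `hd` domain). Whatever filter expression is chosen, it should be evaluated only on claims that came out of a verified token, never on a payload decoded without signature checking.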