---
layout: docs
page_title: Use SecureAuth for OIDC authentication
description: >-
  Configure Vault to use SecureAuth as an OIDC provider.
---

> [!IMPORTANT]  
> **Documentation Update:** Product documentation, which were located in this repository under `/website`, are now located in [`hashicorp/web-unified-docs`](https://github.com/hashicorp/web-unified-docs), colocated with all other product documentation. Contributions to this content should be done in the `web-unified-docs` repo, and not this one. Changes made to `/website` content in this repo will not be reflected on the developer.hashicorp.com website.

# Use SecureAuth for OIDC authentication


The [SecureAuth](https://www.secureauth.com/) identity provider returns group membership
claims as a comma-separated list of strings (e.g. `groups: "group-1,group-2"`) instead
of a list of strings.

To properly obtain group membership when using SecureAuth as the identity provider for
Vault's OIDC Auth Method, the `secureauth` provider must be explicitly configured as
shown below.

```shell
vault write auth/oidc/config -<<"EOH"
{
   "oidc_client_id": "your_client_id",
   "oidc_client_secret": "your_client_secret",
   "default_role": "your_default_role",
   "oidc_discovery_url": "https://idp.sasp.gosecureauth.com/your_secure_auth",
   "provider_config": {
      "provider": "secureauth"
   }
}
EOH
```

This will instruct the OIDC Auth Method to parse the comma-separated groups claims string
into individual groups. Note that the role's [`groups_claim`](/vault/api-docs/auth/jwt#groups_claim)
value must be properly configured to target the groups claim for your SecureAuth identity
provider.