mirror of
https://github.com/hashicorp/vault.git
synced 2025-08-30 11:01:09 +02:00
0660ea6fac
* Update README Let contributors know that docs will now be located in UDR * Add comments to each mdx doc Comment has been added to all mdx docs that are not partials * chore: added changelog changelog check failure * wip: removed changelog * Fix content errors * Doc spacing * Update website/content/docs/deploy/kubernetes/vso/helm.mdx Co-authored-by: Tu Nguyen <im2nguyen@users.noreply.github.com> --------- Co-authored-by: jonathanfrappier <92055993+jonathanfrappier@users.noreply.github.com> Co-authored-by: Tu Nguyen <im2nguyen@users.noreply.github.com>
90 lines
2.5 KiB
Plaintext
90 lines
2.5 KiB
Plaintext
---
|
|
layout: docs
|
|
page_title: "Troubleshoot ADFS and SAML: invalid BoundSubjects"
|
|
description: >-
|
|
Fix connection problems in Vault due to an invalid BoundSubject entry when
|
|
using Active Directory Federation Services (ADFS) as an SAML provider.
|
|
---
|
|
|
|
> [!IMPORTANT]
|
|
> **Documentation Update:** Product documentation, which were located in this repository under `/website`, are now located in [`hashicorp/web-unified-docs`](https://github.com/hashicorp/web-unified-docs), colocated with all other product documentation. Contributions to this content should be done in the `web-unified-docs` repo, and not this one. Changes made to `/website` content in this repo will not be reflected on the developer.hashicorp.com website.
|
|
|
|
# Clients cannot connect to Vault: invalid `BoundSubjects`
|
|
|
|
Troubleshoot problems where the debugging data suggests a problem with bound
|
|
subjects.
|
|
|
|
|
|
|
|
## Example debugging data
|
|
|
|
<CodeBlockConfig hideClipboard highlight="12">
|
|
|
|
```json
|
|
[DEBUG] auth.saml.auth_saml_b1886dfe: validating user context for role: api=callback role_name=default-saml
|
|
role="{
|
|
"token_bound_cidrs":null,
|
|
"token_explicit_max_ttl":0,
|
|
"token_max_ttl":0,
|
|
"token_no_default_policy":false,
|
|
"token_num_uses":0,
|
|
"token_period":0,
|
|
"token_policies":["default"],
|
|
"token_type":0,
|
|
"token_ttl":0,
|
|
"BoundSubjects":["*@example.com *@ext.example.com"],
|
|
"BoundSubjectsType":"glob",
|
|
"BoundAttributes":{"groups":["VaultAdmin","VaultUser"]},
|
|
"BoundAttributesType":"string",
|
|
"GroupsAttribute":"groups"
|
|
}"
|
|
user context="{
|
|
"attributes":
|
|
{
|
|
"groups":["Domain Users","VaultAdmin"],
|
|
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress":["rs@example.com"]
|
|
},
|
|
"subject":"rs@example.com"
|
|
}"
|
|
```
|
|
|
|
</CodeBlockConfig>
|
|
|
|
|
|
|
|
## Analysis
|
|
|
|
The SAML role expects a single string with a comma separated list of relevant
|
|
domains for `BoundSubjects`, but the provided string is malformed.
|
|
|
|
|
|
## Solution
|
|
|
|
To resolve the problem, update your SAML role and correct the `BoundSubjects`
|
|
string:
|
|
|
|
```shell-session
|
|
$ vault write auth/<SAML_PLUGIN_PATH>/role/<ADFS_ROLE> \
|
|
bound_subjects="<CORRECTED_DOMAIN_LIST>"
|
|
```
|
|
|
|
For example:
|
|
|
|
<CodeBlockConfig hideClipboard>
|
|
|
|
```shell-session
|
|
$ vault write auth/saml/role/adfs-default \
|
|
bound_subjects="*@example.com, *@ext.example.com"
|
|
```
|
|
|
|
</CodeBlockConfig>
|
|
|
|
|
|
|
|
|
|
## Additional resources
|
|
|
|
- [SAML auth method Documentation](/vault/docs/auth/saml)
|
|
- [SAML API Documentation](/vault/api-docs/auth/saml)
|
|
- [Set up an AD FS lab environment](https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/operations/set-up-an-ad-fs-lab-environment)
|