Closed AbhilashaLiv closed 1 year ago
Hi @AbhilashaLiv, borrowing from @omkensey's reply in the discuss post
The primary auth method for a scope “auto-vivifies”, creating a Boundary user object for the corresponding account automatically so the user can log in, but other auth methods do not.
Boundary supports only one primary auth method per org, meaning only one auth method can auto-vivify Boundary users.
If you use separate orgs and have each one have one of the auth methods as primary, though, you can have both methods auto-vivify within their separate orgs.
The other thing you can do is create users for the corresponding accounts on non-primary auth methods either automatically by using Terraform or scripting the Boundary CLI, or manually using the Boundary admin GUI.
A major reason for only allowing one auth method per org to auto-create/auto-vivify users is that allowing multiple auth methods to auto-vivify users has a high likelihood of creating superfluous users in the event that a user has accounts with each IDP.
Closed as not planned due to reasoning above and lack of community interest.
You could provision the users via the API before users attempt to authenticate.
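The workaround named in the maintainer reply above (pre-create users for accounts on the non-primary auth method with Terraform) and in the comment just above (provision users ahead of first login) can be expressed declaratively. The following is an added example, not code from the issue, the Boundary project or the Terraform provider docs; it uses the provider's `boundary_account_oidc` and `boundary_user` resources. Everything in `locals` and `variable` blocks is an assumption or constructed sample data (the scope and auth method IDs, the Keycloak issuer URL, and the member subjects are placeholders you must replace with your own values). Boundary matches an OIDC login to an account by issuer plus subject, so the `subject` values must equal the `sub` claim Keycloak issues for each user, which by default is the Keycloak user UUID.

```hcl
terraform {
  required_providers {
    boundary = {
      source = "hashicorp/boundary"
    }
  }
}

# Assumption: the controller address and an admin token are supplied out of band
# (e.g. TF_VAR_boundary_addr / TF_VAR_boundary_token). Never commit the token.
variable "boundary_addr"  { type = string }
variable "boundary_token" { type = string, sensitive = true }

provider "boundary" {
  addr  = var.boundary_addr
  token = var.boundary_token
}

# Placeholders for the org that owns the *non-primary* OIDC auth method
# and the Keycloak realm that backs it. Replace with your real IDs/URL.
variable "org_scope_id" {
  type    = string
  default = "o_PLACEHOLDER"
}
variable "team_b_auth_method_id" {
  type    = string
  default = "amoidc_PLACEHOLDER"
}
variable "keycloak_issuer" {
  type    = string
  default = "https://keycloak.example.com/realms/team-b" # constructed example
}

# Constructed sample roster: login name -> Keycloak `sub` claim (user UUID).
# Keeping the roster in one map lets the account and user resources stay in sync.
locals {
  team_b_members = {
    "alice" = "11111111-1111-4111-8111-111111111111"
    "bob"   = "22222222-2222-4222-8222-222222222222"
  }
}

# One OIDC account per roster entry on the non-primary auth method.
# Because this auth method is not primary, Boundary will not create these
# on first login, so they must exist before the user authenticates.
resource "boundary_account_oidc" "team_b" {
  for_each       = local.team_b_members
  auth_method_id = var.team_b_auth_method_id
  name           = each.key
  description    = "Team B member (managed by Terraform)"
  issuer         = var.keycloak_issuer
  subject        = each.value
}

# The Boundary user that the account maps to. Without this user object a
# successful OIDC login against the non-primary method has nothing to bind to.
resource "boundary_user" "team_b" {
  for_each    = local.team_b_members
  scope_id    = var.org_scope_id
  name        = each.key
  description = "Team B member (managed by Terraform)"
  account_ids = [boundary_account_oidc.team_b[each.key].id]
}

# Handy for wiring the users into roles in the same configuration.
output "team_b_user_ids" {
  value = { for k, u in boundary_user.team_b : k => u.id }
}
```

Run `terraform plan` and confirm one account and one user per roster entry are created before anyone on the team tries to log in; a login that still fails with an unknown-user error usually means the `subject` in the roster does not match the `sub` claim Keycloak actually issued (inspect a decoded ID token for that user to check). Removing a name from the map destroys both the account and the user, which also gives you an offboarding path that the auto-vivify flow does not provide.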
We have configured 2 OIDC authentication methods in Boundary for the purpose of having separate login methods on a team basis. However, unless an auth method is marked as primary it doesn't allow a new user (that doesn't exist in the Boundary DB yet) to log in. We need to either mark more than one auth method as primary or some other workaround to this problem. Please guide us. Thanks in advance!
We're using Keycloak as the identity provider and Boundary version 0.11.2.
Link to discussion: https://discuss.hashicorp.com/t/how-to-get-auto-user-creation-in-multiple-auth-methods/49883/1