Open lielran opened 3 years ago
Thanks @lielran - I'm roping in our PM @PPacent to chime in on this.
Hi @lielran, while we are actively investing in an OIDC auth method that will be available in an upcoming release, we do not yet have a timeline for support of SAML. Long term, we'll also look to add support for additional auth protocols, like SAML, in the future. We'll keep this issue open so that community members can upvote it and show their support for us adding the feature.
Amazing, I totally get the priority of OIDC over SAML :) I think I can still use Okta with OIDC.
@lielran glad to hear that perspective :) ! And yes, Okta supports OIDC.
Please consider this an upvote for OIDC support!
Does anyone know if Boundary supports Okta groups? If so, how to map them to Boundary roles/groups?
That's what this issue is for. Okta uses SAML.
Leaving this here: https://joonas.fi/2021/08/saml-is-insecure-by-design/
As an update to this thread, Boundary supports authentication from external identity providers via OIDC. You can learn about how to configure Boundary with common identity providers such as Azure Active Directory and Okta with our tutorial here.
@adubkov, @khionu - to your points around how to map Okta (or any other IDP's) groups to Boundary groups and roles - check out Boundary's managed groups capability. This enables dynamic group/role membership assignment in Boundary based on a user's permission claims (including group memberships) at their IDP level. We have a tutorial for setting up managed groups available here.
We are still evaluating interest from users on any possible SAML support so please feel free to show interest by upvoting this post.
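To make the managed groups mechanism described above concrete, here is an added example (not Boundary's code, and not from anyone in this thread) that evaluates managed-group filter expressions against the claims an OIDC login yields and derives the resulting role set. The `"/token/<claim>"` and `"/userinfo/<claim>"` path convention follows the shape Boundary's documentation uses for managed group filters; the evaluator itself, the sample identities, the group names and the role bindings are all constructed here for illustration. It also shows the failure mode a practitioner cares about: a token with no `groups` claim must fail closed rather than match.

```python
"""Claim-to-managed-group mapping, Boundary style (hypothetical stand-in evaluator).

Filters are Boundary-shaped expressions such as
    "engineering" in "/token/groups"
    "/userinfo/email_verified" == true
combined with 'and' / 'or' ('and' binds tighter). Quoted strings beginning
with /token/ or /userinfo/ are resolved against the login claims; anything
else is a literal. Missing claims never match (fail closed).
"""
import re
from typing import Any

# Constructed sample logins: "token" = ID token claims, "userinfo" = userinfo response.
SAMPLE_IDENTITIES = {
    "alice": {
        "token": {"sub": "alice", "email": "alice@example.com", "groups": ["engineering", "oncall"]},
        "userinfo": {"email_verified": True},
    },
    # bob's IdP does not emit a groups claim at all (the situation behind the Google question).
    "bob": {
        "token": {"sub": "bob", "email": "bob@example.com"},
        "userinfo": {"email_verified": True},
    },
}

# Constructed managed groups: name -> filter expression (assumed syntax).
MANAGED_GROUPS = {
    "mg-engineering": '"engineering" in "/token/groups"',
    "mg-oncall": '"oncall" in "/token/groups" and "/userinfo/email_verified" == true',
    "mg-bob-only": '"/token/sub" == "bob"',
}

# Constructed role grants: managed group -> roles it is a principal of.
ROLE_BINDINGS = {
    "mg-engineering": ["role-dev-targets"],
    "mg-oncall": ["role-prod-ssh"],
    "mg-bob-only": ["role-readonly"],
}

MISSING = object()  # sentinel: claim path not present in this identity
_CMP = re.compile(r'^\s*("[^"]*"|\S+)\s+(in|==|!=)\s+("[^"]*"|\S+)\s*$')


def _resolve(term: str, identity: dict) -> Any:
    """Turn one operand into a value: claim lookup, string literal, bool or int."""
    if term.startswith('"') and term.endswith('"'):
        text = term[1:-1]
        if text.startswith("/token/") or text.startswith("/userinfo/"):
            node: Any = identity
            for part in text.strip("/").split("/"):
                if not isinstance(node, dict) or part not in node:
                    return MISSING
                node = node[part]
            return node
        return text
    if term == "true":
        return True
    if term == "false":
        return False
    return int(term)


def _eval_comparison(clause: str, identity: dict) -> bool:
    m = _CMP.match(clause)
    if not m:
        raise ValueError(f"unsupported filter clause: {clause!r}")
    lhs, op, rhs = _resolve(m.group(1), identity), m.group(2), _resolve(m.group(3), identity)
    if lhs is MISSING or rhs is MISSING:
        return False  # absent claim: deny, never treat as empty/equal
    if op == "in":
        return isinstance(rhs, list) and lhs in rhs  # a scalar groups claim never matches
    if op == "==":
        return lhs == rhs
    return lhs != rhs


def evaluate_filter(expr: str, identity: dict) -> bool:
    # Naive split on ' or ' / ' and '; quoted literals containing those words are not supported.
    return any(
        all(_eval_comparison(c, identity) for c in conj.split(" and "))
        for conj in expr.split(" or ")
    )


def resolve_membership(identity: dict, managed_groups: dict = MANAGED_GROUPS) -> list:
    """Managed groups whose filter matches this login, re-evaluated on every authentication."""
    return sorted(name for name, flt in managed_groups.items() if evaluate_filter(flt, identity))


def effective_roles(identity: dict, managed_groups: dict = MANAGED_GROUPS, bindings: dict = ROLE_BINDINGS) -> list:
    roles = set()
    for group in resolve_membership(identity, managed_groups):
        roles.update(bindings.get(group, []))
    return sorted(roles)


if __name__ == "__main__":
    for name, identity in SAMPLE_IDENTITIES.items():
        print(name, resolve_membership(identity), effective_roles(identity))
```

The point of the fail-closed branch is that membership is recomputed at each login from what the IdP actually asserted: if the provider stops sending a `groups` claim (or sends it as a string instead of a list), the user silently drops out of the group-derived roles instead of keeping stale access.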
@PPacent - I am trying to set up Google OIDC to authenticate to Boundary. While authentication is working fine, I am not able to find any documents supporting the authorization part using Google groups mapping to Boundary managed groups. Is there any method to use group_claims from the JWT as a filter for solving the issue?
Having the ability to have an external federated auth system based on the SAML protocol would ease the migration and onboarding to Boundary.
I've been using an AWS VPN endpoint with Okta for a while now and it's been working great for us.
Adding Boundary's abilities to narrow down app/resource authZ sounds like a good mix.