hashicorp / vault

A tool for secrets management, encryption as a service, and privileged access management
https://www.vaultproject.io/

Using HTTP Header SSO with vault LDAP #14416

Open yashra opened 2 years ago

yashra commented 2 years ago

I am running Vault under SSO authentication, so I want to access Vault directly using a combination of headers and Vault LDAP, which won't ask me to provide credentials again on the Vault login page. Is there any way to do this?

Current: [screenshot]

Requirement: [screenshot]

maxb commented 2 years ago

(Note: I'm not affiliated with HashiCorp; this issue just caught my eye whilst browsing the issue tracker)

Vault doesn't have anything that would natively support this workflow.

If you wanted to implement it in your reverse proxy that fronts Vault, it would need to log in to Vault on the user's behalf, using the Vault API, and add an X-Vault-Token header to the user's requests that it proxies.

However, rather than trying to make this work, it would probably be better for you long term to set up an OpenID Connect (OIDC) Identity Provider that users can log into using their LDAP password, and configure the Vault OIDC auth method.

OIDC seems to be one of the major standards for web application SSO these days, so you'd likely be able to re-use the investment for other web applications you add to your SSO organisation, too.

yashra commented 2 years ago

Thank you @maxb. I agree, but as our SSO is central and can't be integrated with OIDC, we thought to use HTTP SSO headers that can help to log in with LDAP. Is there any way to implement that?

maxb commented 2 years ago

My previous idea:

> If you wanted to implement it in your reverse proxy that fronts Vault, it would need to log in to Vault on the user's behalf, using the Vault API, and add an X-Vault-Token header to the user's requests that it proxies.

is in fact not possible. I had neglected to consider that the Vault UI is a client side JavaScript application, and it gets confused and does not provide the desired behaviour if a token is inserted by a reverse proxy.

Regarding your follow-up:

> Thank you @maxb. I agree, but as our SSO is central and can't be integrated with OIDC, we thought to use HTTP SSO headers that can help to log in with LDAP. Is there any way to implement that?

As the Vault UI is a client side JavaScript application, you can only use one of the authentication methods the application supports. (Unless you choose to maintain a fork of the Vault UI or write your own.)

Of these methods, the only one that supports SSO is OIDC. Everything else involves the user typing a password or manually copy/pasting a token.

So, you must use OIDC.

If you have existing SSO that does not support OIDC directly, however, there is an option: you need an OIDC Identity Provider that accepts your existing SSO implementation as the primary user authentication.

Then, the user experience would be like this:

  1. Visit Vault web UI
  2. Click "Sign in with OIDC provider"
  3. Vault redirects user's browser to the OIDC provider URL
  4. The OIDC provider checks whether the user is already logged in to the existing SSO; if not, it sends the user to the existing SSO to log in first, however that works.
  5. Now that the OIDC provider knows who the user is, it provides an OIDC-compatible response to Vault, logging the user in.

So, where would you get an OIDC provider like this, to perform the bridging from?

I do not have direct experience in running this setup, but during some previous research (which I ended up not using) I came across https://dexidp.io/docs/connectors/authproxy/, which sounds like exactly what you need here. It is marked as experimental, though; still, it seems like it could be worth a try.

As an added bonus, if you get this working, you've solved not only how to do SSO for Vault, but also how to integrate any other OIDC-compliant products you want to use into your existing SSO infrastructure.
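To make the Vault side of the setup above concrete, here is an added example (not code from the issue, from HashiCorp, or from the Dex project) that enables the OIDC auth method and points it at a Dex instance acting as the bridging provider. Everything in it is an assumption: the hostnames `vault.example.com` and `dex.example.com`, the client id `vault`, the role name `sso-user`, and the client secret placeholder; the Dex-side configuration (the experimental `authproxy` connector and a `staticClients` entry for Vault with the same redirect URIs) is not shown. The two redirect-URI helpers exist because a mismatch between `allowed_redirect_uris` and the URI the Vault UI or CLI actually sends is the most common reason an OIDC login fails with a generic error.

```shell
#!/usr/bin/env sh
# Added example: configure Vault's OIDC auth method against a Dex issuer.
# All hostnames, ids and the secret below are assumptions/placeholders.
set -eu

: "${VAULT_ADDR:=https://vault.example.com}"   # assumed Vault address
: "${DEX_ISSUER:=https://dex.example.com}"     # assumed Dex issuer URL
: "${OIDC_CLIENT_ID:=vault}"                   # assumed static client id in Dex
: "${OIDC_CLIENT_SECRET:=REPLACE_WITH_DEX_STATIC_CLIENT_SECRET}"  # placeholder

# The Vault web UI completes the OIDC flow at a fixed path under /ui/vault/auth/<mount>/.
# The value registered in allowed_redirect_uris must match it exactly.
#   $1 = Vault address, $2 = auth mount path
vault_ui_redirect_uri() {
  printf '%s/ui/vault/auth/%s/oidc/callback\n' "$1" "$2"
}

# `vault login -method=oidc` from the CLI listens on localhost:8250 by default.
vault_cli_redirect_uri() {
  printf 'http://localhost:8250/oidc/callback\n'
}

# Enable the auth method at $1 and configure it to trust tokens issued by Dex.
# Repeating allowed_redirect_uris builds a list; bound_audiences pins the token
# audience to our client id so a token minted for another Dex client is rejected.
configure_vault_oidc() {
  mount="$1"
  vault auth enable -path="$mount" oidc
  vault write "auth/$mount/config" \
    oidc_discovery_url="$DEX_ISSUER" \
    oidc_client_id="$OIDC_CLIENT_ID" \
    oidc_client_secret="$OIDC_CLIENT_SECRET" \
    default_role="sso-user"
  vault write "auth/$mount/role/sso-user" \
    role_type="oidc" \
    bound_audiences="$OIDC_CLIENT_ID" \
    allowed_redirect_uris="$(vault_ui_redirect_uri "$VAULT_ADDR" "$mount")" \
    allowed_redirect_uris="$(vault_cli_redirect_uri)" \
    user_claim="email" \
    token_policies="default" \
    token_ttl="1h"
}

# Only talk to a live Vault when explicitly asked: `sh configure-oidc.sh apply`
if [ "${1:-}" = "apply" ]; then
  configure_vault_oidc oidc
fi
```

Run it with `apply` against a Vault where `VAULT_TOKEN` has permission to manage auth methods. Two points deserve attention when the Dex side uses the authproxy connector: Dex then trusts whatever identity header its reverse proxy sets, so the proxy must be the only network path to Dex's callback URL and must drop any identity header supplied by the client before adding its own; and the `user_claim` chosen here must be a claim Dex actually emits for that connector, otherwise Vault will reject the login even though the OIDC exchange succeeded.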