Safeguard Your Entry: Seamlessly Secure Vault Login with OIDC

Jaydeep
Property Finder Engineering and Tech Blog
5 min read · Aug 10, 2023

Vault, a trusted secret management tool, offers a robust way to store and protect confidential information. However, traditional login methods such as username/password and token-based logins have their weaknesses: a compromised password or token grants unauthorized access and can expose critical secrets. To address this concern, this article walks through integrating Vault with OneLogin using OIDC.

In terms of infrastructure, we have discovered the most cost-effective solution available on the market — Fargate Spot, operating on an ECS cluster. This solution not only offers affordability but also seamlessly integrates with our existing environment.

By leveraging Fargate for Vault, we get simplified deployment, cost efficiency, scalability, enhanced security, high availability, and seamless AWS integration, creating a robust platform for secure secret management.

To learn more about the installation and configuration of Vault on our infrastructure using ECS, please feel free to contact me through LinkedIn. I would be happy to provide you with further details and insights.

Set up Vault login via OIDC

Before a client can interact with Vault, it must authenticate against an auth method to acquire a token. This token has policies attached so that the behavior of the client can be governed.

Auth methods perform authentication to verify the user or machine-supplied information. Some of the supported auth methods are targeted towards users while others are targeted toward machines or apps.

OneLogin Setup

1. Log in to your OneLogin admin portal.

2. Go to “Apps” and click “Add App” to add a new application.

3. Search for and select the “OpenID Connect (OIDC)” app.

4. Provide a name for the app and click “Save”. You will be able to filter the app list by the name you provided.

5. In the “Configuration” tab, enter the following information:

Login URL:
https://vault.example.com/ui/vault/auth?with=oidc

Redirect URI:
http://localhost:8250/oidc/callback,
https://vault.example.com/ui/vault/auth/oidc/oidc/callback

Post Logout Redirect URIs:
https://vault.example.com/ui/vault/auth?with=oidc

Note: vault.example.com is only a placeholder; replace it with your Vault domain.

6. Under the SSO tab, get the Client ID, Client Secret and Issuer URL.

Due to security concerns, we have greyed out the client ID and issuer URL.

7. The next step is to create a new role. In the OneLogin admin portal, go to Users > Roles and click New Role.

8. Give the new role a name (in our case, Dev Vault), select the applications it should include, then click Save.

9. Assigning roles to users: from Users > Roles, open the role and go to Users. Enter one or more users into the Search for a user field and click Check. Each user appears with an Add to Role button; this is how you add users manually.

Alternatively, you can create mappings (for example, department ~ Engineering) to add all users in the Engineering department automatically.

10. Now go to Applications > the Vault application created above > Access > Roles, and add the role created in step 8.

11. To verify, go to the Users tab and check the assigned users.

Vault Setup

1. Log in to Vault with the root token.

2. Click Access → Enable New Method → select OIDC.

3. OIDC configuration: from the SSO page of OneLogin, enter the OneLogin Issuer URL as the OIDC discovery URL, the OneLogin Client ID as the OIDC client ID, the OneLogin Client Secret as the OIDC client secret, and reader as the default role.

4. Create Vault policies: create a policy file named reader.hcl. This policy grants read and list capabilities on all paths in the KV secrets engine enabled at the secret/ path.

tee reader.hcl <<EOF
# Read permission on the k/v secrets
path "/secret/*" {
  capabilities = ["read", "list"]
}
EOF

Select the Policies tab in Vault and then select Create ACL policy. Toggle the Upload file switch, click Choose a file to select the reader.hcl file you authored, and click Create Policy to finish.

5. Create Vault role: click the Vault CLI shell icon (>_) to open a command shell. In the terminal, create the reader role. (The browser shell does not expand environment variables, so if you use it instead of a local terminal with the vault CLI, paste the client ID literally in place of $ONELOGIN_CLIENT_ID.)

export ONELOGIN_CLIENT_ID="CLIENT_ID_HERE"

vault write auth/oidc/role/reader \
  bound_audiences="$ONELOGIN_CLIENT_ID" \
  allowed_redirect_uris="https://vault.example.com/ui/vault/auth/oidc/oidc/callback" \
  allowed_redirect_uris="http://localhost:8250/oidc/callback" \
  user_claim="sub" \
  token_policies="reader"
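The same Vault-side setup (steps 2 to 5) as one idempotent CLI script, an added example that is not part of the original article. It assumes VAULT_ADDR and VAULT_TOKEN point at Vault with an admin token, that VAULT_HOST, ONELOGIN_ISSUER, ONELOGIN_CLIENT_ID and ONELOGIN_CLIENT_SECRET carry the values from the OneLogin SSO tab, and the redirect-URI check is a local precaution before the write, not something Vault itself requires:

```shell
# Added example (not from the article): the Vault-side OIDC setup via the CLI.
# Assumed environment: VAULT_ADDR/VAULT_TOKEN (admin token), VAULT_HOST (public
# Vault hostname), ONELOGIN_ISSUER, ONELOGIN_CLIENT_ID, ONELOGIN_CLIENT_SECRET.
set -eu

# Only two callbacks belong on the role: the HTTPS UI callback on our own Vault
# host and the CLI's loopback listener on port 8250. $1 = Vault host, $2 = URI.
redirect_uri_ok() {
  case "$2" in
    http://localhost:8250/oidc/callback) return 0 ;;
    "https://$1/ui/vault/auth/oidc/oidc/callback") return 0 ;;   # quoted: literal match
    *) return 1 ;;
  esac
}

# The reader policy from the article, on stdout for `vault policy write reader -`.
reader_policy() {
  cat <<'EOF'
# Read and list on the KV secrets engine mounted at secret/
path "secret/*" {
  capabilities = ["read", "list"]
}
EOF
}

configure_vault_oidc() {
  host="${VAULT_HOST:-vault.example.com}"        # placeholder, as in the article
  ui_cb="https://$host/ui/vault/auth/oidc/oidc/callback"
  cli_cb="http://localhost:8250/oidc/callback"
  for uri in "$ui_cb" "$cli_cb"; do
    redirect_uri_ok "$host" "$uri" || { echo "refusing redirect URI: $uri" >&2; return 1; }
  done
  # Mount the auth method only if it is not mounted yet, so re-runs are safe.
  vault auth list -format=json | grep -q '"oidc/"' || vault auth enable oidc
  vault write auth/oidc/config \
    oidc_discovery_url="${ONELOGIN_ISSUER:?}" \
    oidc_client_id="${ONELOGIN_CLIENT_ID:?}" \
    oidc_client_secret="${ONELOGIN_CLIENT_SECRET:?}" \
    default_role="reader"
  reader_policy | vault policy write reader -
  # Repeating allowed_redirect_uris makes the CLI send the values as a list.
  vault write auth/oidc/role/reader \
    bound_audiences="$ONELOGIN_CLIENT_ID" \
    allowed_redirect_uris="$ui_cb" \
    allowed_redirect_uris="$cli_cb" \
    user_claim="sub" \
    token_policies="reader"
  vault read auth/oidc/role/reader     # read back what Vault actually stored
}

if [ "${1:-}" = "apply" ]; then configure_vault_oidc; fi
```

Run it as `sh setup-oidc.sh apply`; sourcing the file only defines the functions.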

Login with OIDC via UI

1. Sign out of the Vault UI if you are already logged in.

2. Select OIDC from the Method drop-down list.

3. In the Role field, enter reader, or leave it blank since the default role is already set to “reader”.

4. Click Sign in with OIDC Provider.

5. Now, you should be logged in.

Login with OIDC via CLI

1. Log in with the oidc method as the reader role.

export VAULT_ADDR="https://vault.example.com"
vault login -method=oidc role="reader"

2. When prompted, accept and authorize Vault's access to the OneLogin app.

3. Back in the terminal, you should see that the login was successful.

Conclusion

The integration of Vault with OneLogin via OIDC offers a comprehensive solution to the challenges of securing sensitive information. By replacing traditional login methods with OIDC, you enhance your organization's security posture and mitigate the risk of unauthorized access to critical secrets. By following the steps outlined in this article, you can establish a robust platform for secure secret management, contributing to the overall security and success of your organization.
