Skip to main content

HashiCorp Cloud OIDC integration

Multi-Factor Authentication (MFA) is an extra layer of security used when logging into websites or apps. Individuals are authenticated through more than one required security and validation procedure that only they know or have access to.

OIDC (OpenID Connect) is an open standard protocol that provides a way to authenticate and authorize access to applications without giving the application your login credentials.

Arculix by SecureAuth, offers a simple method for adding single sign-on (SSO) MFA to HashiCorp Cloud with its OIDC solution.


  • Configured Arculix instance and user account with administrative privileges for Arculix.

  • Configured Arculix LDAP Agent.

    For more information, see the Arculix LDAP Agent deployment guide.

  • User account with administrative privileges for HashiCorp Cloud.

Add OIDC application in Arculix

In this section, you'll configure Arculix to act as an OIDC Provider to authenticate the user and grant access to HashiCorp Cloud.

  1. Log in to Arculix with an administrative account and go to Applications.

  2. Click Create New Application.

    Create new application
  3. In the New Application form, on the General tab, set the following configurations:


    Set the name of the application. This is the name to display for push notifications, in the Admin panel, Application portal, and audit logs.

    For example, HashiCorp Cloud-OIDC.


    Set to OpenID Connect Relying Party Application [oidc_client].

    Out of Band Methods 

    Select the allowed methods end users can choose to approve MFA requests.

    For example, Arculix Mobile app (push notifications), SMS, or Security Key.

    Message for MFA Requests 

    Optional. Type a message displayed to end users when sending an MFA request via push notification, SMS, or email.

  4. Select the OIDC Configuration tab, and set the following configurations:


    Login URL 

    Optional. Enter the login URL for your HashiCorp Cloud instance.

    Redirect URLs

    Enter the redirect URL (Redirect_uri) that Arculix will use to send back the authorization code.

    You can register more than one redirect URL (Redirect_uri).

    For example, https://{your-tenant-URL}.HashiCorp


    After you finish the HashiCorp Cloud configuration, return to this section and enter the Allowed Callback URL provided by HashiCorp.

    OIDC Provider Configuration

    OIDC Provider URL

    Copy this URL for HashiCorp Cloud configuration.

    Client Settings 


    Application Type 

    Set to Web application.

    Grant Type 

    Set to Authorization code – User logs in to the application, then the application redirects the flow to Arculix for authentication. After authentication, Arculix returns an authorization code to the application, then exchanges the code for an access token and an identity token.

    Authentication Method 

    Set to Post – Authenticates using the HTTP POST method, also known as the forms post response mode.

    Scopes and Claims 


    Select the following scopes:

    • profile – Allow access to user's profile information like postal address and phone number.

    • email – Allow access to user's email address.


    Access Token Timeout 

    Set how long the access token is valid for before it times out. By default this set to 1 minute.

    Refresh Token Timeout 

    Set how long the refresh token is valid for before it times out and requires the user to reauthenticate. By default this is set to 1 day.

  5. Save your changes.

  6. Edit the configured OIDC application and select the Advanced tab.

  7. Copy the UID and Secret values.

    You will need these for the HashiCorp Cloud configuration.


HashiCorp Cloud configuration

In this section, you will configure the HashiCorp Cloud application that supports OIDC.

  1. Log in to HashiCorp Cloud and go to Organization settings.

  2. From the left navigation, select SSO and then select the OIDC category.

  3. Save your changes.

  4. The Add verification record TXT to your domain host page appears. Do the following:

    1. Use the verification record from HashiCorp to create a DNS TXT record for your domain.

      For more information on DNS TXT records, see How to create a DNS TXT record

    2. In the Email domain section, enter your organization's domain and click Verify domain.

  5. In the Configure your OIDC SSO client section, set the following:

    Client ID

    Enter the UID you copied earlier in Arculix.

    Client secret

    Enter the Secret you copied earlier in Arculix.

    Issuer URL

    Enter the OIDC Provider URL you copied earlier in Arculix.

    Allowed Callback URL

    Copy this URL. Return to your HashiCorp Cloud OIDC application in Arculix and enter it as a Redirect URL.

  6. Click Save.

Test your OIDC application integration

  1. Go to the login URL for your HashiCorp Cloud application. Click Continue with Arculix.

  2. You will be redirected to the Arculix SSO page.

    Application login page with QR code
  3. After successful authentication, select your preferred MFA method to approve access to the HashiCorp Cloud application.

    Select MFA method
  4. Finally, you'll be redirected to the HashiCorp Cloud application home page.


If you have questions or need assistance, contact SecureAuth Support.


Want to learn more about our MFA solutions? Contact our Professional Services for a demo today.


All product names, trademarks, and registered trademarks are the property of their respective owners.

All company, product, and service names used in this document are for identification purposes only. The use of these names, trademarks, and brands do not constitute an endorsement by the SecureAuth Corporation.

Microsoft and Active Directory are either registered trademarks or trademarks of Microsoft and/or one or more of its subsidiaries in the United States and/or other countries.