HashiCorp Cloud OIDC integration
Multi-Factor Authentication (MFA) is an extra layer of security used when logging in to websites or apps. A user must pass more than one independent verification step, combining factors of different kinds: something only they know (a password), something only they have (a phone or security key), or something they are (a biometric), so a single stolen password is not enough to gain access.
OIDC (OpenID Connect) is an open standard identity layer built on OAuth 2.0. It lets an application verify who a user is, and obtain basic profile information, by delegating the login to an identity provider, so the application never sees or stores the user's credentials.
Arculix by SecureAuth offers a simple method for adding single sign-on (SSO) with MFA to HashiCorp Cloud through its OIDC solution.
Prerequisites
Configured Arculix instance and user account with administrative privileges for Arculix.
Configured Arculix LDAP Agent.
For more information, see the Arculix LDAP Agent deployment guide.
User account with administrative privileges for HashiCorp Cloud.
Add OIDC application in Arculix
In this section, you'll configure Arculix to act as an OIDC Provider to authenticate the user and grant access to HashiCorp Cloud.
Log in to Arculix with an administrative account and go to Applications.
Click Create New Application.
In the New Application form, on the General tab, set the following configurations:
Name
Set the name of the application. This is the name to display for push notifications, in the Admin panel, Application portal, and audit logs.
For example, HashiCorp Cloud-OIDC.
Type
Set to OpenID Connect Relying Party Application [oidc_client].
Out of Band Methods
Select the allowed methods end users can choose to approve MFA requests.
For example, Arculix Mobile app (push notifications), SMS, or Security Key.
Message for MFA Requests
Optional. Type a message displayed to end users when sending an MFA request via push notification, SMS, or email.
Select the OIDC Configuration tab, and set the following configurations:
Login
Login URL
Optional. Enter the login URL for your HashiCorp Cloud instance.
Redirect URLs
Enter the redirect URL (redirect_uri) to which Arculix sends the user's browser back with the authorization code.
You can register more than one redirect URL (redirect_uri).
For example, a value of the form https://{your-tenant-URL}/login/callback.
Note
The value must match the Allowed Callback URL shown by HashiCorp Cloud exactly (scheme, host, path, and any trailing slash), because OIDC requires the redirect_uri in each authorization request to match a registered value character for character. If you have not completed the HashiCorp Cloud configuration yet, enter a placeholder now, then return to this section and replace it with the Allowed Callback URL provided by HashiCorp.
OIDC Provider Configuration
OIDC Provider URL
Copy this URL for the HashiCorp Cloud configuration, where it is entered as the Issuer URL. Copy it exactly as displayed; OIDC clients compare it byte for byte against the issuer value the provider advertises.
Client Settings
Application Type
Set to Web application.
Grant Type
Set to Authorization code – The user starts the login at the application, which redirects the browser to Arculix for authentication. After authentication (and MFA), Arculix sends a short-lived, single-use authorization code to the application's registered redirect URL, and the application exchanges that code for an access token and an ID token in a direct, back-channel request to Arculix that it authenticates with its client secret. The tokens therefore never pass through the browser.
Authentication Method
Set to Post – HashiCorp Cloud authenticates to the Arculix token endpoint by sending its client ID and client secret in the body of the HTTP POST request (the client_secret_post method in OIDC terms), rather than in an HTTP Basic Authorization header. Note that this setting concerns client authentication at the token endpoint; it is not the same thing as the form_post response mode, which governs how the authorization response is delivered to the client.
Scopes and Claims
Scopes
Select the following scopes:
profile – Allow access to the user's basic profile claims such as name, given and family name, username, picture, and locale. (In OIDC, postal address and phone number are released by the separate address and phone scopes, not by profile.)
email – Allow access to user's email address.
Session
Access Token Timeout
Set how long the access token is valid before it expires. By default this is set to 1 minute. A short lifetime limits how long a leaked access token remains usable; the refresh token below is what keeps the session alive.
Refresh Token Timeout
Set how long the refresh token is valid before it expires and the user must reauthenticate. By default this is set to 1 day.
Save your changes.
Edit the configured OIDC application and select the Advanced tab.
Copy the UID and Secret values.
You will need these for the HashiCorp Cloud configuration: the UID becomes the Client ID and the Secret becomes the Client secret. The Secret is the credential HashiCorp Cloud uses to authenticate to Arculix, so treat it like a password: paste it directly into the HashiCorp Cloud form rather than storing it in tickets, chat, or email, and rotate it if it is ever exposed.
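The Arculix settings above (authorization code grant, Post client authentication, the openid/profile/email scopes, and the UID and Secret) describe one protocol exchange. The following is an added example, not SecureAuth or HashiCorp code, that simulates both sides of that exchange in-process so it runs offline: ToyProvider stands in for Arculix and run_login() for HashiCorp Cloud. Real Arculix ID tokens are signed with the provider's published keys; this stand-in signs with an HMAC over the client secret (HS256, which OIDC also permits) to avoid key management. The issuer URL, callback URL, UID and Secret are assumed values.

```python
"""Toy authorization code flow: ToyProvider plays Arculix, run_login() plays
HashiCorp Cloud. Added example; all URLs, the UID and the Secret are assumptions."""
import base64, hashlib, hmac, json, secrets, time
from urllib.parse import parse_qs, urlencode, urlparse

ISSUER = "https://idp.example.com/oidc"                     # assumed OIDC Provider URL
CLIENT_ID = "hcp-oidc-uid"                                  # assumed Arculix UID
CLIENT_SECRET = "s3cr3t-copied-from-arculix"                # assumed Arculix Secret
REDIRECT_URI = "https://portal.example.com/login/callback"  # assumed Allowed Callback URL
ACCESS_TOKEN_TTL = 60                                       # 1 minute, the page's default


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_hs256(claims: dict, key: str) -> str:
    """Stand-in for the provider's signature (real Arculix uses published keys)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(key.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"


class ToyProvider:
    """Stand-in for the Arculix side: one registered client, codes, tokens."""

    def __init__(self):
        self.clients = {CLIENT_ID: {"secret": CLIENT_SECRET, "redirect_uris": {REDIRECT_URI}}}
        self.codes = {}  # outstanding authorization codes

    def authorize(self, params: dict, authenticated_user: str) -> str:
        """Authorization endpoint; the user has already authenticated and passed MFA."""
        client = self.clients.get(params.get("client_id"))
        # redirect_uri must exactly match a registered value (OIDC Core 3.1.2.1);
        # otherwise the code could be delivered to an attacker-controlled host.
        if client is None or params.get("redirect_uri") not in client["redirect_uris"]:
            raise PermissionError("unknown client or unregistered redirect_uri")
        if params.get("response_type") != "code":
            raise PermissionError("only the authorization code grant is enabled")
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"sub": authenticated_user, "nonce": params["nonce"],
                            "client_id": params["client_id"], "redirect_uri": params["redirect_uri"]}
        return params["redirect_uri"] + "?" + urlencode({"code": code, "state": params["state"]})

    def token(self, form: dict) -> dict:
        """Token endpoint; the client authenticates with client_secret_post."""
        client = self.clients.get(form.get("client_id"))
        if client is None or not hmac.compare_digest(client["secret"], form.get("client_secret", "")):
            raise PermissionError("client authentication failed")
        grant = self.codes.pop(form.get("code"), None)  # codes are single-use
        if (grant is None or grant["client_id"] != form["client_id"]
                or grant["redirect_uri"] != form.get("redirect_uri")):
            raise PermissionError("invalid, replayed, or mismatched code")
        now = int(time.time())
        claims = {"iss": ISSUER, "sub": grant["sub"], "aud": CLIENT_ID, "iat": now,
                  "exp": now + ACCESS_TOKEN_TTL, "nonce": grant["nonce"],
                  "email": f"{grant['sub']}@example.com"}
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "expires_in": ACCESS_TOKEN_TTL, "id_token": sign_hs256(claims, client["secret"])}


def verify_id_token(token: str, key: str, expected_nonce: str) -> dict:
    """Relying-party checks: signature, issuer, audience, expiry, nonce."""
    header, body, sig = token.split(".")
    expected = hmac.new(key.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body))
    if claims["iss"] != ISSUER or claims["aud"] != CLIENT_ID:
        raise ValueError("issuer or audience mismatch")
    if claims["exp"] < time.time() or claims["nonce"] != expected_nonce:
        raise ValueError("expired token or nonce mismatch")
    return claims


def run_login(op: ToyProvider, user: str = "alice") -> dict:
    """Relying-party side: start login, handle the callback, exchange the code."""
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    callback = op.authorize({"client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
                             "response_type": "code", "scope": "openid profile email",
                             "state": state, "nonce": nonce}, user)
    qs = parse_qs(urlparse(callback).query)
    if qs["state"][0] != state:  # binds the callback to the session that started login
        raise ValueError("state mismatch")
    tokens = op.token({"grant_type": "authorization_code", "code": qs["code"][0],
                       "redirect_uri": REDIRECT_URI, "client_id": CLIENT_ID,
                       "client_secret": CLIENT_SECRET})
    return verify_id_token(tokens["id_token"], CLIENT_SECRET, nonce)


if __name__ == "__main__":
    print(run_login(ToyProvider()))
```

The checks that matter for this integration are visible in the code: the provider refuses any redirect_uri that is not registered verbatim, the token endpoint rejects a wrong secret or a reused code, and the relying party ties the callback to its own session with state and the ID token to that login with nonce. If the redirect URL or secret entered in either console does not match, the failure surfaces at one of these points.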
HashiCorp Cloud configuration
In this section, you will configure the HashiCorp Cloud application that supports OIDC.
Log in to HashiCorp Cloud and go to Organization settings.
From the left navigation, select SSO and then select the OIDC category.
Save your changes.
The Add verification record TXT to your domain host page appears. Do the following:
Use the verification record from HashiCorp to create a DNS TXT record for your domain. Domain verification proves that your organization controls the email domain whose users will be signed in through Arculix.
For more information on DNS TXT records, see How to create a DNS TXT record.
In the Email domain section, enter your organization's domain and click Verify domain. Verification can take a short while after the record is published, depending on DNS propagation.
In the Configure your OIDC SSO client section, set the following:
Client ID
Enter the UID you copied earlier in Arculix.
Client secret
Enter the Secret you copied earlier in Arculix.
Issuer URL
Enter the OIDC Provider URL you copied earlier in Arculix, exactly as copied. OIDC clients derive the provider's discovery document from this value (the issuer followed by /.well-known/openid-configuration) and reject a provider whose advertised issuer differs, so do not add or remove a trailing slash.
Allowed Callback URL
Copy this URL. Return to your HashiCorp Cloud OIDC application in Arculix and enter it, unchanged, as a Redirect URL.
Click Save.
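Before testing, it is worth confirming that the Issuer URL you pasted is one HashiCorp Cloud will accept. The following is an added example, not HashiCorp or SecureAuth code, that applies the checks an OIDC client performs against a provider's discovery document: the advertised issuer must be identical to the configured URL (OIDC Discovery 4.3), the endpoints the authorization code flow needs must be present over https, and the Post authentication method and the scopes selected above must be advertised. It runs offline against constructed sample documents; fetch_and_check() performs the same checks against a live provider. The issuer URL and documents below are assumptions.

```python
"""Pre-flight check of an OIDC Issuer URL against its discovery document.
Added example; the issuer and sample documents are constructed, not captured."""
import json
import urllib.request
from urllib.parse import urlparse

REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")
REQUIRED_SCOPES = ("openid", "profile", "email")


def discovery_url(issuer: str) -> str:
    # The well-known path is appended to the full issuer, path included:
    # https://idp.example.com/oidc -> https://idp.example.com/oidc/.well-known/openid-configuration
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def check_discovery(issuer: str, doc: dict) -> list:
    """Return the problems found; an empty list means the issuer is usable."""
    problems = []
    if urlparse(issuer).scheme != "https":
        problems.append("issuer must use https")
    # OIDC Discovery 4.3: the advertised issuer must be identical to the
    # configured one, trailing slash included. Clients treat this as fatal.
    if doc.get("issuer") != issuer:
        problems.append(f"issuer mismatch: configured {issuer!r}, advertised {doc.get('issuer')!r}")
    for key in REQUIRED_ENDPOINTS:
        if key not in doc:
            problems.append(f"missing {key}")
        elif urlparse(doc[key]).scheme != "https":
            problems.append(f"{key} is not https")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow not advertised")
    # Per the spec, an absent token_endpoint_auth_methods_supported means only
    # client_secret_basic, so the Post (client_secret_post) setting would not work.
    if "client_secret_post" not in doc.get("token_endpoint_auth_methods_supported",
                                           ["client_secret_basic"]):
        problems.append("client_secret_post not advertised")
    advertised = doc.get("scopes_supported")
    if advertised is not None:
        problems += [f"scope {s} not advertised" for s in REQUIRED_SCOPES if s not in advertised]
    return problems


def fetch_and_check(issuer: str, timeout: float = 10) -> list:
    """Fetch the live discovery document and check it (requires network access)."""
    with urllib.request.urlopen(discovery_url(issuer), timeout=timeout) as resp:
        return check_discovery(issuer, json.load(resp))


# Constructed sample documents, not captured from a real Arculix tenant.
ISSUER = "https://idp.example.com/oidc"  # assumed OIDC Provider URL
GOOD_DOC = {
    "issuer": ISSUER,
    "authorization_endpoint": ISSUER + "/authorize",
    "token_endpoint": ISSUER + "/token",
    "jwks_uri": ISSUER + "/jwks",
    "response_types_supported": ["code"],
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"],
    "scopes_supported": ["openid", "profile", "email"],
}
# Same provider, but the document omits token_endpoint_auth_methods_supported;
# checked below with a URL that was pasted with a trailing slash.
BAD_DOC = {k: v for k, v in GOOD_DOC.items() if k != "token_endpoint_auth_methods_supported"}

if __name__ == "__main__":
    print(check_discovery(ISSUER, GOOD_DOC))
    print(check_discovery(ISSUER + "/", BAD_DOC))
```

Run fetch_and_check() with the Issuer URL you entered in HashiCorp Cloud; an issuer mismatch from a stray trailing slash is the most common reason an otherwise correct OIDC setup fails at the first login attempt.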
Test your OIDC application integration
Go to the login URL for your HashiCorp Cloud application and click Continue with Arculix. Test from a separate browser or a private window while keeping your existing administrator session open, so that a mistyped redirect URL or secret does not lock you out of the organization.
You will be redirected to the Arculix SSO page.
After successful authentication, select your preferred MFA method to approve access to the HashiCorp Cloud application.
Finally, you'll be redirected to the HashiCorp Cloud application home page.
Support
If you have questions or need assistance, contact SecureAuth Support.
Sales
Want to learn more about our MFA solutions? Contact our Professional Services for a demo today.
Disclaimer
All product names, trademarks, and registered trademarks are the property of their respective owners.
All company, product, and service names used in this document are for identification purposes only. The use of these names, trademarks, and brands does not constitute an endorsement by the SecureAuth Corporation.
Microsoft and Active Directory are either registered trademarks or trademarks of Microsoft and/or one or more of its subsidiaries in the United States and/or other countries.