Skip to main content

HashiCorp Vault OIDC integration

Multi-Factor Authentication (MFA) is an extra layer of security used when logging into websites or apps. Individuals are authenticated through more than one required security and validation procedure that only they know or have access to.

OIDC (OpenID Connect) is an open standard protocol that provides a way to authenticate and authorize access to applications without giving the application your login credentials.

Arculix by SecureAuth, offers a simple method for adding single sign-on (SSO) MFA to HashiCorp Vault with its OIDC solution.


  • Configured Arculix instance and user account with administrative privileges for Arculix.

  • Configured Arculix LDAP Agent.

    For more information, see the Arculix LDAP Agent deployment guide.

  • User account with the following permissions configured for HashiCorp Vault or use the HashiCorp Vault root token token.

    # Mount the OIDC auth method
    path "sys/auth/oidc" {
      capabilities = [ "create", "read", "update", "delete", "sudo" ]
    # Configure the OIDC auth method
    path "auth/oidc/*" {
      capabilities = [ "create", "read", "update", "delete", "list" ]
    # Write ACL policies
    path "sys/policies/acl/*" {
      capabilities = [ "create", "read", "update", "delete", "list" ]
    # List available secrets engines to retrieve accessor ID
    path "sys/mounts" {
      capabilities = [ "read" ]

Add OIDC application in Arculix

In this section, you'll configure Arculix to act as an OIDC Provider to authenticate the user and grant access to HashiCorp Vault.

  1. Log in to Arculix with an administrative account and go to Applications.

  2. Click Create New Application.

    Create new application
  3. In the New Application form, on the General tab, set the following configurations:


    Set the name of the application. This is the name to display for push notifications, in the Admin panel, Application portal, and audit logs.

    For example, HashiCorp Vault.


    Set to OpenID Connect Relying Party Application [oidc_client].

    Out of Band Methods 

    Select the allowed methods end users can choose to approve MFA requests.

    For example, Arculix Mobile app (push notifications), SMS, or Security Key.

    Message for MFA Requests 

    Optional. Type a message displayed to end users when sending an MFA request via push notification, SMS, or email.

  4. Select the OIDC Configuration tab, and set the following configurations:


    Login URL 

    Optional. Enter the login URL for your HashiCorp Vault instance.

    Redirect URLs

    Enter the redirect URL (Redirect_uri) that Arculix will use to send back the authorization code.

    You can register more than one redirect URL (Redirect_uri).

    If you are running Vault locally, it should be:

    https://<your-local-instance-address>:8250/oidc/callback, https://<your-local-instance-address>:8200/ui/vault/auth/oidc/oidc/callback

    If you are running Vault in HCP, replace -URL- with the public address of your HCP Vault, and it should be:

    https://<your-local-instance-address>:8250/oidc/callback, -URL-/ui/vault/auth/oidc/oidc/callback

    Client Settings 

    Application Type 

    Set to Web application.

    Grant Type 

    Set to Authorization code – User logs in to the application, then the application redirects the flow to Arculix for authentication. After authentication, Arculix returns an authorization code to the application, then exchanges the code for an access token and an identity token.

    Authentication Method 

    Set to Basic – Basic authentication method that transmits the client secret in clear text. To ensure the security of the client secret, use HTTPS to encrypt the communication.

    Scopes and Claims 


    Select the following scopes:

    • profile – Allow access to user's profile information like postal address and phone number.

    • email – Allow access to user's email address.


    Access Token Timeout 

    Set how long the access token is valid for before it times out. By default this set to 1 minute.

    Refresh Token Timeout 

    Set how long the refresh token is valid for before it times out and requires the user to reauthenticate. By default this is set to 1 day.

  5. Save your changes.

  6. Edit the configured OIDC application and select the Advanced tab.

  7. Copy the UID and Secret values.

    You will need these for the HashiCorp Vault configuration.


HashiCorp Vault configuration

In this section, you will configure the HashiCorp Vault application that supports OIDC.

  1. For the initial configuration, do the following as applicable for Vault or HCP Vault.

  2. From the command line, create a variable for the Arculix secret.

    • Linux and Mac

      export Arculix_secret=<Arculix-secret-from-OIDC-app-configuration>
    • Windows

      set Arculix_secret=<Arculix-secret-from-OIDC-app-configuration>
  3. Log in to HashiCorp Vault with an administrator account and click Policies.

  4. Click Create ACL policy.

  5. In the Create ACL policy page, set the following:


    Enter a unique name for your policy.

    For example, manager.


    Enter the following code:

    # Manage k/v secrets
    path "/secret/*" {
        capabilities = ["create", "read", "update", "delete", "list"]
  6. Click Create policy.

  7. Return to ACL Policies to create another new policy.

  8. In the Create ACL policy page, set the following:


    Enter a unique name for your policy.

    For example, reader.


    Enter the following code:

    # Read permission on the k/v secrets
    path "/secret/*" {
        capabilities = ["read", "list"]
  9. Click Create policy.

  10. From the main navigation, go to Access to configure OIDC on HashiCorp Vault.

  11. Click Enable new method.

  12. On the Enable an Authentication Method page, select OIDC.

  13. Click Next, then select Enable Method.

  14. In the Configure OIDC section, set the following configurations:

    OIDC discovery URL

    Enter the Arculix discovery URL in this format:<organization>/oauth2/v1/

    Default role

    Set to reader.

  15. Toggle OIDC Options to expand it, and set the following:

    OIDC Client ID 

    Enter the UID value copied from the HashiCorp Vault OIDC application in Arculix.

    OIDC Client Secret 

    Enter the Secret value copied from the HashiCorp Vault OIDC application in Arculix.

  16. Save your changes.

  17. In the top left, click the Vault CLI shell icon (>_) to open a command shell.

  18. Use the following commands in the terminal to create the reader role.


    The allowed_redirect_uris and allowed_redirect_uris use the Redirect URLs defined in the Arculix configuration.

    The user_claim sets the claim to use to uniquely identify the user.

    vault write auth/oidc/role/reader \
          bound_audiences="$AUTH0_CLIENT_ID" \
          allowed_redirect_uris="https://<your-local-instance address>:8200/ui/vault/auth/oidc/oidc/callback" \
          allowed_redirect_uris="https://<your-local-instance address>:8250/oidc/callback" \
          user_claim="sub" \

Test your OIDC application integration

  1. Go to your HashiCorp Vault URL. Set Method to OIDC and click Sign in with OIDC Provider.

  2. You will be redirected to the Arculix SSO page.

    Application login page with QR code
  3. After successful authentication, select your preferred MFA method to approve access to the HashiCorp Vault application.

    Select MFA method
  4. Finally, you'll be redirected to the HashiCorp Vault application home page.


If you have questions or need assistance, contact SecureAuth Support.


Want to learn more about our MFA solutions? Contact our Professional Services for a demo today.


All product names, trademarks, and registered trademarks are the property of their respective owners.

All company, product, and service names used in this document are for identification purposes only. The use of these names, trademarks, and brands do not constitute an endorsement by the SecureAuth Corporation.