ADFS 4.0 groups claim could not be converted to list

[ljupchokotev]

We have OIDC configured to work with ADFS 4.0 and we are hitting an issue when we want to use groups_claim. What happens is that ADFS issues the groups claim as string if there is only one group that the user belongs to. If there are multiple groups, then it sends the groups claim as an array which Vault accepts.

We are hitting the following error: https://github.com/hashicorp/vault-plugin-auth-jwt/blob/master/path_login.go#L345 because Vault expects the groups claim to always be an array.

I tried to force ADFS to send the groups claim as an array even if there is only one group, but I couldn't figure out how to do it.

Is this something that can be fixed on Vault's side?

[kalafut]

Certainly not the first instance of this, and I'm a little surprised how often this claim is coming back from IdPs as a different type depending on the length. Adding some flexibility to the parsing is something we'll being investigating soon, and have already added when parsing bound_claims for similar reasons.

In the mean time, can you possibly add membership to a dummy group on the ADFS side, thus forcing it to output a list? Pretty hacky, I know...

[ljupchokotev]

We already did something similar as a workaround. Instead of creating a dummy group we just have a custom claim rule which issues a dummy value on the same claim which forces it to have at least two values and then ADFS formats that as an array.

It would be nice to handle this type of thing on Vault's side though.