This repository has been archived on 2024-05-31. You can view files and clone it, but cannot push or open issues or pull requests.
authentik/website/integrations/services/hashicorp-cloud/index.md


---
title: HashiCorp Cloud Platform
---

Support level: Community

## What is HashiCorp Cloud

From https://cloud.hashicorp.com/

:::note
HashiCorp Cloud Platform is a fully managed platform for Terraform, Vault, Consul, and more.
:::

## Preparation

The following placeholders will be used:

- `authentik.company` is the FQDN of authentik.

## Step 1 - HashiCorp Cloud

Log in at https://portal.cloud.hashicorp.com. Navigate to the Settings entry in the sidebar, then SSO. Enable SSO and configure domain verification for the domain of your users' email addresses.

Under Initiate SAML integration, copy SSO Sign-On URL and Entity ID.

## Step 2 - authentik

In authentik, under Providers, create a SAML Provider with these settings:

:::note
Only settings that have been modified from default have been listed.
:::

### Protocol Settings

- Name: HashiCorp Cloud
- ACS URL: Value of SSO Sign-On URL from above
- Issuer: Value of Entity ID from above
- Service Provider Binding: Post
- Audience: Value of Entity ID from above

Open Advanced protocol settings, and ensure a signing certificate is selected, and all default property mappings are selected.

Create an application which uses this provider. Optionally apply access restrictions to the application using policy bindings.

- Name: HashiCorp Cloud
- Slug: hashicorp-cloud
- Provider: HashiCorp Cloud

## Step 3 - HashiCorp Cloud

Open the Application's page in authentik and click on the provider name. Copy the value of SSO URL (Redirect) and paste it into the SAML IDP Single Sign-On URL field in the HashiCorp Cloud settings.

Download the certificate, open it in a text editor, and paste the contents into SAML IDP Certificate in the HashiCorp Cloud settings.

Afterwards, logging in to HashiCorp Cloud with any email address ending in one of the domains verified above will redirect to your authentik instance, provided that email address does not already have an existing HashiCorp Cloud account.
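The two values pasted into HashiCorp Cloud in Step 3 (the Redirect SSO URL and the signing certificate) are also published in the provider's SAML IdP metadata. The following added example (not part of the authentik docs or code base) pulls them out of a metadata document, selecting the HTTP-Redirect binding explicitly and refusing a certificate not usable for signing; the metadata, entity ID and URLs are constructed placeholders, and the certificate body is not a real certificate.

```python
"""Extract the IdP SSO redirect URL and signing certificate that HashiCorp Cloud
asks for from authentik SAML metadata. Added example; metadata is constructed."""
import base64
import textwrap
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample in the shape of an IdP metadata document; the certificate
# body is base64 of a marker string, NOT a real certificate.
FAKE_CERT_B64 = base64.b64encode(b"placeholder, not a real certificate").decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://authentik.company">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{FAKE_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://authentik.company/application/saml/hashicorp-cloud/sso/binding/post/"/>
    <md:SingleSignOnService Binding="{REDIRECT_BINDING}"
        Location="https://authentik.company/application/saml/hashicorp-cloud/sso/binding/redirect/"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def extract_idp_settings(metadata_xml: str) -> dict:
    """Return entityID, the HTTP-Redirect SSO URL and the signing cert as PEM."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    # HashiCorp Cloud's field wants the Redirect binding, so select it explicitly
    # rather than taking the first SingleSignOnService listed.
    sso_url = None
    for svc in idp.findall("md:SingleSignOnService", NS):
        if svc.get("Binding") == REDIRECT_BINDING:
            sso_url = svc.get("Location")
    if sso_url is None:
        raise ValueError("no HTTP-Redirect SingleSignOnService in metadata")
    # Take only a KeyDescriptor usable for signing (no 'use' attribute means both).
    cert_b64 = None
    for kd in idp.findall("md:KeyDescriptor", NS):
        node = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if kd.get("use", "signing") == "signing" and node is not None and node.text:
            cert_b64 = "".join(node.text.split())
    if cert_b64 is None:
        raise ValueError("no signing certificate in metadata")
    pem = "-----BEGIN CERTIFICATE-----\n" + "\n".join(textwrap.wrap(cert_b64, 64)) + "\n-----END CERTIFICATE-----\n"
    return {"entity_id": root.get("entityID"), "sso_url": sso_url, "certificate_pem": pem}
```

Comparing the returned `sso_url` and `certificate_pem` against what is pasted into the HashiCorp Cloud settings is a quick way to catch a copied POST URL or a stale certificate after a key rotation.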