Sub-Claims

For some of the Auth Methods, such as JWT/OIDC and SAML, whose signed token carries sub-claims or attributes, you can restrict the authorizations of the associated role to those specific claims or attributes. In other words, only clients whose token contains these sub-claims (in case of JWT/OIDC) or attributes (in case of SAML) will be allowed to access the rules defined in the role.

The Sub-Claims definition is structured as a map whose keys are the field names of the sub-claims; each key can hold several values, and the client's sub-claim must match one of those values.
The keys and values are case sensitive.

For example, assume sub-claims is set to:

Groups=Engineering
[email protected]

Only JWTs or SAML-XML containing both the "Groups" and "Email" claims/attributes, and respective matching values of "Engineering" and "[email protected]", would be authorized.
If the expected value is a list, the claim must match one of the items on the list. For example, assume sub-claims is set to:

Groups=Engineering,Security
[email protected],[email protected]

Only JWTs or SAML-XML containing both the "Groups" and "Email" claims/attributes, and respective matching values of ["Engineering" or "Security"] and ["[email protected]" or "[email protected]"], would be authorized.
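The matching rule described above, written out as a small Python evaluator. This is an added illustration, not Akeyless code: it parses `Key=value1,value2` specs in the same shape the CLI accepts, then checks a decoded token's claims against them (every key must be present, values compare case-sensitively, and a key with several values matches if the claim holds any one of them). The sample claims and e-mail addresses are constructed for the example, and the handling of list-valued claims (match if any element is allowed) is an assumption about how a multi-valued group claim would be treated.

```python
from typing import Any, Dict, List, Mapping


def parse_sub_claims(specs: List[str]) -> Dict[str, List[str]]:
    """Turn ['Groups=Engineering,Security', 'Email=a,b'] into a
    {field_name: [allowed values]} map. Keys and values keep their case."""
    rules: Dict[str, List[str]] = {}
    for spec in specs:
        key, sep, values = spec.partition("=")
        if not sep or not key:
            raise ValueError(f"malformed sub-claim spec: {spec!r}")
        rules[key] = [v for v in values.split(",") if v]
    return rules


def claim_matches(claim_value: Any, allowed: List[str]) -> bool:
    """Exact, case-sensitive comparison. A list-valued claim (assumption:
    e.g. a 'groups' array in a JWT) matches if any element is allowed."""
    if isinstance(claim_value, (list, tuple)):
        return any(str(v) in allowed for v in claim_value)
    return str(claim_value) in allowed


def is_authorized(token_claims: Mapping[str, Any],
                  rules: Mapping[str, List[str]]) -> bool:
    """Every configured sub-claim must be present in the token and match one
    of its allowed values; extra claims in the token are ignored."""
    for key, allowed in rules.items():
        if key not in token_claims:
            return False
        if not claim_matches(token_claims[key], allowed):
            return False
    return True


if __name__ == "__main__":
    # Constructed sub-claim specs in the CLI's Key=v1,v2 form
    rules = parse_sub_claims([
        "Groups=Engineering,Security",
        "Email=alice@example.com,bob@example.com",
    ])
    # Constructed, already-decoded token claims
    print(is_authorized({"Groups": "Security", "Email": "bob@example.com"}, rules))
    print(is_authorized({"Groups": "engineering", "Email": "alice@example.com"}, rules))
```

The second call fails only because of case: "engineering" is not "Engineering", which is exactly the case-sensitivity the page describes.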

CLI

>>> akeyless assoc-role-am --role-name r1 --am-name Okta --sub-claims Groups=Engineering,Security  --sub-claims [email protected],[email protected]

UI
