Allowed IdP Claims

  • yaml/json setting: allowed_idp_claims
  • Type: map of string lists
  • Required

Allowed IdP Claims is a collection of allow-listed claim key-value pairs used to authorize access to a given route: a user is authorized when the claims in their identity-provider token match the configured values.

This is useful if your identity provider has extra information about a user that is not in the directory. It can also be useful if you wish to use groups with the generic OIDC provider.


- from:
- Doe
- Smith

This policy would match users with the family_name claim containing Smith or Doe.

Claims are represented as a map of strings to a list of values:

    {
      "family_name": ["Doe"],
      "given_name": ["John"]
    }
  • Nested maps are flattened: { "a": { "b": ["c"] } } becomes { "a.b": ["c"] }
  • Values are always a list: { "a": "b" } becomes { "a": ["b"] }
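The following Go program is an added illustration of the two rules above and of the route policy example earlier on this page; it is not Pomerium's own code. It flattens a decoded token claim map (nested keys joined with ".", scalars wrapped in a one-element list) and then evaluates an allowed_idp_claims-style policy against the result. The sample claims are constructed, and the handling of a policy with several claim keys (any one matching key is treated as sufficient) is an assumption of the example, since the page only shows a single-key policy.

```go
package main

import (
	"fmt"
	"sort"
)

// Claims is the flattened representation described on the page:
// every key maps to a list of string values.
type Claims map[string][]string

// FlattenClaims converts a decoded claim map into the flattened form.
// Nested maps are joined with "." ({"a":{"b":["c"]}} -> {"a.b":["c"]})
// and scalar values become one-element lists ({"a":"b"} -> {"a":["b"]}).
// Added example logic, not Pomerium's implementation.
func FlattenClaims(raw map[string]interface{}) Claims {
	out := Claims{}
	var walk func(prefix string, v interface{})
	walk = func(prefix string, v interface{}) {
		switch t := v.(type) {
		case map[string]interface{}:
			for k, child := range t {
				key := k
				if prefix != "" {
					key = prefix + "." + k
				}
				walk(key, child)
			}
		case []interface{}:
			for _, item := range t {
				out[prefix] = append(out[prefix], fmt.Sprint(item))
			}
		default:
			// Scalars (strings, numbers, bools) are always stored as a list.
			out[prefix] = append(out[prefix], fmt.Sprint(t))
		}
	}
	walk("", raw)
	return out
}

// Policy mirrors the allowed_idp_claims setting: claim key -> allowed values.
type Policy map[string][]string

// Matches reports whether the user's flattened claims satisfy the policy.
// A key matches when any configured value appears in the user's list for
// that key. ASSUMPTION: several keys are treated as alternatives (any one
// matching key is enough); a missing claim never matches.
func (p Policy) Matches(claims Claims) bool {
	for key, allowed := range p {
		have := map[string]bool{}
		for _, v := range claims[key] {
			have[v] = true
		}
		for _, want := range allowed {
			if have[want] {
				return true
			}
		}
	}
	return false
}

func main() {
	// Constructed sample claims from a decoded ID token (not from the page).
	raw := map[string]interface{}{
		"given_name":  "John",
		"family_name": "Doe",
		"a":           map[string]interface{}{"b": []interface{}{"c"}},
		"groups":      []interface{}{"admins", "developers"},
	}
	flat := FlattenClaims(raw)

	keys := make([]string, 0, len(flat))
	for k := range flat {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	for _, k := range keys {
		fmt.Printf("%s: %v\n", k, flat[k])
	}

	// Same policy as the route example on the page.
	policy := Policy{"family_name": {"Doe", "Smith"}}
	fmt.Println("matches:", policy.Matches(flat))
}
```

Because values are compared as exact strings after flattening, a policy key must use the flattened (dotted) name for nested claims, and a scalar claim in the token is matched the same way as a single-element list.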