Skip to content

chore: add changelog about oidc claim mapping #918

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 5 commits into from
Oct 15, 2025
Merged

chore: add changelog about oidc claim mapping #918

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
4dd4cad
chore: add changelog about oidc claim mapping
KNiepok Oct 3, 2025
aa84e4d
Merge branch 'main' into oidc-claim-mappings-changelog
KNiepok Oct 13, 2025
7321c8d
add OIDC custom claims docs section
KNiepok Oct 14, 2025
2059759
chore: lint
KNiepok Oct 14, 2025
d7af657
chore: add a link
KNiepok Oct 14, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Binary file added docs/assets/screenshots/sso/oidc-custom-claims.png
View file
Open in desktop
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
21 changes: 21 additions & 0 deletions docs/integrations/cloud-providers/oidc/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -95,6 +95,27 @@ The only exceptions are tracked runs whose stack is not set to [autodeploy](../.

The scope claim, as well as other claims presented by the Spacelift token, are merely advisory. It depends on you whether you want to control access to your external service provider based on the scope of the token or on some other claim like space, caller, or run type. In other words, Spacelift gives you the data and it's up to you to decide how to use it.

## Custom Claims Mapping for Groups

Some identity providers use non-standard claim names for user group membership. For example:

- **AWS Cognito** uses `cognito:groups` instead of the standard `groups` claim
- **Google Workspace** does not include group membership in OIDC tokens by default

Spacelift allows you to map custom claims from your identity provider to the standard `groups` claim that Spacelift expects. This enables group-based access control even when your IdP doesn't follow the standard OIDC groups claim convention.

### Configuring Custom Claims Mapping

To configure custom claims mapping:

1. Navigate to **Organization settings** → **Single Sign-On**
2. In your OIDC configuration, look for the **Custom claims mapping** section
3. Add a mapping for the `groups` claim:
- **Claim name in IdP**: Enter the custom claim name from your identity provider (e.g., `cognito:groups`)
- **Claim name in Spacelift**: Enter `groups`

![Screenshot: OIDC configuration page showing custom claims mapping section](../../../assets/screenshots/sso/oidc-custom-claims.png)

## Use the Spacelift OIDC token

You can follow our guidelines to see how to use the Spacelift OIDC token to authenticate with:
Expand Down
1 change: 1 addition & 0 deletions docs/product/changelog.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,7 @@ description: Find out about the latest changes to Spacelift.
## Features

- You can now create API keys via the TF provider. See the [API keys resource documentation](https://search.opentofu.org/provider/spacelift-io/spacelift/latest/docs/resources/api_key) for more information.
- Added SSO OIDC claim mapping support. See the [custom claims mapping documentation](../integrations/cloud-providers/oidc/README.md#configuring-custom-claims-mapping) for more information.

## 2025-10-01

Expand Down