From 584b5877f2b5c5430d337905be61deff0822b44d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Torjus=20H=C3=A5kestad?= <torjus@usit.uio.no>
Date: Mon, 9 Feb 2026 19:41:18 +0100
Subject: [PATCH] vault: use full group name format for Kanidm

---
 terraform/vault/oidc.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/terraform/vault/oidc.tf b/terraform/vault/oidc.tf
index b94e761..b3efc71 100644
--- a/terraform/vault/oidc.tf
+++ b/terraform/vault/oidc.tf
@@ -24,7 +24,7 @@ resource "vault_jwt_auth_backend_role" "admin" {
 
   user_claim   = "preferred_username"
   groups_claim = "groups"
-  bound_claims = { groups = "admins" }
+  bound_claims = { groups = "admins@home.2rjus.net" }
   role_type    = "oidc"
   oidc_scopes  = ["openid", "profile", "email", "groups"]