[entraid] add setup script for offline clusters. (#47863)

* [entraid] add setup script for offline clusters. This PR adds a cli configuration for Entra ID where it's possible to default to system credentials instead of relying on OIDC for authentication in EntraID. OIDC is not always a possibility specially when the cluster is private and not internet acessible. The UX is the following: ```text Step 1: Run the Setup Script 1. Open **Azure Cloud Shell** (Bash) using **Google Chrome** or **Safari** for the best compatibility. 2. Upload the setup script using the **Upload** button in the Cloud Shell toolbar. 3. Once uploaded, execute the script by running the following command: $ bash entraid.sh **Important Considerations**: - You must have **Azure privileged administrator permissions** to complete the integration. - Ensure you're using the **Bash** environment in Cloud Shell. - During the script execution, you'll be prompted to run 'az login' to authenticate with Azure. **Teleport** does not store or persist your credentials. - **Mozilla Firefox** users may experience connectivity issues in Azure Cloud Shell; using Chrome or Safari is recommended. Once the script completes, type 'continue' to proceed, 'exit' to quit: continue Step 2: Input Tenant ID and Client ID With the output of Step 1, please copy and paste the following information: Enter the Tenant ID: 1056b571-0390-4b08-86c8-2edba8d9ae79 Enter the Client ID: 1056b571-0390-4b08-86c8-2edba8d9ae79 Successfully created EntraID plugin "name". ``` Signed-off-by: Tiago Silva <[email protected]> * move function to api * handle code review comments * Apply suggestions from code review Co-authored-by: Marco Dinis <[email protected]> * fix url * enable group claims * add godoc * handle code review comments * fix gomod --------- Signed-off-by: Tiago Silva <[email protected]> Co-authored-by: Marco Dinis <[email protected]>
gravitational · Oct 29, 2024 · 6d30e67 · 6d30e67
1 parent 254c4c4
commit 6d30e67
Show file tree

Hide file tree

Showing 11 changed files with 526 additions and 12 deletions.
diff --git a/api/utils/entraid/federation_metadata.go b/api/utils/entraid/federation_metadata.go
@@ -0,0 +1,33 @@
+/*
+Copyright 2024 Gravitational, Inc.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+package entraid
+
+import (
+	"net/url"
+	"path"
+)
+
+// FederationMetadataURL returns the URL for the federation metadata endpoint
+func FederationMetadataURL(tenantID, appID string) string {
+	return (&url.URL{
+		Scheme: "https",
+		Host:   "login.microsoftonline.com",
+		Path:   path.Join(tenantID, "federationmetadata", "2007-06", "federationmetadata.xml"),
+		RawQuery: url.Values{
+			"appid": {appID},
+		}.Encode(),
+	}).String()
+}
diff --git a/go.mod b/go.mod
@@ -82,6 +82,7 @@ require (
 	github.com/elastic/go-elasticsearch/v8 v8.13.1
 	github.com/elimity-com/scim v0.0.0-20240320110924-172bf2aee9c8
 	github.com/evanphx/json-patch v5.9.0+incompatible
+	github.com/fatih/color v1.17.0
 	github.com/fsouza/fake-gcs-server v1.48.0
 	github.com/fxamacker/cbor/v2 v2.6.0
 	github.com/ghodss/yaml v1.0.0
@@ -313,7 +314,6 @@ require (
 	github.com/evanphx/json-patch/v5 v5.9.0 // indirect
 	github.com/exponent-io/jsonpath v0.0.0-20151013193312-d6023ce2651d // indirect
 	github.com/fatih/camelcase v1.0.0 // indirect
-	github.com/fatih/color v1.16.0 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/form3tech-oss/jwt-go v3.2.5+incompatible // indirect
 	github.com/fsnotify/fsnotify v1.7.0

diff --git a/lib/config/configuration.go b/lib/config/configuration.go
@@ -296,6 +296,9 @@ type IntegrationConfAzureOIDC struct {
 	// When this is true, the integration script will produce
 	// a cache file necessary for TAG synchronization.
 	AccessGraphEnabled bool
+
+	// SkipOIDCConfiguration is a flag indicating that OIDC configuration should be skipped.
+	SkipOIDCConfiguration bool
 }
 
 // IntegrationConfDeployServiceIAM contains the arguments of

diff --git a/lib/integrations/azureoidc/enterprise_app.go b/lib/integrations/azureoidc/enterprise_app.go
@@ -52,7 +52,7 @@ var appRoles = []string{
 //   - Provides Teleport with OIDC authentication to Azure
 //   - Is given the permissions to access certain Microsoft Graph API endpoints for this tenant.
 //   - Provides SSO to the Teleport cluster via SAML.
-func SetupEnterpriseApp(ctx context.Context, proxyPublicAddr string, authConnectorName string) (string, string, error) {
+func SetupEnterpriseApp(ctx context.Context, proxyPublicAddr string, authConnectorName string, skipOIDCSetup bool) (string, string, error) {
 	var appID, tenantID string
 
 	tenantID, err := getTenantID()
@@ -120,8 +120,12 @@ func SetupEnterpriseApp(ctx context.Context, proxyPublicAddr string, authConnect
 		}
 	}
 
-	if err := createFederatedAuthCredential(ctx, graphClient, *app.ID, proxyPublicAddr); err != nil {
-		return appID, tenantID, trace.Wrap(err, "failed to create an OIDC federated auth credential")
+	// Skip OIDC setup if requested.
+	// This is useful for clusters that can't use OIDC because they are not reachable from the public internet.
+	if !skipOIDCSetup {
+		if err := createFederatedAuthCredential(ctx, graphClient, *app.ID, proxyPublicAddr); err != nil {
+			return appID, tenantID, trace.Wrap(err, "failed to create an OIDC federated auth credential")
+		}
 	}
 
 	acsURL, err := url.Parse(proxyPublicAddr)

diff --git a/lib/integrations/azureoidc/provision_sso.go b/lib/integrations/azureoidc/provision_sso.go
@@ -48,6 +48,9 @@ func setupSSO(ctx context.Context, graphClient *msgraph.Client, appObjectID stri
 	webApp := &msgraph.WebApplication{}
 	webApp.RedirectURIs = &uris
 	app.Web = webApp
+	securityGroups := new(string)
+	*securityGroups = "SecurityGroup"
+	app.GroupMembershipClaims = securityGroups
 
 	err = graphClient.UpdateApplication(ctx, appObjectID, app)
 

diff --git a/lib/msgraph/models.go b/lib/msgraph/models.go
@@ -18,6 +18,7 @@ package msgraph
 
 import (
 	"encoding/json"
+	"slices"
 
 	"github.com/gravitational/trace"
 )
@@ -34,6 +35,12 @@ type DirectoryObject struct {
 
 type Group struct {
 	DirectoryObject
+	GroupTypes []string `json:"groupTypes,omitempty"`
+}
+
+func (g *Group) IsOffice365Group() bool {
+	const office365Group = "Unified"
+	return slices.Contains(g.GroupTypes, office365Group)
 }
 
 func (g *Group) isGroupMember() {}
@@ -53,9 +60,10 @@ func (u *User) GetID() *string { return u.ID }
 type Application struct {
 	DirectoryObject
 
-	AppID          *string         `json:"appId,omitempty"`
-	IdentifierURIs *[]string       `json:"identifierUris,omitempty"`
-	Web            *WebApplication `json:"web,omitempty"`
+	AppID                 *string         `json:"appId,omitempty"`
+	IdentifierURIs        *[]string       `json:"identifierUris,omitempty"`
+	Web                   *WebApplication `json:"web,omitempty"`
+	GroupMembershipClaims *string         `json:"groupMembershipClaims,omitempty"`
 }
 
 type WebApplication struct {