

[entraid] add field to support system credentials instead of OIDC
This PR introduces two new fields for Entra Plugins' settings:

- `tenant_id`: the directory to sync
- `credentials_source`: defaults to system credentials instead of using OIDC to authenticate to Entra ID

Both these fields are required for clusters whose access is private and can't be reached from the internet. For those cases, Azure can't validate the OIDC token Teleport shares.

Signed-off-by: Tiago Silva <[email protected]>
tigrato committed Oct 23, 2024
1 parent 0437596 commit e82e8fe
Showing 4 changed files with 1,659 additions and 1,513 deletions.
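--- a/api/proto/teleport/legacy/types/types.proto
+++ b/api/proto/teleport/legacy/types/types.proto
@@ -6451,8 +6451,27 @@ message PluginEntraIDSyncSettings {
 // DefaultOwners are the default owners for all imported access lists.
 repeated string default_owners = 1;
 
-// SSOConnectorID is the name of the Teleport SSO connector created and used by the Entra ID plugin
+// SSOConnectorID is the name of the Teleport SSO connector created and used by the Entra ID plugin.
 string sso_connector_id = 2;
+
+// credentials_source specifies the source of the credentials used for authentication with Azure.
+EntraIDCredentialsSource credentials_source = 3;
+
+// tenant_id refers to the Azure Directory that this plugin synchronizes with.
+// This field is populated on a best-effort basis and will be mandatory for new plugins created after this change is implemented.
+// For existing plugins, it is filled in using the Entra integration when utilized.
+string tenant_id = 4;
 }
+
+// EntraIDCredentialsSource defines the credentials source for Entra ID.
+enum EntraIDCredentialsSource {
+// ENTRAID_CREDENTIALS_SOURCE_UNKNOWN is used when the credentials source is not specified.
+ENTRAID_CREDENTIALS_SOURCE_UNKNOWN = 0;
+// ENTRAID_CREDENTIALS_SOURCE_OIDC indicates that the plugin will authenticate with Azure/Entra ID using OIDC.
+ENTRAID_CREDENTIALS_SOURCE_OIDC = 1;
+// ENTRAID_CREDENTIALS_SOURCE_SYSTEM_CREDENTIALS means the plugin will rely on system-provided credentials
+// for authentication with Azure Entra ID, especially for clusters with no internet access.
+ENTRAID_CREDENTIALS_SOURCE_SYSTEM_CREDENTIALS = 2;
+}
 
 // AccessGraphSettings controls settings for syncing access graph specific data.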
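Review bot: The doc comment on `tenant_id` promises that the field "will be mandatory for new plugins created after this change is implemented", but nothing in this commit enforces that, so readers of the generated types will expect a validation the field does not yet have. Because `tenant_id` is also what selects which directory the plugin reads from when system credentials are used, it is better to document only the current contract and let the change that adds the check update the comment, e.g. `// tenant_id refers to the Azure Directory that this plugin synchronizes with.` followed by `// It is optional for existing plugins and is filled in from the Entra integration when one is used.`. The `credentials_source` comment could likewise say which value an unset (UNKNOWN) source resolves to, since that is decided in api/types/plugin.go rather than here.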
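--- a/api/types/plugin.go
+++ b/api/types/plugin.go
@@ -318,6 +318,11 @@ func (p *PluginV1) CheckAndSetDefaults() error {
 if err := settings.EntraId.Validate(); err != nil {
 return trace.Wrap(err)
 }
+// backfill the credentials source if it's not set.
+if settings.EntraId.SyncSettings.CredentialsSource == EntraIDCredentialsSource_ENTRAID_CREDENTIALS_SOURCE_UNKNOWN {
+settings.EntraId.SyncSettings.CredentialsSource = EntraIDCredentialsSource_ENTRAID_CREDENTIALS_SOURCE_OIDC
+}
+
 case *PluginSpecV1_Scim:
 if settings.Scim == nil {
 return trace.BadParameter("Must be used with SCIM settings")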
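Review bot: The backfill added after `settings.EntraId.Validate()` resolves an unset `CredentialsSource` to `ENTRAID_CREDENTIALS_SOURCE_OIDC`, while the commit description says the new field "defaults to system credentials"; one of the two should be corrected so operators know which authentication path a plugin without an explicit source takes. The backfill also runs after `Validate()` returns, so validation never sees the resolved value; if `Validate` rejects UNKNOWN or applies source-specific requirements (for example requiring `tenant_id` with system credentials), the two statements should be swapped — I cannot see `Validate` from this hunk. The comment would be more useful as `// backfill the credentials source for plugins created before the field existed; unset means OIDC.`. `CheckAndSetDefaults` starts and ends outside the hunk.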
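--- a/api/types/plugin_test.go
+++ b/api/types/plugin_test.go
@@ -855,8 +855,9 @@ func TestPluginEntraIDValidation(t *testing.T) {
 return &PluginSpecV1_EntraId{
 EntraId: &PluginEntraIDSettings{
 SyncSettings: &PluginEntraIDSyncSettings{
-DefaultOwners: []string{"admin"},
-SsoConnectorId: "myconnector",
+DefaultOwners: []string{"admin"},
+SsoConnectorId: "myconnector",
+CredentialsSource: EntraIDCredentialsSource_ENTRAID_CREDENTIALS_SOURCE_OIDC,
 },
 },
 }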
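Review bot: Setting `CredentialsSource` explicitly in this fixture means the new UNKNOWN-to-OIDC backfill in `CheckAndSetDefaults` is, as far as this section shows, not exercised by `TestPluginEntraIDValidation`. A case that leaves `CredentialsSource` unset, runs `CheckAndSetDefaults`, and asserts the field equals `EntraIDCredentialsSource_ENTRAID_CREDENTIALS_SOURCE_OIDC` would pin the default that existing plugins silently receive; a second case with `ENTRAID_CREDENTIALS_SOURCE_SYSTEM_CREDENTIALS` would confirm it is accepted by validation. The enclosing test function starts and ends outside the hunk.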
