Entra ID integration: integration script updates and web onboarding prerequisites #42172
Not used by the script. It is validated by the "plugins/validate" endpoint.
Lets user know that `az login` has completed and `teleport` is continuing its work.
CTA is 1-to-1 with prehog, but IntegrationEnrollKind is not.
This parameter is no longer accepted by the endpoint
@@ -26,6 +26,8 @@ const UPGRADE_TEAM_URL = 'https://goteleport.com/r/upgrade-team'; | |||
const UPGRADE_COMMUNITY_URL = 'https://goteleport.com/r/upgrade-community'; | |||
// UPGRADE_IGS_URL is enterprise upgrading to enterprise with Identity Governance & Security | |||
const UPGRADE_IGS_URL = 'https://goteleport.com/r/upgrade-igs'; | |||
// UPGRADE_POLICY_URL is enterprise upgrading to enterprise with Policy | |||
export const UPGRADE_POLICY_URL = 'https://goteleport.com/r/upgrade-policy'; |
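Review bot: UPGRADE_POLICY_URL is exported while UPGRADE_IGS_URL two lines above stays module-private, although both comments describe the same kind of enterprise-to-enterprise upgrade link; if code outside this module needs the policy link (for example as the custom URL of ButtonLockedFeature), export UPGRADE_IGS_URL the same way or route both through a single accessor so the two upgrade destinations cannot drift apart.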
I'm sorry, I think I led you astray with how the destination link should be crafted (before policy, it didn't matter so much). Do you mind changing both the igs and policy destinations? https://github.com/gravitational/next/pull/2505#discussion_r1621543575
We only need to change the redirect destination in next, the URLs in the frontend can stay, right?
The PR changelog entry failed validation: The changelog entry must start with a letter.
e
Is this intentional? From what I see this points to your dev branch and not master
Not intentional, will revert 👍
if (!url) { | ||
url = UPGRADE_COMMUNITY_URL; | ||
if (isEnterprise) { |
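Review bot: `if (!url)` makes any truthy caller-supplied `url` win over both defaults, so this parameter is an unconditional redirect target; restrict callers to the module's own upgrade constants (or validate the value against an allow-list of them) rather than accepting arbitrary strings, and state the precedence in a comment so the fallback chain (custom URL, then community, then the enterprise branch) stays explicit.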
nit:
if (!url) { | |
url = UPGRADE_COMMUNITY_URL; | |
if (isEnterprise) { | |
if (!url && isEnterprise) { | |
url = UPGRADE_COMMUNITY_URL; |
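Review bot: the suggested `if (!url && isEnterprise)` is not equivalent to the original: with it, a non-enterprise caller that passes no `url` is left without the community fallback, and the community URL is assigned only on the enterprise path, the opposite of the original ordering. Keep `if (!url)` as the outer guard and nest the enterprise check inside it.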
Not sure that means the same thing 🤔
Yeah, if `url` is defined we want to use it, no matter if enterprise or not.
This reverts commit fc747a0.
…rerequisites (#42172)
* Remove integration name validation from web script
  Not used by the script. It is validated by the "plugins/validate" endpoint.
* Add required frontend constants for Entra ID
* Support Azure/Entra integrations in the list
* Add IsPolicyEnabled to web config
* Allow custom URL for ButtonLockedFeature
* Add CTA_ENTRA_ID event type
* Expose TAGInfoCache for use in e
* Add LackingIgs option
* Add Entra ID icon
* Add Entra ID plugin to storybook
* Bump e for dev build
* Return underlying error in getPrivateAPIToken
* Find default Azure subscription instead of the first one
* Require user to re-login when provisioning Azure OIDC
* Update prehog protos with Entra ID values
  From https://github.com/gravitational/cloud/pull/9111
* Suppress verbose warnings / information from az
* Add an additional message after successful auth
  Lets user know that `az login` has completed and `teleport` is continuing its work.
* Move EntraId constant to the bottom
* Revert unintended changes to usageevents
  CTA is 1-to-1 with prehog, but IntegrationEnrollKind is not.
* Remove integrationName validation asserts from test
  This parameter is no longer accepted by the endpoint
* Revert "Bump e for dev build"
  This reverts commit fc747a0.

…rerequisites (#42172) (#42294)
* Remove integration name validation from web script
  Not used by the script. It is validated by the "plugins/validate" endpoint.
* Add required frontend constants for Entra ID
* Support Azure/Entra integrations in the list
* Add IsPolicyEnabled to web config
* Allow custom URL for ButtonLockedFeature
* Add CTA_ENTRA_ID event type
* Expose TAGInfoCache for use in e
* Add LackingIgs option
* Add Entra ID icon
* Add Entra ID plugin to storybook
* Bump e for dev build
* Return underlying error in getPrivateAPIToken
* Find default Azure subscription instead of the first one
* Require user to re-login when provisioning Azure OIDC
* Update prehog protos with Entra ID values
  From https://github.com/gravitational/cloud/pull/9111
* Suppress verbose warnings / information from az
* Add an additional message after successful auth
  Lets user know that `az login` has completed and `teleport` is continuing its work.
* Move EntraId constant to the bottom
* Revert unintended changes to usageevents
  CTA is 1-to-1 with prehog, but IntegrationEnrollKind is not.
* Remove integrationName validation asserts from test
  This parameter is no longer accepted by the endpoint
* Revert "Bump e for dev build"
  This reverts commit fc747a0.
* Entra ID reconciler: directory reconciler prerequisites (#40778)
* Add Entra ID resource origin
* Ignore ID and Revision from `header` in cmp
* Add e_imports for MS Graph SDK
* Entra ID integration: add proto definitions (#40997)
* Entra ID integration boilerplate (#40998)
* Add e imports for MS Graph SDK
* Add ability to sign Entra ID OIDC JWTs, rework KID handling
  - Synthesize Key IDs for our JWT keys. For backwards compatibility, also include the same keys with an empty `kid` in JWKS.
  - Sign AWS OIDC tokens with a `kid=""` header claim, rather than omitting the `kid` claim altogether. See comment for details.
* Add validation for Entra ID plugin
* Fix typo in assertion function name
* Update the OIDC JWKS test to expect the same key twice
* Add Entra ID plugin type constant
* go mod tidy
* Fix expected JWKS size in integration test
* Add basic tests for KeyID
* Move Azure auth settings from Plugin to Integration
* Address review comments
* Add a unit test to ensure KeyID compatibility
* Add license header to token_generator.go
* Rename validation function per new conventions
* Access Graph: sync AWS identity providers (#41368)
* Add AWSSAMLProviderV1 to access graph proto
* Access Graph: sync AWS SAML Providers
* Parse SAML entity descriptor before sending to TAG
* Add protos for AWS OIDC providers
* Fetch AWS OIDC providers
* Fetch signing certificates for AWS SAML providers
* Deflake identity provider fetch test
  The concrete implementation of IAM mock uses a map, resulting in non-deterministic iteration order. Sort the results before comparing to alleviate.
* Update lib/srv/discovery/fetchers/aws-sync/iam_test.go
  Co-authored-by: Jakub Nyckowski <[email protected]>
  --------
  Co-authored-by: Jakub Nyckowski <[email protected]>
* Access Graph: Entra ID application sync prerequisites (#41650)
* Add access graph settings to Entra ID plugin
* Move Entra ID labels to OSS
* Add Entra resources and RPC to Access Graph proto
* Add azure-oidc integration to web.
  Current code assumes that Integration is always either AwsOidc, or an external audit storage integration
* Change app sso cache to a repeated field
* Entra ID integration: add onboarding script (#41811)
* Add Entra ID integration onboarding script
* Adapt after proto update
* Validate names in azure script handler, add test
* Add license headers
* Update Entra plugin test with SSO connector field
* Fix lint
* Remove leftover panics
* Adjust success message
* Downgrade log message level
* Expect exactly 1 SP for MS Graph, improve errors
* Properly extract hostname for enterprise app name
* Comment on assuming the first subscription
* Address review nits
* Factor out sso info fetch into a function
* fixup refactor
* Add retry logic to app role assignment
* Make godoc conventional
* Entra ID integration: integration script updates and web onboarding prerequisites (#42172)
* Remove integration name validation from web script
  Not used by the script. It is validated by the "plugins/validate" endpoint.
* Add required frontend constants for Entra ID
* Support Azure/Entra integrations in the list
* Add IsPolicyEnabled to web config
* Allow custom URL for ButtonLockedFeature
* Add CTA_ENTRA_ID event type
* Expose TAGInfoCache for use in e
* Add LackingIgs option
* Add Entra ID icon
* Add Entra ID plugin to storybook
* Bump e for dev build
* Return underlying error in getPrivateAPIToken
* Find default Azure subscription instead of the first one
* Require user to re-login when provisioning Azure OIDC
* Update prehog protos with Entra ID values
  From https://github.com/gravitational/cloud/pull/9111
* Suppress verbose warnings / information from az
* Add an additional message after successful auth
  Lets user know that `az login` has completed and `teleport` is continuing its work.
* Move EntraId constant to the bottom
* Revert unintended changes to usageevents
  CTA is 1-to-1 with prehog, but IntegrationEnrollKind is not.
* Remove integrationName validation asserts from test
  This parameter is no longer accepted by the endpoint
* Revert "Bump e for dev build"
  This reverts commit fc747a0.
* `go mod tidy` secondary modules
--------
Co-authored-by: Jakub Nyckowski <[email protected]>
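The KID-handling change described in the commit message above (synthesized key IDs, every key published twice in the JWKS, once under its `kid` and once under an empty `kid`, and tokens signed with an explicit `kid:""` header rather than no `kid` at all) as an added, self-contained Go example. This is not Teleport's code: the thumbprint algorithm (RFC 7638), the JWK/JWKS field subset, and all function names (`KeyID`, `BuildJWKS`, `SignRS256`, `VerifyRS256`) are assumptions of the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
)

// JWK is the subset of an RSA JSON Web Key needed for RS256 verification.
// Kid deliberately has no omitempty tag: a legacy entry must serialize as "kid":"".
type JWK struct {
	Kty string `json:"kty"`
	Kid string `json:"kid"`
	N   string `json:"n"`
	E   string `json:"e"`
}

type JWKS struct{ Keys []JWK `json:"keys"` }

var b64 = base64.RawURLEncoding

func encBig(b *big.Int) string { return b64.EncodeToString(b.Bytes()) }
func decode(s string) []byte  { b, _ := b64.DecodeString(s); return b } // bad input -> nil, fails later checks

// GenerateKey wraps rsa.GenerateKey so callers and tests need no crypto/rand import.
func GenerateKey(bits int) (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, bits) }

// KeyID synthesizes a stable identifier from the public key alone. Assumed here:
// the RFC 7638 JWK thumbprint (SHA-256 of the lexically ordered required members).
func KeyID(pub *rsa.PublicKey) string {
	canonical := fmt.Sprintf(`{"e":"%s","kty":"RSA","n":"%s"}`, encBig(big.NewInt(int64(pub.E))), encBig(pub.N))
	sum := sha256.Sum256([]byte(canonical))
	return b64.EncodeToString(sum[:])
}

// BuildJWKS publishes each key twice: under its synthesized kid and again under
// kid "", so a verifier that selects by an empty kid still finds the key.
func BuildJWKS(pubs ...*rsa.PublicKey) JWKS {
	var set JWKS
	for _, pub := range pubs {
		n, e := encBig(pub.N), encBig(big.NewInt(int64(pub.E)))
		set.Keys = append(set.Keys, JWK{Kty: "RSA", Kid: KeyID(pub), N: n, E: e}, JWK{Kty: "RSA", N: n, E: e})
	}
	return set
}

// SignRS256 issues header.payload.signature. The header's kid field has no
// omitempty, so an empty kid is written as "kid":"" rather than dropped.
func SignRS256(priv *rsa.PrivateKey, kid string, claims map[string]any) (string, error) {
	header, _ := json.Marshal(struct {
		Alg string `json:"alg"`
		Kid string `json:"kid"`
	}{"RS256", kid})
	payload, _ := json.Marshal(claims)
	input := b64.EncodeToString(header) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// VerifyRS256 selects JWKS entries by exact kid match (an empty kid selects only
// the legacy entries) and accepts the token if any selected key verifies it.
func VerifyRS256(set JWKS, token string) (bool, error) {
	parts := strings.Split(token, ".")
	var hdr struct {
		Alg string `json:"alg"`
		Kid string `json:"kid"`
	}
	if len(parts) != 3 || json.Unmarshal(decode(parts[0]), &hdr) != nil || hdr.Alg != "RS256" {
		return false, fmt.Errorf("malformed token or unsupported alg")
	}
	sig := decode(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	for _, k := range set.Keys {
		if k.Kid != hdr.Kid {
			continue
		}
		pub := &rsa.PublicKey{N: new(big.Int).SetBytes(decode(k.N)), E: int(new(big.Int).SetBytes(decode(k.E)).Int64())}
		if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil {
			return true, nil
		}
	}
	return false, fmt.Errorf("no published key with kid %q verifies this token", hdr.Kid)
}

func main() {
	priv, _ := GenerateKey(2048)
	set := BuildJWKS(&priv.PublicKey)
	tok, _ := SignRS256(priv, "", map[string]any{"sub": "example"}) // legacy-style token, explicit empty kid
	ok, err := VerifyRS256(set, tok)
	fmt.Println(ok, err)
}
```

The verifier matches `kid` exactly, so a token carrying `kid:""` only ever resolves to the duplicated legacy entries, and a token carrying the synthesized kid only to the new ones; publishing both is what keeps tokens from before the kid change verifying during the transition. Emitting `"kid":""` instead of omitting the member matters for relying parties that treat "absent" and "empty" differently when they look the key up, which is why the header struct carries no `omitempty`.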
This (together with the Enterprise counterpart https://github.com/gravitational/teleport.e/pull/4273) is the last large changeset for the initial version of Entra ID integration.
This PR:
`az login` to make sure we have the necessary token to make calls to the "private" Azure API during onboarding.

changelog: Added support for Microsoft Entra ID directory synchronization (Teleport Enterprise only, preview)