[automate-2530] document supported LDAP/SAML configurations #2636

Merged (3 commits), Jan 16, 2020
5 changes: 5 additions & 0 deletions components/automate-chef-io/content/docs/ldap.md
Expand Up @@ -40,6 +40,11 @@ Local, MSAD, and LDAP users will have their Chef Automate sessions refreshed whi
browsing session of the Chef Automate UI or until they sign out directly.
{{< /info >}}

## Supported Identity Management Systems

- Azure Active Directory
- Microsoft Active Directory (MSAD)

## Overview

This is documentation for configuring Chef Automate's Lightweight Directory Application Protocol (LDAP) and Microsoft Active Directory (MSAD) integrations. LDAP is an established and open standard protocol for interacting with directory servers. A directory server stores information--in this case information for authenticating and authorizing users--in a tree of entries. (It is not a relational database.)
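Review bot: the new "Supported Identity Management Systems" list in ldap.md names Azure Active Directory, but the LDAP list this same PR adds to dev-docs/auth.md names only Microsoft Active Directory (MSAD), and that file's known-issues section records Azure AD as unsupported with SAML; the two files should agree on whether Azure AD is a supported LDAP configuration, and if it is, the customer-facing entry should say which path (LDAP or the MSAD-specific configuration) applies. Consider also placing the new section after "## Overview" rather than between the `{{< /info >}}` shortcode and the Overview heading, so the page explains what LDAP/MSAD integration is before listing the systems it supports.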
8 changes: 8 additions & 0 deletions components/automate-chef-io/content/docs/saml.md
Expand Up @@ -42,6 +42,14 @@ Local, MSAD, and LDAP users will have their Chef Automate sessions refreshed whi
browsing session of the Chef Automate UI or until they sign out directly.
{{< /info >}}

## Supported Identity Management Systems

- Office365
- OKTA

I'm guessing these are in order of prevalence but I expected them to be alphabetized 🤷‍♀️

Contributor Author

ya alphabetized would look better

- OneLogin
- Ping
- Tivoli Federated Identity Manager

## SAML Configuration Settings

The SAML configuration settings are:
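Review bot: this customer-facing list says nothing about SAML configurations known not to work, while the dev-docs/auth.md hunk in the same PR records that Azure AD with SAML fails (Automate cannot consume IdP metadata, which Azure relies on to rotate keys) and that dex does not support IdP-initiated SSO; a short "not currently supported" note here would save an Azure AD user from discovering that only after configuring it, since the dev docs are not deployed to customers. Also, the five entries here are alphabetized but the same list in dev-docs/auth.md is not (OKTA, Ping, OneLogin, Office365, Tivoli); use one order in both files.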
23 changes: 18 additions & 5 deletions dev-docs/auth.md
Expand Up @@ -15,15 +15,28 @@ We added our own [authn-service](https://github.com/chef/authn-service) as glue

For further questions, the team can be reached at [#auth-team](https://chefio.slack.com/messages/C61F9HHKK/)

## OpenID Connect aka Dex
## Supported Identity Management Systems

If you want to use google as an IdP (Identity Provider) or our internal test LDAP server, there are a few variables you can set.
OKTA with SAML and AD with LDAP are the most common configurations among our users.
Contributor

> AD with LDAP are the most common configurations among our users.

This is a bit misleading since most people using AD are using the AD-specific configuration instead of LDAP. I understand what this is saying, but the word "configurations" might be a bit overloaded here.

Contributor

Oh just also realized this was a dev doc. That's an ignorable nit in that case.

We have also had success with the following configurations:

To use a test OIDC provider we set up, look for `test oidc provider` on lastpass. Export the value for `Username` as `GOOGLE_CLIENT_ID` and the value for `Password` as `GOOGLE_CLIENT_SECRET`.
### SAML

For our test ldap server, look up `ldap testhost` and set `LDAP_HOST` to the `Hostname` value. Also look up `ldapbind user` and
set `LDAP_BIND_DN` and `LDAP_BIND_PW` to the values for `Username` and `Password`, respectively.
- OKTA
- Ping
- OneLogin
- Office365
- Tivoli Federated Identity Manager

### LDAP

- Microsoft Active Directory (MSAD)

### Configurations with Known Issues
Contributor

Let's move this section to somewhere in the repo instead of in the docs.

Contributor Author

These are dev docs, so they're not part of the docs we deploy to customers. But I could move it to the authn README if that seems a little more out of the way.

Contributor

Oh lol, sorry, ignore me.


- Azure AD with SAML: we cannot support SAML with Azure AD because Automate cannot consume SAML IdP metadata, which Azure relies on to rotate keys.
- Appleconnect with SAML: invalid signature error.
- In general, dex does not support idP initiated SSO. There is a [PR](https://github.com/dexidp/dex/pull/1514) in progress to add this functionality, last updated Sep 24, 2019.

## authn-service
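Review bot: this hunk deletes the developer setup instructions for the test OIDC provider (`GOOGLE_CLIENT_ID` and `GOOGLE_CLIENT_SECRET` from the `test oidc provider` LastPass entry) and for the test LDAP server (`LDAP_HOST`, `LDAP_BIND_DN`, `LDAP_BIND_PW`) without moving them anywhere; if those test setups still exist, keep the instructions (the authn README mentioned in review would do), and if they are obsolete, say so in the commit message so nobody goes looking for them. Two smaller points: the "### LDAP" subsection lists only MSAD while ldap.md in this PR also lists Azure Active Directory, and the Azure AD and Appleconnect items under "Configurations with Known Issues" would be more useful with an "as of" date, as the dex PR bullet already has, so a later reader knows whether the result is worth re-testing.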
