core: add prompt_data to auth flow (#11702)
I added the prompt_data and user_path to the auth flow. This allows us to more easily sync users' details whenever they're logged in through a Source by using the Write stage, identical to an Enrolment flow.

This makes sure that mappings etc. are automatically taken into consideration, and are passed to the Authentication flow.

While I was at it, I made the code consistent with the `handle_enroll` method.

Signed-off-by: Wouter van Os <wouter0100@gmail.com>
Wouter0100 authored and Tana M Berry committed Oct 22, 2024
1 parent 2fa50de commit e52c9ad
Showing 2 changed files with 66 additions and 30 deletions.
7 changes: 5 additions & 2 deletions authentik/core/sources/flow_manager.py
Expand Up @@ -272,7 +272,6 @@ def handle_auth(
connection: UserSourceConnection,
) -> HttpResponse:
"""Login user and redirect."""
flow_kwargs = {PLAN_CONTEXT_PENDING_USER: connection.user}
return self._prepare_flow(
self.source.authentication_flow,
connection,
Expand All @@ -286,7 +285,11 @@ def handle_auth(
),
)
],
**flow_kwargs,
**{
PLAN_CONTEXT_PENDING_USER: connection.user,
PLAN_CONTEXT_PROMPT: delete_none_values(self.user_properties),
PLAN_CONTEXT_USER_PATH: self.source.get_user_path(),
},
)

def handle_existing_link(
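Review bot: the three names introduced in the new `**{ ... }` block, `PLAN_CONTEXT_PROMPT`, `PLAN_CONTEXT_USER_PATH` and `delete_none_values`, are not shown being imported in either hunk; confirm they are already imported in `flow_manager.py` (the commit message says this mirrors `handle_enroll`, so they probably are, but the diff does not prove it). The docstring still reads `"""Login user and redirect."""` and should say what the method now does: it seeds the authentication flow's plan context with the source's `user_properties`, so any Write stage in that flow will overwrite attributes of the already-existing `connection.user` on every login. That is the intended sync behaviour, but it is worth one sentence so operators adding a Write stage to an authentication flow know it now applies to existing users, not only to enrollment.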
89 changes: 61 additions & 28 deletions website/integrations/services/vmware-vcenter/index.md
Expand Up @@ -14,15 +14,11 @@ sidebar_label: VMware vCenter
> -- https://en.wikipedia.org/wiki/VCenter
:::caution
This requires authentik 0.10.3 or newer.
:::

:::caution
This requires VMware vCenter 7.0.0 or newer.
This requires VMware vCenter 8.03 or newer.
:::

:::note
It seems that the vCenter still needs to be joined to the Active Directory Domain, otherwise group membership does not work correctly. We're working on a fix for this, for the meantime your vCenter should be part of your Domain.
The vCenter still needs to be joined to the Active Directory Domain, otherwise group membership does not work correctly. We're working on a fix for this, for the meantime your vCenter should be part of your Domain.
:::

## Preparation
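Review bot: the new caution line `This requires VMware vCenter 8.03 or newer.` uses a version string that does not match how vCenter releases are numbered (8.0 Update 3 is written 8.0U3 or 8.0.3, not 8.03); please confirm the intended minimum and spell it the way VMware does, since readers will compare it against the build they are running. Dropping the separate authentik 0.10.3 caution and the "It seems that" hedge in the note is fine.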
Expand All @@ -32,7 +28,9 @@ The following placeholders will be used:
- `vcenter.company` is the FQDN of the vCenter server.
- `authentik.company` is the FQDN of the authentik install.

Since vCenter only allows OpenID-Connect in combination with Active Directory/LDAP, it is recommended to have authentik sync with the same Active Directory. You also have the option of connecting to an authentik managed LDAP outpost for user management.
Since vCenter only allows OpenID-Connect in combination with Active Directory/LDAP, it is recommended to have authentik sync with the same Active Directory. You also have the option of connecting to an authentik-managed LDAP outpost for user management.

## authentik configuration

### Step 1

Expand All @@ -44,7 +42,7 @@ return {
}
```

If you are using an authentik managed LDAP outpost you can use the following expression in your property mapping. This will correctly return the `groups` claim as a list of LDAP DNs instead of their names.
If you are using an authentik-managed LDAP outpost you can use the following expression in your property mapping. This will correctly return the `groups` claim as a list of LDAP DNs instead of their names.

```python
ldap_base_dn = "DC=ldap,DC=goauthentik,DC=io"
Expand All @@ -69,41 +67,76 @@ return {
If your Active Directory Schema is the same as your Email address schema, skip to Step 3.
:::

Under _Sources_, click _Edit_ and ensure that "authentik default Active Directory Mapping: userPrincipalName" has been added to your source.
Under _Sources_, click _Edit_ and ensure that `authentik default Active Directory Mapping: userPrincipalName` has been added to your source.

### Step 3

Under _Providers_, create an OAuth2/OpenID provider with these settings:
Create an application and an OAuth2/OpenID provider, using the authentik Wizard.

- Redirect URI: `https://vcenter.company/ui/login/oauth2/authcode`
- Sub Mode: If your Email address Schema matches your UPN, select "Based on the User's Email...", otherwise select "Based on the User's UPN...". If you are using authentik's managed LDAP outpost, chose "Based on the User's username"
- Scopes: Select the Scope Mapping you've created in Step 1
- Signing Key: Select any available key
1. Log into authentik as an admin, and navigate to **Applications --> Applications**, and then click **Create with Wizard**.

![](./authentik_setup.png)
2. In the Wizard, follow the prompts to create an application and its provider.

### Step 4
Create the application with these settings:

Create an application which uses this provider. Optionally apply access restrictions to the application.
- Select OIDC as the provider type.
- Ensure that the **Redirect URI Setting** is left empty.

Set the Launch URL to `https://vcenter.company/ui/login/oauth2`. This will skip vCenter's User Prompt and directly log you in.
Create the provider with these settings:

:::caution
This Launch URL only works for vCenter < 7.0u2. If you're running 7.0u2 or later, set the launch URL to `https://vcenter.company/ui/login`
:::
- Redirect URI: `https://vcenter.company/ui/login/oauth2/authcode`
- Ensure that the signing key is provided (or you accept the default to authentik's Self-signed Certificate).

3. Click **Submit** to create the application and provider, and then click **Close** to close the Wizard.

Optionally, you can use a policy to apply access restrictions to the application.

## vCenter Setup

Login as local Administrator account (most likely ends with vsphere.local). Using the Menu in the Navigation bar, navigate to _Administration -> Single Sing-on -> Configuration_.
1. Log in to VCenter with your local Administrator account. Using the menu in the left navigation bar, navigate to _Administration -> Single Sing-on -> Configuration_.

2. Click _Change Provider_ in the top-right corner, and then select **Okta** from the drop-down list.

3. In the wizard, click **RUN PRECHECKS**, select the confirmation box, and then click **Next**.

- Enter the Directory Name, for example `authentik.company` or any other name.
- Add a Domain Name, for example `authentik.company`.
- Click on the Plus (+) sign to show the default domain name.

4. Click **Next**.

5. On the OpenID Connect page, enter the following values:

- Set `Identity Provider Name` to `authentik`.
- Set `Client Identifier` to the client ID from authentik.
- Set `Shared secret` to the client secret from authentik.
- Set `OpenID Address` to the *OpenID Configuration URL* from authentik.

6. Click **Next**, and then **Finish**.

Click on _Change Identity Provider_ in the top-right corner.
7. On the **Single Sign On -> Configuration** page, in the `User Provisioning` area, take the following steps:
- Copy the **Tenant URL** and save to a safe place.
- Click on `Generate` to generate a SCIM token.
- Click **Generate** in the newly opened modal box.
- Copy the token and save to a safe place.

In the wizard, select "Microsoft ADFS" and click Next.
8. Return to the authentik Admin interface.

Fill in the Client Identifier and Shared Secret from the Provider in authentik. For the OpenID Address, click on _View Setup URLs_ in authentik, and copy the OpenID Configuration URL.
- Create a SCIM provider with the name `vcenter-scim`.
- Paste the Tenant URL into URL field for the provider.
- Paste the token you saved into the Token field.
- Check verify certificate setting (note: not merged yet)
- Configure options under `User filtering` to your needs.
- Save the provider.
- Edit the application that you created earlier and select this newly created SCIM provider as backchannel provider.
- Navigate to the provider and trigger a sync.

On the next page, fill in your Active Directory Connection Details. These should be similar to what you have set in authentik.
9. Return to VCenter.

![](./vcenter_post_setup.png)
- Navigate to **Administration -> Access Control -> Global Permissions**.
- Click **Add**.
- Select the Domain created above from the dropdown.
- Enter the name of the group to which you want to assign permissions.
- Select the role.

If your vCenter was already setup with LDAP beforehand, your Role assignments will continue to work.
10. Click **Save**.
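Review bot: the rewritten Step 3 drops two provider settings the old text carried and nothing in the new wizard steps replaces them: the Sub Mode guidance (removed line `- Sub Mode: If your Email address Schema matches your UPN, select "Based on the User's Email...", ...`) and `- Scopes: Select the Scope Mapping you've created in Step 1`. The subject mode is what makes the `sub` claim line up with the vCenter-side AD/LDAP identity, and without selecting the Step 1 mapping the `groups` claim that Step 1 builds is never emitted, so group membership will silently not work; please add both back as bullets under `Create the provider with these settings:`. Smaller points in the same hunk: `- Check verify certificate setting (note: not merged yet)` references an unmerged feature and should not ship in user-facing docs; `Single Sing-on` in step 1 is a typo for `Single Sign-on`; and `VCenter` in steps 1 and 9 should be `vCenter` as elsewhere on the page.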
