From e52c9ad9eb667aa74af46c5d386f7f73512e5f4b Mon Sep 17 00:00:00 2001
From: Wouter van Os
Date: Tue, 22 Oct 2024 18:14:14 +0200
Subject: [PATCH] core: add prompt_data to auth flow (#11702)
I added the prompt_data and user_path to the auth flow. This allows us to more easily sync users details whenever they're logged in through a Source by using the Write stage, identical to an Enrolment flow. This makes sure that mappings etc are automatically taken into consideration, and are passed to the Authentication flow. While I was at it, I made the code consistent with the `handle_enroll` method.
Signed-off-by: Wouter van Os 
---
 authentik/core/sources/flow_manager.py | 7 +-
 .../services/vmware-vcenter/index.md | 89 +++++++++++++------
 2 files changed, 66 insertions(+), 30 deletions(-) 
diff --git a/authentik/core/sources/flow_manager.py b/authentik/core/sources/flow_manager.py
index 5ec95df0c21b..7b1e115e09a7 100644 
--- a/authentik/core/sources/flow_manager.py 
+++ b/authentik/core/sources/flow_manager.py 
@@ -272,7 +272,6 @@ def handle_auth(
 connection: UserSourceConnection,
 ) -> HttpResponse:
 """Login user and redirect.""" 
- flow_kwargs = {PLAN_CONTEXT_PENDING_USER: connection.user}
 return self._prepare_flow(
 self.source.authentication_flow,
 connection, 
@@ -286,7 +285,11 @@ def handle_auth(
 ),
 )
 ], 
- **flow_kwargs, 
+ **{ 
+ PLAN_CONTEXT_PENDING_USER: connection.user, 
+ PLAN_CONTEXT_PROMPT: delete_none_values(self.user_properties), 
+ PLAN_CONTEXT_USER_PATH: self.source.get_user_path(), 
+ },
 )
 def handle_existing_link( 
diff --git a/website/integrations/services/vmware-vcenter/index.md b/website/integrations/services/vmware-vcenter/index.md
index 8095fc2962cd..63f68f7f965f 100644 
--- a/website/integrations/services/vmware-vcenter/index.md 
+++ b/website/integrations/services/vmware-vcenter/index.md 
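Review bot: The docstring of handle_auth still reads `"""Login user and redirect."""` although the second hunk now seeds PLAN_CONTEXT_PROMPT and PLAN_CONTEXT_USER_PATH into the plan, which changes what an operator's authentication flow receives; I would extend it to `"""Login user and redirect. Seeds the plan with the pending user, the source-mapped prompt data and the user path so a User Write stage in the authentication flow applies the source's property mappings, mirroring handle_enroll."""`. Because delete_none_values(self.user_properties) is now placed in the context on every source login, an existing authentication flow that already contains a User Write stage will presumably start overwriting the user's attributes with source-provided values on each authentication, which looks intended here but is a behavioural change worth a release-note line so operators can check what their mappings write. handle_auth begins before the first hunk; only its parameter list and the close of the _prepare_flow call are visible in these two hunks.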
@@ -14,15 +14,11 @@ sidebar_label: VMware vCenter > -- https://en.wikipedia.org/wiki/VCenter :::caution -This requires authentik 0.10.3 or newer. -::: - -:::caution -This requires VMware vCenter 7.0.0 or newer. +This requires VMware vCenter 8.03 or newer. ::: :::note -It seems that the vCenter still needs to be joined to the Active Directory Domain, otherwise group membership does not work correctly. We're working on a fix for this, for the meantime your vCenter should be part of your Domain. +The vCenter still needs to be joined to the Active Directory Domain, otherwise group membership does not work correctly. We're working on a fix for this, for the meantime your vCenter should be part of your Domain. ::: ## Preparation @@ -32,7 +28,9 @@ The following placeholders will be used: - `vcenter.company` is the FQDN of the vCenter server. - `authentik.company` is the FQDN of the authentik install. -Since vCenter only allows OpenID-Connect in combination with Active Directory/LDAP, it is recommended to have authentik sync with the same Active Directory. You also have the option of connecting to an authentik managed LDAP outpost for user management. +Since vCenter only allows OpenID-Connect in combination with Active Directory/LDAP, it is recommended to have authentik sync with the same Active Directory. You also have the option of connecting to an authentik-managed LDAP outpost for user management. + +## authentik configuration ### Step 1 @@ -44,7 +42,7 @@ return { } ``` -If you are using an authentik managed LDAP outpost you can use the following expression in your property mapping. This will correctly return the `groups` claim as a list of LDAP DNs instead of their names. +If you are using an authentik-managed LDAP outpost you can use the following expression in your property mapping. This will correctly return the `groups` claim as a list of LDAP DNs instead of their names. ```python ldap_base_dn = "DC=ldap,DC=goauthentik,DC=io" 
@@ -69,41 +67,76 @@ return { If your Active Directory Schema is the same as your Email address schema, skip to Step 3. ::: -Under _Sources_, click _Edit_ and ensure that "authentik default Active Directory Mapping: userPrincipalName" has been added to your source. +Under _Sources_, click _Edit_ and ensure that `authentik default Active Directory Mapping: userPrincipalName` has been added to your source. ### Step 3 -Under _Providers_, create an OAuth2/OpenID provider with these settings: +Create an application and an OAuth2/OpenID provider, using the authentik Wizard. -- Redirect URI: `https://vcenter.company/ui/login/oauth2/authcode` -- Sub Mode: If your Email address Schema matches your UPN, select "Based on the User's Email...", otherwise select "Based on the User's UPN...". If you are using authentik's managed LDAP outpost, chose "Based on the User's username" -- Scopes: Select the Scope Mapping you've created in Step 1 -- Signing Key: Select any available key +1. Log into authentik as an admin, and navigate to **Applications --> Applications**, and then click **Create with Wizard**. -![](./authentik_setup.png) +2. In the Wizard, follow the prompts to create an application and its provider. -### Step 4 +Create the application with these settings: -Create an application which uses this provider. Optionally apply access restrictions to the application. +- Select OIDC as the provider type. +- Ensure that the **Redirect URI Setting** is left empty. -Set the Launch URL to `https://vcenter.company/ui/login/oauth2`. This will skip vCenter's User Prompt and directly log you in. +Create the provider with these settings: -:::caution -This Launch URL only works for vCenter < 7.0u2. If you're running 7.0u2 or later, set the launch URL to `https://vcenter.company/ui/login` -::: +- Redirect URI: `https://vcenter.company/ui/login/oauth2/authcode` +- Ensure that the signing key is provided (or you accept the default to authentik's Self-signed Certificate). + +3. 
Click **Submit** to create the application and provider, and then click **Close** to close the Wizard. + +Optionally, you can use a policy to apply access restrictions to the application. ## vCenter Setup -Login as local Administrator account (most likely ends with vsphere.local). Using the Menu in the Navigation bar, navigate to _Administration -> Single Sing-on -> Configuration_. +1. Log in to VCenter with your local Administrator account. Using the menu in the left navigation bar, navigate to _Administration -> Single Sing-on -> Configuration_. + +2. Click _Change Provider_ in the top-right corner, and then select **Okta** from the drop-down list. + +3. In the wizard, click **RUN PRECHECKS**, select the confirmation box, and then click **Next**. + + - Enter the Directory Name, for example `authentik.company` or any other name. + - Add a Domain Name, for example `authentik.company`. + - Click on the Plus (+) sign to show the default domain name. + +4. Click **Next**. + +5. On the OpenID Connect page, enter the following values: + + - Set `Identity Provider Name` to `authentik`. + - Set `Client Identifier` to the client ID from authentik. +- Set `Shared secret` to the client secret from authentik. + - Set `OpenID Address` to the *OpenID Configuration URL* from authentik. + +6. Click **Next**, and then **Finish**. -Click on _Change Identity Provider_ in the top-right corner. +7. On the **Single Sign On -> Configuration** page, in the `User Provisioning` area, take the following steps: + - Copy the **Tenant URL** and save to a safe place. + - Click on `Generate` to generate a SCIM token. + - Click **Generate** in the newly opened modal box. + - Copy the token and save to a safe place. -In the wizard, select "Microsoft ADFS" and click Next. +8. Return to the authentik Admin interface. -Fill in the Client Identifier and Shared Secret from the Provider in authentik. For the OpenID Address, click on _View Setup URLs_ in authentik, and copy the OpenID Configuration URL. 
+ - Create a SCIM provider with the name `vcenter-scim`. + - Paste the Tenant URL into URL field for the provider. + - Paste the token you saved into the Token field. + - Check verify certificate setting (note: not merged yet) + - Configure options under `User filtering` to your needs. + - Save the provider. + - Edit the application that you created earlier and select this newly created SCIM provider as backchannel provider. + - Navigate to the provider and trigger a sync. -On the next page, fill in your Active Directory Connection Details. These should be similar to what you have set in authentik. +9. Return to VCenter. -![](./vcenter_post_setup.png) + - Navigate to **Administration -> Access Control -> Global Permissions**. + - Click **Add**. + - Select the Domain created above from the dropdown. + - Enter the name of the group to which you want to assign permissions. + - Select the role. -If your vCenter was already setup with LDAP beforehand, your Role assignments will continue to work. +10. Click **Save**.