[entraid] add setup script for offline clusters.
This PR adds a CLI configuration for Entra ID where it's possible to default to system credentials instead of relying on OIDC for authentication in Entra ID. OIDC is not always a possibility, especially when the cluster is private and not internet accessible.

The UX is the following:

```text

Step 1: Run the Setup Script

1. Open **Azure Cloud Shell** (Bash) using **Google Chrome** or **Safari** for the best compatibility.
2. Upload the setup script using the **Upload** button in the Cloud Shell toolbar.
3. Once uploaded, execute the script by running the following command:
   $ bash entraid.sh

**Important Considerations**:
- You must have **Azure privileged administrator permissions** to complete the integration.
- Ensure you're using the **Bash** environment in Cloud Shell.
- During the script execution, you'll be prompted to run 'az login' to authenticate with Azure. **Teleport** does not store or persist your credentials.
- **Mozilla Firefox** users may experience connectivity issues in Azure Cloud Shell; using Chrome or Safari is recommended.

Once the script completes, type 'continue' to proceed, 'exit' to quit: continue

Step 2: Input Tenant ID and Client ID

With the output of Step 1, please copy and paste the following information:
Enter the Tenant ID: 1056b571-0390-4b08-86c8-2edba8d9ae79
Enter the Client ID: 1056b571-0390-4b08-86c8-2edba8d9ae79

Successfully created EntraID plugin "name".
```

Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>
tigrato committed Oct 23, 2024
1 parent 0c931bd commit 4875073
Showing 7 changed files with 445 additions and 9 deletions.
3 changes: 3 additions & 0 deletions lib/config/configuration.go
@@ -297,6 +297,9 @@ type IntegrationConfAzureOIDC struct {
// When this is true, the integration script will produce
// a cache file necessary for TAG synchronization.
AccessGraphEnabled bool

// SkipOIDCConfiguration is a flag indicating that OIDC configuration should be skipped.
SkipOIDCConfiguration bool
}

// IntegrationConfDeployServiceIAM contains the arguments of
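Review bot: The doc comment on SkipOIDCConfiguration only restates the field name; it should say when to set the flag and what it costs, so a reader of the config struct does not need the commit message. Suggest something like:
// SkipOIDCConfiguration skips creation of the OIDC federated credential on the Entra ID enterprise app.
// Set it for private clusters that are not reachable from the public internet; the Auth Service must then
// authenticate to Azure with system credentials instead.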
10 changes: 7 additions & 3 deletions lib/integrations/azureoidc/enterprise_app.go
@@ -52,7 +52,7 @@ var appRoles = []string{
// - Provides Teleport with OIDC authentication to Azure
// - Is given the permissions to access certain Microsoft Graph API endpoints for this tenant.
// - Provides SSO to the Teleport cluster via SAML.
func SetupEnterpriseApp(ctx context.Context, proxyPublicAddr string, authConnectorName string) (string, string, error) {
func SetupEnterpriseApp(ctx context.Context, proxyPublicAddr string, authConnectorName string, skipOIDCSetup bool) (string, string, error) {
var appID, tenantID string

tenantID, err := getTenantID()
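Review bot: The function comment above still lists "Provides Teleport with OIDC authentication to Azure" unconditionally, but the new skipOIDCSetup parameter makes that step optional. Update the comment to say the OIDC federated credential is only created when skipOIDCSetup is false, and document the parameter itself: a bare bool as the fourth argument is easy to misread at call sites, so the comment should state which value disables OIDC and why a caller would choose it (private clusters, per the commit message).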
@@ -120,8 +120,12 @@ func SetupEnterpriseApp(ctx context.Context, proxyPublicAddr string, authConnect
}
}

if err := createFederatedAuthCredential(ctx, graphClient, *app.ID, proxyPublicAddr); err != nil {
return appID, tenantID, trace.Wrap(err, "failed to create an OIDC federated auth credential")
// Skip OIDC setup if requested.
// This is useful for clusters that can't use OIDC because they are not reachable from the public internet.
if !skipOIDCSetup {
if err := createFederatedAuthCredential(ctx, graphClient, *app.ID, proxyPublicAddr); err != nil {
return appID, tenantID, trace.Wrap(err, "failed to create an OIDC federated auth credential")
}
}

acsURL, err := url.Parse(proxyPublicAddr)
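Review bot: Nothing is recorded when the federated credential creation is skipped, so an operator who later sees OIDC token exchange failures has no trace that this run intentionally left the credential out. Consider an info-level log line in an else branch of `if !skipOIDCSetup` stating that OIDC setup was skipped and that the Auth Service must authenticate with system credentials instead. It is also worth confirming that the SAML/ACS steps starting at `acsURL, err := url.Parse(proxyPublicAddr)` do not assume the federated credential exists, since they now run on both paths.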

0 comments on commit 4875073