Document how to use external. notation with Azure AD and AD FS SAML attributes #19118
Note that the ADFS does call out the non-escaped reference (not in the Azure AD guide though): https://goteleport.com/docs/access-controls/sso/adfs/?scope=enterprise#create-teleport-roles
See #20269 for some more context and a screenshot with an Azure AD example.
ptgott added a commit that referenced this issue, Oct 4, 2024:
Closes #19118
Edit the Role Reference, Azure AD, and AD FS guides to explain that you must use bracket notation to look up Azure AD and AD FS attributes in roles.
Applies To
https://goteleport.com/docs/access-controls/sso/azuread/?scope=enterprise
https://goteleport.com/docs/access-controls/sso/adfs/?scope=enterprise
Details
When using Azure AD or ADFS, the attribute names passed in are not simple strings but full URLs (example: http://schemas.microsoft.com/ws/2008/06/identity/claims/groups). This does not play nicely with our standard examples for RBAC (https://goteleport.com/docs/access-controls/guides/role-templates/?scope=enterprise#sso-users) and other places where the typical external.attributename format is used. In order to use AD traits, you have to pass the full URL in with the following example syntax:
For logins fields where the quotes don't have to be escaped:
'{{external["http://schemas.microsoft.com/identity/claims/displayname"]}}'
For an x-forwarded app header where the double quotes must be escaped:
- "X-Forwarded-User: {{external[\"http://schemas.microsoft.com/identity/claims/displayname\"]}}"
My recommendation is to update the two SSO documents with example syntax help when using these attributes. Also update the examples within these SSO docs to use the correct syntax.
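The following is an added example, not part of the original issue and not Teleport code: a small check that scans role or app configuration text for dot-notation lookups of URL-style attribute names and suggests the bracket form, escaping the inner quotes when the expression sits inside a double-quoted YAML scalar. The function names, the "plain identifier" rule and the sample fragments are assumptions made for illustration.

```python
import re

# Assumption for this example: only plain identifiers are safe after "external."
_SIMPLE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
# Dot-notation lookups such as {{external.email}}
_DOT = re.compile(r"\{\{\s*external\.([^}\s]+)\s*\}\}")


def external_ref(attr, yaml_double_quoted=False):
    """Build the template expression for a SAML attribute name."""
    if _SIMPLE.match(attr):
        return "{{external.%s}}" % attr
    if '"' in attr or "\\" in attr:
        raise ValueError("unexpected character in attribute name: %r" % attr)
    # Inside a double-quoted YAML scalar the inner quotes must be escaped.
    q = '\\"' if yaml_double_quoted else '"'
    return "{{external[%s%s%s]}}" % (q, attr, q)


def lint(text):
    """Return (line_no, found, suggestion) for dot lookups of URL-style names."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        for m in _DOT.finditer(line):
            name = m.group(1)
            if _SIMPLE.match(name):
                continue
            # Heuristic: an odd number of '"' before the match means the
            # expression sits inside a double-quoted scalar.
            dq = line.count('"', 0, m.start()) % 2 == 1
            findings.append((n, m.group(0), external_ref(name, dq)))
    return findings


# Constructed sample fragments (not taken from a real cluster).
SAMPLE = """\
logins:
- '{{external.http://schemas.microsoft.com/identity/claims/displayname}}'
- '{{external.username}}'
headers:
- "X-Forwarded-User: {{external.http://schemas.microsoft.com/identity/claims/displayname}}"
"""

if __name__ == "__main__":
    for n, found, fix in lint(SAMPLE):
        print("line %d: %s -> %s" % (n, found, fix))
```

Running such a check over role definitions before applying them catches templates that would otherwise fail to resolve the AD claim for SSO users.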