Document how to use external. notation with Azure AD and AD FS SAML attributes #19118

Closed
pschisa opened this issue Dec 6, 2022 · 2 comments · Fixed by #47211
Labels
azure c-ptc Internal Customer Reference documentation sso Used for single sign on related tasks.

Comments

@pschisa
Contributor

pschisa commented Dec 6, 2022

Applies To

https://goteleport.com/docs/access-controls/sso/azuread/?scope=enterprise
https://goteleport.com/docs/access-controls/sso/adfs/?scope=enterprise

Details

When using Azure AD or ADFS, the attribute names passed in are not simple strings but full URLs (example: http://schemas.microsoft.com/ws/2008/06/identity/claims/groups). This does not play nicely with our standard examples for RBAC (https://goteleport.com/docs/access-controls/guides/role-templates/?scope=enterprise#sso-users) and other places where the typical external.attributename format is used. In order to use AD traits, you have to pass the full URL in with the following example syntax:

For login fields where the quotes don't have to be escaped:
'{{external["http://schemas.microsoft.com/identity/claims/displayname"]}}'

For an X-Forwarded app header where the double quotes must be escaped:
- "X-Forwarded-User: {{external[\"http://schemas.microsoft.com/identity/claims/displayname\"]}}"

My recommendation is to update the two SSO documents with example syntax help when using these attributes. Also update the examples within these SSO docs to use the correct syntax.
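The bracket notation from the issue, as an added example of a complete role resource and an app_service rewrite (not from the issue or the Teleport docs; the role name, app name and app URI are placeholders). Because the SAML attribute name is a full claim URL containing dots and slashes, the usual `{{external.attributename}}` form cannot name it; the trait map has to be indexed with a quoted string.

```yaml
# File 1: role.yaml, applied with `tctl create -f role.yaml`.
# Added example; role name is a placeholder.
kind: role
version: v5
metadata:
  name: azuread-users
spec:
  allow:
    # Single-quoted YAML scalar, so the inner double quotes need no escaping.
    # The dot form ({{external.http://schemas.microsoft.com/...}}) does not
    # parse; the claim URL must be looked up with bracket notation.
    logins:
      - '{{external["http://schemas.microsoft.com/identity/claims/displayname"]}}'
    # Same lookup for a list-valued claim such as AD group membership.
    db_users:
      - '{{external["http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"]}}'
    node_labels:
      '*': '*'
---
# File 2: teleport.yaml fragment for the app that receives the forwarded
# identity. Added example; app name and URI are placeholders.
app_service:
  enabled: yes
  apps:
    - name: "internal-dashboard"
      uri: "http://localhost:8080"
      rewrite:
        headers:
          # Double-quoted YAML scalar: the inner quotes must be escaped as \"
          # or YAML terminates the string at the first inner quote.
          - "X-Forwarded-User: {{external[\"http://schemas.microsoft.com/identity/claims/displayname\"]}}"
```

The two documents are shown together only for comparison; in practice the role goes through tctl and the app_service block lives in the agent's teleport.yaml.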

@pschisa pschisa added documentation c-ptc Internal Customer Reference labels Dec 6, 2022
@pschisa
Contributor Author

pschisa commented Dec 19, 2022

Note that the ADFS does call out the non-escaped reference (not in the Azure AD guide though): https://goteleport.com/docs/access-controls/sso/adfs/?scope=enterprise#create-teleport-roles

@ptgott
Contributor

ptgott commented Sep 9, 2024

See #20269 for some more context and a screenshot with an Azure AD example.

@ptgott ptgott self-assigned this Oct 4, 2024
ptgott added a commit that referenced this issue Oct 4, 2024
Closes #19118

Edit the Role Reference, Azure AD, and AD FS guides to explain that you
must use bracket notation to look up Azure AD and AD FS attributes in
roles.