Azure / azure-cli

Azure Command-Line Interface
MIT License

Allow me to make a single sign-on SAML request using the Azure CLI #10012

Open alexwlchan opened 4 years ago

alexwlchan commented 4 years ago

Is your feature request related to a problem? Please describe.
I want to make SAML requests to Azure Active Directory using the CLI.

Describe the solution you'd like
Ideally, a way to make an HTTP request as the logged-in user.

There’s already an az rest command that looked like it would be close:

$ az rest --method=get --uri="https://login.microsoftonline.com/$TENANTID/saml2?SAMLRequest=$SAMLREQUEST" --skip-authorization-header

but it doesn't seem to work. If I try that, the response is a "Please sign into your account" page.

Describe alternatives you've considered
I’m familiar with dtjohnson/aws-azure-login, which is what I’m using, but spinning up a headless browser and scraping the AD login screen feels a bit icky – surely there should be a better way?

Additional context
At work, we use Azure Active Directory to manage users, and we’re trying to use SAML to authenticate an AD user with AWS.

As part of this workflow, I want to be able to run a command-line tool that logs me into AD, authenticates with AWS, then uses AWS STS to create some local AWS credentials.

These are the steps I'm doing:

  1. Run az login --allow-no-subscriptions to log into the CLI.

  2. Get my tenant ID by running az account show.

  3. Get the app ID URL by running az ad app list --display-name 'AWS' (typically something like https://signin.aws.amazon.com/saml#12).

  4. Construct an AuthnRequest following the instructions in the Single Sign-On SAML protocol docs. That gives me a URL like:

     https://login.microsoftonline.com/<TENANT_ID>/saml2/?SAMLRequest=<SAMLRequest>

  5. Somehow open the contents of that URL as a signed-in user.

I’m struggling to do step 5 with the CLI – it knows I’m logged in, but I can’t see how to make an authenticated request.

Am I asking for a new feature, missing something that’s already there, or barking up the wrong tree?

Related: https://github.com/wellcometrust/platform/issues/3753
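For readers following step 4 of the post, here is an added worked example (not code from the issue, and not part of the azure-cli project) that builds a SAML 2.0 AuthnRequest, applies the HTTP-Redirect binding encoding (raw DEFLATE, then base64, then URL-encoding) to produce the login.microsoftonline.com URL, and decodes such a URL back so the request can be inspected. The tenant ID, request ID and Issuer values are constructed placeholders; the Issuer is the app ID URL from step 3. The example only builds and decodes the URL; it does not attempt to obtain a sign-in session, which is the part the post is asking about.

```python
import base64
import uuid
import zlib
from datetime import datetime, timezone
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit
from xml.etree import ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP_NS)
ET.register_namespace("saml", SAML_NS)


def saml_endpoint(tenant_id: str) -> str:
    """The tenant's SAML 2.0 sign-on endpoint, as named in the post."""
    return f"https://login.microsoftonline.com/{tenant_id}/saml2"


def build_authn_request(issuer: str, destination: str,
                        request_id: Optional[str] = None,
                        issue_instant: Optional[str] = None) -> str:
    """Serialise a minimal samlp:AuthnRequest.

    ID must be an XML NCName, so it is prefixed with "_" when generated.
    IssueInstant is UTC in xs:dateTime form.
    """
    request_id = request_id or "_" + uuid.uuid4().hex
    issue_instant = issue_instant or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    root = ET.Element(f"{{{SAMLP_NS}}}AuthnRequest", attrib={
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": issue_instant,
        "Destination": destination,
    })
    ET.SubElement(root, f"{{{SAML_NS}}}Issuer").text = issuer
    return ET.tostring(root, encoding="unicode")


def encode_redirect_param(xml: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), then base64."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = compressor.compress(xml.encode("utf-8")) + compressor.flush()
    return base64.b64encode(deflated).decode("ascii")


def decode_redirect_param(param: str) -> str:
    """Inverse of encode_redirect_param: base64-decode, then raw INFLATE."""
    return zlib.decompress(base64.b64decode(param), -15).decode("utf-8")


def build_redirect_url(tenant_id: str, saml_request_param: str,
                       relay_state: Optional[str] = None) -> str:
    """Attach the encoded request (and optional RelayState) as query parameters.

    urlencode percent-encodes the '+', '/' and '=' characters that base64 emits.
    """
    params = {"SAMLRequest": saml_request_param}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return saml_endpoint(tenant_id) + "?" + urlencode(params)


def parse_redirect_url(url: str) -> dict:
    """Recover the AuthnRequest fields from a redirect URL, for inspection."""
    query = parse_qs(urlsplit(url).query)
    xml = decode_redirect_param(query["SAMLRequest"][0])
    root = ET.fromstring(xml)
    issuer = root.find(f"{{{SAML_NS}}}Issuer")
    return {
        "id": root.get("ID"),
        "issuer": issuer.text if issuer is not None else None,
        "destination": root.get("Destination"),
        "relay_state": query.get("RelayState", [None])[0],
    }


if __name__ == "__main__":
    # Constructed placeholder values; substitute your own tenant ID and app ID URL.
    tenant = "00000000-0000-0000-0000-000000000000"
    xml = build_authn_request("https://signin.aws.amazon.com/saml#example", saml_endpoint(tenant))
    url = build_redirect_url(tenant, encode_redirect_param(xml))
    print(url)
    print(parse_redirect_url(url))
```

Decoding the URL before sending it is a cheap sanity check: if the Issuer does not match the identifier Azure AD has for the enterprise application, the sign-in page is the expected response regardless of how the request is delivered.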

yugangw-msft commented 4 years ago

Let me cross-check whether URL query string encoding has an issue here.

alexwlchan commented 4 years ago

I went digging for a bit, and AFAICT the correct URL is getting requested – it’s just not getting any auth data that Active Directory can use to validate the SAML request.

This is the method that gets called for az rest:

https://github.com/Azure/azure-cli/blob/4e1c7ac21625e3512c50f12055cf2beee0445034/src/azure-cli/azure/cli/command_modules/resource/custom.py#L1772-L1783

If you follow that through to where it actually invokes requests, I don't see any auth data there:

https://github.com/Azure/azure-cli/blob/abf92878397f5dc25f75b47f10f8b4f54f30d3f9/src/azure-cli-core/azure/cli/core/util.py#L566-L570

Maybe I need to allow it to create auth tokens? But that also errors, and besides, login.microsoftonline.com isn't an Azure REST API, is it?

yonzhan commented 4 years ago

add to S173