GoogleCloudPlatform / pbmm-on-gcp-onboarding

GCP Canadian Public Sector Landing Zone overlay on top of the TEF via CFT modules - a secure cloud foundation
https://cloud.google.com/architecture/security-foundations
Apache License 2.0

Active Directory ADFS SSO Federation - with detailed auth/saml workflow diagram #99

Open fmichaelobrien opened 2 years ago

fmichaelobrien commented 2 years ago

Implement Active Directory SSO Federation

Have, as a minimum dev environment, something like Keycloak for an OSS version.

Reading through other IdP options (AD...) as well (should have gone back to the source).

Microsoft Azure Active Directory Accounts

Deployment Examples

https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/blob/main/docs/deployments.md#environments

see https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/issues/82 see https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/issues/155

fmichaelobrien commented 1 year ago

20220829: AAD federation option 2: Use Federation with an External Identity provider | sub-Option 1: Consolidate a relevant subset of consumer accounts https://cloud.google.com/architecture/landing-zones/decide-how-to-onboard-identities following "Federating Google Cloud with Azure Active Directory" https://cloud.google.com/architecture/identity/federating-gcp-with-azure-active-directory

Prereq:
obrienlabs.dev GCP account - SA account = michael obrienlabs.dev
Azure AD account - AD user for migration only: "landingzoneadmin" https://portal.azure.com/#view/Microsoft_AAD_UsersAndTenants/UserProfileMenuBlade/~/overview/userId/1cbfc734-366f-424d-ab40-424d150978a4

Start with empty "unmanaged users" list https://admin.google.com/ac/unmanaged to https://admin.google.com/ac/unmanaged?rapt=AEjHL4P0Ma1NbmBg35xkrLXUddq_j1ugfz9A_zp4IXPwJ1CS0hhZHxMqy6aSicmYYPXLKf9r9-HflG8HYx72fh2_ycxi-bqajg

Step 1 : https://cloud.google.com/architecture/identity/federating-gcp-with-azure-ad-configuring-provisioning-and-single-sign-on

(two screenshots attached, 2022-08-29 2:34 PM and 2:35 PM)

obriensystems commented 1 year ago

Issues List

20220829: Red herring - false positive on admin | security | alert center | user suspended

I run into these suspension messages on half of my organizations - they are not valid and can be ignored - but we need a reproduction/root cause. Pending....

(two screenshots attached, 2022-08-30 12:35 PM)

20220830: Google Cloud Directory Sync - n/a for ARM

fmichaelobrien commented 1 year ago

Identity Federation

SSO only

Verify details of the backing IAM Identity user/role as part of SSO-federated IdP user auth during an IAP session: https://cloud.google.com/iap/docs/concepts-overview
Verify that the GCP Identity role for application use is available via the IAP session token - thinking https://cloud.google.com/iap/docs/signed-headers-howto#controlling_access_with_sign_in_attributes
See https://cloud.google.com/architecture/identity/single-sign-on: "To use SSO, a user must have a user account in Cloud Identity or Google Workspace and a corresponding identity in the external IdP"
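
The signed-header check referenced in the comment above, as an added example that is neither the repository's code nor the commenter's. Once SSO federation is in place, the identity an application behind IAP receives is the Cloud Identity/Workspace account the Azure AD user was mapped to, not the Azure UPN, and that identity must be taken from the `x-goog-iap-jwt-assertion` JWT after verification rather than from the plain `x-goog-authenticated-user-*` headers. The code below mints an ES256 assertion with IAP-shaped claims using a locally generated P-256 key and then verifies it; in a real deployment the key comes from Google's published JWKS at https://www.gstatic.com/iap/verify/public_key-jwk, the expected `aud` is the `/projects/PROJECT_NUMBER/global/backendServices/SERVICE_ID` (or `/projects/PROJECT_NUMBER/apps/PROJECT_ID`) string of the protected resource, and the `kid`, `aud`, `sub` and `email` values used here are constructed placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// iapClaims mirrors the claims of an IAP assertion; all values used below are constructed.
type iapClaims struct {
	Iss   string `json:"iss"`
	Aud   string `json:"aud"`
	Sub   string `json:"sub"`
	Email string `json:"email"`
	Exp   int64  `json:"exp"`
	Iat   int64  `json:"iat"`
}

type jwsHeader struct {
	Alg string `json:"alg"`
	Kid string `json:"kid"`
}

const iapIssuer = "https://cloud.google.com/iap"

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// sign mints an ES256 JWT. Only Google signs real assertions; this stands in for IAP so verify() runs offline.
func sign(c iapClaims, kid string, key *ecdsa.PrivateKey) (string, error) {
	h, _ := json.Marshal(jwsHeader{Alg: "ES256", Kid: kid})
	p, _ := json.Marshal(c)
	input := b64(h) + "." + b64(p)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // JWS ES256 signature is raw r||s (32 bytes each), not DER
	r.FillBytes(sig[:32]); s.FillBytes(sig[32:])
	return input + "." + b64(sig), nil
}

// verify is the check an app behind IAP must run on x-goog-iap-jwt-assertion before trusting any
// identity header: pin the algorithm, select the key by kid, check the signature, then iss, aud, exp/iat.
func verify(token, expectedAud string, keys map[string]*ecdsa.PublicKey, now time.Time) (*iapClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed jwt")
	}
	var h jwsHeader
	if hb, err := base64.RawURLEncoding.DecodeString(parts[0]); err != nil || json.Unmarshal(hb, &h) != nil || h.Alg != "ES256" {
		return nil, fmt.Errorf("bad header or alg %q", h.Alg) // never let the token choose the algorithm
	}
	pub, ok := keys[h.Kid]
	if !ok {
		return nil, fmt.Errorf("unknown kid %q", h.Kid)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return nil, errors.New("bad signature encoding")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, errors.New("signature verification failed")
	}
	var c iapClaims
	if pb, err := base64.RawURLEncoding.DecodeString(parts[1]); err != nil || json.Unmarshal(pb, &c) != nil {
		return nil, errors.New("bad payload")
	}
	if c.Iss != iapIssuer || c.Aud != expectedAud {
		return nil, fmt.Errorf("iss/aud mismatch: %q %q", c.Iss, c.Aud)
	}
	if now.Unix() >= c.Exp || c.Iat > now.Unix()+30 { // 30s clock-skew allowance on iat
		return nil, errors.New("token outside its validity window")
	}
	return &c, nil
}

func main() {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // stands in for the key in Google's IAP JWKS
	keys := map[string]*ecdsa.PublicKey{"example-kid": &key.PublicKey}
	aud, now := "/projects/123456789012/global/backendServices/987654321", time.Now() // constructed aud
	tok, _ := sign(iapClaims{Iss: iapIssuer, Aud: aud, Sub: "accounts.google.com:1", Email: "user@example.com",
		Exp: now.Add(10 * time.Minute).Unix(), Iat: now.Unix()}, "example-kid", key)
	c, err := verify(tok, aud, keys, now)
	fmt.Println("accepted:", c != nil && err == nil)
	_, err = verify(tok, "/projects/1/global/backendServices/1", keys, now)
	fmt.Println("wrong audience:", err)
}
```

Only the `email` and `sub` returned by `verify` should feed authorization decisions; an `aud` pinned to the specific backend service is what stops an assertion minted for one IAP-protected resource from being replayed against another.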

fmichaelobrien commented 2 months ago

20240406: Closing issue during retrofit/rebase of this TEF V1 based/modified repo to TEF V4 standards. This issue may participate in the LZ refactor after rebase. Query all issues related to the older V1 version via the tag https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/labels/2024-pre-tef-v4