TremoloSecurity / OpenUnison

Unified Identity Management
Apache License 2.0

AzureAD OIDC - Cannot activate orchestra-login-azuread behind corporate proxy #853

Closed bagutzu closed 9 months ago

bagutzu commented 9 months ago

Hello,

We are trying to set up OpenUnison inside some AWS EKS Kubernetes clusters, which should work with AzureAD authentication. The issue is that the clusters are inside a VPC and connection to the internet is done through a proxy. We have managed to make it work using group ids instead of group names; however, when we try to activate the translation that is described in the documentation here:

https://openunison.github.io/identity%20providers/azuread/#mapping-technical-details

We are facing an issue when trying to contact graph.microsoft.com, because of the proxy. If we set up the proxy variables in JAVA_OPTS inside the helm chart (e.g. -Dhttps.proxyHost, -Dhttps.proxyPort, -Dhttps.nonProxyHosts), we arrive at the following documented issue:

https://openunison.github.io/knowledgebase/broken_dashboard/

However, setting K8S_DB_SSO: saml2 still doesn't work, as we need OIDC authentication.

We have debugged and we think that the problem is in the following function:

https://github.com/TremoloSecurity/OpenUnison/blob/3c7ce5c896c5892ce6e72cea4a56d7f3e57c2845/unison/unison-server-core/src/main/java/com/tremolosecurity/provisioning/core/providers/AzureADProvider.java#L613

The main idea is that the apache.http client in Java seems to not support nonProxyHosts by default (as described here), so we end up without connectivity to the dashboard load balancer because of this, and there is no available workaround to make it work.

Our Java expertise is little, so we are wondering if it would be possible to support the proxy variables inside the http client.
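To illustrate the behaviour described in this report, here is an added example (not OpenUnison's own code) that contrasts a plain Apache HttpClient 4.x build, which ignores the JVM proxy properties, with one that routes through the JDK's default ProxySelector and therefore honours -Dhttps.proxyHost, -Dhttps.proxyPort and the nonProxyHosts exclusion list. It assumes the HttpClient 4.3+ API and a constructed proxy host name; note that the JDK applies http.nonProxyHosts to HTTPS connections as well, and has no separate https.nonProxyHosts property.

```java
import java.io.IOException;
import java.net.ProxySelector;

import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.impl.conn.SystemDefaultRoutePlanner;

public class ProxyAwareClient {

    // Plain client: no route planner, so every request goes direct regardless of
    // -Dhttps.proxyHost. Inside a VPC this is exactly the "cannot reach
    // graph.microsoft.com" symptom from the report.
    static CloseableHttpClient direct() {
        return HttpClients.custom().build();
    }

    // Proxy-aware client: SystemDefaultRoutePlanner consults the JVM's default
    // ProxySelector, which reads https.proxyHost / https.proxyPort and applies the
    // http.nonProxyHosts list (used by the JDK for HTTPS too). Internal hosts such as
    // the dashboard load balancer therefore bypass the proxy, external ones use it.
    static CloseableHttpClient proxyAware() {
        return HttpClients.custom()
                .setRoutePlanner(new SystemDefaultRoutePlanner(ProxySelector.getDefault()))
                .build();
    }

    // Shorter equivalent: useSystemProperties() installs the same route planner and
    // additionally honours the JVM's TLS and socket-timeout system properties.
    static CloseableHttpClient proxyAwareShort() {
        return HttpClients.custom().useSystemProperties().build();
    }

    // Returns only the status code; the body is irrelevant for a routing check.
    static int statusOf(CloseableHttpClient client, String url) throws IOException {
        try (CloseableHttpResponse resp = client.execute(new HttpGet(url))) {
            return resp.getStatusLine().getStatusCode();
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed launch settings for this example, e.g.:
        //   -Dhttps.proxyHost=proxy.corp.example -Dhttps.proxyPort=3128
        //   -Dhttp.nonProxyHosts="*.cluster.local|*.svc|10.*"
        try (CloseableHttpClient client = proxyAware()) {
            System.out.println("graph status: " + statusOf(client, "https://graph.microsoft.com/"));
        }
    }
}
```

Swapping direct() for proxyAware() in the second try block reproduces the reported failure, since the plain client never consults the proxy properties.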

mlbiam commented 9 months ago

@bagutzu thanks for the really detailed writeup. I don't see any issue with integrating this support. stay tuned for an image you can test with.

mlbiam commented 9 months ago

@bagutzu give this image a try: docker.io/tremolosecurity/betas:1.0.40. Both the oidc auth mech and the AzureAD target should respect global Java proxy settings.

bagutzu commented 9 months ago

@mlbiam it works! Thank you very much. When can we expect this to be released in the official image?

mlbiam commented 9 months ago

Should be out by the end of the month. Going to leave this issue open for now so I can do some more testing. Thanks for the quick response.

bagutzu commented 9 months ago

Thank you also!