Ylianst / MeshCentral

A complete web-based remote monitoring and management web site. Once set up, you can install agents and perform remote desktop sessions to devices on the local network or over the Internet.
https://meshcentral.com
Apache License 2.0

MeshCentral SSO via Microsoft Azure creates a new user at MeshCentral instead of using the existing, same user from the local LDAP AD with the authorization groups #6241

Closed tobias9931 closed 1 month ago

tobias9931 commented 1 month ago

Describe the bug

We have MeshCentral in operation with authentication via the local AD with LDAP. AD groups are also used to control which user receives authorization to which MeshCentral device group. This works wonderfully!

Now, we would also like to offer users the option of logging in via SSO, as this simply saves them time and means they don't have to enter their user name and password every time. We also offer this option for other applications. Either manual login with username and password or use SSO.

I have created the authStrategy azure in the config.json, see source code below. This works correctly for login. The users are forwarded to our Microsoft tenant and logged in with correct user data.

BUT a second user is now created at MeshCentral for the login via Azure. The users then have a MeshCentral user for the login via LDAP and a user for the login via Azure SSO. This is very problematic, as the authorization group is not included with the Azure login users. The users can log in to MeshCentral, but the user does not receive any automatic authorizations for device groups.

MeshCentral user account created by login via LDAP: [screenshot]

MeshCentral user account created by Azure SSO: [screenshot]

To Reproduce

Steps to reproduce the behavior:

1. Set up a Microsoft AD.
2. Synchronize the local Microsoft AD users to the Microsoft Azure AAD.
3. Give the users an authorization group for different MeshCentral device groups.
4. Set up MeshCentral with LDAP.
5. Add Azure SSO to MeshCentral.
6. Log in the user once with LDAP, and another time via Azure SSO.
7. Monitor the created users at MeshCentral.

Expected behavior

The same user account should be used for MeshCentral, no matter whether the user logs in via LDAP or via Azure SSO. Their account is based on the same Microsoft AD account.

OR: also synchronize the authorization groups via Azure.

Server Software (please complete the following information):

Client Device (please complete the following information): independent

Remote Device (please complete the following information): independent

Your config.json file

```json
{
    "settings": {
        "cert": "mc.company.cloud",
        "Port": 443,
        "RedirPort": 0,
        "agentIdleTimeout": 600,
        "_maintenanceMode": true,
        "webRTC": true,
        "WANonly": true,
        "amtscanner": false
    },
    "domaindefaults": {
        "title": "MeshCentral",
        "title2": "TEST"
    },
    "domains": {
        "": {
            "auth": "LDAP",
            "ldapoptions": {
                "url": [
                    "ldap://server1.company.inhouse:389/",
                    "ldap://server2.company.inhouse:389/"
                ],
                "bindDN": "CN=_Mesh Central,OU=Service_Accounts,DC=company,DC=inhouse",
                "bindCredentials": "SECRET",
                "searchBase": "DC=company,DC=inhouse",
                "searchFilter": "(sAMAccountName={{username}})"
            },
            "ldapsiteadmingroups": "CN=gl_adm_meshcentral,OU=Admin_Groups,OU=Admin_Objects,DC=company,DC=inhouse",
            "ldapuserrequiredgroupmembership": [
                "CN=gl_adm_meshcentral,OU=Admin_Groups,OU=Admin_Objects,DC=company,DC=inhouse",
                "CN=gl_aad_meshcentral_inspection,OU=AAD_Groups,OU=BERG,DC=company,DC=inhouse",
                "CN=gl_aad_meshcentral_office,OU=AAD_Groups,OU=BERG,DC=company,DC=inhouse",
                "CN=gl_aad_meshcentral_production,OU=AAD_Groups,OU=BERG,DC=company,DC=inhouse",
                "CN=gl_aad_meshcentral_external,OU=AAD_Groups,OU=BERG,DC=company,DC=inhouse",
                "CN=gl_aad_meshcentral_special,OU=AAD_Groups,OU=BERG,DC=company,DC=inhouse"
            ],
            "ldapsyncwithusergroups": {
                "filter": [
                    "gl_adm_meshcentral",
                    "gl_aad_meshcentral_inspection",
                    "gl_aad_meshcentral_production",
                    "gl_aad_meshcentral_office",
                    "gl_aad_meshcentral_external",
                    "gl_aad_meshcentral_special"
                ]
            },
            "authStrategies": {
                "azure": {
                    "clientid": "SECRET",
                    "clientsecret": "SECRET",
                    "tenantid": "SECRET",
                    "newAccounts": true
                }
            },
            "consentMessages": {
                "Title": "company Meshcentral",
                "consentTimeout": 60,
                "autoAcceptOnTimeout": false,
                "desktopnotify": true,
                "terminalnotify": true,
                "filenotify": true,
                "desktopprompt": true,
                "terminalprompt": true,
                "fileprompt": true,
                "desktopprivacybar": true
            },
            "agentTag": {
                "ServerName": 0,
                "ServerDesc": 1,
                "ServerTags": 3
            },
            "hidePowerTimeline": true,
            "userSessionIdleTimeout": 120,
            "userSessionsSort": "Username",
            "ldapusername": "sAMAccountName",
            "ldapUserKey": "sAMAccountName",
            "ldapuseremail": "mail",
            "ldapuserrealname": "{{{givenName}}} {{{sn}}}",
            "ldapuserphonenumber": "telephoneNumber",
            "title": "MeshCentral TEST",
            "title2": "MC",
            "footer": "ITI TEST",
            "userAllowedIP": "10.112.0.0/16,10.113.64.0/20,10.138.0.0/16,10.124.0.0/16,10.132.0.0/16,10.116.0.0/16,10.14.2.0/24,10.4.107.0/24",
            "autoRemoveInactiveDevices": "5",
            "welcomePictureFullScreen": true,
            "welcomePicture": "company.jpg",
            "agentCustomization": {
                "foregroundColor": "200,0,0",
                "backgroundColor": "230,189,76"
            }
        }
    }
}
```

si458 commented 1 month ago

You shouldn't really have 2 authentication methods! You should only have one or the other! Please try looking at the OIDC docs here for Azure and try setting it up that way: https://ylianst.github.io/MeshCentral/meshcentral/openidConnectStrategy/#azure-preset

tobias9931 commented 1 month ago

Why not have 2 authentication methods? It works in general with my configuration. The users can log in correctly with LDAP or Azure SSO.

My only problem is that when logging in via Azure, the group memberships are not automatically transferred. To solve this, you could either code it so that the email address is used as the user identifier, because it is equally unique for both accounts, and so bundle both logins into one MeshCentral user account; or the group memberships must also be synchronized in the Azure login. With LDAP, we do this with "ldapuserrequiredgroupmembership" and "ldapsyncwithusergroups". Unfortunately, I don't see these or similar options for Azure. Here there only seems to be "siteadmin", synonymous with "ldapsiteadmingroups" for LDAP.

si458 commented 1 month ago

@tobias9931 as explained above, please look into the new OIDC docs https://ylianst.github.io/MeshCentral/meshcentral/openidConnectStrategy/#azure-preset. There is support in that for syncing groups etc., but sadly, from the looks of the source code etc., groups aren't synced when using the old Azure auth method.

si458 commented 1 month ago

@tobias9931 if you are happy to, please email me with some temp credentials/temp secret keys etc. and I can look into it more for you (I don't use Azure so I cannot test/fix it for you).

si458 commented 1 month ago

I've had a look at this again; sadly, I don't think it's going to be possible to merge both users. For example, when I log in with Azure SSO (I got a free Entra ID with Azure for testing hehe), this is my user id: user//~azure:billybob@myemailaddresshere.onmicrosoft.com. But if I log in with AD (I use OpenLDAP, but you could use AD with the Azure cloud link), this is my user id: user//billybob. They have totally different user ids, so groups have to link by the user ids. The reason they are different is that we need to know if it's an external auth like Azure, Google, etc., so we hide things like password resets/email changes, etc.
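To make the id mismatch in the comment above concrete, here is an added example (not MeshCentral's own code) that parses the two user ids quoted there, shows why group grants keyed by user id never reach the SSO account, and then sketches the email-keyed correlation the reporter proposed together with the check a defender would insist on. The id layout (`user/<domain>/<name>`, with `~<strategy>:` prefixed for external strategies) is an assumption inferred only from the two ids shown; the group grants and email attributes are constructed sample data.

```python
"""Added example, not MeshCentral code. Assumed id layout, inferred from the two ids in
the thread:  user/<domain>/<name>  for local or LDAP accounts and
             user/<domain>/~<strategy>:<name>  for accounts created by an authStrategy.
The empty default domain gives the 'user//' prefix seen in the comment."""
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass(frozen=True)
class UserId:
    domain: str
    strategy: Optional[str]  # None for local/LDAP accounts, e.g. "azure" for SSO
    name: str


def parse_user_id(uid: str) -> UserId:
    """Split a MeshCentral-style user id into domain, auth strategy and account name."""
    parts = uid.split("/", 2)
    if len(parts) != 3 or parts[0] != "user":
        raise ValueError(f"not a user id: {uid!r}")
    _, domain, name = parts
    strategy = None
    if name.startswith("~") and ":" in name:
        strategy, name = name[1:].split(":", 1)
    return UserId(domain, strategy, name)


def is_external_auth(uid: str) -> bool:
    """External identities carry a strategy marker; that is what lets the UI hide
    password resets and email changes for them, as the comment explains."""
    return parse_user_id(uid).strategy is not None


# Constructed sample: grants keyed by user id, the way an LDAP group sync would store them.
GROUP_GRANTS: Dict[str, Set[str]] = {
    "user//billybob": {"gl_aad_meshcentral_office"},
}

# Constructed sample: email known for each account (LDAP 'mail' attribute vs. IdP claim).
EMAILS: Dict[str, str] = {
    "user//billybob": "billybob@myemailaddresshere.onmicrosoft.com",
    "user//~azure:billybob@myemailaddresshere.onmicrosoft.com":
        "billybob@myemailaddresshere.onmicrosoft.com",
}


def groups_by_user_id(uid: str) -> Set[str]:
    """Current behaviour described in the thread: lookup by exact user id.
    The SSO id differs from the LDAP id, so it finds nothing."""
    return set(GROUP_GRANTS.get(uid, set()))


def groups_by_email(uid: str, email_verified: bool) -> Set[str]:
    """Reporter's proposal (hypothetical, not implemented by MeshCentral): correlate
    accounts by email. Safe only when the identity provider asserts the email as
    verified; otherwise an unverified claim could make one account inherit another's
    grants, so we refuse to correlate in that case."""
    if not email_verified:
        return set()
    email = EMAILS.get(uid)
    if email is None:
        return set()
    merged: Set[str] = set()
    for other_uid, other_email in EMAILS.items():
        if other_email.lower() == email.lower():
            merged |= GROUP_GRANTS.get(other_uid, set())
    return merged


if __name__ == "__main__":
    sso = "user//~azure:billybob@myemailaddresshere.onmicrosoft.com"
    ldap = "user//billybob"
    print(parse_user_id(sso), parse_user_id(ldap))
    print("by id:   ", groups_by_user_id(sso))                      # empty: ids differ
    print("by email:", groups_by_email(sso, email_verified=True))    # office group
```

The `email_verified` flag stands in for whatever the identity provider asserts about the address; correlating on an unverified email is the standard pitfall of account linking, which is why the function returns nothing rather than guessing.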