Closed lukeheath closed 1 year ago
@roperzh I created this research ticket to investigate the effort required to implement SAML authentication into our MDM unboxing flow.
Please let me know if I or anyone else on the team can provide support.
@lukeheath done, reassigning back to you.
We could reuse the SSO configuration that's set in /settings/organization/sso... Alternatively, provide another set of configs, exactly the same as the ones in /settings/organization/sso...
@roperzh hmm, I think from a UX perspective we want to provide another set of configs. Maybe in some future iteration we'd add UX around using the same values from the existing SSO configuration. Something like a "Use the same SSO you use to log in to Fleet" button.
Roberto, did you get the chance to look into level of effort for these requirements (from #10689)?
- [ ] End user must agree to end user license agreement (EULA) to continue to next step in setup flow
- [ ] During local account creation step in setup flow, the username is set to the end user's username from the IdP
- [ ] During local account creation step in setup flow, the password field requires the password requirements set by a configuration profile (if there is one)
@noahtalerman sounds good, and thanks for the heads up. I'll update the issue with that.
@lukeheath @noahtalerman I updated the issue; the only one that I haven't researched (apologies) is:
During local account creation step in setup flow, the password field requires the password requirements set by a configuration profile (if there is one)
We can send a profile, but I don't know if it will enforce the settings when the account is created. I'll have to give that a try.
@lukeheath @noahtalerman sorry for the back-and-forth. I did a (hopefully) final edit to include the items related to the account creation.
@lukeheath @roperzh closing this issue because the research is done.
Unboxing flows ease, SAML authentication, Sky-cities merge paths.
Tasks
Research
https://user-images.githubusercontent.com/4419992/227311113-fb9b3c87-d32f-4d87-a10c-61da6028a634.mov
Back-end
- (`POST /api/v1/fleet/sso`) can be reused, but we need a different endpoint that handles DEP-specific authentication (i.e. we can't just reuse that endpoint)
- (`POST /api/v1/fleet/sso/callback`) is a bit different but it only needs to:
- `/settings/organization/sso`, but we need to double check with IT admins first if this is okay. It would mean that:
- `/settings/organization/sso` (identity provider name, entity ID, issuer URI, metadata URL)
- `mdm_idp_accounts` to keep a reference of the host being authenticated.

Front-end
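As an added illustration (not Fleet's code, and not part of this issue), the Go sketch below shows one way to make the back-end separation above enforceable: a DEP-flow service provider with its own entity ID and callback URL, a single-use RelayState that ties the SAML round-trip to the host being enrolled, and an in-memory stand-in for the proposed `mdm_idp_accounts` record that the later local-account step reads to pre-fill the username from the IdP. The type and function names (`DEPSSO`, `BeginAuth`, `Callback`, `AccountForHost`), the `example.com` URLs and the host UUIDs are assumptions. SAML signature and XML validation are assumed to have already been done by whatever library produces the `Assertion` value; this code only decides whether a verified assertion belongs to this flow.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"errors"
	"sync"
	"time"
)

// Hypothetical example, not Fleet's implementation. It models a DEP-specific
// SAML callback kept apart from the admin login callback, plus a record of
// which IdP identity authenticated for which host (mdm_idp_accounts stand-in).

// Assertion is what a SAML library returns after verifying the Response
// signature. Verification itself is out of scope here.
type Assertion struct {
	Audience     string // SP entity ID the IdP issued the assertion for
	Recipient    string // ACS URL named in SubjectConfirmationData
	NameID       string // becomes the local account's username
	NotOnOrAfter time.Time
}

// IdPAccount is what the DEP callback persists for the enrolling host.
type IdPAccount struct {
	Username  string
	HostUUID  string
	CreatedAt time.Time
}

type pendingRelay struct {
	hostUUID string
	expires  time.Time
}

// DEPSSO is the DEP-flow service provider. Because its entity ID and ACS URL
// differ from the admin login SP, an assertion minted for admin login fails
// the audience/recipient checks here, and vice versa.
type DEPSSO struct {
	mu       sync.Mutex
	entityID string
	acsURL   string
	relays   map[string]pendingRelay // RelayState -> host, single use
	accounts map[string]IdPAccount   // hostUUID -> account
	now      func() time.Time        // injectable clock for tests
}

var (
	ErrUnknownRelay   = errors.New("unknown or already used RelayState")
	ErrExpired        = errors.New("RelayState or assertion expired")
	ErrWrongAudience  = errors.New("assertion not issued for the DEP service provider")
	ErrWrongRecipient = errors.New("assertion addressed to a different ACS URL")
)

func NewDEPSSO(entityID, acsURL string) *DEPSSO {
	return &DEPSSO{entityID: entityID, acsURL: acsURL,
		relays: map[string]pendingRelay{}, accounts: map[string]IdPAccount{}, now: time.Now}
}

// BeginAuth mints an unguessable, short-lived RelayState bound to the host
// that is enrolling, so the callback knows which host the identity belongs to.
func (d *DEPSSO) BeginAuth(hostUUID string) (string, error) {
	raw := make([]byte, 24)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	tok := base64.RawURLEncoding.EncodeToString(raw)
	d.mu.Lock()
	defer d.mu.Unlock()
	d.relays[tok] = pendingRelay{hostUUID: hostUUID, expires: d.now().Add(5 * time.Minute)}
	return tok, nil
}

// Callback is the DEP-specific ACS. It never creates a Fleet login session;
// it only records which IdP user authenticated for which host.
func (d *DEPSSO) Callback(relayState string, a Assertion) (IdPAccount, error) {
	d.mu.Lock()
	defer d.mu.Unlock()
	r, ok := d.relays[relayState]
	if !ok {
		return IdPAccount{}, ErrUnknownRelay
	}
	delete(d.relays, relayState) // consume it even if the assertion is rejected
	now := d.now()
	if now.After(r.expires) || !now.Before(a.NotOnOrAfter) {
		return IdPAccount{}, ErrExpired
	}
	if a.Audience != d.entityID {
		return IdPAccount{}, ErrWrongAudience
	}
	if a.Recipient != d.acsURL {
		return IdPAccount{}, ErrWrongRecipient
	}
	acct := IdPAccount{Username: a.NameID, HostUUID: r.hostUUID, CreatedAt: now}
	d.accounts[r.hostUUID] = acct
	return acct, nil
}

// AccountForHost is what the local account creation step reads to pre-fill
// the username from the IdP.
func (d *DEPSSO) AccountForHost(hostUUID string) (IdPAccount, bool) {
	d.mu.Lock()
	defer d.mu.Unlock()
	acct, ok := d.accounts[hostUUID]
	return acct, ok
}
```

The RelayState is deleted before any other check so that a rejected or replayed response cannot be retried, and the account record is keyed by host rather than by token so that a second enrollment attempt for the same host simply overwrites the earlier entry.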