End user authentication during setup (SAML)

[noahtalerman]

Goal

User story
As an IT admin,
I want to connect Fleet to my identity provider (IdP)
so that I can make sure end users have to authenticate with my IdP to successfully complete the enrollment (set up) flow when unboxing a new Mac.

Requirements

• [ ] IT admin, via CLI, can connect Fleet to Okta and all IdPs that support SAML. Only global admins in Fleet
• [ ] Supports multi-factor authentication (MFA) method
• [ ] End user must authenticate to continue to next step in set up flow

UI

https://www.figma.com/file/hdALBDsrti77QuDNSzLdkx/%F0%9F%9A%A7-Fleet-EE-(dev-ready%2C-scratchpad)?node-id=14776-193004

[noahtalerman]

Hey @georgekarrv heads up, I think at some point during today’s sprint kickoff someone mentioned that the end user auth story was missing these wireframes/specs:

• Specify that the EULA webview comes after the auth webview. I think this is covered by this requirement: "End user must authenticate to continue to next step in set up flow: end user license agreement"
• Wireframes for the EULA webview. These are missing and need emergency drafting. I will bring this to tomorrow's design review call so we can add wireframes to this story tomorrow.
  • Emergency drafting process documented in the handbook here: https://fleetdm.com/handbook/product#emergency-drafting
  • Webview be implemented in this subtask https://github.com/fleetdm/fleet/issues/10743)
  • Can you please let the engineers working on this story know that this part of the story was brought back to drafting? Thanks :)

[noahtalerman]

During today's design review we decided to point end users to the Fleet support phone number if they run into an error during setup (here's a link to the wireframe).

Reasoning:

• IT admins have no way of knowing if this error occurs w/o hearing from the end user
• Most end users that see this error are new employees. If they don't know who to contact, they'll be stuck at a dead end
• We want to ship this story this release

IT admins have no way of knowing if this error w/o hearing from the end user

We also decided to prioritize solving the problem highlighted above this problem. This is tracked in this issue: #11153

cc @georgekarrv @mikermcneil @zhumo @dherder

[noahtalerman]

Hey @roperzh I have some questions around docs for this story.

These questions are a follow up to the requirements in this "Document steps required to set up end user auth during setup" issue (now closed in favor of this story): #10284

• If the deployment is self-hosted, the IT admin needs to create an Okta application with a specific set of parameters

Managed cloud users will also have to create an Okta app right?

• Regardless of the previous bullet, the IT admin needs to assign an application to the users that will use the DEP login in Okta

What does this mean? The IT admin has to assign the new Okta app to users in Okta for end user auth during setup to work?

• The DEP profile (JSON file) needs to be configured with:
  • "await_device_configured": true
  • "configuration_web_url": "https://fleet-server-url.com/mdm/apple/dep_login" (the actual path needs to be confirmed and will defined in #10272)

We can remove this part right? My understanding is that await_device_configured doesn't need to be set to true true for end user auth to work. Also, Fleet will be handling updating configuration_web_url.

[roperzh]

hey @noahtalerman , great questions. Answers below:

• If the deployment is self-hosted, the IT admin needs to create an Okta application with a specific set of parameters

Managed cloud users will also have to create an Okta app right?

I think we could create an Okta app that they can use. My suggestion is to ask managed cloud users to create an Okta app for now, and explore having an "official" Fleet app as a follow up. What do you think?

• Regardless of the previous bullet, the IT admin needs to assign an application to the users that will use the DEP login in Okta

What does this mean? The IT admin has to assign the new Okta app to users in Okta for end user auth during setup to work?

Yes, but this is expected of any Okta app. You can create rules, or assign whole groups to apps. This is specific to Okta and I think this will depend on how the IT admin manages this stuff.

• The DEP profile (JSON file) needs to be configured with:

  • "await_device_configured": true
  • "configuration_web_url": "https://fleet-server-url.com/mdm/apple/dep_login" (the actual path needs to be confirmed and will defined in #10272)

We can remove this part right? My understanding is that await_device_configured doesn't need to be set to true true for end user auth to work. Also, Fleet will be handling updating configuration_web_url.

I think so, yes! we can remove all of that now.

[roperzh]

@noahtalerman In the issue description, I see the following two bullets:

• [ ] During local account creation step in set up flow, the username is set to the end user's username from the IdP
• [ ] During local account creation step in set up flow, the password field requires the password requirements set by a configuration profile (if there is one)

IIRC, we decided to tackle that as a separate story: https://github.com/fleetdm/fleet/issues/10744

I wanted to over-communicate that I'm going to remove the two tasks, and not going to implement them during this iteration.

[noahtalerman]

IIRC, we decided to tackle that as a separate story: https://github.com/fleetdm/fleet/issues/10744

@roperzh that's right. Please remove those tasks from this story (#10689). We'll address them in the separate story you called out here: #10744

[noahtalerman]

My suggestion is to ask managed cloud users to create an Okta app for now, and explore having an "official" Fleet app as a follow up. What do you think?

Agreed 👍

[roperzh]

@noahtalerman over-communicating: I couldn't find the authorization requirements for the EULA CREATE/DELETE actions, but I'm going to assume that they are the same as the fields for "Apple Business Manager" in the same page (global admins)

[noahtalerman]

@roperzh yes! Only global admins. Also only global admins for uploading the EULA.

Sorry about the missing permissions specs.

I updated the issue description with this.

[noahtalerman]

@georgekarrv heads up, I broke out a separate story for the EULA requirements here: #11350

This means this story only includes requirements for end user authentication during setup.

This way, we can ship this end user auth story this sprint and ship the EULA story next sprint.

Can you please work with @ghernandez345 and @roperzh to associate the appropriate subtasks to each story?

[noahtalerman]

Hey @roperzh when you get the chance, can you please write docs for how to configure end user auth during set up?

Here's a good place for the docs: https://fleetdm.com/docs/using-fleet/mdm-macos-setup#end-user-authentication

[fleet-release]

SAML authentication, Secure clouds in glass city, Fleet connects, guards flow.

[zhumo]

Confirm and celebrate: Needs docs. Currently focused on shipping the May 19 release. @noahtalerman to check in with @georgekarrv.

[noahtalerman]

Hey @roperzh! When you get the chance, can you please help write docs for how to configure end user auth during set up?

Here's a good place for the docs: https://fleetdm.com/docs/using-fleet/mdm-macos-setup#end-user-authentication

[simonoff]

Hi, with latest release it's really looks strange. I already added SSO in settings and I should to do it again. End even its broken as I'm unable to add a metadata xml as there only asking a link. Google for example don't have a metadata url, just a downloading xml.

[zhumo]

C&C @noahtalerman needs docs under the https://fleetdm.com/docs/using-fleet/mdm-macos-setup#end-user-authentication section

[noahtalerman]

Docs for this story were added in this PR: https://github.com/fleetdm/fleet/pull/13130

[fleet-release]

Amidst cloud cities, SAML aids, secure setup, Peace for IT admins.