Closed (noahtalerman closed this 1 year ago)
Hey @georgekarrv heads up, I think at some point during today’s sprint kickoff someone mentioned that the end user auth story was missing these wireframes/specs:
During today's design review we decided to point end users to the Fleet support phone number if they run into an error during setup (here's a link to the wireframe).
Reasoning:
IT admins have no way of knowing if this error occurred without hearing from the end user
We also decided to prioritize solving the problem highlighted above this problem. This is tracked in this issue: #11153
cc @georgekarrv @mikermcneil @zhumo @dherder
Hey @roperzh I have some questions around docs for this story.
These questions are a follow up to the requirements in this "Document steps required to set up end user auth during setup" issue (now closed in favor of this story): #10284
- If the deployment is self-hosted, the IT admin needs to create an Okta application with a specific set of parameters
Managed cloud users will also have to create an Okta app, right?
- Regardless of the previous bullet, the IT admin needs to assign an application to the users that will use the DEP login in Okta
What does this mean? The IT admin has to assign the new Okta app to users in Okta for end user auth during setup to work?
- The DEP profile (JSON file) needs to be configured with:
- "await_device_configured": true
- "configuration_web_url": "https://fleet-server-url.com/mdm/apple/dep_login" (the actual path needs to be confirmed and will be defined in #10272)
We can remove this part, right? My understanding is that await_device_configured doesn't need to be set to true for end user auth to work. Also, Fleet will be handling updating configuration_web_url.
Hey @noahtalerman, great questions. Answers below:
- If the deployment is self-hosted, the IT admin needs to create an Okta application with a specific set of parameters
Managed cloud users will also have to create an Okta app, right?
I think we could create an Okta app that they can use. My suggestion is to ask managed cloud users to create an Okta app for now, and explore having an "official" Fleet app as a follow up. What do you think?
- Regardless of the previous bullet, the IT admin needs to assign an application to the users that will use the DEP login in Okta
What does this mean? The IT admin has to assign the new Okta app to users in Okta for end user auth during setup to work?
Yes, but this is expected of any Okta app. You can create rules, or assign whole groups to apps. This is specific to Okta and I think this will depend on how the IT admin manages this stuff.
The DEP profile (JSON file) needs to be configured with:
- "await_device_configured": true
- "configuration_web_url": "https://fleet-server-url.com/mdm/apple/dep_login" (the actual path needs to be confirmed and will be defined in #10272)
We can remove this part, right? My understanding is that await_device_configured doesn't need to be set to true for end user auth to work. Also, Fleet will be handling updating configuration_web_url.
I think so, yes! We can remove all of that now.
@noahtalerman In the issue description, I see the following two bullets:
- [ ] During local account creation step in set up flow, the username is set to the end user's username from the IdP
- [ ] During local account creation step in set up flow, the password field requires the password requirements set by a configuration profile (if there is one)
IIRC, we decided to tackle that as a separate story: https://github.com/fleetdm/fleet/issues/10744
I wanted to over-communicate that I'm going to remove the two tasks, and not going to implement them during this iteration.
IIRC, we decided to tackle that as a separate story: https://github.com/fleetdm/fleet/issues/10744
@roperzh that's right. Please remove those tasks from this story (#10689). We'll address them in the separate story you called out here: #10744
My suggestion is to ask managed cloud users to create an Okta app for now, and explore having an "official" Fleet app as a follow up. What do you think?
Agreed 👍
@noahtalerman over-communicating: I couldn't find the authorization requirements for the EULA CREATE/DELETE actions, but I'm going to assume that they are the same as the fields for "Apple Business Manager" on the same page (global admins)
@roperzh yes! Only global admins. Also only global admins for uploading the EULA.
Sorry about the missing permissions specs.
I updated the issue description with this.
@georgekarrv heads up, I broke out a separate story for the EULA requirements here: #11350
This means this story only includes requirements for end user authentication during setup.
This way, we can ship this end user auth story this sprint and ship the EULA story next sprint.
Can you please work with @ghernandez345 and @roperzh to associate the appropriate subtasks to each story?
Hey @roperzh when you get the chance, can you please write docs for how to configure end user auth during set up?
Here's a good place for the docs: https://fleetdm.com/docs/using-fleet/mdm-macos-setup#end-user-authentication
SAML authentication, Secure clouds in glass city, Fleet connects, guards flow.
Confirm and celebrate: Needs docs. Currently focused on shipping the May 19 release. @noahtalerman to check in with @georgekarrv.
Hey @roperzh! When you get the chance, can you please help write docs for how to configure end user auth during set up?
Here's a good place for the docs: https://fleetdm.com/docs/using-fleet/mdm-macos-setup#end-user-authentication
Hi, with the latest release it really looks strange. I already added SSO in settings and I have to do it again. And even that is broken, as I'm unable to add a metadata XML; it only asks for a link. Google, for example, doesn't have a metadata URL, just a downloadable XML.
C&C @noahtalerman needs docs under the https://fleetdm.com/docs/using-fleet/mdm-macos-setup#end-user-authentication section
Docs for this story were added in this PR: https://github.com/fleetdm/fleet/pull/13130
Amidst cloud cities, SAML aids, secure setup, Peace for IT admins.
UI
https://www.figma.com/file/hdALBDsrti77QuDNSzLdkx/%F0%9F%9A%A7-Fleet-EE-(dev-ready%2C-scratchpad)?node-id=14776-193004