hashicorp / boundary

Boundary enables identity-based access management for dynamic infrastructure.
https://boundaryproject.io

hashicorp boundary conditional access #2469

Open MChorfa opened 2 years ago

MChorfa commented 2 years ago

Is your feature request related to a problem? Please describe. We need a way to verify the client host is trustable, e.g. verifying that the connection originated from a known MAC address, a particular TPM, or a known host asset in the inventory.

Describe the solution you'd like Allow configuring/applying a conditional access policy on predefined criteria, or dynamically read the client host asset info and act on it.

Describe alternatives you've considered Network access control (NAC) solutions support network visibility and access management through policy enforcement on devices and users of corporate networks.

Flow: Client -> Boundary -> Conditional Access -> Resource

Thank you

xingluw commented 2 years ago

Hi @MChorfa, thank you for bringing this up. Right now this kind of client verification auth is not on Boundary's immediate roadmap, since there are alternatives that are possible through OIDC identity providers. For example, users could install client/hardware verification software on the client device and have that authenticate with the identity provider as part of MFA.

What kind of client host asset information are you looking for? Do you want to verify that it is an organization-managed device? Or do you want to ensure that the client/hardware passes the security requirements?

MChorfa commented 2 years ago

Hi @xingluw! Thanks for the follow-up :) We need to verify that the client/hardware passes the security requirements and is easily identifiable. The idea is to avoid granting access to client/hardware (BYOD) that is not safe, even if the client gets through the OIDC/MFA process. Thank you

xingluw commented 2 years ago

Would you be using third-party software installed on that client to verify that it passes security? And you want it to send the verification to Boundary as part of the auth process?

MChorfa commented 2 years ago

Yes, ideally the Boundary client on the host collects the client info/assessment and sends it to the Boundary server. Then the evaluation is performed on the Boundary server via a set of policies to decide whether access is granted or not.

xingluw commented 2 years ago

This is something we can consider for future roadmap, I will leave this ticket open to gauge interest from the community.

covetocove commented 1 year ago

Hi @MChorfa, have you considered Boundary's OIDC managed groups feature for this use case?

Managed groups are a way to support the dynamic assignment of role memberships in Boundary based on IDP permission claims. This can be used with Azure Active Directory, Auth0, Google, Okta, and other popular IDPs.

Each managed group has an administrator-defined filter that is used to evaluate user memberships based on the user's permission claims from their IDP. Permission claim metadata is captured in the Javascript web token exchanged from the IDP to Boundary at login time. So long as your IDP supports your preferred client host validation and includes it in the JWT it issues to Boundary, you should be able to perform a conditional access workflow using managed groups.

A tutorial for getting started with OIDC groups is available here.

Does this sound like it will meet your use case?
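The workflow proposed in the comment above, simulated offline as an added example (this is not Boundary's code and not from any participant in the thread): the IdP performs the device check and exposes the result as a claim in the ID token, and the managed-group filter step then selects on `/token/<claim>` and `/userinfo/<claim>` paths. The claim names `device_compliant` and `device_id`, the tokens, and the `corp-` device ID prefix are all constructed assumptions; what a real IdP puts in the token depends on its device-trust integration. Boundary's actual filter language is go-bexpr, which this script only mimics with a Python predicate.

```python
import base64
import json


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_payload(token: str) -> dict:
    """Return the claims segment of a compact JWT.

    No signature check is done here. In the real flow Boundary verifies the
    IdP's signature before any filter runs; a filter must never be evaluated
    on unverified claims, since the client could then forge its own posture.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(b64url_decode(parts[1]))


def select(path: str, token: dict, userinfo: dict):
    """Resolve a '/token/a/b' or '/userinfo/a' selector; None if absent."""
    root, *keys = path.strip("/").split("/")
    node = {"token": token, "userinfo": userinfo}.get(root)
    for key in keys:
        if not isinstance(node, dict):
            return None
        node = node.get(key)
    return node


def filter_device_trusted(sel) -> bool:
    """Hypothetical conditional-access filter. In spirit it is the managed-group
    filter  "/token/device_compliant" == true and "/token/device_id" matches "^corp-".
    Absent or wrongly typed claims resolve to None/False, so the check fails closed."""
    compliant = sel("/token/device_compliant")
    device_id = sel("/token/device_id")
    return compliant is True and isinstance(device_id, str) and device_id.startswith("corp-")


def access_decision(id_token: str, userinfo: dict) -> bool:
    """Emulate the managed-group membership evaluation at login time."""
    claims = jwt_payload(id_token)
    return filter_device_trusted(lambda path: select(path, claims, userinfo))


def make_token(claims: dict) -> str:
    """Constructed, unsigned test token (alg none, empty signature segment)."""
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{body}."


# Constructed sample data: same user, same MFA, different devices.
USERINFO = {"email": "alice@example.com", "groups": ["engineering"]}

# Managed, compliant device: the IdP's device-trust integration added posture claims.
MANAGED_DEVICE_TOKEN = make_token({
    "sub": "alice", "amr": ["pwd", "mfa"],
    "device_compliant": True, "device_id": "corp-7f3a",
})

# BYOD laptop: MFA passed, but no posture claims were issued.
BYOD_TOKEN = make_token({"sub": "alice", "amr": ["pwd", "mfa"]})

# Misconfigured IdP mapping: posture present but serialised as a string.
STRINGLY_TYPED_TOKEN = make_token({
    "sub": "alice", "amr": ["pwd", "mfa"],
    "device_compliant": "true", "device_id": "corp-7f3a",
})


if __name__ == "__main__":
    for name, tok in [("managed", MANAGED_DEVICE_TOKEN), ("byod", BYOD_TOKEN),
                      ("stringly", STRINGLY_TYPED_TOKEN)]:
        print(name, "->", "grant" if access_decision(tok, USERINFO) else "deny")
```

The point the BYOD and string-typed cases make is the one raised in the thread: MFA alone says nothing about the device, and a claim-based policy is only as strict as the claim the IdP actually emits, so the filter should require the exact value and type rather than mere presence.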