Open supertassu opened 5 years ago
`microsoft.go` is implemented using the GraphQL API from Microsoft to get groups. I don't think self-hosted AD supports that feature.
For self-hosted AD, we may need to implement a new feature.
Before, when I was working on Jenkins SSO with Azure AD using SAML, Azure AD would return all groups in the callback, so authentication could get those group IDs and map them to group names.
For AD DS, maybe this can help with a new implementation: https://github.com/go-ldap/ldap/issues/28
Hi @supertassu ,
As @thuandt mentioned, supporting on-premise active directory would be a pretty huge undertaking we currently don't have the bandwidth for. At the moment we only support OIDC identity providers.
That said, I think using a bridge like dex with pomerium should work.
> Universal OpenID with just the configuration url (not a pre-configured provider) would be also nice.

Pomerium does support generic OpenID configurations, but it's currently undocumented. I'll follow up with an issue to document the process better using something like Keycloak.
Hope that helps, and if you go that route, let me know how it goes!
Doesn't AD FS support OIDC? I'll try that generic provider shortly.
```yaml
# config.yaml
idp_provider: oidc
idp_provider_url: 'https://fs.xxxx.com/adfs'
idp_client_id: pomerium
idp_client_secret: '[secret]'
```
Well, it almost worked.
@supertassu Go figure, TIL ADFS now supports OIDC! That's awesome!
What version of ADFS is this?
What if you add the email claim? https://medium.com/the-new-control-plane/the-mystery-of-the-missing-adfs-jwt-claims-7658d9cdeaac
Can you also add group and email claims?
Hi @desimone,
> What version of ADFS is this?

```powershell
PS C:\Users\taavi> (Get-Item C:\Windows\ADFS\Microsoft.IdentityServer.ServiceHost.exe).VersionInfo.ProductVersion
10.0.17763.1
```

> What if you add the email claim?
No luck with that. Sorry.
@supertassu
> No luck with that. Sorry.
Can you tell me a little more about that? Is it that AD isn't returning it? The default scope set for the generic oidc provider should be requesting and setting it. Thanks!
Hi @desimone,
I've been really busy lately and can't look into this just at the moment. I'll try to get back to you on the weekend.
Hi,
apologies for the delay. I added the extra rules mapping like the following image:
As far as I can see, the token does not contain the e-mail.
Huge thanks for maintaining Pomerium. It looks really cool.
Dang! That screenshot makes it look like it should be added. If you don't mind posting a raw `id_token`, I'd be really curious what that looks like.
I'd love to support AD but don't have the infrastructure at my fingertips unfortunately.
On Wed, Sep 25, 2019 at 5:16 AM Taavi Väänänen notifications@github.com wrote:
> Hi,
> apologies for the delay. I added the extra rules mapping like the following image:
> [image: Capture] https://user-images.githubusercontent.com/9721638/65599248-1caa5180-dfa6-11e9-8921-fe321ea35bd1.PNG
> As far as I can see, the token does not contain the e-mail.
> Huge thanks for maintaining Pomerium. It looks really cool.
The token payload looks something like this (details censored):
```json
{
  "aud": "pomerium",
  "iss": "https://fs.xxxx.xxx/adfs",
  "iat": 1569692081,
  "nbf": 1569692081,
  "exp": 1569695681,
  "auth_time": 1569688602,
  "sub": "xxxxtQAkkaS77xubJofOkgPO1IDDd1HwtPh980Fxxxx=",
  "upn": "taavi@xxxx.xxx",
  "unique_name": "XXXX\\taavi",
  "sid": "S-1-5-21-3692666532-3814811588-2933365228-xxxx"
}
```
Is there any further info we could provide to have support added? Thanks!
The biggest barrier for me right now is having a test instance to work with. Maybe you @Elegant996 or @supertassu could help me get access to such an instance?
Thanks!
You can set up AD DS & AD FS on a virtual machine, as you can use the Windows Server 2019 trial version for 180 days for free. Let me know if you need help with that.
Do either of you have a test server up and running we could use? Maybe we could schedule a time to work in sync. I think the capability is there, I just don't have the cycles right now to futz with setting up windows. :(
Apologies for the delay (as always).
I don't currently have an instance I'm comfortable opening up to the internet; however, I'll see what I can do for you.
Any news on it?
@Neustradamus No news, but from my understanding, modern AD supports OIDC and should work with Pomerium with minimal configuration.
I've had a go with ADFS OIDC. It almost works, but I hit an issue where, when Pomerium hits the `userinfo` endpoint, it gets an unauthorised response.
Looking in the ADFS logs shows:

```
UserInfoListener.ValidateAccessToken: The access token in the request doesn't have required audience 'urn:microsoft:userinfo'. Actual audience 'microsoft:identityserver:<client_id>'
```

I've had a Google around and it seems that ADFS requires a non-standard `resource` parameter (link also mentioned in their docs).
However, there's little value in the `userinfo` endpoint on ADFS as it only gives back the subject claim.
I see two potential ways forward for ADFS support:
1) Support the MS-specific `resource` parameter somehow
2) Allow users to configure whether the `userinfo` endpoint is even hit, for situations like this where it shows little value.
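As an added example (not Pomerium code and not posted by anyone in this thread), the following Go program does the two diagnostic checks this thread keeps circling: decode a token's payload and list which expected claims (`email`, `groups`) are absent, as with the censored `id_token` above, and check an access token's `aud` against the audience the `userinfo` endpoint demands (`urn:microsoft:userinfo`) before making the call, which is the mismatch the ADFS log line reports. The helper names (`DecodePayload`, `MissingClaims`, `HasAudience`, `SampleToken`), the `example.test` issuer and the token payloads are assumptions constructed for the example. The decoder intentionally skips signature verification: it inspects, it does not authenticate.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Claims is the decoded JSON payload of a JWT, kept generic so any claim
// can be looked up by name.
type Claims map[string]interface{}

// DecodePayload splits a compact JWT (header.payload.signature) and
// base64url-decodes its payload. It deliberately does NOT verify the
// signature: it is a diagnostic helper for seeing what the IdP put in a
// token and must never stand in for verification in a real client.
func DecodePayload(token string) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("not a compact JWT: expected 3 dot-separated segments")
	}
	raw, err := base64.RawURLEncoding.DecodeString(strings.TrimRight(parts[1], "="))
	if err != nil {
		return nil, fmt.Errorf("payload is not base64url: %w", err)
	}
	var c Claims
	if err := json.Unmarshal(raw, &c); err != nil {
		return nil, fmt.Errorf("payload is not JSON: %w", err)
	}
	return c, nil
}

// MissingClaims returns, in order, the names from required that are absent.
func MissingClaims(c Claims, required []string) []string {
	var missing []string
	for _, name := range required {
		if _, ok := c[name]; !ok {
			missing = append(missing, name)
		}
	}
	return missing
}

// Audiences normalises the "aud" claim, which RFC 7519 allows to be either
// a single string or an array of strings.
func Audiences(c Claims) []string {
	switch v := c["aud"].(type) {
	case string:
		return []string{v}
	case []interface{}:
		out := make([]string, 0, len(v))
		for _, a := range v {
			if s, ok := a.(string); ok {
				out = append(out, s)
			}
		}
		return out
	}
	return nil
}

// HasAudience reports whether the token is addressed to want. Calling
// userinfo with a token whose audience is something else is exactly what
// the ADFS log line rejects.
func HasAudience(c Claims, want string) bool {
	for _, a := range Audiences(c) {
		if a == want {
			return true
		}
	}
	return false
}

// SampleToken assembles an unsigned compact JWT from a payload map. It exists
// only to build constructed test data offline; the empty signature segment
// would (and should) be rejected by any real verifier.
func SampleToken(payload map[string]interface{}) string {
	seg := func(v interface{}) string {
		b, _ := json.Marshal(v)
		return base64.RawURLEncoding.EncodeToString(b)
	}
	header := map[string]interface{}{"alg": "RS256", "typ": "JWT"}
	return seg(header) + "." + seg(payload) + "."
}

func main() {
	// Constructed id_token payload with the same shape as the censored one above.
	idToken := SampleToken(map[string]interface{}{
		"aud": "pomerium", "iss": "https://fs.example.test/adfs",
		"sub": "opaque-subject", "upn": "taavi@example.test",
		"unique_name": "EXAMPLE\\taavi",
	})
	c, err := DecodePayload(idToken)
	if err != nil {
		panic(err)
	}
	fmt.Println("claims missing from id_token:", MissingClaims(c, []string{"email", "groups"}))

	// Constructed access token carrying the audience ADFS actually issues.
	at, _ := DecodePayload(SampleToken(map[string]interface{}{"aud": "microsoft:identityserver:pomerium"}))
	fmt.Println("safe to call userinfo:", HasAudience(at, "urn:microsoft:userinfo"))
}
```

Run as-is it reports `[email groups]` missing and `false` for the userinfo audience; the second result is the signal an OIDC client could use to skip the `userinfo` round trip (option 2 above) instead of letting it fail with an unauthorised response.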
With this change: https://github.com/pomerium/pomerium/pull/1542 it seems like we would just need the ability to disable querying the `userinfo` endpoint?
**Is your feature request related to a problem? Please describe.**
I'm trying to keep everything self-hosted and use AD for authentication.

**Describe the solution you'd like**
Support for using self-hosted AD as an identity provider.

**Describe alternatives you've considered**
I tried to run the Azure AD provider with my self-hosted AD but it did not work (`oauth callback : error redeeming authenticate code: identity/microsoft: could not retrieve groups Unauthorized Request 222ccbe8-118a-478e-a26c-f1189662ec61`). Using Azure AD (not self-hosted) or other software.

**Explain any additional use-cases**
Universal OpenID with just the configuration url (not a pre-configured provider) would be also nice.
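An added example (not Pomerium code and not the issue author's) of what "just the configuration url" means for a generic OIDC client: the client fetches `<provider_url>/.well-known/openid-configuration` and must validate that document before using it. The check that matters for security is that the document's `issuer` equals the configured provider URL (OpenID Connect Discovery 1.0, section 4.3), so a document served from one host cannot declare itself a different issuer; after that, the mandatory endpoints must be present and use https. The function names (`ParseDiscovery`, `UnadvertisedScopes`), the `example.test` host and the metadata document are assumptions constructed for the example; fetching over HTTP is left out so the code runs offline.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// Discovery is the subset of OpenID Provider Metadata a generic client needs.
type Discovery struct {
	Issuer                string   `json:"issuer"`
	AuthorizationEndpoint string   `json:"authorization_endpoint"`
	TokenEndpoint         string   `json:"token_endpoint"`
	UserinfoEndpoint      string   `json:"userinfo_endpoint"`
	JwksURI               string   `json:"jwks_uri"`
	ScopesSupported       []string `json:"scopes_supported"`
}

// ParseDiscovery decodes a document fetched from
// <providerURL>/.well-known/openid-configuration and applies the checks a
// client should make before trusting it: the issuer must match the
// configured provider URL, the mandatory endpoints must be present, and
// every endpoint must be an https URL.
func ParseDiscovery(providerURL string, body []byte) (*Discovery, error) {
	var d Discovery
	if err := json.Unmarshal(body, &d); err != nil {
		return nil, fmt.Errorf("metadata is not JSON: %w", err)
	}
	if strings.TrimSuffix(d.Issuer, "/") != strings.TrimSuffix(providerURL, "/") {
		return nil, fmt.Errorf("issuer %q does not match configured provider url %q", d.Issuer, providerURL)
	}
	endpoints := []struct {
		name, value string
		required    bool
	}{
		{"authorization_endpoint", d.AuthorizationEndpoint, true},
		{"token_endpoint", d.TokenEndpoint, true},
		{"jwks_uri", d.JwksURI, true},
		{"userinfo_endpoint", d.UserinfoEndpoint, false}, // optional in the spec
	}
	for _, ep := range endpoints {
		if ep.value == "" {
			if ep.required {
				return nil, fmt.Errorf("metadata is missing %s", ep.name)
			}
			continue
		}
		u, err := url.Parse(ep.value)
		if err != nil || u.Scheme != "https" || u.Host == "" {
			return nil, fmt.Errorf("%s %q is not an https URL", ep.name, ep.value)
		}
	}
	return &d, nil
}

// UnadvertisedScopes returns the requested scopes the provider does not list
// in scopes_supported. An empty scopes_supported means the provider advertised
// nothing, so nothing can be flagged; the client then only finds out from the
// token contents, as happened with the missing email claim in this thread.
func UnadvertisedScopes(d *Discovery, requested []string) []string {
	if len(d.ScopesSupported) == 0 {
		return nil
	}
	supported := make(map[string]bool, len(d.ScopesSupported))
	for _, s := range d.ScopesSupported {
		supported[s] = true
	}
	var out []string
	for _, s := range requested {
		if !supported[s] {
			out = append(out, s)
		}
	}
	return out
}

func main() {
	// Constructed metadata using the path layout an AD FS farm typically exposes.
	doc := []byte(`{"issuer":"https://fs.example.test/adfs",
	  "authorization_endpoint":"https://fs.example.test/adfs/oauth2/authorize/",
	  "token_endpoint":"https://fs.example.test/adfs/oauth2/token/",
	  "userinfo_endpoint":"https://fs.example.test/adfs/userinfo",
	  "jwks_uri":"https://fs.example.test/adfs/discovery/keys",
	  "scopes_supported":["openid","profile","email","allatclaims"]}`)
	d, err := ParseDiscovery("https://fs.example.test/adfs", doc)
	if err != nil {
		panic(err)
	}
	fmt.Println("requested scopes the provider does not advertise:",
		UnadvertisedScopes(d, []string{"openid", "email", "groups"}))
}
```

Comparing the requested scopes against `scopes_supported` at startup turns a silent "claim missing from the token" into a configuration-time warning, which is where a generic-provider mode would want to surface it.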