rockcarver / frodo-cli

A CLI to manage ForgeRock platform deployments supporting Identity Cloud tenants, ForgeOps deployments, and classic deployments.
MIT License

Federation Settings for Admin accounts - can they be exported/imported #251

Closed ashleyfrieze closed 1 year ago

ashleyfrieze commented 1 year ago

Frodo CLI version

Installed versions:
cli: v0.24.5
lib: v0.19.2
node: v18.16.0

Describe the issue

We've presently set up an Azure AD integration in our sandbox. We can see this mentioned when we run this command:

$ frodo idm list https://openam-XXX-sandboxeuw2.forgeblocks.com/am

.
.
.
.
fidc/federation-MyAzure
.
.
.
.
<other stuff>

However, when I run a command to export all the IDP settings, even though my service account has ALL possible permissions, I get errors:

$ frodo idm export -A -D idm  https://openam-xxx-sandboxeuw2.forgeblocks.com/am

Connected to https://openam-xxx-sandboxeuw2.forgeblocks.com/am [alpha] as service account Deployer [xxxx]
⠦ Exporting config objects...{ code: 403, reason: 'Forbidden', message: 'Access denied' }
Error getting config entity fidc/federation-MyAzure: AxiosError: Request failed with status code 403
⠙ Exporting config objects...{ code: 404, reason: 'Not Found', message: 'Not Found' }
Error getting config entity datasource.jdbc/workflow: AxiosError: Request failed with status code 404
{ code: 404, reason: 'Not Found', message: 'Not Found' }
Error getting config entity workflow: AxiosError: Request failed with status code 404

Is it even possible to do this? Is the limitation with Frodo or the FR tenant?

ashleyfrieze commented 1 year ago

@vscheuber please advise

vscheuber commented 1 year ago

@ashleyfrieze you can try specifying the realm. Admin federation configuration is stored in the root realm, not in alpha or bravo:

% frodo idp list volker-dev /

Lists the correct provider for me. I'm currently running the new pre-release 2.0.0 code so I am not able to test the export, yet. Please try the export using the latest frodo version (<2.0.0). In your examples you are quoting the frodo idm command... I assume you are using frodo idp?

vscheuber commented 1 year ago

@ashleyfrieze I added frodo admin federation sub-commands list, export, and import in frodo-cli 0.24.6-1 (a pre-release). If you could give it a good shake that would be great.

ashleyfrieze commented 1 year ago

@vscheuber - not looking good at all, I'm afraid. I'm having general bad times attempting to use a pre-existing service account added via frodo conn add. The frodo admin federation list will not accept that I've provided credentials. I've also tried using --sa-id with this command to present the service account and jwk file, but this doesn't help. I think your algorithm for detecting a token just doesn't work.

I also tried using host/username/password at command line with my own credentials. I got a timeout after 30 seconds of waiting. Not sure if that was my network connection.

vscheuber commented 1 year ago

@ashleyfrieze the frodo admin federation commands will only work with an admin account, not with a service account. That is not by my choice but is a security decision on the ForgeRock engineering side where only real admin user accounts have the privileges required to manage admin federation, due to the high security impact of this feature.

If you still have issues with the frodo conn save please tell me more and I'll get them fixed. I created tests around your scenario and I believe the issue you reported (#243) to be fixed.