Closed esilverberg closed 5 months ago
Hello @esilverberg. Thanks for the PR. I've finally had a chance to look at your changes and here's some feedback based on my experience:
gsts
with it's built-in chromium binary and load the endpoint verification extension manually, it will throw a Can't sync because of a Keychain authorization error. message on the extension's UIgsts
to use Chrome and keep the same binary interacting with the keychain entry (--engine-executable-path="/Applications/Google Chrome.app/Contents/MacOS/Google Chrome"
) although I'm not completely sure the use of another user data (profile) directory would create other problems.gsts
, as every login attempt will require a headful popup (interaction won't be needed, but a window will pop up).Unless I'm missing something, the only possible successfull path for Chrome Endpoint Verification in gsts
is if you meet the following conditions:
--engine-executable-path="/Applications/Google Chrome.app/Contents/MacOS/Google Chrome"
) to avoid the keychain error (presumably).If you confirm this experience, I'm not sure if an organization would prefer applying other policies (non device-policies) specifically to this SAML integration as a counter-measure.
Thank you for this feedback!
--engine-executable-path="/Applications/Google Chrome.app/Contents/MacOS/Google Chrome"
we can avoid the keychain error 🎉gsts
vs aws-google-auth
At this point the tradeoff is between allowing our employees to load unpacked extensions in Chrome, vs reducing the attack surface against our AWS endpoints from "anyone who obtains employee credentials and the second factor" to "anyone who obtains employee credentials + the second factor + one of a few dozen physical devices". Given that Chrome in this configuration is run for a narrow period of time, and my developers already have effective root access to their laptops, that seems like a tradeoff very much worth making.
Lastly, I also believe that Google would endorse this approach in their BeyondCorp architecture: https://cloud.google.com/beyondcorp
Endpoint Verification is basically Google productizing their BeyondCorp philosophy:
At this point the only sticking point with this implementation is the race condition that exists just after you successfully login -- the login completes and attempts to auth with AWS SAML before Endpoint Verification extension has sync'd. The first time through it will always land on an error page. You have to hit the back button after the extension has sync'd, and then the page + gsts script complete with success. I'm not sure that it's possible to add a delay between the successful login on Google's side at the attempt to https://signin.aws.amazon.com/saml
.
This PR adds support for the Endpoint Verification extension to support Context Aware Access to your AWS SAML app, which is a feature of Cloud Identity Premium.
This means, for example, that you can ensure that users of gsts are running on the latest version of MacOS, on a laptop whose serial number is registered to your company.
This PR works by detecting whether or not the Endpoint Verification Extension has already been installed on your system (presumably it would have been if this is a feature your organization is trying to use). If so, it tells Chromium about the local path, because the only way to get Chromium to use extensions if if they are already downloaded locally.