snipe / snipe-it

A free open source IT asset/license management system
https://snipeitapp.com
GNU Affero General Public License v3.0

Azure AD/SCIM User Provisioning #10412

Closed adagioajanes closed 2 years ago

adagioajanes commented 2 years ago

Snipe-IT Version

5.3.3

Operating System

Windows

Web Server

IIS

PHP Version

7.4.21

Is your feature request related to a problem? Please describe.

Snipe IT supports user sync via LDAP. But LDAP is not supported by many cloud only identity models such as Azure AD.

Describe the solution you'd like

I would like to see integration of a user provisioning API that can be connected with a standard SCIM service provider, such as Azure AD. https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/sync-scim http://www.simplecloud.info/

Describe alternatives you've considered

I have considered requesting the addition of SAML just in time (JIT) provisioning, but this would not be useful in Snipe IT. When I need to mark an asset as checked out by a user, they need to already exist in the system. JIT provisioning would require me to have every user login to Snipe IT at least once before I could check it out.

LDAP is currently available. But LDAP is not supported by many cloud first identity systems.

Additional context

No response

adagioajanes commented 2 years ago

This is also a continuing discussion of #1118. However, that was closed as it more directly referred to SAML login support, which was already completed :)

JDangles commented 2 years ago

I'm hoping for this functionality as well!

snipe commented 2 years ago

LDAP is most certainly supported by Azure. Azure is MS, and Active Directory is an MS product (one of the few I’d say they do well). https://snipe-it.readme.io/docs/hosted-ldap-providers

adagioajanes commented 2 years ago

@snipe What you are referring to is Azure Managed AD DS. So, for ultimate fairness, LDAP is only supported by deploying the Domain Services (DS) portion of Azure AD.

I tried to go down this path originally, but was met with a few problems. First, Domain Services carries a significant cost over standalone Azure AD (minimum $109.50/month). https://azure.microsoft.com/en-us/pricing/details/active-directory-ds/

Next, per Microsoft's own documentation... "An Azure AD DS managed domain lets you run legacy applications in the cloud that can't use modern authentication methods, or where you don't want directory lookups to always go back to an on-premises AD DS environment. You can lift and shift those legacy applications from your on-premises environment into a managed domain, without needing to manage the AD DS environment in the cloud." https://docs.microsoft.com/en-us/azure/active-directory-domain-services/overview

LDAP is the legacy way of synchronizing users. Azure AD DS was developed to support those older applications. It is, of course, usable by Snipe IT. But, it isn't the best way to handle it when the SCIM standards are really what should be used with a cloud identity model.

Traditional AD is, of course, not dead. But, Azure AD and other cloud IDAM providers are becoming the new standard. New businesses traditionally don't buy servers anymore, nor do they setup a traditional AD (unless REQUIRED by their applications). You will be hard pressed to have someone shell out $109.50/month, just so Snipe IT can sync users.

In a previous thread #1118, I mentioned that I was lucky to have LDAP available, as I have a domain controller running in the cloud already. It was cheaper than the $109.50/month to have Azure manage it for me. But, that is simply not an option for a lot of people (for even more reasons that would derail this discussion too much).

But in reality, off the top of my head I have three applications left that are still currently relying on my LDAP.

  1. EHR/PM (medical records software)
  2. Jira
  3. Snipe IT

Everything else at this point (and we're talking about like, 50 different applications) supports SCIM or some other user provisioning model (like SAML JIT).

SCIM is the new way to provision users in a cloud only fashion and is an open standard supported by more than just Azure. It supports the full identity and access management lifecycle of a user. For current and future support of cloud IDAM, the best path forward would be to add support for SCIM. :)

adagioajanes commented 2 years ago

Oh, and something extremely important to highlight, because this is not obvious to people who don't work with Azure AD daily...

Azure AD != AD DS They are different things entirely.

Azure AD != Azure AD DS They are also completely different technologies.

I would be happy to sit down with you and walk you through some of this IDAM nonsense. There are a lot of acronyms, and Microsoft is shooting admins in the foot by not properly establishing the difference between Azure AD and AD DS. And why Azure AD somewhat supports LDAP (and traditional Active Directory style connections), but, it really doesn't...

JemTaylorUHI commented 2 years ago

Agree completely with @adagioajanes who has explained more concisely than I can why large enterprises and new cloud-only businesses are right to want this. I have spent the last couple of years getting the bulk of our major systems migrated off LDAPS and onto SCIM, alongside generally moving from on-prem to SaaS so that we can shut a datacentre and slash our environmental impact. Strategically I want to shut down cloud access to our LDAPS service, which we will be able to do after a new Library Management System goes live in summer 2022. By then all the other LDAPS based SaaS platforms will be migrated. So for my University, I don't want Snipe-IT (which is new for us) to create a reason to keep LDAP long term, especially for SaaS, and enterprise users like us really do need Snipe-IT to grow a SCIM interface 😃 If this is accepted for development, we will be willing to put some human effort into helping with doing it, as well as testing etc.

louisdj commented 2 years ago

+1 on this topic, we're using SAML and LDAP now, as SAML is being used for login and LDAP for sync users, but it would make more sense for us to use SCIM instead of having some 'legacy' LDAP for the synchronisation of the users. With SCIM we can automate on- & offboarding of users better.
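
The provisioning lifecycle the last two comments describe (the identity provider looks a user up by userName, creates the account, and later deactivates it when the person is offboarded) is easier to see as protocol traffic than as prose. What follows is an added example, not code from this issue or from Snipe-IT: a minimal SCIM 2.0 /Users service-provider core, written in Python rather than the project's PHP so that it runs stand-alone. The bearer token, the sample user, and the application column names username, first_name, last_name, email and activated are constructed for the example; the request shapes (the userName filter, the core User schema on POST, the PatchOp with active=false) are the ones RFC 7643/7644 define and Azure AD sends.

```python
import hmac
import re
import uuid
from urllib.parse import parse_qs, urlsplit

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
SCIM_LIST = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
SCIM_ERROR = "urn:ietf:params:scim:api:messages:2.0:Error"
# Constructed secret: in a deployment this is the long random bearer token pasted
# into the identity provider's provisioning configuration, never a user password.
PROVISIONING_TOKEN = "constructed-example-token-do-not-reuse"
FILTER_RE = re.compile(r'^(\w+)\s+eq\s+"([^"]*)"$')
# SCIM attribute -> assumed application column (Snipe-IT-like names, not the real schema).
PATCH_ATTRS = {"userName": "username", "name.givenName": "first_name", "name.familyName": "last_name"}


def scim_error(status, detail):
    return status, {"schemas": [SCIM_ERROR], "status": str(status), "detail": detail}


def as_bool(value):
    # Providers send booleans both as JSON true/false and as the strings "True"/"False".
    return value is True or str(value).lower() == "true"


class ScimUserEndpoint:
    def __init__(self):
        self.users = {}  # SCIM id -> row dict (in-memory stand-in for the user table)

    def handle(self, method, url, headers, body=None):
        """Dispatch one SCIM request; returns (http_status, json_body)."""
        auth = headers.get("Authorization", "")
        token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
        if not hmac.compare_digest(token.encode(), PROVISIONING_TOKEN.encode()):
            return scim_error(401, "invalid or missing bearer token")  # constant-time check
        parts, body = urlsplit(url), body or {}
        if parts.path == "/Users" and method == "GET":
            return self.list_users(parse_qs(parts.query).get("filter", [None])[0])
        if parts.path == "/Users" and method == "POST":
            return self.create_user(body)
        m = re.fullmatch(r"/Users/([0-9a-f-]+)", parts.path)
        if m and method == "PATCH":
            return self.patch_user(m.group(1), body)
        return scim_error(404, "unknown resource")

    def list_users(self, filt):
        """Azure AD asks 'userName eq "..."' first, to choose between create and update."""
        rows = list(self.users.values())
        if filt is not None:
            m = FILTER_RE.match(filt)
            if not m or m.group(1) != "userName":
                return scim_error(400, 'only userName eq "value" filters are supported')
            wanted = m.group(2).lower()  # userName is case-insensitive (RFC 7643)
            rows = [u for u in rows if u["username"].lower() == wanted]
        return 200, {"schemas": [SCIM_LIST], "totalResults": len(rows), "startIndex": 1,
                     "itemsPerPage": len(rows), "Resources": [self.to_scim(u) for u in rows]}

    def create_user(self, body):
        if SCIM_USER not in body.get("schemas", []) or not body.get("userName"):
            return scim_error(400, "core User schema and userName are required")
        username = body["userName"]
        if any(u["username"].lower() == username.lower() for u in self.users.values()):
            return scim_error(409, "userName already exists")  # uniqueness, RFC 7644 3.3
        name, emails = body.get("name") or {}, body.get("emails") or []
        email = next((e.get("value") for e in emails if e.get("primary")), None)
        row = {"id": str(uuid.uuid4()), "external_id": body.get("externalId"),
               "username": username, "first_name": name.get("givenName", ""),
               "last_name": name.get("familyName", ""),
               "email": email or (emails[0].get("value") if emails else None),
               "activated": as_bool(body.get("active", True))}
        self.users[row["id"]] = row
        return 201, self.to_scim(row)

    def patch_user(self, user_id, body):
        """Offboarding arrives as PATCH active=false: the row is disabled, never deleted."""
        row = self.users.get(user_id)
        if row is None:
            return scim_error(404, "user not found")
        if SCIM_PATCH not in body.get("schemas", []):
            return scim_error(400, "PatchOp schema required")
        for op in body.get("Operations", []):
            if op.get("op", "").lower() != "replace":
                return scim_error(400, "only replace operations are handled here")
            # Both shapes occur: {"path": "active", "value": false} and {"value": {"active": "False"}}.
            changes = {op["path"]: op.get("value")} if "path" in op else dict(op.get("value") or {})
            for attr, value in changes.items():
                if attr == "active":
                    row["activated"] = as_bool(value)
                elif attr in PATCH_ATTRS:
                    row[PATCH_ATTRS[attr]] = value
                else:
                    return scim_error(400, f"unsupported attribute {attr!r}")
        return 200, self.to_scim(row)

    @staticmethod
    def to_scim(row):
        return {"schemas": [SCIM_USER], "id": row["id"], "externalId": row["external_id"],
                "userName": row["username"], "active": row["activated"],
                "name": {"givenName": row["first_name"], "familyName": row["last_name"]},
                "emails": [{"value": row["email"], "primary": True}] if row["email"] else [],
                "meta": {"resourceType": "User", "location": f"/Users/{row['id']}"}}
```

Two points in the block are worth carrying into a real implementation. The token is compared in constant time and checked before any routing, because a SCIM endpoint is reachable from the identity provider's cloud, and so from the internet, by design. And offboarding only flips the active flag instead of deleting the row, so an asset that was checked out to a departed user stays attributable to that person in the audit trail; that is the behaviour the "automate on- and offboarding" comment above is asking for.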

adagioajanes commented 2 years ago

Been digging into this more to see if I could make any headway on it. But, it's definitely going to take a lot more research and learning to even make a draft.

So far, I have got as far as finding this... https://github.com/arietimmerman/laravel-scim-server

It looks like it could implement a lot of the initial groundwork for SCIM on a Laravel application. Perhaps it can be utilized to hook into the current user system?

nesretep commented 2 years ago

+1 for me on this as well. Having a modern identity management option would make Snipe-IT that much more attractive to your existing and new customers.

LoganTheHippo commented 2 years ago

+1 - This would be great for our org. Currently scripting user syncing from Onelogin via API

uberbrady commented 2 years ago

Hey folks - I have a test branch that’s not quite yet ready for prime-time, but I’m hoping that it will be pretty soon. Once I have it a little closer to being ready for production, I think we’re going to roll it into the next (and hopefully final!!!) v6 candidate.

I was hoping for some help testing, and maybe even some help on how to update our documentation for these new features. Any adventurous takers who want to help out?