This change allows configuring a separate URL for SSO callbacks, which is useful when organizations have different URLs for admin access vs agent/API access. Fixes #31480, the SSO issue where organizations with dual URL setups were getting 'Destination does not match requested URL' errors after upgrading to v4.71.0 with the new SAML library. Video demo: https://www.youtube.com/watch?v=dFzNpUY3XKI # Checklist for submitter If some of the following don't apply, delete the relevant line. - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information. ## Testing - [x] Added/updated automated tests - [ ] QA'd all new/changed functionality manually ## New Fleet configuration settings - [x] Verified that the setting is exported via `fleetctl generate-gitops` - [x] Verified the setting is documented in a separate PR to [the GitOps documentation](https://github.com/fleetdm/fleet/blob/main/docs/Configuration/yaml-files.md#L485) - Same PR since this is going to be a 4.71.1 patch - [ ] Verified that the setting is cleared on the server if it is not supplied in a YAML file (or that it is documented as being optional) - [x] Verified that any relevant UI is disabled when GitOps mode is enabled <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Added support for configuring a dedicated SSO URL, allowing organizations to restrict SSO authentication to a specific URL. * The new SSO URL option is available in both the UI and API configuration settings. * **Documentation** * Updated configuration and API documentation to include the new SSO URL option with usage examples. * **Bug Fixes** * Resolved authentication issues for organizations using separate URLs for admin and agent/API access.
* **Tests** * Added new unit and integration tests to verify SSO behavior with and without the dedicated SSO URL. <!-- end of auto-generated comment: release notes by coderabbit.ai -->
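# Fleet GitOps global config in the shape emitted by `fleetctl generate-gitops`
# (top-level keys sorted alphabetically). ___GITOPS_COMMENT_<n>___ markers sit
# where the generator writes a comment in place of a secret or metadata value
# (api_token, password, private_key, secret, metadata) — presumably so that
# those values never land in the exported file; confirm against the generator.
# Nesting below was restored from a flattened, indentation-less listing of the
# same 124 lines; every value is reproduced verbatim.
features:
  enable_host_users: true
  enable_software_inventory: true
  additional_queries:
    time: "SELECT * FROM time"
    macs: "SELECT mac FROM interface_details"
  detail_query_overrides:
    # NOTE(review): the value was blank in the source listing, i.e. YAML null;
    # read here as an override that disables the built-in users query — confirm.
    users:
    mdm: "SELECT enrolled, server_url, installed_from_dep, payload_identifier FROM mdm;"
fleet_desktop:
  transparency_url: https://fleetdm.com/transparency
host_expiry_settings:
  host_expiry_enabled: false
  host_expiry_window: 59995
integrations:
  conditional_access_enabled: true
  custom_scep_proxy:
    - challenge: ___GITOPS_COMMENT_5___
      name: some-custom-scep-proxy-name
      url: https://some-custom-scep-proxy-url.com
  digicert:
    - api_token: ___GITOPS_COMMENT_3___
      certificate_common_name: some-digicert-certificate-common-name
      certificate_seat_id: some-digicert-certificate-seat-id
      certificate_user_principal_names:
        - some-digicert-certificate-user-principal-name
        - some-other-digicert-certificate-user-principal-name
      name: some-digicert-name
      profile_id: some-digicert-profile-id
      url: https://some-digicert-url.com
  google_calendar:
    - api_key_json:
        owl: hoot
        private_key: ___GITOPS_COMMENT_0___
      domain: fleetdm.com
  jira:
    - api_token: ___GITOPS_COMMENT_1___
      enable_failing_policies: false
      enable_software_vulnerabilities: false
      project_key: some-jira-project-key
      url: https://some-jira-url.com
      username: some-jira-username
  ndes_scep_proxy:
    admin_url: https://some-ndes-admin-url.com
    password: ___GITOPS_COMMENT_4___
    url: https://some-ndes-scep-proxy-url.com
    username: some-ndes-username
  zendesk:
    - api_token: ___GITOPS_COMMENT_2___
      email: some-zendesk-email@example.com
      enable_failing_policies: false
      enable_software_vulnerabilities: false
      group_id: 123456789
      url: https://some-zendesk-url.com
mdm:
  apple_business_manager:
    - ios_team: "\U0001F4F1\U0001F3E2 Company-owned mobile devices"
      ipados_team: "\U0001F4F1\U0001F3E2 Company-owned mobile devices"
      macos_team: "\U0001F4BB Workstations"
      organization_name: Fleet Device Management Inc.
  apple_server_url: http://some-apple-server-url.com
  end_user_authentication:
    entity_id: some-mdm-entity-id.com
    idp_name: some-other-idp-name
    issuer_uri: https://some-mdm-issuer-uri.com
    metadata: ___GITOPS_COMMENT_6___
    metadata_url: ___GITOPS_COMMENT_7___
  end_user_license_agreement: ./lib/eula/test.pdf
  volume_purchasing_program:
    - location: Fleet Device Management Inc.
      teams:
        - "\U0001F4BB Workstations"
        - "\U0001F4BB\U0001F423 Workstations (canary)"
        - "\U0001F4F1\U0001F3E2 Company-owned mobile devices"
        - "\U0001F4F1\U0001F510 Personal mobile devices"
org_info:
  contact_url: https://fleetdm.com/company/contact
  org_logo_url: http://some-org-logo-url.com
  org_logo_url_light_background: http://some-org-logo-url-light-background.com
  org_name: Fleet
secrets:
  - secret: ___GITOPS_COMMENT_8___
server_settings:
  ai_features_disabled: false
  debug_host_ids:
    - 1
    - 3
  deferred_save_host: false
  enable_analytics: true
  live_query_disabled: false
  query_report_cap: 1
  query_reports_disabled: false
  scripts_disabled: false
  # URL agents and API clients use; SSO callbacks may use a different one below.
  server_url: https://dogfood.fleetdm.com
sso_settings:
  enable_jit_provisioning: true
  enable_sso: true
  enable_sso_idp_login: false
  entity_id: dogfood.fleetdm.com
  idp_image_url: http://some-sso-idp-image-url.com
  idp_name: some-idp-name
  metadata: ___GITOPS_COMMENT_9___
  metadata_url: ___GITOPS_COMMENT_10___
  # Dedicated URL for SSO (SAML) callbacks, added for deployments whose admin
  # URL differs from the agent/API server_url. Per the PR description the SAML
  # response's Destination is checked against this value rather than
  # server_url, so it has to match the URL the IdP posts back to exactly
  # (scheme, host, port) or login fails with a Destination mismatch.
  sso_server_url: https://sso.fleetdm.com
webhook_settings:
  activities_webhook:
    destination_url: https://some-activities-webhook-url.com
    enable_activities_webhook: true
  failing_policies_webhook:
    destination_url: https://some-failing-policies-webhook-url.com
    enable_failing_policies_webhook: true
    host_batch_size: 2
    policy_ids: []
  host_status_webhook:
    days_count: 5
    destination_url: https://some-host-status-webhook-url.com
    enable_host_status_webhook: true
    host_percentage: 20
    # Go duration string as emitted by the generator; not a YAML time value.
    interval: 6h0m0s
  vulnerabilities_webhook:
    destination_url: https://some-vulerabilities-webhook-url.com
    enable_vulnerabilities_webhook: true
    host_batch_size: 3
yara_rules: {}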