mirror of
https://github.com/fleetdm/fleet
synced 2026-04-21 13:37:30 +00:00
**Related issue:** Resolves #34529

# Details

This PR implements the backend (and some related front-end screens) for allowing Fleet admins to require that users authenticate with an IdP prior to having their devices set up.

I'll comment on changes inline, but the high-level for the device enrollment flow is:

1. The handler for the `/orbit/enroll` endpoint now checks whether end-user authentication is required for the team (or globally, if using the global enroll secret).
2. If so, it checks whether a `host_mdm_idp_accounts` row exists with a `host_uuid` matching the identifier sent with the request.
3. If a row exists, enroll. If not, return a new flavor of `OrbitError` with a `401` status code and a message (`END_USER_AUTH_REQUIRED`) that Orbit can interpret and act on accordingly.

Additionally, some changes were made to the MDM SSO flow. Namely, adding more data to the session we store for correlating requests we make to the IdP to initiate SSO with responses aimed at our callback. We now store a `RequestData` struct which contains the UUID of the device making the request, as well as the "initiator" (in this case, "setup_experience"). When our SSO callback detects that the initiator was the setup experience, it attempts to add all of the relevant records to our database to associate the host with an IdP account. This removes the enrollment gate in the `/orbit/enroll` endpoint.

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [ ] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information.
  Will put the changelog in the last ticket for the story.
- [X] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements).

## Testing

- [X] Added/updated automated tests (will see if there's any more to update)
- [X] QA'd all new/changed functionality manually

To test w/ SimpleSAML:

1. Log in to your local Fleet dashboard with MDM and IdP set up for SimpleSAML:
    1. Go to Settings -> Integrations -> Identity provider
    2. Use "SimpleSAML" for the provider name
    3. Use `mdm.test.com` for the entity ID
    4. Use `http://127.0.0.1:9080/simplesaml/saml2/idp/metadata.php` for the metadata URL
2. Set up a team (or "no team") to have End User Authentication required (Controls -> Setup experience).
3. Get the enroll secret of that team.
4. In the browser console, do:

    ```js
    // Simulate fleetd's enrollment request for a host with hardware UUID abc123.
    fetch("https://localhost:8080/api/fleet/orbit/enroll", {
      "headers": {
        "accept": "application/json, text/plain, */*",
        "cache-control": "no-cache",
        "content-type": "application/json",
        "pragma": "no-cache",
      },
      // The body is a JSON string, so the inner quotes must all be escaped.
      "body": "{\"enroll_secret\":\"<enroll secret>\",\"hardware_uuid\":\"abc123\"}",
      "method": "POST",
    });
    ```

    replacing `<enroll secret>` with your team's enroll secret.
5. Verify in the network tab that you get a 401 error with message `END_USER_AUTH_REQUIRED`.
6. Go to https://localhost:8080/mdm/sso?initiator=setup_experience&host_uuid=abc123
7. Verify that a new screen appears asking you to log in to your IdP.
8. Log in to SimpleSAML with `sso_user / user123#`.
9. Verify that you're taken to a success screen.
10. In your database, verify that records exist in the `mdm_idp_accounts` and `host_mdm_idp_accounts` tables with uuid `abc123`.
11. Try the `fetch` command in the browser console again and verify that it succeeds.

## fleetd/orbit/Fleet Desktop

- [ ] Verified compatibility with the latest released version of Fleet (see [Must rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md))

This is _not_ compatible with the current version of fleetd or the soon-to-be-released 1.49.x. Until the #34847 changes are released in fleetd, this will need to be put behind a feature flag or withheld from Fleet releases.

<!-- This is an auto-generated comment: release notes by coderabbit.ai -->

## Summary by CodeRabbit

## Release Notes

* **New Features**
  * Added support for device UUID linkage during MDM enrollment to enable host-initiated enrollment tracking
  * Introduced setup experience flow for device authentication during enrollment
  * Added end-user authentication requirement configuration for macOS MDM enrollment
* **Improvements**
  * Enhanced MDM enrollment process to maintain device context through authentication
  * Updated authentication UI to display completion status for device setup flows
  * Refined form layout styling for improved visual consistency

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
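As an added illustration (not Fleet's code; the `EnrollStore`, `OrbitError` and method names are assumptions), this Go sketch models the two pieces the PR describes: the `/orbit/enroll` gate that answers `401 END_USER_AUTH_REQUIRED` until a `host_mdm_idp_accounts` row exists for the host UUID, and the SSO callback that creates that link only when the stored `RequestData` initiator is `setup_experience`. The session is consumed on first use, so a replayed callback cannot link a second host.

```go
package main

import "fmt"

// Message the PR's /orbit/enroll handler returns with a 401 when the gate is closed.
const EndUserAuthRequired = "END_USER_AUTH_REQUIRED"

// OrbitError stands in for the PR's new error flavor (shape assumed, not Fleet's type).
type OrbitError struct {
	StatusCode int
	Message    string
}

func (e *OrbitError) Error() string { return fmt.Sprintf("%d %s", e.StatusCode, e.Message) }

type RequestData struct{ HostUUID, Initiator string } // stored in the SSO session per the PR

// EnrollStore is a constructed in-memory stand-in for the team setting, the
// host_mdm_idp_accounts table and the SSO session store.
type EnrollStore struct {
	RequireEndUserAuth map[string]bool        // team -> end-user auth required
	HostIdPAccounts    map[string]string      // host_uuid -> IdP account
	SSOSessions        map[string]RequestData // session id -> RequestData
}

// EnrollGate mirrors the /orbit/enroll check: allow unless the team requires
// end-user auth and no host_mdm_idp_accounts row matches the host UUID.
func (s *EnrollStore) EnrollGate(team, hostUUID string) error {
	if !s.RequireEndUserAuth[team] {
		return nil
	}
	if _, linked := s.HostIdPAccounts[hostUUID]; linked {
		return nil
	}
	return &OrbitError{StatusCode: 401, Message: EndUserAuthRequired}
}

// SSOCallback models the IdP callback: the session is consumed once, and only the setup_experience initiator links the host.
func (s *EnrollStore) SSOCallback(sessionID, idpAccount string) error {
	rd, ok := s.SSOSessions[sessionID]
	if !ok {
		return fmt.Errorf("unknown or already-used SSO session %q", sessionID)
	}
	delete(s.SSOSessions, sessionID)
	if rd.Initiator == "setup_experience" {
		s.HostIdPAccounts[rd.HostUUID] = idpAccount
	}
	return nil
}
```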