Replies: 9 comments
-
Hi @B3DTech, I'm not sure if this is related, but it's worth trying. For OIDC we open a random port on 127.0.0.1 and use it as the redirect_uri; this is how the standard recommends this kind of authorization. But for some reason Azure AD doesn't make it easy: for example, 127.0.0.1 can only be set if you use the CLI, but not the web UI, and I think there was something related to using a random port; at least some IdPs have this problem. To address this problem you can use the property You can try with something like
Or if it doesn't work with 127.0.0.1 you can also try with
You can use any port number; make sure it is not a standard one. Let me know if this works.
-
Yes! Kind of :) What is the OIDC claim you're looking to get back from the server? name, upn, nameid?

Looks like I'm getting two different errors depending on what I'm doing: I got a success in the browser after defining the listenAddress. However, on the console I got "token is not supported".

In the output.log file on the step-ca server, I see the following - not sure if it's related or indicative of anything:

time="2020-10-20T11:40:41-04:00" level=info duration="197.022µs" duration-ns=197022 fields.time="2020-10-20T11:40:41-04:00" method=GET name=ca path="/provisioners?limit=100" protocol=HTTP/2.0 referer= remote-address=10.85.148.134 request-id=bu7g9ua9kojtkapoltc0 size=1280 status=200 user-agent="Smallstep CLI/0.15.2 (darwin/amd64)" user-id=

When I do a step ssh login [email protected]:
✔ CA: https://hq-1pssh01.internal.domain.com

On the server:
-
@B3DTech By default OIDC is looking for the

$ echo eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6IllRNFdfUzl0UmxIbWdVLVZXOUpLczdEVVBNNCIsImtpZCI6IllRNFdfUzl0UmxIbWdVLVZXOUpLczdEVVBNNCJ9.eyJhdWQiOiIyZGM0YzcwOS1kZjhiLTQwYjktYWZhYS1lODIyZDU0Njc3ZTAiLCJpc3MiOiJodHRwczovL2FkZnMuaWVlZWdsb2JhbHNwZWMuY29tL2FkZnMiLCJpYXQiOjE2MDMyMTM0MTYsImV4cCI6MTYwMzIxNzAxNiwiYXV0aF90aW1lIjoxNjAzMjEzNDE2LCJub25jZSI6IjU3ZGEzNWVkMjUyYTBiOGIxMDUwN2Q5MjM1ZDA2OWI5ZTljNDNhYmU4ZmQxNjMzNWYwN2M3ZGQ2NmNkZjE1MWEiLCJzdWIiOiJWVU1tTG5KNmRjUndKQ0ZXbG5TN3E0d2xncjEwRTd2OXBrSk5CcG9QYmhRPSIsInVwbiI6Im1kaW9yaW9AZ2xvYmFsc3BlYy5jb20iLCJ1bmlxdWVfbmFtZSI6IklOVEVSTkFMXFxtZGlvcmlvIiwicHdkX2V4cCI6IjM0MzI2NSIsInNpZCI6IlMtMS01LTIxLTI1MDk1OTAxNzMtMzM4OTk4ODkxNC0yNDk4MjU5MzI3LTExMDkifQ.L53kfvdqsc9ST-Cyu_ye53i9jwRBF92pPPwhqJOdls4x3xE7xACUFMIHxCjFPfNZRKmjs-yWzG4m91qK2NdH2w4TGPM3uWovI3iEPgIl21t0-F7iuuNrR7yKmmh-eXOxM72c4bJ2gB6cJYr60tURE-x4GAWxT5mjQR0CcC_3tKM9NfJ8UoLPyt5Sxg0AH6Ta7A4pNNBe8sIZQVZEJ0BsspHa76L-6dSepyskCX90CvgNmvlKYxge5oDESgyYXHhIsJvYZ8C-KbwENAAwmC9GcaY88_HhxXFDp1nsOpu9iKC1HEo596w_5_JwO2Ayn5B-qGJY96NTJUepTKPPpeWL9w | step crypto jwt inspect --insecure
{
  "header": {
    "alg": "RS256",
    "kid": "YQ4W_S9tRlHmgU-VW9JKs7DUPM4",
    "typ": "JWT",
    "x5t": "YQ4W_S9tRlHmgU-VW9JKs7DUPM4"
  },
  "payload": {
    "aud": "2dc4c709-df8b-40b9-afaa-e822d54677e0",
    "iss": "https://adfs.ieeeglobalspec.com/adfs",
    "iat": 1603213416,
    "exp": 1603217016,
    "auth_time": 1603213416,
    "nonce": "57da35ed252a0b8b10507d9235d069b9e9c43abe8fd16335f07c7dd66cdf151a",
    "sub": "VUMmLnJ6dcRwJCFWlnS7q4wlgr10E7v9pkJNBpoPbhQ=",
    "upn": "[email protected]",
    "unique_name": "INTERNAL\\mdiorio",
    "pwd_exp": "343265",
    "sid": "S-1-5-21-2509590173-3389988914-2498259327-1109"
  },
  "signature": "L53kfvdqsc9ST-Cyu_ye53i9jwRBF92pPPwhqJOdls4x3xE7xACUFMIHxCjFPfNZRKmjs-yWzG4m91qK2NdH2w4TGPM3uWovI3iEPgIl21t0-F7iuuNrR7yKmmh-eXOxM72c4bJ2gB6cJYr60tURE-x4GAWxT5mjQR0CcC_3tKM9NfJ8UoLPyt5Sxg0AH6Ta7A4pNNBe8sIZQVZEJ0BsspHa76L-6dSepyskCX90CvgNmvlKYxge5oDESgyYXHhIsJvYZ8C-KbwENAAwmC9GcaY88_HhxXFDp1nsOpu9iKC1HEo596w_5_JwO2Ayn5B-qGJY96NTJUepTKPPpeWL9w"
}

The current code REQUIRES the
certificates/authority/provisioner/oidc.go Lines 370 to 372 in 4c8bf87

This is not the case for X.509 certificates; in those certificates that token will create a URI subject alternative name (SAN) like

We'll need to think about removing the email requirement for SSH certificates.
-
OK - I have a successful cert issued via ADFS. Here are the steps to get ADFS working:

A) It has to be Server 2016 or higher.

1. In the ADFS console, go to Application Groups. Select Add Application Group...
2. Give it a name and select Web browser accessing a web application (this allows you to send custom claim attributes).
3. Copy the Client Identifier; you'll need this in the provisioner configuration.
4. Enter the Redirect URI as https://127.0.0.1:10000 (this will need to be configured in the ca.json file as well).
5. Choose the access control policy appropriate for your organization.
6. Finish the wizard.
7. Open the newly created Application Group and edit the Web Application.
8. On the Identifiers tab, enter the server FQDN for the Relying Party Identifier.
9. On the Issuance Transformation Rules, add a new rule. Give it a name, choose your attribute store, set the LDAP attribute to one that will be your user's email address, and set the Outgoing Claim Type as E-Mail Address. Save and close the wizard.
10. In the ca.json file on the cert-ca server, add a provisioner. Copy the Client Identifier from above to the clientID field. Set your configurationEndpoint to the OIDC ADFS endpoint URL. Set the listenAddress to 127.0.0.1:10000 - same as was used in the config above. This can be any high value, unused port across your environment (it needs to be available on every client that will use cert-ca). You do not use clientSecret in this configuration.
11. Save and restart cert-ca and issue yourself a cert:

step ca certificate [email protected] personal.crt personal.key
✔ CA: https://hq-1pssh01.internal.domain.com
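Added example, not code from the thread or from the step-ca project: a small Python check that ties the two posts above together, the unverified claim view that `step crypto jwt inspect --insecure` gives and the ca.json provisioner fields from the tutorial (clientID, configurationEndpoint, listenAddress, no clientSecret). It lists why an ADFS ID token like the one posted would be refused, in particular the missing email claim, and also flags a listenAddress that is not a loopback high port, the point the first reply makes. The provisioner entry, host names, client ID and HS256 test key are constructed placeholders, and the checks approximate rather than reproduce step-ca's own validation; the issuer check assumes the OIDC discovery convention that configurationEndpoint is issuer + /.well-known/openid-configuration.

```python
import base64
import hashlib
import hmac
import json

# Constructed ca.json OIDC provisioner entry in the shape the tutorial describes
# (placeholder host and client ID; no clientSecret, as the tutorial notes).
PROVISIONER = {
    "type": "OIDC",
    "name": "adfs",
    "clientID": "00000000-0000-4000-8000-000000000001",
    "configurationEndpoint": "https://adfs.example.test/adfs/.well-known/openid-configuration",
    "listenAddress": "127.0.0.1:10000",
}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def inspect_jwt(token: str) -> dict:
    """Header and payload of a compact JWS with NO signature check, the same
    view `step crypto jwt inspect --insecure` gives."""
    head, body, _sig = token.split(".")
    dec = lambda s: json.loads(base64.urlsafe_b64decode(s + "=" * (-len(s) % 4)))
    return {"header": dec(head), "payload": dec(body)}

def token_problems(token: str, prov: dict, now: int) -> list:
    """Reasons the provisioner above would reject this ID token (empty = OK)."""
    c = inspect_jwt(token)["payload"]
    issues = []
    if c.get("aud") != prov["clientID"]:
        issues.append("aud does not match the provisioner clientID")
    if prov["configurationEndpoint"] != str(c.get("iss", "")).rstrip("/") + "/.well-known/openid-configuration":
        issues.append("iss does not match the issuer behind configurationEndpoint")
    if not isinstance(c.get("exp"), int) or c["exp"] <= now:
        issues.append("token expired")
    if not c.get("email"):  # ADFS sends upn/unique_name but no email unless a claim rule adds it
        issues.append("missing email claim (add an E-Mail Address issuance rule in ADFS)")
    host, _, port = prov["listenAddress"].rpartition(":")
    if host not in ("127.0.0.1", "localhost", "[::1]") or not port.isdigit() or int(port) < 1024:
        issues.append("listenAddress should be a loopback host on a high, unused port")
    return issues

def make_test_token(claims: dict, key: bytes = b"constructed-test-key") -> str:
    """HS256 token for offline tests; ADFS signs RS256, but nothing here verifies."""
    seg = lambda o: b64url(json.dumps(o, separators=(",", ":")).encode())
    signing_input = seg({"typ": "JWT", "alg": "HS256"}) + "." + seg(claims)
    return signing_input + "." + b64url(hmac.new(key, signing_input.encode(), hashlib.sha256).digest())
```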
-
step ssh login [email protected] is still not working....
The request was forbidden by the certificate authority error="authority.SignSSH: ssh certificate keyID cannot be empty"
-
@B3DTech I think this is a known issue that was solved a couple of months ago but is still not in a formal release. But I think it should be solved in this release candidate or by building step from source. And thanks for the detailed tutorial to add the email claim.
-
And I think it only happens if your email is marked as an admin in the provisioner.
-
The RC fixed that issue. And I still couldn't ssh into my host, but I fixed that too... - selinux! It was rejecting on read, open and getattr. After allowing that, it works! So I'm wondering if there's a better way to handle this? Where should the steppath be? By default it seems to want to place it in /root/.step/
-
Yes,

$ cat /etc/systemd/system/step-ssh-renew.timer
[Unit]
Description=Step SSH renewer timer

[Timer]
OnBootSec=60
OnUnitActiveSec=28800
AccuracySec=1

[Install]
WantedBy=multi-user.target

and assuming you are using the ecdsa key:

$ cat /etc/systemd/system/step-ssh-renew.service
[Unit]
Description=Step SSH certificate renewer

[Service]
ExecStart=/usr/bin/step ssh renew --force /etc/ssh/ssh_host_ecdsa_key-cert.pub /etc/ssh/ssh_host_ecdsa_key

For this to work you need to enable an SSHPOP provisioner:

{
  "type": "SSHPOP",
  "name": "SSH POP",
  "claims": {
    "disableRenewal": false,
    "enableSSHCA": true
  }
}

You can also create a new cert with other provisioners like JWK, but SSHPOP will use the current certificate to authenticate the renewed one.
-
When using the OIDC provisioner against ADFS, ADFS throws errors. When looking at the ADFS audit event logs, I see some very strange entries in the redirect_uri, and some unicode (not sure if that's the event log or what ADFS is interpreting).
Sanitized:
{"Connection":"keep-alive","Accept":"image/png,image/svg+xml,image/*;q=0.8,video/*;q=0.8,*/*;q=0.5","Accept-Encoding":"gzip, deflate, br","Accept-Language":"en-us","Host":"adfs.domain.cloud","Referer":"https://adfs.domain.cloud/adfs/oauth2/authorize/?client_id=adfsgeneratedclientID\u0026code_challenge=adfsCodeChallenge\u0026code_challenge_method=S256\u0026nonce=7e75720bee66469ddfca01cbe9b760dff2c020999f46e644b4d456b325203534\u0026redirect_uri=http%3A{"Connection":"keep-alive","Accept":"image/png,image/svg+xml,image/*;q=0.8,video/*;q=0.8,*/*;q=0.5","Accept-Encoding":"gzip, deflate, F{"Connection":"keep-alive","Accept":"image/png,image/svg+xml,image/*;q=0.8,video/*;q=0.8,*/*;q=0.5","Accept-Encoding":"gzip, deflate, F127.0.0.1%3A59058\u0026re sponse_type=code\u0026scope=openid+email\u0026state=I2001yF5pifkR8hPx2K7RBb2RlOzT02X","User-Agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1.2 Safari/605.1.15","X-MS-Endpoint-Absolute-Path":"/adfs/portal/illustration/illustration.jpg"}
Your environment: ADFS is running on Server 2016