SSO Config Wizard - Server Downtime?

[Darren Appanah]

Hi Support,

We currently have Velociraptor server installed. We have configured the settings for SSO via Azure Active Directory. https://docs.velociraptor.app/blog/2020/2020-08-17-velociraptor-sso-authentication-6dd68d46dccf/#microsoft-azure-oauth2-flow

We are currently on the stage where it advises to " Now we have both the client id and secret from the previous screen. We simply need to copy those to the configuration wizard. This time we need to provide the tenant ID as well."

On this part that I've have highlighted in red. Will it by any means break the server at all by adding the Client ID, Tenant ID and Secret to the config wizard as this server is in production and we don't want any downtime?

Kind Regards,

Darren

[Mike Cohen]

All the wizard does is fill in the config file parameters based on questions. If you already have a config file you can just manually edit it. The config file reference is here

You can just update the authenticator type to azure https://docs.velociraptor.app/docs/deployment/references/#GUI.authenticator.type and add the relevant parameters by hand:

https://docs.velociraptor.app/docs/deployment/references/#GUI.authenticator.oauth_client_id

https://docs.velociraptor.app/docs/deployment/references/#GUI.authenticator.oauth_client_secret

https://docs.velociraptor.app/docs/deployment/references/#GUI.authenticator.tenant

Back the old settings up (or just comment them with # in the yaml) and restart the server.

Mike Cohen  Digital Paleontologist,  Velocidex Enterprises E mi...@velocidex.com

--
You received this message because you are subscribed to the Google Groups "velociraptor-discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to velociraptor-dis...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/velociraptor-discuss/772bca6b-8600-4769-8e19-dd563d76c380n%40googlegroups.com.

[Darren Appanah]

Thank you.

Do we have to restart the server for the configuration to take its new config?

Kind Regards,

Darren

[Mike Cohen]

Yes. restart the server to accept the new config.

Thanks

Mike

Mike Cohen  Digital Paleontologist,  Velocidex Enterprises E mi...@velocidex.com

To view this discussion on the web visit https://groups.google.com/d/msgid/velociraptor-discuss/d265ac15-7706-442a-bfd5-071837a803c7n%40googlegroups.com.

[Darren Appanah]

Hi Mike,

We followed this process for Azure on your documentation and after we inputted the configuration for SSO and rebooted the server we was not able to gain gui access back onto the server. This is how we wrote out the config file:

authenticator:

    oauth_client_id cdcxxxx

    oauth_client_secret x234xxxx

    tenant 0kxxxxx

Is this the correct format for the integration of SSO on Azure, are we missing something?

These are required for the oauth flow - get from the OIDC provider.
• oauth_client_id
  C123445
• oauth_client_secret
  X23456
This is specifically required by the Azure authenticator only.
• tenant
  O...

Kind Regards,

Darren

[Mike Cohen]

This looks right - what version are you using? What actually happens when you try to log in? do you 

get redirected to the auth provider?

There was a small breakage in oauth in rc3 you should try to use 0.6.8 now

Thanks

Mike 

Mike Cohen  Digital Paleontologist,  Velocidex Enterprises E mi...@velocidex.com

To view this discussion on the web visit https://groups.google.com/d/msgid/velociraptor-discuss/46136d51-24db-4a4a-aa76-3cf4cd87a0d4n%40googlegroups.com.

[Darren Appanah]

Hi Mike,

Thanks for you're swift response.

I have just seen on documentation that we might of missed a parameter in the config file do we need to specify the type? For example:

authenticator:

     type: azure (Is this what we might be missing for our config to work?)

    oauth_client_id cdcxxxx

    oauth_client_secret x234xxxx

    tenant 0kxxxxx

We are currently using 0.6.7-4. We already have this in production. Is there any other way around this?

Kind Regards,

Darren

[Darren Appanah]

We don't get redirected to anything. Its just comes up with an error page. 

The connection to the page is doesn't redirect to URL or anything. 

[Mike Cohen]

0.6.7-4 should be fine. The issue I was thinking about occurred only in 0.6.8-rc3 but was caught early by the community :-)

You do need to set the type of authenticator to azure (otherwise we dont know which one to use). 

You can follow the blog here https://docs.velociraptor.app/blog/2020/2020-08-17-velociraptor-sso-authentication-6dd68d46dccf/#microsoft-azure-oauth2-flow and just to see what it looks like, run the config wizard and inspect the config it generates as a reference.

Thanks

Mike

Mike Cohen  Digital Paleontologist,  Velocidex Enterprises E mi...@velocidex.com

To view this discussion on the web visit https://groups.google.com/d/msgid/velociraptor-discuss/7f13fa27-2071-4d10-afd5-83670833810cn%40googlegroups.com.

[Darren Appanah]

Hi Mike,

This is our setup atm, please have a look at my questions. 

1) authenticator:

 

    type: azure (We missed this parameter)

 

    oauth_client_id cdcxxxx

    oauth_client_secret x234xxxx

    tenant 0kxxxxx

 

 

2) Another thing we may have missed stated in documentation is the URL redirect used for the SSO which will bring up a splash page like this when logging onto gui for the first time:

 

 

Now i am not sure if we use a predefined URL https://velociraptor.equiticonsultant.com/ or create one as in the documentation it states to use the the App Registration > Display Name (3)

 

Our display name is:

 

Do we use our Display Name on Azure App Registration or the URL that has been created for the server GUI access: https://velociraptor.equiticonsultant.com/ ?

 

In the docs it uses the config wizard and it shows this which is the Azure App registration Name:

 

 

It states 'What is the public DNS name of the frontend' Is this the Azure App Registration Display name or the Local host URL?

Please let me know you're thoughts.

Kind regards,

Darren

[Darren Appanah]

Are you free for a conference call to go over this?

[Mike Cohen]

Hi Darren,

   Sorry I can't see any of the images in this email. Maybe they were not attached correctly or were stripped by the mailing list? Feel free to jump on discord and paste your images there or DM me with questions.

Normally when you go through the config wizard it tells you the relevant endpoint url to put into the Azure setup. In the case of Azure this is

https://example.com/auth/azure/callback

https://github.com/Velocidex/velociraptor/blob/9ca09fc04b587a6b66d6fb23990685994f85d07c/api/authenticators/azure.go#L65

For the question 'What is the public DNS name of the frontend' it is asking for a dns name like www.example.com not a URL. It will be used to build the client connection URLs and other things (including the callback URL).

Thanks

Mike

Mike Cohen  Digital Paleontologist,  Velocidex Enterprises E mi...@velocidex.com

To view this discussion on the web visit https://groups.google.com/d/msgid/velociraptor-discuss/ac1c627c-cfc3-4e34-b457-897c1ce88a40n%40googlegroups.com.

[Darren Appanah]

Hi Mike,

When running the config wizard will this overwrite all the current config or just the SSO part of the config or just append to the config?

Kind Regards,

Darren

[Mike Cohen]

It creates a new config. You can look at it as a template to compare to what you already have to see what needs to be changed.

You probably don't want to just use that config because it will have new generated keys which will not talk to existing deployed clients

Thanks

Mike

To view this discussion on the web visit https://groups.google.com/d/msgid/velociraptor-discuss/a9c3cdca-b9b5-4a7d-9b31-f0d3e52a8403n%40googlegroups.com.

[Darren Appanah]

Hi Mike,

Thanks for the information. This helped and the SSO took place when we done this.

I wanted to ask, how do we restrict users access permissions via each user that has been applied for SSO via Azure Active Directory for the Velociraptor UI and Server?

Kind Regards,

Darren 

[Mike Cohen]

I'm not sure how to manage SSO on the Azure side but Velociraptor needs it's own user ACL for each SSO account. It is not enough for SSO to provision a user, that user also needs ACL and role within the relevant org in the Velociraptor GUI.

This is because Velociraptor hands off the authentication process to SSO but still need authorisation within the app itself.

Thanks

Mike

To view this discussion on the web visit https://groups.google.com/d/msgid/velociraptor-discuss/b78d546a-c89e-49dd-90b3-8f1750664dc9n%40googlegroups.com.

[Darren Appanah]

Okay understood.

So once users from Azure AD authenticate via SSO we can mange there restrictions from the Velociraptor web UI and create an ACL for this user?

I'm just a bit confused as the users are not in the velociraptor server database yet as it would be the first time that they would be logging in via this SSO process or once they authenticate they will be cahced into the database and we can configure relevant parameters from web ui?

Kind Regards,

Darren

[Mike Cohen]

The only place where Velociraptor interfaces with SSO is via the OIDC authenticator in the GUI. What happens is that the user browser connects, then Velociraptor redirect them to the relevant authentication service and that service essentially comes back with "yes this user is who they say they are" (this is what authentication means).

Next Velociraptor attempts to load their ACL (for authorization) so at this point Velociraptor has no idea who the user is if they are not already provisioned. When that happens the error message the user gets is "user X...@gmail.com not registered" or something like that.

The admin needs to assign the user to the org with the correct roles/ACLs  - there is no way around it and we do not delegate authorization to SSO so the only way a new user can be added is via an existing user adding them in the GUI. This is a deliberate choice to avoid roles and authorization from being managed with SSO only authentication is managed (otherwise a domain admin can grant Velociraptor rights and we dont want that).

First add a new user - with SSO the username has to be exactly the same as what the SSO provider gives - usually users will see the exact name in the "not registered" message above (and you can also see it in the audit logs). It will usually be an email address at the auth provider.

Then give the user the right role on the right org you want:

Adding the user and the user logging in through SSO are independent so you can add a user before they log in the first time or after.

Thanks

Mike

Mike Cohen  Digital Paleontologist,  Velocidex Enterprises E mi...@velocidex.com

To view this discussion on the web visit https://groups.google.com/d/msgid/velociraptor-discuss/043114be-740d-48df-9b2a-851dd3da62d5n%40googlegroups.com.

[Darren Appanah]

Thank you Michael.

This is working perfectly now!

Thanks for the help :)

Kind Regards,

Darren

[Darren Appanah]

Hi Michael,

One last thing. Is there a way to specify a session timeout for logged in users?

Kind Regards,

Darren

[Mike Cohen]

https://docs.velociraptor.app/docs/deployment/references/#GUI.authenticator.default_session_expiry_min

Mike Cohen  Digital Paleontologist,  Velocidex Enterprises E mi...@velocidex.com

To view this discussion on the web visit https://groups.google.com/d/msgid/velociraptor-discuss/2aec2a55-da6c-45f6-9cf2-c207890252fcn%40googlegroups.com.