From a3634ab21d3e703b7c943f5c6ed1560f0d43e4ce Mon Sep 17 00:00:00 2001 From: Tana M Berry Date: Thu, 16 May 2024 17:00:03 -0500 Subject: [PATCH] website/docs: new PR for the Entra provider docs (ignore old one) (#9741) * new PR * ken edits * tweaks --------- Co-authored-by: Tana M Berry --- .../providers/entra/add-entra-provider.md | 66 +++++++++++++++++++ website/docs/providers/entra/index.md | 50 ++++++++++++++ website/docs/providers/entra/setup-entra.md | 31 +++++++++ website/sidebars.js | 12 ++++ 4 files changed, 159 insertions(+) create mode 100644 website/docs/providers/entra/add-entra-provider.md create mode 100644 website/docs/providers/entra/index.md create mode 100644 website/docs/providers/entra/setup-entra.md diff --git a/website/docs/providers/entra/add-entra-provider.md b/website/docs/providers/entra/add-entra-provider.md new file mode 100644 index 0000000000..be7656bd87 --- /dev/null +++ b/website/docs/providers/entra/add-entra-provider.md @@ -0,0 +1,66 @@ +--- +title: Add an Entra ID provider +--- + +Enterprise + +--- + +For more information about using an Entra ID provider, see the [Overview](./index.md) documentation. + +:::info +This feature is in technical preview, so please report any bugs on [GitHub](https://github.com/goauthentik/authentik/issues). +::: + +## Prerequisites + +To create an Entra ID provider provider in authentik, you must have already [configured Entra ID](./setup-entra.md) to integrate with authentik. You will need to obtain from Entra three values: the Application (client) ID, the Directory (tenant) ID, and the Client secret. When adding an Entra ID provider in authentik, you must provide these values. + +:::info +As detailed in the steps below, when you add an Entra ID provider in authentik you must define the **Backchannel provider** using the name of the Entra ID provider that you created in authentik. If you have also configured Entra ID to log in using authentik, then this configuration can be done on the same app. +::: + +### Create the Entra ID provider in authentik + +1. Log in as an admin to authentik, and go to the Admin interface. +2. In the Admin interface, navigate to **Applications -> Providers**. +3. Click **Create**, and in the **New provider** modal box select **Microsoft Entra Provider** as the type and click **Next**. +4. Define the following fields: + + - **Name**: define a descriptive name, such as "Entra provider". + + - **Protocol settings** + + - **Client ID**: enter the Client ID that you [copied from your Entra app](./setup-entra.md). + - **Client Secret**: enter the secret from Entra. + - **Tenant ID**: enter the Tenant ID from Entra. + - **User deletion action**: determines what authentik will do when a user is deleted from the Entra ID system. + - **Group deletion action**: determines what authentik will do when a group is deleted from the Entra ID system. + + **User filtering** + + - **Exclude service accounts**: set whether to include or exclude service accounts. + - **Group**: select any specific groups to enforce that filtering (for all actions) is done only for the selected groups. + + **Attribute mapping** + + - **User Property Mappings**: select any applicable mappings, or use the default. + - **Group Property Mappings**: select any applicable mappings, or use the default. + +5. Click **Finish**. + +### Create an Entra ID application in authentik + +1. Log in as an admin to authentik, and go to the Admin interface. +2. In the Admin interface, navigate to **Applications -> Applications**. +3. Click **Create**, and in the **Create Application** modal box define the following fields: + + - **Name**: provide a descriptive name. + - **Slug**: enter the name of the app as you want it to appear in the URL. + - **Group**: optionally, chose a group; apps in the same group are displayed together on the **My applications** page. + - **Provider**: when _not_ used in conjunction with the Entra ID SAML configuration this field should be left empty. + - **Backchannel Providers**: this field is required for Entra ID. Select the name of the Entra ID provider that you created in the steps above. + - **Policy engine mode**: select **any** or **all** to set your policy mode. + - **UI settings**: leave these fields empty for Entra ID. + +4. Click **Create**. diff --git a/website/docs/providers/entra/index.md b/website/docs/providers/entra/index.md new file mode 100644 index 0000000000..6703fa91d7 --- /dev/null +++ b/website/docs/providers/entra/index.md @@ -0,0 +1,50 @@ +--- +title: Microsoft Entra ID provider +--- + +Enterprise + +--- + +:::info +This feature is in technical preview, so please report any bugs on [GitHub](https://github.com/goauthentik/authentik/issues). +::: + +With the Microsoft Entra ID provider, authentik serves as the single source of truth for all users and groups. Configuring Entra ID as a provider allows for auto-discovery of user and group accounts, on-going synchronization of user data such as email address, name, and status, and integrated data mapping of field names and values. + +- For instructions to configure your Entra ID tenant to integrate with authentik, refer to [Configure Entra ID](./setup-entra). +- For instructions to add Entra ID as a provider in authentik, refer to [Create a Entra ID provider](./add-entra-provider). + +## About using Entra ID with authentik + +The following sections discuss how Entra ID operates with authentik. + +### Discovery + +When first creating and configuring the provider, authentik will run a discovery process and query your Entra ID for all users and groups, and attempt to match them with their respective counterparts in authentik. This discovery takes into consideration any **User filtering** options configured in the provider, such as only linking to authentik users in a specific group or excluding service accounts. + +This discovery happens every time before a full sync is started. + +### Synchronization + +There are two types of synchronization: a direct sync and a full sync. + +A _direct sync_ happens when a user or group is created, updated or deleted in authentik, or when a user is added to or removed from a group. When one of these events happens, the direct sync automatically forwards those changes to Entra ID. + +The _full sync_ happens when the provider is initially created and when it is saved. The full sync goes through all users and groups matching the **User filtering** options set and will create/update them in Entra ID. After the initial sync, authentik will run a full sync every four hours to ensure the consistency of users and groups. + +During either sync, if a user or group was created in authentik and a matching user/group exists in Entra ID, authentik will automatically link them together. Furthermore, users present in authentik but not in Entra ID will be created and and linked. + +When a property mapping has an invalid expression, it will cause the sync to stop to prevent errors from being spammed. To handle any kind of network interruptions, authentik will detect transient request failures and retry any sync tasks. + +### Customization for data mapping + +There are a couple of considerations in regard to how authentik data is mapped to Entra ID user/group data by default. + +- For users, authentik only saves the full display name, not separate first and family names. +- By default, authentik synchs a user’s email, a user’s name, and their active status between Entra ID and authentik. For groups, the name is synced. + +Refer to Microsoft documentation for further details. + +- https://learn.microsoft.com/en-us/graph/api/user-post-users?view=graph-rest-1.0&tabs=http#request-body +- https://learn.microsoft.com/en-us/graph/api/group-post-groups?view=graph-rest-1.0&tabs=http#request-body diff --git a/website/docs/providers/entra/setup-entra.md b/website/docs/providers/entra/setup-entra.md new file mode 100644 index 0000000000..70b4a588b0 --- /dev/null +++ b/website/docs/providers/entra/setup-entra.md @@ -0,0 +1,31 @@ +--- +title: Configure Entra ID +--- + +Enterprise + +--- + +The configuration of your Microsoft Entra ID environment must be completed before you [add the new provider](./add-entra-provider.md) in authentik. + +For detailed instructions, refer to Microsoft Entra ID documentation. + +## Configure Entra ID + +1. Log into the Azure portal and on the Home page, under Azure services, click on or search for **App registrations**. +2. On the **App registrations** page, click **New registration**. +3. On the **Register an application** page, define the **Name** of the app, and under **Supported account types** select **Accounts in this organizational directory only**. Leave **Redirect URI** empty. +4. Click **Register**. + The app's detail page displays. +5. On the app detail page, copy both the **Application (client) ID** and the **Directory (tenant) ID** values and store in a temporary place. These values will be needed when you [create the Entra ID provider](./add-entra-provider) in authentik. +6. Next, click on **Certificates and Secrets** in the near-left navigation pane and create a new secret. +7. On the **Certificates and Secrets** page, on the **Client secrets** tab, copy the **Value** of the secret and store it in a temporary place. Like with the client ID and the tenant ID, this secret will be needed when you [create the Entra ID provider](./add-entra-provider) in authentik. +8. Next, click on **API permissions** in the near-left navigation pane. +9. Click on **Add a permission** and add the following permissions by selecting **Microsoft Graph** and then **Application Permissions**: + - `Group.Create` + - `Group.ReadWrite.All` + - `GroupMember.ReadWrite.All` + - `User.Read` + - `User.ReadWrite.All` + +Now you are ready to [add Entra ID as a provider](./add-entra-provider.md) in authentik. diff --git a/website/sidebars.js b/website/sidebars.js index 2e89e00045..80e50cb852 100644 --- a/website/sidebars.js +++ b/website/sidebars.js @@ -95,6 +95,18 @@ const docsSidebar = { }, items: ["providers/ldap/generic_setup"], }, + { + type: "category", + label: "Microsoft Entra ID Provider", + link: { + type: "doc", + id: "providers/entra/index", + }, + items: [ + "providers/entra/setup-entra", + "providers/entra/add-entra-provider", + ], + }, { type: "category", label: "OAuth2 Provider",