Add end user's IdP information to host vitals
Goal
| User story |
|---|
| As an IT admin, |
| I want to add end user's info (e.g. IdP email, full name, IdP groups, etc.) from the identity provider (IdP) to host vitals |
| so that I can identify which end user is assigned to each host. |
Key result
Fleet users can add host vitals from their IdP as variables in configuration profiles
Original requests
#21028
Context
- Product designer: @marko-lisica
@marko-lisica: LDAP research document
Changes
Product
- [x] UI changes: Figma link
- [x] CLI (fleetctl) usage changes: No changes.
- [x] YAML changes: No changes.
- [x] REST API changes: #26855
- [x] Fleet's agent (fleetd) changes: No changes.
- [x] GitOps mode changes: No changes.
- [x] Activity changes: No changes.
- [ ] Permissions changes: Global maintainer and up. Permissions guide PR.
- [ ] Changes to paid features or tiers: Fleet Premium only. Pricing table PR
- [x] Transparency changes: No changes.
- [x] First draft of test plan added
- [x] Other reference documentation changes: No changes.
- [ ] Once shipped, requester has been notified
- [ ] Once shipped, dogfooding issue has been filed
Engineering
- [x] Test plan is finalized
- [x] Feature guide changes: #26989
- [x] Database schema migrations: #27280
- [x] Load testing: N/A
ℹ️ Please read this issue carefully and understand it. Pay special attention to UI wireframes, especially "dev notes".
QA
Risk assessment
- Requires load testing: No
- Risk level: Low
- Risk description: Updating osquery-perf to support IdP is not worth the effort relative to the risk of skipping load testing. We believe the initial sync with the IdP may have an impact on server performance, but subsequent updates to user information will be minimal.
Test plan
Make sure to go through the list and consider all events that might be related to this story, so we catch edge cases earlier.
UI
- [x] On the `/settings/integrations` page there should be a new sub page `/identity-provider`.
- [x] Make sure that Okta's SCIM integration can be connected to Fleet by following the user guide provided on `/settings/integrations/identity-provider` in the integration card (learn how link).
- [x] If users create a SCIM integration app in Okta, and something isn't right when they try to test the connection, make sure that the state of the integration card on `/settings/integrations/identity-provider` isn't changed. It should change only after the first successful request from the Okta SCIM client.
- [x] Make sure that after the first successful request (IdP connected) from Okta, Fleet always shows the latest request from Okta on the `/settings/integrations/identity-provider` page with a timestamp. In case of error, make sure that Fleet shows the error message in a tooltip that appears on hover over the text in the integration card.
- [x] On macOS host details the new "User" card should always be visible.
- [x] On macOS host details in the new "User" card, Email (IdP) should always be visible, whether or not it has a value.
- [x] On macOS host details in the "User" card, make sure that Email (IdP) is the email that's available today in `GET /api/v1/fleet/hosts/1/device_mapping` with `source = 'mdm_idp_accounts'` (the one that gets assigned to a host when the user authenticates during ADE).
- [x] On macOS host details in the new "User" card, the Google Chrome profiles and Other email fields should be present only if they have a value.
- [x] On other platforms (except macOS) host details in the new "User" card, Email (IdP) shouldn't be present, and only fields that have a value should be visible (Google Chrome profiles and Other email). If no fields are available, hide the "User" card.
- [x] On the macOS host details page, in the "User" card, if Email (IdP) has a value and the IdP is NOT connected (Fleet didn't receive at least one successful request from the IdP), show a tooltip over the Full name (IdP) and Group (IdP) labels to guide the user to connect the IdP in Fleet settings.
- [x] On the macOS host details page, in the "User" card, if Email (IdP) has a value and the IdP IS connected (Fleet received at least one successful request from the IdP), show a tooltip over the Full name (IdP) label to tell users that this is the combination of the `givenName` and `familyName` SCIM attributes.
- [ ] On macOS host details in the "User" card, if Email (IdP) has a value, then the Add user button shouldn't be present.
- [x] Make sure that Groups in the User card match those assigned to the user in Okta (IdP).
- [x] Make sure that the information populated in the User card matches what is assigned to the user in Okta.
- [x] Make sure that when user information is updated in Okta, the change is reflected on host details (e.g. if an admin changed `lastName` in Okta, it should be changed in Fleet, and if a user changes `userName` in Okta it should be changed in Fleet as well).
- [x] Make sure that group assignment changes in Okta are reflected in Fleet (e.g. a user in Okta got assigned to a new group or got removed from a group).
- [x] Verify that the human-device mapping (user information, e.g. Chrome Profiles, custom email and IdP email, etc.) is deleted when a host is deleted. That way, when the host re-enrolls after wipe/delete it has a fresh human-device mapping entry.
- [x] Make sure that if the user in Okta doesn't have all required SCIM attributes (`userName`, `givenName`, and `familyName`), Fleet shows an error message in settings > integrations > IdP, and Fleet sends an error to Okta, which is displayed when you open the user's page in Okta.
- [x] Make sure that the "Users" card appears on the My device page.
- [x] Make sure that end users don't see tooltips over the Groups (IdP) field.
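The required-attribute check above (`userName`, `givenName`, `familyName`) and the Full name (IdP) derivation, written as an added Go example; this is not Fleet's SCIM implementation. It assumes a hypothetical `hostUser` struct for the "User" card fields and returns the RFC 7644 error body a SCIM client such as Okta expects.

```go
package main

import (
	"encoding/json"
	"strings"
)

// Subset of a SCIM 2.0 User the test plan depends on: userName is the IdP email.
type scimUser struct {
	UserName string `json:"userName"`
	Name     struct {
		GivenName  string `json:"givenName"`
		FamilyName string `json:"familyName"`
	} `json:"name"`
}

// RFC 7644 section 3.12 error body; Okta shows "detail" on the affected user's page.
type scimError struct {
	Schemas  []string `json:"schemas"`
	Status   string   `json:"status"`
	ScimType string   `json:"scimType,omitempty"`
	Detail   string   `json:"detail"`
}

type hostUser struct{ Email, FullName string } // hypothetical "User" card fields

func newSCIMError(scimType, detail string) *scimError {
	return &scimError{Schemas: []string{"urn:ietf:params:scim:api:messages:2.0:Error"},
		Status: "400", ScimType: scimType, Detail: detail}
}

// validateSCIMUser rejects a user missing userName, givenName or familyName.
func validateSCIMUser(body []byte) (*hostUser, *scimError) {
	var u scimUser
	if err := json.Unmarshal(body, &u); err != nil {
		return nil, newSCIMError("invalidSyntax", "body is not a SCIM User: "+err.Error())
	}
	var missing []string
	for _, r := range []struct{ name, val string }{
		{"userName", u.UserName}, {"givenName", u.Name.GivenName}, {"familyName", u.Name.FamilyName},
	} {
		if strings.TrimSpace(r.val) == "" {
			missing = append(missing, r.name)
		}
	}
	if len(missing) > 0 {
		return nil, newSCIMError("invalidValue", "missing required SCIM attribute(s): "+strings.Join(missing, ", "))
	}
	return &hostUser{Email: u.UserName, FullName: u.Name.GivenName + " " + u.Name.FamilyName}, nil
}
```

A user with all three attributes yields the card fields; one with a blank or absent attribute gets a 400 `invalidValue` error naming the missing attributes, which is what the Okta user page then displays.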
API
- [x] Make sure that `/api/v1/fleet/scim` and `/api/v1/fleet/scim/<any_other_route>` are available for Premium users only.
- [x] Make sure that `/api/v1/fleet/scim` and `/api/v1/fleet/scim/<any_other_route>` are available for Maintainer and Admin roles.
Happy path
- Create Okta SCIM application and connect it to Fleet, following Fleet's user guide that's linked in Fleet UI
- Assign users and push groups from the Okta SCIM application to Fleet, following Fleet's user guide.
- Enroll new host via ADE (with end user authentication enabled)
- After successful enrollment, go to host details of that host and make sure that Email (IdP), Full name (IdP) and Groups (IdP) are populated based on IdP email that's assigned to user via ADE enrollment flow.
- Go to Okta, open the user that's mapped to the host above, change its last name, and make sure that the change is reflected in Fleet.
Testing notes
Confirmation
- [x] Engineer (@getvictor): Added comment to user story confirming successful completion of QA.
- [ ] QA (@____): Added comment to user story confirming successful completion of QA.
Hey @marko-lisica, left some feedback in a Loom video here.
related: https://github.com/fleetdm/fleet/issues/21028
FYI @marko-lisica I presented wireframes to Mike and got feedback that I think we want to address when we come back this story.
Feedback and Gong recording are in this Google doc: https://docs.google.com/document/d/1CVWjE23RiUIpR7b4orojkxFp4gEzr4qDLmSv-TNxf6M/edit?tab=t.0
Hey @marko-lisica, I recorded some UI feedback here: https://drive.google.com/file/d/1amow8wVZrNkZI80Ri9Sb2QSDWgRsEYB8/view?usp=sharing
It's a longer video because I did some wireframing (added proposed tweaks).
@marko-lisica Is there a new API endpoint for SCIM requests to Fleet? How is authentication handled? We don't want random requests messing with our IdP data.
@getvictor It's described in the feature guide PR here.
TL;DR: we'll add new SCIM endpoints to accept requests from SCIM clients (e.g. Okta, Entra ID). Fleet admin will create API-only users and use API token from that user in IdP.
As long as the tokens are secure & can be invalidated & don't leak, in my opinion this is fine & similar to the way other tools integrate things like this.
@georgekarrv just a reminder that this story is ready to spec. Can you please work with the folks on #g-mdm to fill out the "TODOs" in the engineering section so we can estimate this one tomorrow? Thanks!
Hey @georgekarrv just following up to say this story, along with several other #g-mdm stories are in the "Ready to spec" column.
@georgekarrv please let @marko-lisica and I know if we can be helpful getting the stories ready for estimation today!
https://developer.okta.com/docs/api/openapi/okta-scim/guides/scim-20/
https://scim.cloud/
each of these endpoints should accept POST, GET, DELETE, PUT and PATCH
Estimation occurred on March 19th
@marko-lisica can you please add Entra and Google Workspace (w/ Authentik) to the test plan and work with the team to make sure we're testing that before release?
Successfully did QA. Outstanding issues in Slack thread: https://fleetdm.slack.com/archives/C03C41L5YEL/p1744303587829669
QA Test Results
Successfully completed test plan and confirmed all unreleased bugs have been resolved.
IdP data flows into Fleet, Host vitals gain depth and heat. Admin's task is sweet.