
Add end user's IdP information from authentik to host vitals

Open marko-lisica opened this issue 7 months ago • 2 comments

Goal

User story
As an IT admin,
I want to add end user's info (e.g. IdP email, full name, IdP groups, etc.) from the authentik identity provider (IdP) to host vitals
so that I can identify which end user is assigned to each host.

Key result

Different apps, OS settings, and queries for different employees based on department

Original requests

#21028

Context

  • Product Designer: @marko-lisica

Changes

Product

  • [ ] UI changes: No changes.
  • [ ] CLI (fleetctl) usage changes: No changes.
  • [ ] YAML changes: No changes.
  • [ ] REST API changes: No changes.
  • [ ] Fleet's agent (fleetd) changes: No changes.
  • [ ] GitOps mode changes: No changes.
  • [ ] Activity changes: No changes.
  • [ ] Permissions changes: No changes.
  • [ ] Changes to paid features or tiers: Fleet Premium only. Pricing table PR
  • [ ] My device and fleetdm.com/better changes: No changes
  • [ ] First draft of test plan added
  • [ ] Other reference documentation changes: No changes.
  • [ ] Once shipped, requester has been notified
  • [ ] Once shipped, dogfooding issue has been filed

Engineering

  • [ ] Test plan is finalized
  • [ ] Contributor API changes: N/A
  • [ ] Feature guide changes: Bring back authentik part from this doc.
  • [ ] Database schema migrations: N/A
  • [ ] Load testing: N/A

ℹ️  Please read this issue carefully and understand it. Pay special attention to UI wireframes, especially "dev notes".

QA

Risk assessment

  • Requires load testing: No
  • Risk level: Low

Test plan

Make sure to go through the list and consider all events that might be related to this story, so we catch edge cases earlier.

  • [x] Make sure that Google Workspace can be connected to authentik by following the user guide provided here.
  • [x] Make sure that authentik SCIM integration can be connected to Fleet by following the user guide provided here.
  • [x] If users create a SCIM integration in authentik and something isn't right when they test the connection, make sure that the state of the integration card on /settings/integrations/identity-provider isn't changed. It should change only after the first successful request from the authentik SCIM client.
  • [x] Make sure that after the first successful request from authentik (IdP connected), Fleet always shows the latest request from authentik, with its timestamp, on the /settings/integrations/identity-provider page. In case of an error, make sure that Fleet shows the error message in a tooltip that appears on hover over the text in the integration card.
  • [x] Make sure that Groups in the User card match those assigned to a user in Google Workspace (IdP).
  • [x] Make sure that the information populated in the User card matches the information assigned to the user in Google Workspace.
  • [x] Make sure that when user information is updated in Google Workspace, the change is reflected on host details (e.g. if an admin changes lastName in Google Workspace, it should change in Fleet, and if an admin changes userName in Google Workspace it should change in Fleet as well).
  • [x] Make sure that group assignment changes in Google Workspace are reflected in Fleet (e.g. a user in Google Workspace is assigned to a new group or removed from a group).
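The integration-state rules the test plan checks (card state unchanged until the first successful SCIM request, latest request always kept with a timestamp, error text surfaced on failure), modelled as an added Go example that is not Fleet's own code: the endpoint path, token handling and field names are assumptions for illustration.

```go
package main

import (
	"crypto/subtle"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// ScimIntegration is a hypothetical model (not Fleet's code) of the state the
// test plan checks: Connected flips only on the first successful request and is
// never reset by a later failure; the newest request is kept with its timestamp.
type ScimIntegration struct {
	Token      string // constructed bearer token issued to the authentik SCIM client
	Connected  bool
	LastAt     time.Time
	LastStatus int
	LastError  string // error text shown in the card tooltip; empty on success
}

func (s *ScimIntegration) record(status int, errText string) {
	s.LastAt, s.LastStatus, s.LastError = time.Now().UTC(), status, errText
	if status < 300 {
		s.Connected = true
	}
}

// ServeHTTP compares the bearer token in constant time and records the outcome either way.
func (s *ScimIntegration) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	tok := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
	if tok == "" || subtle.ConstantTimeCompare([]byte(tok), []byte(s.Token)) != 1 {
		s.record(http.StatusUnauthorized, "invalid or missing bearer token")
		http.Error(w, "unauthorized", http.StatusUnauthorized)
		return
	}
	s.record(http.StatusOK, "")
	w.Header().Set("Content-Type", "application/scim+json")
	w.WriteHeader(http.StatusOK)
}

// Probe issues one request, like authentik's "test connection", and returns the status.
func Probe(s *ScimIntegration, path, token string) int {
	req := httptest.NewRequest(http.MethodGet, path, nil)
	req.Header.Set("Authorization", "Bearer "+token)
	rec := httptest.NewRecorder()
	s.ServeHTTP(rec, req)
	return rec.Code
}
```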

Happy path

  1. Create Google Workspace LDAP integration to authentik and SCIM integration in authentik to connect it to Fleet, following Fleet's user guide that's linked in Fleet UI.
  2. Enroll a new host via ADE (with end user authentication enabled).
  3. After successful enrollment, go to the host details of that host and make sure that Username (IdP), Full name (IdP) and Groups (IdP) are populated based on the IdP username assigned to the user via the ADE enrollment flow.
  4. Go to Google Workspace, go to that user that's mapped to a host above, change its last name, and make sure that the change is reflected in Fleet.

Testing notes

Confirmation

  1. [x] Engineer: Added comment to user story confirming successful completion of test plan.
  2. [x] QA: Added comment to user story confirming successful completion of test plan.

Demo video

https://youtu.be/5cuR3uO1Rbk

marko-lisica avatar Apr 14 '25 12:04 marko-lisica

authentik is already integrated with (and appears to be working on) Dogfood.

getvictor avatar May 08 '25 21:05 getvictor

QA Test Results:

✅ Successfully completed the test plan and happy path using a different Google Workspace instance (not Dogfood).

PezHub avatar May 31 '25 05:05 PezHub

Authentik info shared, Nurtures security, like leaves, Host vitals, now paired.

fleet-release avatar Jul 23 '25 11:07 fleet-release