
Harbor and Azure Active Directory

Open roldancer opened this issue 5 years ago • 12 comments

Hi All, I would like to know if Harbor supports authentication via Azure Active Directory. Is there any documentation about that integration?

Many thanks.

roldancer avatar Sep 22 '19 20:09 roldancer

It is not supported. Can you please test and let us know if there are any issues, and we can support from there? @roldancer

xaleeks avatar Nov 11 '19 09:11 xaleeks

This works when using the OIDC provider.

  1. Create an app registration in Azure AD. Note down the tenant ID and client ID.
  2. Create a secret for the app registration. Note down the secret.
  3. In Harbor select the OIDC authentication method.
  4. The name can be anything you want.
  5. The endpoint is https://login.microsoftonline.com/{tenant-id}/v2.0 (note that it does not end with a /, and does not include the ".well-known/openid-configuration" part).
  6. Enter the client ID and secret.
  7. Use the scope "openid,email,profile" (no spaces).
  8. Testing the connection should work.
  9. Save, log out and try to log in using the "Login using OIDC" button.

yaron avatar Feb 21 '20 08:02 yaron

Thanks for the info!!!! What would be the redirect URL for application registration in Azure AD?

jeremy-chua avatar Feb 22 '21 03:02 jeremy-chua

No worries, I got my answer. It's at the bottom of the OIDC page.

jeremy-chua avatar Feb 22 '21 03:02 jeremy-chua

@stonezdj It seems to me that this issue can be considered resolved as of @yaron's answer. I can also confirm that it works using OIDC with Azure AD, or at least to the same degree as Harbor works with any OIDC provider.

lindhe avatar May 31 '21 16:05 lindhe

@jeremy-chua

No worries, I got my answer. It's at the bottom of the OIDC page.

Mind sharing this answer in this issue thread? It looks to me like it has been removed from the documentation.

sspreitzer avatar Dec 29 '21 16:12 sspreitzer

@jeremy-chua It is a misunderstanding. The information is not covered in the documentation, but at the bottom of the configuration page of the Harbor instance WebUI.

sspreitzer avatar Jan 04 '22 14:01 sspreitzer

@jeremy-chua It is a misunderstanding. The information is not covered in the documentation, but at the bottom of the configuration page of the Harbor instance WebUI.

Yes, you are right. It's like a fine print. :)

jeremy-chua avatar Jan 05 '22 02:01 jeremy-chua

This issue is being marked stale due to a period of inactivity. If this issue is still relevant, please comment or remove the stale label. Otherwise, this issue will close in 30 days.

github-actions[bot] avatar Jul 07 '22 09:07 github-actions[bot]

@yaron @xaleeks any information on connecting groups to Azure AD?

melhajal avatar Jul 27 '22 12:07 melhajal

@yaron @xaleeks any information on connecting groups to Azure AD?

You set Group Claim Name to groups then the groups can be referred to by their ID. It doesn't give you their name field though, so you gotta figure out what ID is what group yourself, but it works.

devopstagon avatar Oct 31 '22 10:10 devopstagon

Just want to document how I got it working in 2022. The steps above are correct, but there are a couple of other things to note.

  1. Azure Active Directory --> App Registrations --> New Registration
  • Name it whatever you want
  • Choose Accounts in this organizational directory only (though your use case may vary)
  • Redirect URI: Web <-- This is important. Make the value: https://YOUR-CORE-HARBOR-DOMAIN/c/oidc/callback <<- This value is also on the bottom of the Configuration --> Authentication tab in the Harbor dashboard.
  • Make note of the Application (client) ID & the Directory (tenant) ID
  • Click Certificates & secrets --> Client secrets --> +New client secret. Have it expire whenever you want to rotate it. Copy this value.

  2. In the Harbor dashboard go to Configuration --> Authentication
  • Auth Mode --> OIDC
  • OIDC Endpoint --> https://login.microsoftonline.com/TENANT ID FROM ABOVE/v2.0
  • OIDC Client ID --> CLIENT ID FROM ABOVE
  • OIDC Client Secret --> SECRET FROM ABOVE
  • Group Claim Name --> groups
  • OIDC Scope --> openid,email,profile,offline_access

Save it.

This will now enable a Groups tab in the Harbor dashboard. It's going to be populated with the Azure AD Object ID of the groups found. I believe it's populated with groups found by users who log in.

Have your users go to the Harbor dashboard login screen and choose LOGIN VIA OIDC PROVIDER and they should get it. They do get to choose their user name in Harbor, though it defaults to Firstname_Lastname as a suggestion.

Once logged in they'll have access to basically nothing until you add them to Projects. I added an Azure AD groups Object ID to a project and those users have the specified level of access to that Harbor project now. It doesn't look like Group Name works - you have to use Object ID.

Once logged in I can go to my User Profile and grab the CLI secret, which is what I can use in my docker/podman client to push/pull from the Project(s) my group has access to. User name is whatever is chosen when first registering/logging in.

Hope this helps someone!

bitva77 avatar Nov 16 '22 19:11 bitva77

Does anyone know if it's possible to use Azure AD groups instead of Windows AD groups synced in Azure? We tried many different configurations in Azure including using App Roles, but I think these aren't supported?

UPiotr avatar Jan 20 '23 14:01 UPiotr

Azure AD groups should have unique IDs like Windows groups. Get the ID and set that. If it still doesn't work then you misconfigured something. Azure AD and Windows Server groups are typically on the same domain within your organisation, so you should have both available to set.


devopstagon avatar Jan 22 '23 02:01 devopstagon

I managed to get it working by setting an additional group claim on the Azure AD side in the App Registration settings. Then all AD groups were populated into Harbor using their Group ID.

Edit: still have issue to claim groups....

mts-dyt avatar Mar 22 '23 19:03 mts-dyt

I managed to get it working by setting an additional group claim on the Azure AD side in the App Registration settings. Then all AD groups were populated into Harbor using their Group ID.

Edit: still have issue to claim groups....

Hello, if you have set up Azure AD OIDC auth, then you have to go to

App Registrations >> your harbor app >> Token configuration >> + Add groups claim >> Security groups >> ID >> Group ID >> Access >> Group ID >> SAML >> Group ID.

Like this, when a user logs in through OIDC, the group IDs will appear in Groups.

But now I need to learn how to use group names instead of IDs.

olinigorov avatar Apr 26 '23 17:04 olinigorov

@olinigorov #12178 - sorry, not really possible out of the box.

johanot avatar May 25 '23 12:05 johanot

@olinigorov did you get the group mapping working this way? Does it set the members of the group as admin? In which version of Harbor?

tjouffroy avatar Jul 13 '23 12:07 tjouffroy

I went with Dex in between AAD and Harbor. i.e.:

Harbor -> (oidc) -> Dex -> (microsoft) -> Azure AD

ref: https://dexidp.io/docs/connectors/microsoft/

Dex uses the Microsoft Graph API to enrich the OIDC token group claim with group names.

I might be able to get rid of Dex once I have access to this AzureAD feature: https://learn.microsoft.com/en-us/azure/active-directory/hybrid/connect/how-to-connect-fed-group-claims#emit-cloud-only-group-display-name-in-token - which is currently in preview.

johanot avatar Jul 13 '23 13:07 johanot

You can use "app roles" in your Azure app registration and link the roles to an Azure AD group.

As "Group Claim" use "roles":

Group Claim Name --> roles

(https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/groups-concept)

DT0002 avatar Oct 27 '23 05:10 DT0002

I found a solution for using the group names that requires editing the azure ad application manifest: https://github.com/goharbor/harbor/issues/12178#issuecomment-1853650100

l-drews avatar Dec 13 '23 10:12 l-drews

Just for additional context: if you define Azure/Entra groups for users, and also use app_roles, make sure to map the app_roles to your Azure/Entra groups in the Enterprise Application location of your app registration, using the Edit Assignment button.

You will still get an error in the harbor-core logs about Unable to get groups from claims, but roles and permissions should be mapped correctly, and users will have correct permissions. Inside Harbor, users will have the admin flag set to Unknown.

olhado avatar May 20 '24 18:05 olhado
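Added example, not Harbor's or Microsoft's code: an offline check of which claim an Azure AD ID token actually carries before you pick Harbor's Group Claim Name (groups, as in bitva77's steps, or roles, as DT0002 suggests), and of the two token shapes behind the "Unable to get groups from claims" log line olhado mentions. The claim lookup is my approximation of what Harbor does, the token builder and GUIDs are constructed placeholders, and the signature is deliberately not verified, so this is a configuration aid only.

```python
import base64
import json

# Added example: inspect the group claim an Azure AD / Entra ID token would hand to Harbor.
# It decodes the JWT WITHOUT verifying the signature, so it is a configuration check only
# (which claim to put in Harbor's "Group Claim Name"), never an authenticator.

def b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT (header.payload.signature)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(b64url_decode(parts[1]))

def groups_from_claims(claims: dict, claim_name: str) -> list:
    """Approximation of Harbor's lookup of the configured Group Claim Name.

    Azure emits group Object IDs under "groups" and app-role values under "roles".
    Raises ValueError in the two cases that surface as 'Unable to get groups from
    claims': the claim is absent, or Azure hit its group "overage" limit and replaced
    the list with _claim_names/_claim_sources pointing at Microsoft Graph."""
    if claim_name in claims.get("_claim_names", {}):
        raise ValueError(f"{claim_name!r} overage: groups are only available via Graph")
    value = claims.get(claim_name)
    if value is None:
        raise ValueError(f"claim {claim_name!r} missing from token")
    if isinstance(value, str):  # a single value may arrive as a bare string
        value = [value]
    return [str(v) for v in value]

def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned (alg=none) JWT for offline testing only."""
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{b64url_encode(json.dumps(claims).encode())}."

# Constructed sample tokens; the GUIDs are placeholders, not real tenants or groups.
SAMPLE_GROUPS_TOKEN = make_unsigned_token({"groups": ["11111111-1111-1111-1111-111111111111"]})
SAMPLE_ROLES_TOKEN = make_unsigned_token({"roles": ["harbor-developers"]})
SAMPLE_OVERAGE_TOKEN = make_unsigned_token({
    "_claim_names": {"groups": "src1"},
    "_claim_sources": {"src1": {"endpoint": "https://graph.microsoft.com/v1.0/me/getMemberObjects"}},
})
```

Paste a real ID token's payload into `jwt_claims` to see whether the Object IDs Harbor's Groups tab will show are present under the claim name you configured.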