
Get Group Names instead of Group IDs

Open Bastika07 opened this issue 1 year ago • 6 comments

Describe the problem

If you have JWT group sync enabled in the self-hosted version and are using Entra ID as the IdP, you will get only the group IDs, but not the group names.

To Reproduce

Steps to reproduce the behavior:

Expected behavior

See group names instead of group IDs.

Are you using NetBird Cloud?

Self Host

NetBird version

0.27.6

NetBird status -d output:

If applicable, add the `netbird status -d` command output.

Screenshots

image

Additional context

Bastika07 avatar May 14 '24 13:05 Bastika07

Hello @Bastika07, this seems to be a limitation from Entra ID. The NetBird service is just reading the groups provided by the identity provider; we've had reports from different users with similar issues, but so far, no one has shared whether there is a solution for it in Azure.

mlsmaycon avatar May 15 '24 12:05 mlsmaycon

Could you use a query with the Graph REST API for this? https://learn.microsoft.com/en-us/graph/api/user-list-memberof?view=graph-rest-1.0&tabs=http#http-request https://learn.microsoft.com/en-us/graph/api/resources/groups-overview?view=graph-rest-1.0&tabs=http

I am no coding expert, so I can't help that much.

Bastika07 avatar May 15 '24 13:05 Bastika07

It's possible to get the group names with Entra ID in NetBird, but it's really hidden and only works when groupMembershipClaims is set to ApplicationGroup. Search for cloud_displayname in this documentation about the group claims: https://learn.microsoft.com/en-us/entra/identity-platform/optional-claims#configure-groups-optional-claims

Zaunei avatar May 15 '24 20:05 Zaunei

I configured my App Registration in Entra ID as follows and it works:

Keep in mind that you can't select cloud_displayname from the ui and you have to edit the manifest.

{
    "groupMembershipClaims": "ApplicationGroup",
    "optionalClaims": {
        "idToken": [
            {
                "name": "groups",
                "source": null,
                "essential": false,
                "additionalProperties": [
                    "cloud_displayname"
                ]
            }
        ],
        "accessToken": [
            {
                "name": "groups",
                "source": null,
                "essential": false,
                "additionalProperties": [
                    "cloud_displayname"
                ]
            }
        ],
        "saml2Token": [
            {
                "name": "groups",
                "source": null,
                "essential": false,
                "additionalProperties": [
                    "cloud_displayname"
                ]
            }
        ]
    }
}

florian-obradovic avatar May 22 '24 12:05 florian-obradovic

If you rename groups in Entra ID, they'll remain in NetBird. Can we track the object ID in NetBird and show cloud_displayname or SAMAccountName for on-premises synced groups?

florian-obradovic avatar May 22 '24 12:05 florian-obradovic

Works great, even with groups synced from on-prem Active Directory:

{
    "optionalClaims": {
        "idToken": [
            {
                "name": "groups",
                "source": null,
                "essential": false,
                "additionalProperties": [
                    "cloud_displayname",
                    "sam_account_name"
                ]
            }
        ],
        "accessToken": [
            {
                "name": "groups",
                "source": null,
                "essential": false,
                "additionalProperties": [
                    "cloud_displayname",
                    "sam_account_name"
                ]
            }
        ],
        "saml2Token": [
            {
                "name": "groups",
                "source": null,
                "essential": false,
                "additionalProperties": [
                    "cloud_displayname",
                    "sam_account_name"
                ]
            }
        ]
    }
}

florian-obradovic avatar May 22 '24 13:05 florian-obradovic
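An added example, not code from NetBird, Microsoft or anyone in this thread: after applying the manifest changes above, an admin can decode the payload of a token issued for the app and check whether the `groups` claim now carries display names (cloud_displayname / sam_account_name in effect) or still carries object IDs. The two sample tokens are constructed and unsigned; the snippet assumes signature verification happens elsewhere and is only a claims inspection helper.

```python
# Added example (not NetBird or Microsoft code): decode an Entra ID token payload
# and report whether its "groups" claim carries object IDs or display names, so an
# admin can confirm the manifest change (cloud_displayname) took effect.
# Assumption: the token signature is verified elsewhere; this only inspects claims
# and must not be used as an authorization decision on its own.
import base64
import json
import re

GUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I
)


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_claims(token: str) -> dict:
    # A compact JWS has three dot-separated segments; the payload is the second.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def classify_groups(claims: dict) -> dict:
    # Split the groups claim into object IDs (manifest change not applied)
    # and display names (cloud_displayname / sam_account_name emitted).
    groups = claims.get("groups", [])
    ids = [g for g in groups if GUID_RE.match(g)]
    names = [g for g in groups if not GUID_RE.match(g)]
    return {"object_ids": ids, "display_names": names,
            "names_emitted": bool(names) and not ids}


def _constructed_token(payload: dict) -> str:
    # Builds an unsigned sample token for offline demonstration (constructed, not real).
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(payload)}."


# Constructed sample tokens: before and after the manifest change.
BEFORE = _constructed_token({"groups": ["0f2b4d6e-1111-4aaa-9bbb-ccccddddeeee"]})
AFTER = _constructed_token({"groups": ["NetBird-Admins", "DOMAIN-VPN-Users"]})

if __name__ == "__main__":
    for label, tok in (("before", BEFORE), ("after", AFTER)):
        print(label, classify_groups(decode_claims(tok)))
```

Because NetBird then keys groups on the emitted name rather than the object ID, a group renamed in Entra ID shows up as a new name in the claim while the old NetBird group lingers, which is the behaviour noted in the thread.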