
Feature: Allow login only for specific Entra group #596

Open
2 tasks done
valluwtf opened this issue Oct 18, 2024 · 2 comments

Comments

@valluwtf

valluwtf commented Oct 18, 2024

Is there an existing request for this feature?

  • I have searched the existing issues and found none that matched mine

Describe the feature

It would be great if one could allow multiple users to authenticate on multiple servers with different access rights through group membership, but all in one Entra ID Application by adding the users to groups in Entra which authd then allows.

Describe the ideal solution

I edit the broker config file with allowed groups on each host

allowed_group: <HOSTNAME1>

and on login, authd validates with the token if the user is part of that group and then allows or declines login.

Alternatives and current workarounds

Currently I would say the only workaround for granting dedicated access is to have a single Entra Application for each host, which would work but is not really ideal if you have more than a handful of hosts...

System information and logs

Environment

  • broker version: please run snap info authd-msentraid
  • authd version: please run /usr/libexec/authd version
  • gnome shell version: please run apt policy gnome-shell
  • Distribution: (NAME in /etc/os-release)
  • Distribution version: (VERSION_ID on /etc/os-release):

Log files

Please redact/remove sensitive information:

Authd entries:

journalctl -u authd.service

MS Entra ID broker entries:

journalctl -u snap.authd-msentraid.authd-msentraid.service

Application settings

Please redact/remove sensitive information:

Broker configuration:

cat /var/snap/authd-msentraid/current/broker.conf

Broker authd configuration:

cat /etc/authd/brokers.d/msentraid.conf

Relevant information

No response

Double check your logs

  • I have redacted any sensitive information from the logs
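The membership check valluwtf describes above (validate the group from the token, then allow or decline the login), written as an added example in Go, the language of authd and the broker; it is not code from either project. It assumes a hypothetical allowed_groups list of Entra group object IDs, takes a token payload whose signature has already been verified, and fails closed in the Entra groups-overage case, where the token carries a `_claim_names` pointer instead of a `groups` claim.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// ErrGroupsOverage: Entra omitted "groups" (too many memberships); resolve via Graph first.
var ErrGroupsOverage = errors.New("groups overage: token carries no groups claim")

// CheckGroupMembership decides whether the subject of an already
// signature-verified ID token may log in on this host. claimsJSON is the
// decoded payload; allowed holds the Entra group object IDs permitted here
// (hypothetical allowed_groups setting). Ambiguity fails closed.
func CheckGroupMembership(claimsJSON []byte, allowed []string) (bool, string, error) {
	var claims struct {
		Groups     []string          `json:"groups"`
		ClaimNames map[string]string `json:"_claim_names"`
	}
	if err := json.Unmarshal(claimsJSON, &claims); err != nil {
		return false, "malformed claims", err
	}
	if len(allowed) == 0 {
		return false, "no allowed groups configured on this host", nil
	}
	if claims.Groups == nil {
		// Overage marker: "groups" replaced by a pointer to a Graph source.
		if _, ok := claims.ClaimNames["groups"]; ok {
			return false, "groups overage not resolved", ErrGroupsOverage
		}
		return false, "token has no groups claim", nil
	}
	allowedSet := make(map[string]struct{}, len(allowed)) // object IDs, not display names
	for _, g := range allowed {
		allowedSet[g] = struct{}{}
	}
	for _, g := range claims.Groups {
		if _, ok := allowedSet[g]; ok {
			return true, "member of allowed group " + g, nil
		}
	}
	return false, "not a member of any allowed group", nil
}

func main() { // constructed sample payload, not a real token
	ok, why, err := CheckGroupMembership([]byte(`{"groups":["11111111-2222-3333-4444-555555555555"]}`),
		[]string{"11111111-2222-3333-4444-555555555555"})
	fmt.Printf("allowed=%v reason=%q err=%v\n", ok, why, err)
}
```

Matching on object IDs rather than display names matters because names are neither unique nor immutable, and the overage branch is the case a naive "groups claim contains X" check silently gets wrong.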
@valluwtf
Author

Well... I just added the AllowGroups setting in sshd.config and that fixes this easily, so this feature is not really necessary for us anymore since we only use SSH login.

@namato1
Copy link

namato1 commented Dec 20, 2024

You can also set a group when creating the Azure Application as well. It limits who can log in.
