Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Harbor and Azure Active Directory #9193

Closed
roldancer opened this issue Sep 22, 2019 · 22 comments
Closed

Harbor and Azure Active Directory #9193

roldancer opened this issue Sep 22, 2019 · 22 comments
Assignees
@stonezdj
Labels
area/ldap kind/requirement New feature or idea on top of harbor

Comments

@roldancer
Copy link

Hi All, I would like to know if Harbor supports authentication via Azure Active Directory, is there any documentation about that integration ?

Many thanks.
@stonezdj stonezdj added the kind/requirement New feature or idea on top of harbor label Oct 10, 2019
@stonezdj stonezdj self-assigned this Oct 10, 2019
@xaleeks
Copy link
Contributor

xaleeks commented Nov 11, 2019

It is not supported. Can you please test and let us know if there are any issues, and we can support from there? @roldancer

@yaron
Copy link

yaron commented Feb 21, 2020

This works when using the oicd provider.

  1. Create an app registraion in azure ad.
    Note down the tenant id and client id.
  2. Create a secret for the app registration.
    Note down the secret.
  3. In Harbor select the oicd authentication method.
  4. The name can be anything you want.
  5. The endpoint is https://login.microsoftonline.com/{tenant-id}/v2.0 (note that it does not end with a /, and does not include the ".well-known/openid-configuration" part).
  6. Enter the client-id and secret
  7. Use the scope "openid,email,profile" (no spaces).
  8. Testing the connection should work.
  9. Save, log out and try to login using the "Login using OICD" button.

@fl-max fl-max mentioned this issue Jul 20, 2020
Closed
@jeremy-chua
Copy link

jeremy-chua commented Feb 22, 2021
edited
Loading

This works when using the oicd provider.

  1. Create an app registraion in azure ad.
    Note down the tenant id and client id.
  2. Create a secret for the app registration.
    Note down the secret.
  3. In Harbor select the oicd authentication method.
  4. The name can be anything you want.
  5. The endpoint is https://login.microsoftonline.com/{tenant-id}/v2.0 (note that it does not end with a /, and does not include the ".well-known/openid-configuration" part).
  6. Enter the client-id and secret
  7. Use the scope "openid,email,profile" (no spaces).
  8. Testing the connection should work.
  9. Save, log out and try to login using the "Login using OICD" button.

Thanks for the info!!!!
What would be the redirect URL for application registration in Azure AD?

@jeremy-chua
Copy link

This works when using the oicd provider.

  1. Create an app registraion in azure ad.
    Note down the tenant id and client id.
  2. Create a secret for the app registration.
    Note down the secret.
  3. In Harbor select the oicd authentication method.
  4. The name can be anything you want.
  5. The endpoint is https://login.microsoftonline.com/{tenant-id}/v2.0 (note that it does not end with a /, and does not include the ".well-known/openid-configuration" part).
  6. Enter the client-id and secret
  7. Use the scope "openid,email,profile" (no spaces).
  8. Testing the connection should work.
  9. Save, log out and try to login using the "Login using OICD" button.

Thanks for the info!!!!
What would be the redirect URL for application registration in Azure AD?

No worries, i got my answer.
It's at the bottom of the OIDC page.

@lindhe
Copy link

lindhe commented May 31, 2021

@stonezdj It seems to me that this issue can be considered resolved as of @yaron's answer. I can also confirm that it works using OIDC with Azure AD, or at least to the same degree as Harbor works with any OIDC provider.

@sspreitzer
Copy link

@jeremy-chua

No worries, i got my answer.
It's at the bottom of the OIDC page.

Mind sharing this answer in this issue thread? It looks to me it has been removed from the documentation.

@sspreitzer
Copy link

@jeremy-chua It is a misunderstanding. The information is not covered in the documentation, but in the bottom if the configuration page of the harbor instance WebUI.

@jeremy-chua
Copy link

@jeremy-chua It is a misunderstanding. The information is not covered in the documentation, but in the bottom if the configuration page of the harbor instance WebUI.

Yes, you are right. It's like a fine print. :)

@github-actions
Copy link

github-actions bot commented Jul 7, 2022

This issue is being marked stale due to a period of inactivity. If this issue is still relevant, please comment or remove the stale label. Otherwise, this issue will close in 30 days.

@github-actions github-actions bot added Stale and removed Stale labels Jul 7, 2022
@melhajal
Copy link

melhajal commented Jul 27, 2022
edited
Loading

This works when using the oicd provider.

  1. Create an app registraion in azure ad.
    Note down the tenant id and client id.
  2. Create a secret for the app registration.
    Note down the secret.
  3. In Harbor select the oicd authentication method.
  4. The name can be anything you want.
  5. The endpoint is https://login.microsoftonline.com/{tenant-id}/v2.0 (note that it does not end with a /, and does not include the ".well-known/openid-configuration" part).
  6. Enter the client-id and secret
  7. Use the scope "openid,email,profile" (no spaces).
  8. Testing the connection should work.
  9. Save, log out and try to login using the "Login using OICD" button.

@yaron @xaleeks any information on connecting groups to Azure AD?

@devopstagon
Copy link

This works when using the oicd provider.

  1. Create an app registraion in azure ad.
    Note down the tenant id and client id.
  2. Create a secret for the app registration.
    Note down the secret.
  3. In Harbor select the oicd authentication method.
  4. The name can be anything you want.
  5. The endpoint is https://login.microsoftonline.com/{tenant-id}/v2.0 (note that it does not end with a /, and does not include the ".well-known/openid-configuration" part).
  6. Enter the client-id and secret
  7. Use the scope "openid,email,profile" (no spaces).
  8. Testing the connection should work.
  9. Save, log out and try to login using the "Login using OICD" button.

@yaron @xaleeks any information on connecting groups to Azure AD?

You set Group Claim Name to groups then the groups can be referred to by their ID. It doesn't give you their name field though, so you gotta figure out what ID is what group yourself, but it works.

@bitva77
Copy link

bitva77 commented Nov 16, 2022

Just want to document how I got it working in 2022. The steps above are correct but there's a couple other things to note

  1. Azure Active Directory --> App Registrations --> New Registration

  • Name it whatever you want

  • Choose Accounts in this organizational directory only (though your use case may vary)

  • Redirect URI: Web <-- This is important. Make the value: https://YOUR-CORE-HARBOR-DOMAIN/c/oidc/callback <<- This value is also on the bottom of the Configuration --> Authentication tab in the Harbor dashboard.

  • Make note of the Application (client) ID & the Directory (tenant) ID

  • Click Certificates & secrets --> Client secrets --> +New client secret. Have it expire whenever you want to rotate it. Copy this value.

  1. In the Harbor dashboard go to Configuration --> Authentication
  • Auth Mode --> OIDC
  • OIDC Endpoint --> https://login.microsoftonline.com/TENANT ID FROM ABOVE/v2.0
  • OIDC Client ID --> CLIENT ID FROM ABOVE
  • OIDC Client Secret --> SECRET FROM ABOVE
  • Group Claim Name --> groups
  • OIDC Scope --> openid,email,profile,offline_access

Save it.

This will now enable a Groups tab in the Harbor dashboard. It's going to be populated with the Azure AD Object ID of the groups found. I believe it's populated with groups found by users who login.

Have your users go to the Harbor dashboard login screen and choose LOGIN VIA OIDC PROVIDER and they should get it. They do get to choose their user name in Harbor though it is defaults to Firstname_Lastname as a suggestion.

Once logged in they'll have access to basically nothing until you add them to Projects. I added an Azure AD groups Object ID to a project and those users have the specified level of access to that Harbor project now. It doesn't look like Group Name works - you have to use Object ID.

Once logged in I can go to my User Profile and grab the CLI secret, which is what I can use in my docker/podman client to push/pull from the Project(s) my group has access to. User name is whatever is chosen when first registering/logging in.

Hope this helps someone!

@UPiotr
Copy link

UPiotr commented Jan 20, 2023

Does anyone know if it's possible to use Azure AD groups instead of Windows AD groups synced in Azure? We tried many different configurations in Azure including using App Roles, but I think these aren't supported?

@devopstagon
Copy link

devopstagon commented Jan 22, 2023 via email

@mts-dyt
Copy link

mts-dyt commented Mar 22, 2023
edited
Loading

I managed to get to working by settings additional group claim on Azure AD side in AppRegistration settings. Then all AD groups have been populated into Harbor using their GroupID.

Edit: still have issue to claim groups....

@olinigorov
Copy link

I managed to get to working by settings additional group claim on Azure AD side in AppRegistration settings. Then all AD groups have been populated into Harbor using their GroupID.

Edit: still have issue to claim groups....

Hello, if you have set up Azure AD OIDC auth, then you have to go to

App Registrations >> your harbor app >> Token configuration >> + Add groups claim >> Security groups >> ID >> Group ID >> Access >> Group ID >> SAML >> Group ID.

Like this, when some user will login through OIDC, there will appear group id's in Groups.

But now i need to learn, how to use group names instead of id's.

@johanot
Copy link

johanot commented May 25, 2023

@olinigorov #12178 - sorry, not really possible out of the box.

@tjouffroy
Copy link

@olinigorov did you get the group mapping working this way ? it set person of the group as admin ?
in which version of harbor ?

@johanot
Copy link

johanot commented Jul 13, 2023

I went with Dex in between AAD and Harbor. i.e.:

Harbor -> (oidc) -> Dex -> (microsoft) -> Azure AD

ref: https://dexidp.io/docs/connectors/microsoft/

Dex uses the Microsoft Graph API to enrich the OIDC token group claim with group names.

I might be able to get rid of Dex once I have access to this AzureAD feature: https://learn.microsoft.com/en-us/azure/active-directory/hybrid/connect/how-to-connect-fed-group-claims#emit-cloud-only-group-display-name-in-token - which is currently in preview.

@DT0002
Copy link

DT0002 commented Oct 27, 2023
edited
Loading

You can use "app roles " in your azure app registration , link the roles to an azure ad group

As "Group Claim" use "roles"

Group Claim Name --> roles

(https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/groups-concept)

@l-drews
Copy link

l-drews commented Dec 13, 2023

I found a solution for using the group names that requires editing the azure ad application manifest: #12178 (comment)

@olhado
Copy link

olhado commented May 20, 2024

Just for additional context. if you define Azure/Entera groups for users, and also use app_roles, make sure to map the app_roles to your Azure/Entera groups in the Enterprise Application location of your app registration, using the Edit Assignment button.

You will still get an error in the harbor-core logs about Unable to get groups from claims, but roles and permissions should be mapped correctly, and users will have correct permissions. Inside Harbor, users will have the admin flag set to Unknown.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@stonezdj stonezdj

Labels
area/ldap kind/requirement New feature or idea on top of harbor
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests