Harbor and Azure Active Directory

[roldancer]

Hi All, I would like to know if Harbor supports authentication via Azure Active Directory, is there any documentation about that integration ?

Many thanks.

[xaleeks]

It is not supported. Can you please test and let us know if there are any issues, and we can support from there? @roldancer

[yaron]

This works when using the oicd provider.

1. Create an app registraion in azure ad.
   Note down the tenant id and client id.
2. Create a secret for the app registration.
   Note down the secret.
3. In Harbor select the oicd authentication method.
4. The name can be anything you want.
5. The endpoint is https://login.microsoftonline.com/{tenant-id}/v2.0 (note that it does not end with a /, and does not include the ".well-known/openid-configuration" part).
6. Enter the client-id and secret
7. Use the scope "openid,email,profile" (no spaces).
8. Testing the connection should work.
9. Save, log out and try to login using the "Login using OICD" button.

[jeremy-chua]

This works when using the oicd provider.

1. Create an app registraion in azure ad.
   Note down the tenant id and client id.
2. Create a secret for the app registration.
   Note down the secret.
3. In Harbor select the oicd authentication method.
4. The name can be anything you want.
5. The endpoint is https://login.microsoftonline.com/{tenant-id}/v2.0 (note that it does not end with a /, and does not include the ".well-known/openid-configuration" part).
6. Enter the client-id and secret
7. Use the scope "openid,email,profile" (no spaces).
8. Testing the connection should work.
9. Save, log out and try to login using the "Login using OICD" button.

Thanks for the info!!!!
What would be the redirect URL for application registration in Azure AD?

[jeremy-chua]

This works when using the oicd provider.

1. Create an app registraion in azure ad.
   Note down the tenant id and client id.
2. Create a secret for the app registration.
   Note down the secret.
3. In Harbor select the oicd authentication method.
4. The name can be anything you want.
5. The endpoint is https://login.microsoftonline.com/{tenant-id}/v2.0 (note that it does not end with a /, and does not include the ".well-known/openid-configuration" part).
6. Enter the client-id and secret
7. Use the scope "openid,email,profile" (no spaces).
8. Testing the connection should work.
9. Save, log out and try to login using the "Login using OICD" button.

Thanks for the info!!!!
What would be the redirect URL for application registration in Azure AD?

No worries, i got my answer.
It's at the bottom of the OIDC page.

[lindhe]

@stonezdj It seems to me that this issue can be considered resolved as of @yaron's answer. I can also confirm that it works using OIDC with Azure AD, or at least to the same degree as Harbor works with any OIDC provider.

[sspreitzer]

@jeremy-chua

No worries, i got my answer.
It's at the bottom of the OIDC page.

Mind sharing this answer in this issue thread? It looks to me it has been removed from the documentation.

[sspreitzer]

@jeremy-chua It is a misunderstanding. The information is not covered in the documentation, but in the bottom if the configuration page of the harbor instance WebUI.

[jeremy-chua]

@jeremy-chua It is a misunderstanding. The information is not covered in the documentation, but in the bottom if the configuration page of the harbor instance WebUI.

Yes, you are right. It's like a fine print. :)

[github-actions]

This issue is being marked stale due to a period of inactivity. If this issue is still relevant, please comment or remove the stale label. Otherwise, this issue will close in 30 days.

[melhajal]

This works when using the oicd provider.

1. Create an app registraion in azure ad.
   Note down the tenant id and client id.
2. Create a secret for the app registration.
   Note down the secret.
3. In Harbor select the oicd authentication method.
4. The name can be anything you want.
5. The endpoint is https://login.microsoftonline.com/{tenant-id}/v2.0 (note that it does not end with a /, and does not include the ".well-known/openid-configuration" part).
6. Enter the client-id and secret
7. Use the scope "openid,email,profile" (no spaces).
8. Testing the connection should work.
9. Save, log out and try to login using the "Login using OICD" button.

@yaron @xaleeks any information on connecting groups to Azure AD?

[devopstagon]

This works when using the oicd provider.

1. Create an app registraion in azure ad.
   Note down the tenant id and client id.
2. Create a secret for the app registration.
   Note down the secret.
3. In Harbor select the oicd authentication method.
4. The name can be anything you want.
5. The endpoint is https://login.microsoftonline.com/{tenant-id}/v2.0 (note that it does not end with a /, and does not include the ".well-known/openid-configuration" part).
6. Enter the client-id and secret
7. Use the scope "openid,email,profile" (no spaces).
8. Testing the connection should work.
9. Save, log out and try to login using the "Login using OICD" button.

@yaron @xaleeks any information on connecting groups to Azure AD?

You set Group Claim Name to groups then the groups can be referred to by their ID. It doesn't give you their name field though, so you gotta figure out what ID is what group yourself, but it works.

[bitva77]

Just want to document how I got it working in 2022. The steps above are correct but there's a couple other things to note

1. Azure Active Directory --> App Registrations --> New Registration

• Name it whatever you want

• Choose Accounts in this organizational directory only (though your use case may vary)

• Redirect URI: Web <-- This is important. Make the value: https://YOUR-CORE-HARBOR-DOMAIN/c/oidc/callback <<- This value is also on the bottom of the Configuration --> Authentication tab in the Harbor dashboard.

• Make note of the Application (client) ID & the Directory (tenant) ID

• Click Certificates & secrets --> Client secrets --> +New client secret. Have it expire whenever you want to rotate it. Copy this value.

2. In the Harbor dashboard go to Configuration --> Authentication

• Auth Mode --> OIDC
• OIDC Endpoint --> https://login.microsoftonline.com/TENANT ID FROM ABOVE/v2.0
• OIDC Client ID --> CLIENT ID FROM ABOVE
• OIDC Client Secret --> SECRET FROM ABOVE
• Group Claim Name --> groups
• OIDC Scope --> openid,email,profile,offline_access

Save it.

This will now enable a Groups tab in the Harbor dashboard. It's going to be populated with the Azure AD Object ID of the groups found. I believe it's populated with groups found by users who login.

Have your users go to the Harbor dashboard login screen and choose LOGIN VIA OIDC PROVIDER and they should get it. They do get to choose their user name in Harbor though it is defaults to Firstname_Lastname as a suggestion.

Once logged in they'll have access to basically nothing until you add them to Projects. I added an Azure AD groups Object ID to a project and those users have the specified level of access to that Harbor project now. It doesn't look like Group Name works - you have to use Object ID.

Once logged in I can go to my User Profile and grab the CLI secret, which is what I can use in my docker/podman client to push/pull from the Project(s) my group has access to. User name is whatever is chosen when first registering/logging in.

Hope this helps someone!

[UPiotr]

Does anyone know if it's possible to use Azure AD groups instead of Windows AD groups synced in Azure? We tried many different configurations in Azure including using App Roles, but I think these aren't supported?

[devopstagon]

Azure AD groups should have unique ids like Windows groups. Get the ID and set that. If it still doesn't work then you misconfiguration something. Azure AD and Windows Server groups are typically on the same domain within your organisation, so you should have both available to set.

…

On Fri, 20 Jan 2023, 15:20 UPiotr, ***@***.***> wrote: Does anyone know if it's possible to use Azure AD groups instead of Windows AD groups synced in Azure? We tried many different configurations in Azure including using App Roles, but I think these aren't supported? — Reply to this email directly, view it on GitHub <#9193 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/A3RH6OXWHRZOPTOUPLMMCDDWTKNLNANCNFSM4IZEMIRA> . You are receiving this because you commented.Message ID: ***@***.***>

[mts-dyt]

I managed to get to working by settings additional group claim on Azure AD side in AppRegistration settings. Then all AD groups have been populated into Harbor using their GroupID.

Edit: still have issue to claim groups....

[olinigorov]

I managed to get to working by settings additional group claim on Azure AD side in AppRegistration settings. Then all AD groups have been populated into Harbor using their GroupID.

Edit: still have issue to claim groups....

Hello, if you have set up Azure AD OIDC auth, then you have to go to

App Registrations >> your harbor app >> Token configuration >> + Add groups claim >> Security groups >> ID >> Group ID >> Access >> Group ID >> SAML >> Group ID.

Like this, when some user will login through OIDC, there will appear group id's in Groups.

But now i need to learn, how to use group names instead of id's.

[johanot]

@olinigorov #12178 - sorry, not really possible out of the box.

[tjouffroy]

@olinigorov did you get the group mapping working this way ? it set person of the group as admin ?
in which version of harbor ?

[johanot]

I went with Dex in between AAD and Harbor. i.e.:

Harbor -> (oidc) -> Dex -> (microsoft) -> Azure AD

ref: https://dexidp.io/docs/connectors/microsoft/

Dex uses the Microsoft Graph API to enrich the OIDC token group claim with group names.

I might be able to get rid of Dex once I have access to this AzureAD feature: https://learn.microsoft.com/en-us/azure/active-directory/hybrid/connect/how-to-connect-fed-group-claims#emit-cloud-only-group-display-name-in-token - which is currently in preview.

[DT0002]

You can use "app roles " in your azure app registration , link the roles to an azure ad group

As "Group Claim" use "roles"

Group Claim Name --> roles

(https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/groups-concept)

[l-drews]

I found a solution for using the group names that requires editing the azure ad application manifest: #12178 (comment)

[olhado]

Just for additional context. if you define Azure/Entera groups for users, and also use app_roles, make sure to map the app_roles to your Azure/Entera groups in the Enterprise Application location of your app registration, using the Edit Assignment button.

You will still get an error in the harbor-core logs about Unable to get groups from claims, but roles and permissions should be mapped correctly, and users will have correct permissions. Inside Harbor, users will have the admin flag set to Unknown.

[hkhan-apporto]

can we automate this authmode: OIDC from values.yaml file

[bmhkb4]

@johanot can you give me a sample of your dex config that could enrich the token to get me the AD group info from Azure? I am having problems getting dex to work correctly.

[bmhkb4]

can we automate this authmode: OIDC from values.yaml file

you could try terraform since auth is kind of day 30 type operation anyway

https://registry.terraform.io/providers/goharbor/harbor/latest/docs/resources/config_auth

[bmhkb4]

I was able to get Azure AD group names to come through without dex by when adding the Token Configuration in the App Registration for Harbor, instead of using Group ID, I selected sAMAccountName.