Skip to content

Commit

Permalink
Merge pull request #277 from smallstep/carl/entra
Browse files Browse the repository at this point in the history
Update product names: Google Workspace and Microsoft Entra ID
  • Loading branch information
tashian authored Oct 17, 2023
2 parents b8c886e + 65032c4 commit f30077f
Show file tree
Hide file tree
Showing 12 changed files with 34 additions and 34 deletions.
2 changes: 1 addition & 1 deletion certificate-manager/core-concepts.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -164,7 +164,7 @@ Each Provisioner addresses a particular environment, enabling different use case

- **OIDC Provisioner** - Useful for getting certificates to people,
the OAuth/OpenID Connect (OIDC) Provisioner uses identity tokens for authentication.
With this provisioner, you can use single sign-on with G Suite, Okta, Azure Active Directory, or any other OAuth OIDC provider
With this provisioner, you can use single sign-on with Google Workspace, Okta, Microsoft Entra ID, or any other OAuth OIDC provider
to verify the user's identity before issuing a certificate.
- **ACME Provisioner** - Useful for automating TLS certificates,
the ACME provisioner provides CSR generation, domain ownership verification, certificate download, and installation.
Expand Down
2 changes: 1 addition & 1 deletion certificate-manager/how-it-works.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -302,7 +302,7 @@ Certificates provide a secure, flexible, scalable mechanism for authenticating
people, too (e.g., for SSH access, API access, or to connect to a BeyondCorp
identity-aware proxy). Most organizations already have an identity provider
(IdP) for authenticating people. The `OIDC` provisioner lets you leverage
authentication services from G Suite, Okta, Azure AD, and any other IdP that
authentication services from Google Workspace, Okta, Microsoft Entra ID, and any other IdP that
supports OAuth OIDC to authenticate a certificate request.

![Developer single sign on for TLS certificate](/graphics/cm-hiw-sso.svg 'The certificate command triggers the OIDC Provisioner and the default browser to open the IDP login screen. The developer authenticates to the corporate single sign-on service and, upon successful completion, returns to the terminal with a personal x.509 certificate.')
Expand Down
4 changes: 2 additions & 2 deletions certificate-manager/oidc.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@ User certificates enable mutual TLS authentication between humans and APIs, VPNs
Add single sign-on to to the mix, and you get a layer of strong authentication from your existing identity provider (IdP), using tools familiar to your team.
It works for designated admininistrators, too: Admins can get certificates with any name or SAN, simplifying human approval workflows for security teams.

Certificate Manager supports any OAuth [OpenID connect](https://openid.net/connect/) IdP for single sign-on, including Google, Okta, Azure Active Directory, and Keycloak.
Certificate Manager supports any OAuth [OpenID connect](https://openid.net/connect/) IdP for single sign-on, including Google, Okta, Microsoft Entra ID, and Keycloak.

### Connect your identity provider to Certificate Manager in a few steps
1. Create an OIDC application integration with your IdP
Expand Down Expand Up @@ -40,7 +40,7 @@ First, create an OIDC application in your IdP. Be sure to set the following valu

<Alert severity="info">
<div>
For Azure AD you may need to create or update the native application from the command line to specify the redirect URI. The web interface may reject a <code>http://127.0.0.1</code> value. Contact <a href="mailto:[email protected]">Customer Success</a> if you have any questions.
For Microsoft Entra ID you may need to create or update the native application from the command line to specify the redirect URI. The web interface may reject a <code>http://127.0.0.1</code> value. Contact <a href="mailto:[email protected]">Customer Success</a> if you have any questions.
</div>
</Alert>

Expand Down
4 changes: 2 additions & 2 deletions manifest.json
Original file line number Diff line number Diff line change
Expand Up @@ -65,11 +65,11 @@
"path": "/ssh/acls.mdx"
},
{
"title": "Azure AD Quickstart Guide",
"title": "Entra ID Quickstart Guide",
"path": "/ssh/azure-ad.mdx"
},
{
"title": "G Suite Quickstart Guide",
"title": "Google Workspace Quickstart Guide",
"path": "/ssh/g-suite.mdx"
},
{
Expand Down
4 changes: 2 additions & 2 deletions ssh/README.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -43,9 +43,9 @@ identity provider. Note: Single Sign-on through your identity provider requires
SSH Professional + Team level account or higher. [Click here for more pricing
information] (/sso-ssh/pricing/#pricing).

**[Azure AD Quickstart Guide](./azure-ad.mdx)**
**[Microsoft Entra ID Quickstart Guide](./azure-ad.mdx)**

**[G Suite Quickstart Guide](./g-suite.mdx)**
**[Google Workspace Quickstart Guide](./g-suite.mdx)**

**[Okta Quickstart Guide](./okta.mdx)**

Expand Down
20 changes: 10 additions & 10 deletions ssh/azure-ad.mdx
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
---
title: Azure AD Quickstart
html_title: Azure AD Quickstart | SSH
title: Microsoft Entra ID Quickstart
html_title: Microsoft Entra ID Quickstart | SSH
description: SSH Azure Quickstart | Smallstep Documentation
---

Expand All @@ -22,7 +22,7 @@ The following provisioning features are supported:
* Reactivate Users

## Overview
1. Create Groups in Azure Active Directory
1. Create Groups in Microsoft Entra ID
2. Tell us your directory's Tenant ID
3. Add the Smallstep SSH Azure Enterprise Application to your tenant
4. Enable user provisioning (SCIM) in Azure
Expand Down Expand Up @@ -55,18 +55,18 @@ When creating your groups, give them names and accept the defaults on all other

1. Sign in to Smallstep at `https://smallstep.com/app/[Team ID]`
2. Follow the Getting Started workflow.
3. Choose the **Users** tab, and choose **Azure AD** as your identity provider.
3. Choose the **Users** tab, and choose **Microsoft Entra ID** as your identity provider.
4. Enter your **Tenant ID** and **Whitelisted Domains**, and **Save**.
5. Now run `step ssh login your@email`.
Your browser will open to an Azure AD single sign-on flow,
Your browser will open to an Entra ID single sign-on flow,
and you'll be prompted to add the Smallstep SSH enterprise application to your tenant.

![Azure consent screenshot](/graphics/quickstart/azure-consent.png)
6. Choose **Consent on behalf of your organization.**
7. Accept the application for your tenant, and finish the sign-on flow.

> 🤦‍♂️ If you encounter "The username may be incorrect", you'll need to use a different account to accept the application into your tenant.
> Specifically, you cannot use a Microsoft Account or a Guest account; the account must be an Azure AD account.
> Specifically, you cannot use a Microsoft Account or a Guest account; the account must be an Entra ID account.
#### Assign groups to your application

Expand Down Expand Up @@ -137,13 +137,13 @@ Return to the Smallstep dashboard.
![](/graphics/quickstart/scim-logs.png "SCIM Logs")

* Navigate to the USERS menu. If the onboarding dialog is open, press `Esc` to close.
* You should see your Users and Groups synced over from Azure AD.
* You should see your Users and Groups synced over from Entra ID.

> **Don't see your users and groups?** Microsoft's SCIM service may add a 40-minute delay after you set it up. You can force an update by clicking **Restart provisioning** in the Provisioning panel. Even then, it may take a minute to sync with Smallstep.
### Azure AD Configuration Complete
### Entra ID Configuration Complete

## Troubleshooting Tips

* Initial activation of Azure AD OIDC provisioning in Smallstep SSH requires entering your **Application (client) ID**, **Client secret**, and **Configuration Endpoint** into the Smallstep UI. Contact smallstep support with any questions | [[email protected]](mailto:[email protected])
* Note: When users are deactivated in Azure AD, they will be deactivated in Smallstep. Users will not be able to SSH to servers, but their user accounts will remain on smallstep managed hosts. To permanently delete user data on smallstep managed hosts, contact Smallstep Support | [[email protected]](mailto:[email protected])
* Initial activation of Entra ID OIDC provisioning in Smallstep SSH requires entering your **Application (client) ID**, **Client secret**, and **Configuration Endpoint** into the Smallstep UI. Contact smallstep support with any questions | [[email protected]](mailto:[email protected])
* Note: When users are deactivated in Entra ID, they will be deactivated in Smallstep. Users will not be able to SSH to servers, but their user accounts will remain on smallstep managed hosts. To permanently delete user data on smallstep managed hosts, contact Smallstep Support | [[email protected]](mailto:[email protected])
20 changes: 10 additions & 10 deletions ssh/g-suite.mdx
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
---
title: G Suite Quickstart
description: SSH G Suite Quickstart | Smallstep Documentation
title: Google Workspace Quickstart
description: SSH Google Workspace Quickstart | Smallstep Documentation
---

### Prerequisites
Expand All @@ -10,20 +10,20 @@ You will need:
* An account on the smallstep platform. Need one? [Register here](https://smallstep.com/signup?product=ssh)
* Google Admin console privileges for your organization.
* A single domain name that your users will use, added and verified in the Google Admin console.
* A Google Cloud Platform (GCP) project in your G Suite Organization.
* A Google Cloud Platform (GCP) project in your Google Workspace Organization.
* [Create a GCP project here](https://console.cloud.google.com/projectcreate) if you don't yet have one.

### Features

The following provisioning features are supported:

* New Users and Periodical Pull of All Groups
* New users created through G Suite will be created in the third party application.
* New users created through Google Workspace will be created in the third party application.
* Groups and Memberships will be synchronized periodically
* Push Profile Updates
* Updates made to the user's profile through G Suite will be pushed to the third party application.
* Updates made to the user's profile through Google Workspace will be pushed to the third party application.
* Push User Deactivation
* Deactivating the user or disabling the user's access to the application through G Suite will deactivate the user in the third party application.
* Deactivating the user or disabling the user's access to the application through Google Workspace will deactivate the user in the third party application.
* Note: For this application, deactivating a user means removing access to login, but maintaining the user's ssh access information as an inactive user.
* Reactivate Users
* User accounts can be reactivated in the application.
Expand All @@ -32,7 +32,7 @@ The following provisioning features are supported:
1. Create an OAUTH client ID
2. Enter OIDC details into the Smallstep SSH UI
3. Set up API client access
4. Configure G Suite settings in Smallstep SSH UI
4. Configure Google Workspace settings in Smallstep SSH UI

## Step-by-step Instructions

Expand Down Expand Up @@ -81,12 +81,12 @@ When you're finished, the Manage API Client Access screen page should resemble t

![](/graphics/quickstart/g-suite-api-clients.png)

### Step 4. Configure G Suite Settings in Smallstep
### Step 4. Configure Google Workspace Settings in Smallstep

1. Fill in your **domain name** and **the email address of a Google Admin** in your organization, and Save.
2. Wait while we configure and sync your G Suite directory. Please note that G Suite sync is periodical and might take a few minutes.
2. Wait while we configure and sync your Google Workspace directory. Please note that Google Workspace sync is periodical and might take a few minutes.
3. You should see your directory with users and groups synced.

## Troubleshooting Tips

* Note: When users are deactivated in G Suite, they will be deactivated in Smallstep. Users will not be able to SSH to servers, but their user accounts will remain on smallstep managed hosts. To permanently delete user data on smallstep managed hosts, contact Smallstep Support, ([[email protected]](mailto:[email protected])).
* Note: When users are deactivated in Google Workspace, they will be deactivated in Smallstep. Users will not be able to SSH to servers, but their user accounts will remain on smallstep managed hosts. To permanently delete user data on smallstep managed hosts, contact Smallstep Support, ([[email protected]](mailto:[email protected])).
2 changes: 1 addition & 1 deletion ssh/how-it-works.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -114,7 +114,7 @@ The same offering is available in an on-premise configuration that brings the si

### Identity Provider

1. Configure the smallstep application in your Okta, Azure AD, or G Suite identity provider interface.
1. Configure the smallstep application in your Okta, Microsoft Entra ID, or Google Workspace identity provider interface.
1. Activate OIDC flow for single sign-on workflows
2. Activate SCIM to synchronize user groups
2. Assign users to SSH groups (or repurpose existing groups)
Expand Down
2 changes: 1 addition & 1 deletion step-ca/README.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -66,7 +66,7 @@ They offer different modes of authorization for the CA.
For example, you can have your CA issue certificates in exchange for:
- [ACME challenge responses](../tutorials/acme-protocol-acme-clients.mdx) from any ACMEv2 client
- [OAuth OIDC single sign-on tokens](https://smallstep.com/blog/easily-curl-services-secured-by-https-tls.html), e.g.:
- ID tokens from Okta, G Suite, Azure AD and Auth0
- ID tokens from Okta, Google Workspace, Microsoft Entra ID and Auth0
- ID tokens from an OAuth OIDC service you host, like [Keycloak](https://www.keycloak.org/) or [Dex](https://github.com/dexidp/dex)
- [Cloud instance identity documents](https://smallstep.com/blog/embarrassingly-easy-certificates-on-aws-azure-gcp/) for VMs on AWS, GCP, and Azure
- [Single-use, short-lived JWK tokens](./provisioners.mdx#jwk), e.g., issued by your CD tool — Puppet, Chef, Ansible, Terraform, etc.
Expand Down
4 changes: 2 additions & 2 deletions step-ca/provisioners.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -481,7 +481,7 @@ To remove this key:
### OAuth/OIDC Single Sign-on
Sometimes it's useful to issue certificates to people.
So `step-ca` supports single sign-on with identity providers (IdPs) like Google, Okta, Azure Active Directory, Keycloak,
So `step-ca` supports single sign-on with identity providers (IdPs) like Google, Okta, Microsoft Entra ID, Keycloak,
or any other provider that supports OAuth's [OpenID Connect extension](https://openid.net/connect/).
OpenID Connect is an extension to OAuth 2.0 that adds an identity layer.
Expand Down Expand Up @@ -1437,7 +1437,7 @@ In the `ca.json`, an Azure provisioner looks like:
- **name**: a string used to identify the provider when the CLI is used.
- **tenantId**: the Azure account tenant id for this provisioner. This
id is the Directory ID available in the Azure Active Directory properties.
id is the Directory ID available in the Microsoft Entra ID properties.
- **audience**<Reference id="star10" marker="*" />: defaults to `https://management.azure.com/` but it can
be changed if necessary.
Expand Down
2 changes: 1 addition & 1 deletion tutorials/ssh-certificate-login.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -175,7 +175,7 @@ Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-55-generic x86_64)

As you can see the _testhost_ VM will welcome you with a matching _testuser@testhost_ prompt.

Learn how to use OAuth OIDC providers like G Suite or Instance Identity Documents to bootstrap SSH host and user certificates in the [`step` reference](../step-cli/reference/).
Learn how to use OAuth OIDC providers like Google Workspace or Instance Identity Documents to bootstrap SSH host and user certificates in the [`step` reference](../step-cli/reference/).

## Generate ssh host certificates

Expand Down
2 changes: 1 addition & 1 deletion tutorials/user-authentication.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -33,7 +33,7 @@ Smallstep makes running your own private CA and managing certificates for intern

## Personal certificates via OAuth OpenID Connect

User identities are usually already managed by your existing G-Suite, Okta, Salesforce, or Microsoft Azure Active Directory _identity provider_.
User identities are usually already managed by your existing G-Suite, Okta, Salesforce, or Microsoft Entra ID _identity provider_.
_IDPs_ leverage a single database of user accounts to provide single sign on login to a wide array of applications and services.
The [OpenID Connect](https://openid.net/connect/faq/) protocol is commonly used to facilitate the exchange between the application, user, and IDP.
You can leverage OpenID Connect to authenticate with `step-ca` to make issuance of personal certificates simple for your whole team.
Expand Down

0 comments on commit f30077f

Please sign in to comment.