Testing SSO functionality #117

Open
c6fc opened this issue Dec 23, 2020 · 8 comments
Labels
help wanted Extra attention is needed

Comments

@c6fc
Contributor

c6fc commented Dec 23, 2020

NPK supports integration with SAML federated identity providers, which I no longer have reasonable access to for testing. This integration is really awesome for organizations that want to empower teams to use NPK, but I need someone with a configured SAML IdP who is willing to help me test and develop for this use case.

If you are working for an organization that uses or wants to use NPK, and which could benefit from federated identity integrations, please ping me.

@c6fc c6fc added the help wanted Extra attention is needed label Dec 23, 2020
@bzekanovic

@c6fc
So I started testing this feature with Azure AD IP and below is my experience. Also, I'm sure a lot of these will be resolved by documentation.

  1. Running deploy.sh throws the 3 errors below.

Error 1
RUNTIME ERROR: field does not exist: sAMLMetadataUrl
jsonnet/cognito.libsonnet:86:21-45 object
jsonnet/cognito.libsonnet:(84:25)-(87:6) object
jsonnet/cognito.libsonnet:(79:12)-(92:5) object
jsonnet/cognito.libsonnet:(78:36)-(93:4) object
terraform.jsonnet:133:15-41 object
terraform.jsonnet:(132:21)-(135:3) object
During manifestation

FIX - set the npk-settings SAML file variable to match the Terraform config file's "sAMLMetadataUrl".


Error 2

    • aws_cognito_user_pool_client.npk: 1 error occurred:
      • aws_cognito_user_pool_client.npk: Error updating Cognito User Pool Client: InvalidParameterException: The provider NPKSAML does not exist for User Pool us-west-#######.

**FIX - I had to add the provider manually from Cognito to resolve this issue.**


Error 3

    • aws_cognito_identity_provider.saml: 1 error occurred:
      • aws_cognito_identity_provider.saml: Error creating Cognito Identity Provider: InvalidParameterException: host parameter is null

NO FIX - I was not able to fix this error, but it looks like most of the config was set up within Cognito.


NPK SAML Login Experience

  1. I logged in via the current admin user and this worked just great.
  2. I did see that SAML also generates a new Cognito group us-west-2_#######_NPKSAML, but it doesn't add current users to the group.
  3. Logging in via SAML auto-created a new user with the username NPKSAML_username@domain.com.
  4. SAML did not auto-add this new user to the SAML group that was auto-created.
  5. The new SAML group does not work with the new NPK Admin settings and User Administration pages.

At the end of the day, I feel like most of my issues could have been avoided if I had first asked for your documentation, but let me know what I am missing here and how to proceed with fixing some of these issues.
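Illustrating the ordering behind Error 2 (the user pool client naming a provider that does not yet exist), here is an added Terraform sketch that is not NPK's own code: the identity provider is declared from its metadata URL and the client references it by attribute, so Terraform creates the provider before the client is updated. Resource names, the domain prefix, URLs and the claim mapping are assumptions.

```hcl
# Added illustration (not NPK's Terraform): declare the SAML IdP and have the
# client reference it by attribute so Terraform orders creation correctly.
# Names, domain prefix, URLs and claim mapping are assumed placeholders.

resource "aws_cognito_user_pool" "npk" {
  name = "npk"
}

# The SAML IdP is created from its federation metadata document.
resource "aws_cognito_identity_provider" "saml" {
  user_pool_id  = aws_cognito_user_pool.npk.id
  provider_name = "NPKSAML"
  provider_type = "SAML"

  provider_details = {
    # Assumed: the value NPK's "sAMLMetadataUrl" setting would carry.
    MetadataURL = "https://idp.example.com/FederationMetadata/2007-06/FederationMetadata.xml"
  }

  attribute_mapping = {
    # Standard email claim URI used by Azure AD.
    email = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
  }
}

# Federated sign-in goes through the hosted UI, which needs a domain.
resource "aws_cognito_user_pool_domain" "npk" {
  domain       = "npk-example" # assumed prefix
  user_pool_id = aws_cognito_user_pool.npk.id
}

resource "aws_cognito_user_pool_client" "npk" {
  name         = "npk"
  user_pool_id = aws_cognito_user_pool.npk.id

  # Referencing the attribute (not the literal string "NPKSAML") creates an
  # implicit dependency, so the client is only updated after the provider
  # exists. "COGNITO" stays so the existing admin user can still log in.
  supported_identity_providers = [
    "COGNITO",
    aws_cognito_identity_provider.saml.provider_name,
  ]

  allowed_oauth_flows_user_pool_client = true
  allowed_oauth_flows                  = ["code"]
  allowed_oauth_scopes                 = ["openid", "email", "profile"]
  callback_urls                        = ["https://npk.example.com/"] # assumed
}
```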

@c6fc
Contributor Author

c6fc commented Dec 24, 2020

I appreciate you running this down as far as you did without the help of documentation. I know it's way behind, but with so much still in flux, it's hard to justify writing up new documentation just yet. I definitely plan to address it once I get a few more things locked down and before I release in the next few days.

Error 3 could be related to whether or not you're using custom domains, and I can work to address it. Are you using a custom domain currently? Also (and I know this is a lot to ask), would you be willing to DM me a metadata XML file I could test with in Dev? I don't need creds or anything, just something actually functional so I can work out basic kinks like parameters being misspelled and infra components being hooked up.

@bzekanovic

@c6fc
Totally understand regarding documentation, and I was not using a custom domain when I was testing SAML. Also, I'll need more time on my side to go through some channels before I can share anything, but I did find https://login.microsoftonline.com/contoso.com/FederationMetadata/2007-06/FederationMetadata.xml which has an example SAML config file, and the parent page of this file is https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-saml-protocol-reference. Let me know if this example doesn't work and we can go from there.

Thanks,

@phin3has
Contributor

Happy to still provide support w/Ping

@bzekanovic

@c6fc

Sent you the XML file via email from your GitHub profile.

@c6fc
Contributor Author

c6fc commented Dec 29, 2020

There may be a limitation where this is only possible in conjunction with custom DNS. I'll verify and add sanity checks to the deploy.sh if that proves true.

@bzekanovic

@c6fc

Let me know and I can deploy NPK with custom DNS as well. thx

@bzekanovic

@c6fc

Deployed NPK with the current documentation on the SSO piece, and a couple of things below.

  1. Any way to get the requirements for Azure AD Enterprise Apps for NPK to work properly? Maybe updating the wiki based on the Azure AD Enterprise App fields etc...
  2. With the current deployment / knowledge of SSO deployment, I noticed that NPK was re-creating my user within the Cognito user directory. Is this correct, or can you go into detail on what the flow is supposed to look like?

Thanks,
