Can't create SAML-based AAD apps using az ad app create #7579

Open
mattdot opened this issue Oct 16, 2018 · 21 comments

Comments

@mattdot mattdot commented Oct 16, 2018

Is your feature request related to a problem? Please describe.
I can't create a SAML-based SSO AAD app registration using the az CLI.

It's possible to create it manually in the Azure portal by going to "Enterprise Applications" > "New Application", then choosing "Non-gallery application". Apps created this way show a "Manage > Single sign-on" configuration blade which is not available in apps created using the az CLI.

From my research this seems to be caused because the CLI does not have an option to set the proper Portal UI tag. Showing it as an enterprise application in portal requires the Portal UI tag of WindowsAzureActiveDirectoryIntegratedApp.

Describe the solution you'd like
I'd like a way to create SAML-based SSO applications with the az CLI, perhaps using a flag to differentiate between standard apps and integrated SSO apps.

az ad app create -n "My SSO App" --integrated-sso

Describe alternatives you've considered
The only alternative is to create this manually, which breaks automated deployments and management. This also does not appear to be possible in the PowerShell CLI.

Additional context
Once the app has been created manually, it can be managed using the current az CLI to perform az ad app update and change its properties; however, configuring it to be a SAML app does not appear to be possible.

@tjprescott tjprescott commented Nov 12, 2018

@yugangw-msft yugangw-msft commented Nov 12, 2018

We will need more swagger rest-api authoring.
@mattdot, are you able to do it through AzureAD's powershell?

@b-b3rn4rd b-b3rn4rd commented Feb 5, 2019

It's really disappointing that Azure does not believe in automation and expects engineers to provision resources manually. Especially, when you already have the functionality to do it using UI why wouldn't you put a little bit of extra effort and provide CLI support...

@yugangw-msft yugangw-msft commented Feb 6, 2019

@b-b3rn4rd, Azure CLI's graph commands have never been meant to be used for general graph object management; rather they are just enough for RBAC, where SAML-based SSO applications don't play any specific role. Hence we usually don't prioritize such asks till we have enough user votes.

@b-b3rn4rd b-b3rn4rd commented Feb 6, 2019

@yugangw-msft Apologies for the potentially passive-aggressive comment; after doing more extensive research I believe it's not a CLI limitation but a general lack of functionality to automate the provisioning of Gallery Applications. I do understand that in theory that's not something that should be done frequently, but in our scenario we potentially need to integrate AAD with 100s of AWS accounts, and based on the latest recommendations that would require a separate app per account. https://docs.microsoft.com/en-gb/azure/active-directory/saas-apps/amazon-web-service-tutorial

@m4r10k m4r10k commented Feb 11, 2019

@b-b3rn4rd you are fully correct on this topic. @yugangw-msft -> We need to integrate 100s of AWS accounts with AAD too, and everything which isn't automatable today will not be taken into account as enterprise ready tomorrow. In addition, the Go docs are really hard to read, as things like the following are not really useful, because there is no information about what URI strings are needed or if they are created automatically, and even if so, what happens if I add a URI (append, overwrite, ...)?

    // IdentifierUris - A collection of URIs for the application.
    IdentifierUris *[]string `json:"identifierUris,omitempty"`

But the really bad thing is, that there is no interface for the claims, not even a read only interface. I cannot show the claims which I've provided, nor can I configure them via the SDK. 😷

According to https://docs.microsoft.com/en-gb/azure/active-directory/saas-apps/amazon-web-service-tutorial one has to specify the claim providers manually every time you create an app, even if you choose "AWS" from the gallery app. Jesus, these claims are always the same ones! 🙈

That's stupid and error prone work, that's the key why mankind has invented automation - computers are better at it, if we would have some API interfaces. 😏

CC @rauschbit

@tjprescott tjprescott added Feature Request and removed Question labels Feb 11, 2019
@yugangw-msft yugangw-msft commented Feb 11, 2019

Folks, I will take a look and get back to you.

@yugangw-msft yugangw-msft commented Feb 25, 2019

Folks, I ended up updating the Rest spec to open up the support for this. With that, the command to address this issue would be like below. Please let me know if I missed anything.
It is different from what was proposed by @mattdot, but let us focus on the API readiness before polish further. BTW, I have a private installer (windows msi, and docker image) for initial test. If you like to try out, I can be reached at yugangw at microsoft dot com

    az ad sp create-for-rbac -n sp-reload --skip-assignment
    {
      "appId": "b8f8f0ab-2885-4bb2-9b03-1a514a2bbdc1",
      "displayName": "my-sp",
      "name": "http://my-sp",
      "password": "28999ddb-5ebb-47dd-99ac-a9084215f707",
      "tenant": "54826b22-38d6-4fb2-bad9-123456788888"
    }

    az ad sp update --id b8f8f0ab-2885-4bb2-9b03-1a514a2bbdc1 --add tags WindowsAzureActiveDirectoryIntegratedApp

    az ad app update --id b8f8f0ab-2885-4bb2-9b03-1a514a2bbdc1 --set samlMetadataUrl=https://mysaml

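
The three steps above, wrapped into one idempotent script as an added example (this is not code from the issue or from the Azure CLI project). It reuses an existing registration with the same display name instead of creating duplicates, registers the app with `az ad app create` plus `az ad sp create` so no client secret is generated (unlike `az ad sp create-for-rbac`), and reads the service principal and app back afterwards to confirm the tag and `samlMetadataUrl` actually landed. It assumes `az` is on PATH and logged in with rights to manage app registrations, and that the tag name and property are as stated in the thread; the display name and metadata URL are placeholders.

```shell
#!/bin/sh
# Added example, not code from the issue or the Azure CLI project.
# Assumptions: `az` is installed and logged in; the tag
# WindowsAzureActiveDirectoryIntegratedApp and the samlMetadataUrl
# property are as described in the thread. Display name and URL are
# placeholders supplied by the caller.
set -eu

SSO_TAG="WindowsAzureActiveDirectoryIntegratedApp"

# sp_has_tag APP_ID TAG: succeed if the service principal carries TAG.
# The tag list is read as JSON so each tag appears as a quoted string.
sp_has_tag() {
  az ad sp show --id "$1" --query tags -o json | grep -q "\"$2\""
}

# provision_saml_sp DISPLAY_NAME METADATA_URL
# Prints the appId on success; returns 1 if read-back verification fails.
provision_saml_sp() {
  name="$1"
  metadata_url="$2"

  # Reuse an existing registration with this display name instead of
  # creating a duplicate on every run.
  app_id=$(az ad app list --display-name "$name" --query '[0].appId' -o tsv)
  if [ -z "$app_id" ]; then
    app_id=$(az ad app create --display-name "$name" --query appId -o tsv)
    az ad sp create --id "$app_id" >/dev/null
  fi

  # The tag is what makes the object show up under Enterprise Applications.
  if ! sp_has_tag "$app_id" "$SSO_TAG"; then
    az ad sp update --id "$app_id" --add tags "$SSO_TAG" >/dev/null
  fi

  az ad app update --id "$app_id" --set samlMetadataUrl="$metadata_url" >/dev/null

  # Verify by reading back: an update that the service silently ignores
  # would otherwise leave the app looking configured when it is not.
  if ! sp_has_tag "$app_id" "$SSO_TAG"; then
    echo "verification failed: tag $SSO_TAG missing on $app_id" >&2
    return 1
  fi
  actual_url=$(az ad app show --id "$app_id" --query samlMetadataUrl -o tsv)
  if [ "$actual_url" != "$metadata_url" ]; then
    echo "verification failed: samlMetadataUrl is '$actual_url'" >&2
    return 1
  fi
  echo "$app_id"
}

# Usage: sh provision_saml_sp.sh --run "My SSO App" https://example.invalid/saml/metadata
if [ "${1:-}" = "--run" ]; then
  provision_saml_sp "$2" "$3"
fi
```

The read-back at the end is the part worth keeping even if the rest is folded into existing tooling: as the later comments in this thread show, the tag alone produced an Enterprise Application without the SSO blade, so checking what the service actually stored is the only way to tell whether a given combination of properties did what you intended.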
@m4r10k m4r10k commented Feb 25, 2019

@yugangw-msft Wow! Thank you for your fast response and improvements 💪 👏! I will contact you via email later for the docker image etc. to try it out!

@m4r10k m4r10k commented Feb 26, 2019

@yugangw-msft we have tried it now, but there seems to be still a gap. If I am issuing the provided commands, I get an enterprise application, but the SSO option(s) are still missing there.

[screenshot: enterprise application without the single sign-on option]

The commands itself are clear but how should we proceed from here? I think there are two steps to take into account:

  • First: Someone is starting by choosing a gallery app, for example Amazon Web Services (AWS), which is then configured in detail

[screenshot: gallery app selection]

  • Second: Someone is starting by creating an "own app" and is configuring it after the creation

[screenshot: own app creation]

From my point of view it would make sense to have an API or to open up the API for the CLI/SDK which is controlling the screenshots above, "own app" and "gallery app" on the az ad app create command for example.

And then I think there would be the need to get in touch with the APIs that are behind this stuff:

[screenshot: single sign-on configuration]

This would probably be some kind of az ad app update.... and yes, I am on your side, there is the need that the REST APIs for this must be opened for the CLI/SDKs.

I hope this is helpful...

@b-b3rn4rd b-b3rn4rd commented Feb 26, 2019

Until this is fully supported, I came up with a simple automation process of pushing IAM roles back to Azure from across all AWS accounts in an organization. In case anyone is interested https://github.com/b-b3rn4rd/aws-saml-azuread

@yugangw-msft yugangw-msft commented Feb 27, 2019

Folks, I would appreciate it if someone can send me the application/service principal details using "az ad app show" and "az ad sp show". Through the diff with the regular object, I can update the Rest API to get this supported. I can try all things out myself, but that would take a longer time to get to the solution.
Again, I can be reached at yugangw at microsoft dot com

@m4r10k m4r10k commented Feb 27, 2019

Sure! I will send it to you later. -> done 😄

@annbrady annbrady commented Mar 23, 2019

any recent updates? I'm looking to do the same things for the same reasons. thanks!

@m4r10k m4r10k commented Mar 23, 2019

@annbrady I am still in contact with @yugangw-msft via e-mail - offline to this issue. He told me that it will take until approximately the end of April until the backend REST interfaces will be opened and the SDKs will be able to access them. We have to wait a little bit at this point, but I am happy that @yugangw-msft is working on it together with the other Azure teams. 😄

@yugangw-msft yugangw-msft commented Apr 11, 2019

Hi folks, we understand this great need from community, but at this moment we are not able to offer any ETAs you should align/plan your work with. One thing for sure is once the Service API goes public, CLI team will prioritize the work to expose the support as early as possible.

@avanbecelaere avanbecelaere commented May 7, 2019

I'm currently waiting on this as well. Is there an updated status?

@hemant6488 hemant6488 commented Sep 17, 2019

Any ETA on this yet?

@m4r10k m4r10k commented Sep 17, 2019

I have no new information on this, but I can ask back.

@viresh-contino viresh-contino commented Oct 9, 2019

Hi, I am very keen to see this bit of automation! Has anybody found a workaround?

@m4r10k m4r10k commented Oct 12, 2019

There's currently work in progress going on behind the scenes. I've asked back, and currently there is some kind of alpha work in progress -> https://docs.microsoft.com/en-us/graph/api/resources/applicationtemplate?view=graph-rest-beta to get application templates accessible via the API. But this will still take some time.

There is no workaround available beside doing it manually because the API for automation is simply missing. 😄
