
Can't create SAML-based AAD apps using az ad app create #7579

Open
mattdot opened this issue Oct 16, 2018 · 32 comments

Comments

@mattdot mattdot commented Oct 16, 2018

Is your feature request related to a problem? Please describe.
I can't create a SAML-based SSO AAD app registration using the az CLI.

It's possible to create it manually in the Azure portal by going to "Enterprise Applications" > "New Application", then choosing "Non-gallery application". Apps created this way show a "Manage > Single sign-on" configuration blade which is not available in apps created using the az CLI.

From my research this seems to be caused because the CLI does not have an option to set the proper Portal UI tag. Showing it as an enterprise application in portal requires the Portal UI tag of WindowsAzureActiveDirectoryIntegratedApp.

Describe the solution you'd like
I'd like a way to create SAML-based SSO applications with the az CLI, perhaps using a flag to differentiate between standard apps and integrated SSO apps.

az ad app create -n "My SSO App" --integrated-sso

Describe alternatives you've considered
The only alternative is to create this manually which breaks automated deployments and management. This also does not appear to be possible in Powershell CLI.

Additional context
Once the app has been created manually, it can be managed using the current az CLI to perform az ad app update and change its properties; however, configuring it to be a SAML app does not appear to be possible.

@tjprescott tjprescott (Member) commented Nov 12, 2018

@yugangw-msft yugangw-msft (Contributor) commented Nov 12, 2018

We will need more swagger rest-api authoring.
@mattdot, are you able to do it through AzureAD's powershell?

@b-b3rn4rd b-b3rn4rd commented Feb 5, 2019

It's really disappointing that Azure does not believe in automation and expects engineers to provision resources manually. Especially, when you already have the functionality to do it using UI why wouldn't you put a little bit of extra effort and provide CLI support...

@yugangw-msft yugangw-msft (Contributor) commented Feb 6, 2019

@b-b3rn4rd, Azure CLI's graph commands have never been meant to be used for general graph object management; rather they are just enough for RBAC, where SAML-based SSO applications don't play any specific role. Hence we usually don't prioritize such asks till we have enough user votes.

@b-b3rn4rd b-b3rn4rd commented Feb 6, 2019

@yugangw-msft Apologies for the potentially passive-aggressive comment. After doing more extensive research I believe it's not a CLI limitation but a general lack of functionality to automate the provisioning of Gallery Applications. I do understand that in theory that's not something that should be done frequently, but in our scenario we potentially need to integrate AAD with 100s of AWS accounts, and based on the latest recommendations that would require a separate app per account. https://docs.microsoft.com/en-gb/azure/active-directory/saas-apps/amazon-web-service-tutorial

@m4r10k m4r10k commented Feb 11, 2019

@b-b3rn4rd you are fully correct on this topic. @yugangw-msft -> We need to integrate 100s of AWS accounts with AAD too, and everything which isn't automatable today will not be taken into account as enterprise ready tomorrow. In addition, the Go docs are really hard to read, as things like the following are not really useful, because there is no information about what URI strings are needed or if they are created automatically, and even if so, what happens if I add a URI (append, overwrite, ...)?

    // IdentifierUris - A collection of URIs for the application.
    IdentifierUris *[]string `json:"identifierUris,omitempty"`

But the really bad thing is, that there is no interface for the claims, not even a read only interface. I cannot show the claims which I've provided, nor can I configure them via the SDK. 😷

According to https://docs.microsoft.com/en-gb/azure/active-directory/saas-apps/amazon-web-service-tutorial one has to specify the claim providers manually every time you create an app, even if you choose "AWS" from the gallery app. Jesus, these claims are always the same ones! 🙈

That's stupid and error-prone work; that's the key reason why mankind has invented automation - computers are better at it, if we would have some API interfaces. 😏

CC @rauschbit

@yugangw-msft yugangw-msft (Contributor) commented Feb 11, 2019

Folks, I will take a look and get back to you.

@yugangw-msft yugangw-msft (Contributor) commented Feb 25, 2019

Folks, I ended up updating the Rest spec to open up the support for this. With that, the command to address this issue would be like below. Please let me know if I missed anything.
It is different from what was proposed by @mattdot, but let us focus on the API readiness before polishing further. BTW, I have a private installer (Windows MSI and Docker image) for initial testing. If you would like to try it out, I can be reached at yugangw at microsoft dot com

    az ad sp create-for-rbac -n sp-reload --skip-assignment
    {
      "appId": "b8f8f0ab-2885-4bb2-9b03-1a514a2bbdc1",
      "displayName": "my-sp",
      "name": "http://my-sp",
      "password": "28999ddb-5ebb-47dd-99ac-a9084215f707",
      "tenant": "54826b22-38d6-4fb2-bad9-123456788888"
    }

    az ad sp update --id b8f8f0ab-2885-4bb2-9b03-1a514a2bbdc1 --add tags WindowsAzureActiveDirectoryIntegratedApp

    az ad app update --id b8f8f0ab-2885-4bb2-9b03-1a514a2bbdc1 --set samlMetadataUrl=https://mysaml

@m4r10k m4r10k commented Feb 25, 2019

@yugangw-msft Wow! Thank you for your fast response and improvements 💪 👏! I will contact you via email later for the docker image etc. to try it out!

@m4r10k m4r10k commented Feb 26, 2019

@yugangw-msft we have tried it now, but there seems to still be a gap. If I issue the provided commands, I get an enterprise application, but the SSO option(s) are still missing there.

[screenshot]

The commands itself are clear but how should we proceed from here? I think there are two steps to take into account:

  • First: Someone starts by choosing a gallery app, for example Amazon Web Services (AWS), which is then configured in detail

[screenshot]

  • Second: Someone starts by creating an "own app" and configures it after the creation

[screenshot]

From my point of view it would make sense to have an API or to open up the API for the CLI/SDK which is controlling the screenshots above, "own app" and "gallery app" on the az ad app create command for example.

And then I think there would be the need to get in touch with the APIs that are behind this stuff:
[screenshot]

This would probably be some kind of az ad app update.... and yes, I am on your side, there is the need that the REST APIs for this must be opened for the CLI/SDKs.

I hope this is helpful...

@b-b3rn4rd b-b3rn4rd commented Feb 26, 2019

Until this is fully supported, I came up with a simple automation process of pushing IAM roles back to Azure from across all AWS accounts in an organization. In case anyone is interested https://github.com/b-b3rn4rd/aws-saml-azuread

@yugangw-msft yugangw-msft (Contributor) commented Feb 27, 2019

Folks, I would appreciate it if someone could send me the application/service principal details using "az ad app show" and "az ad sp show". Through the diff with the regular object, I can update the Rest API to get this supported. I can try all things out myself, but that would take a longer time to get to the solution.
Again, I can be reached at yugangw at microsoft dot com

@m4r10k m4r10k commented Feb 27, 2019

Sure! I will send it to you later. -> done 😄

@annbrady annbrady commented Mar 23, 2019

Any recent updates? I'm looking to do the same things for the same reasons. Thanks!

@m4r10k m4r10k commented Mar 23, 2019

@annbrady I am still in contact with @yugangw-msft via e-mail - offline from this issue. He told me that it will take until approximately the end of April until the backend REST interfaces are opened and the SDKs will be able to access them. We have to wait a little bit at this point, but I am happy that @yugangw-msft is working on it together with the other Azure teams. 😄

@yugangw-msft yugangw-msft (Contributor) commented Apr 11, 2019

Hi folks, we understand this great need from the community, but at this moment we are not able to offer any ETAs you should align/plan your work with. One thing for sure is that once the Service API goes public, the CLI team will prioritize the work to expose the support as early as possible.

@avanbecelaere avanbecelaere commented May 7, 2019

I'm currently waiting on this as well. Is there an updated status?

@hemant6488 hemant6488 commented Sep 17, 2019

Any ETA on this yet?

@m4r10k m4r10k commented Sep 17, 2019

I have no new information on this, but I can ask back.

@viresh-contino viresh-contino commented Oct 9, 2019

Hi, I am very keen to see this bit of automation! Has anybody found a workaround?

@m4r10k m4r10k commented Oct 12, 2019

There's currently work in progress going on behind the scenes. I've asked back and currently there is some kind of alpha work in progress -> https://docs.microsoft.com/en-us/graph/api/resources/applicationtemplate?view=graph-rest-beta to get application templates accessible via the API. But this will still take some time.

There is no workaround available besides doing it manually, because the API for automation is simply missing. 😄

@StarkCaptain StarkCaptain commented Dec 10, 2019

As a workaround you can use the Graph API beta endpoint to create a SAML application based on the standard SAML application template ID. This will create a base SAML application in Azure AD whose SAML metadata you can then update.

https://docs.microsoft.com/en-us/graph/api/applicationtemplate-instantiate?view=graph-rest-beta&tabs=http

The ID of the basic SAML application template from Microsoft is: 8adf8e6e-67b2-4cf2-a259-e3dc5476c621

The endpoint URI would then be the one below for creating the application, with a request body JSON object of displayName, like below:

Request Type: POST

Request Body:

    {"displayName":"My App Test"}

URI Endpoint:

    https://graph.microsoft.com/beta/applicationTemplates/8adf8e6e-67b2-4cf2-a259-e3dc5476c621/instantiate

You could also specify the AWS template ID, which is 8b1025e4-1dd2-430b-a150-2ef79cd700f5

You can search for other template IDs from the Graph API endpoint such as below, using displayName as a filter:

    https://graph.microsoft.com/beta/applicationTemplates?$filter=contains(displayName, 'AWS')

or list all of them:

    https://graph.microsoft.com/beta/applicationTemplates
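The two Graph beta calls in the comment above (searching templates by displayName and instantiating a template), as an added example that is not part of the issue thread or of the Azure CLI project. It builds the requests with the standard library only, so the request construction can be checked offline; the bearer token is assumed to come from elsewhere, and the shape of the instantiate response (an object with `application` and `servicePrincipal` members carrying `id`/`appId`) is an assumption based on the Graph beta docs linked in the comment, with the sample response below constructed for illustration.

```python
"""Added example (not from the issue thread or the Azure CLI project):
build the Microsoft Graph beta requests for locating application
templates by displayName and for instantiating one.  Only the
`send()` helper touches the network; everything else is pure request
construction or response parsing and runs offline."""
import json
import urllib.parse
import urllib.request

GRAPH_BETA = "https://graph.microsoft.com/beta"

# Template IDs quoted in the issue thread.
BASIC_SAML_TEMPLATE_ID = "8adf8e6e-67b2-4cf2-a259-e3dc5476c621"
AWS_TEMPLATE_ID = "8b1025e4-1dd2-430b-a150-2ef79cd700f5"

# Constructed sample response (placeholder GUIDs); the real call returns an
# applicationServicePrincipal object with these two members (assumption).
SAMPLE_INSTANTIATE_RESPONSE = json.dumps({
    "application": {
        "id": "00000000-0000-0000-0000-00000000aaaa",
        "appId": "00000000-0000-0000-0000-00000000bbbb",
        "displayName": "My App Test",
    },
    "servicePrincipal": {
        "id": "00000000-0000-0000-0000-00000000cccc",
        "appId": "00000000-0000-0000-0000-00000000bbbb",
    },
})


def template_search_url(display_name_fragment: str) -> str:
    """URL listing application templates whose displayName contains the fragment."""
    # OData string literals are single-quoted; doubling any embedded quote keeps
    # a user-supplied fragment from breaking out of the literal.
    literal = display_name_fragment.replace("'", "''")
    query = urllib.parse.urlencode({"$filter": f"contains(displayName, '{literal}')"})
    return f"{GRAPH_BETA}/applicationTemplates?{query}"


def instantiate_request(template_id: str, display_name: str, token: str) -> urllib.request.Request:
    """POST .../applicationTemplates/{id}/instantiate with a displayName body."""
    body = json.dumps({"displayName": display_name}).encode("utf-8")
    return urllib.request.Request(
        url=f"{GRAPH_BETA}/applicationTemplates/{template_id}/instantiate",
        data=body,
        method="POST",
        headers={
            "Authorization": f"Bearer {token}",
            "Content-Type": "application/json",
        },
    )


def parse_instantiate_response(payload: str) -> dict:
    """Pull out the object ids a follow-up `az ad app update` / Graph PATCH needs."""
    doc = json.loads(payload)
    return {
        "application_id": doc["application"]["id"],
        "app_id": doc["application"]["appId"],
        "service_principal_id": doc["servicePrincipal"]["id"],
    }


def send(req: urllib.request.Request) -> dict:
    """Execute a prepared request; the only function here that needs network access."""
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))


if __name__ == "__main__":
    print(template_search_url("AWS"))
    req = instantiate_request(BASIC_SAML_TEMPLATE_ID, "My App Test", "<token>")
    print(req.get_method(), req.full_url, req.data.decode())
    print(parse_instantiate_response(SAMPLE_INSTANTIATE_RESPONSE))
```

The ids returned by `parse_instantiate_response` are the ones to feed into the subsequent update of `samlMetadataUrl` or `identifierUris`; keeping the search filter built through `urlencode` rather than string concatenation is what prevents a display-name fragment taken from a pipeline variable from altering the OData filter.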

@jsntcy jsntcy removed the Feature label Dec 30, 2019
@yonzhan yonzhan assigned jiasli and unassigned achandmsft Mar 10, 2020
@yonzhan yonzhan added this to the S167 milestone Mar 10, 2020
@jiasli jiasli removed this from the S167 milestone Mar 23, 2020
@jiasli jiasli added this to the Backlog milestone Mar 23, 2020
@duduz duduz commented Apr 2, 2020

Is there any progress on this?

Same as @m4r10k, I have like 200 AWS accounts I need to integrate with AAD.

@jiasli jiasli (Member) commented Apr 3, 2020

@duduz, as AAD is deprecating AD Graph and migrating to MS Graph, Azure CLI is also planning on moving to MS Graph (#12946). Temporarily, could you try the solution provided by @StarkCaptain and see if it works for you?

@duduz duduz commented Apr 5, 2020

@jiasli, I will check it, thank you

@duduz duduz commented Apr 17, 2020

@jiasli, it does provision the app, but apart from the icon for the app, nothing is really being inherited by the newly provisioned application.
When provisioning from applicationTemplates, you end up with a servicePrincipal and an application object:
the application doesn't inherit a randomly generated identifierUri value;
the servicePrincipal doesn't inherit the additional claims required; in addition, there's no KeyCredential being generated.

All of this is being provided when provisioning through the UI.
Something in the API functionality is missing and there's no API to compensate for it.
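A check for the gaps listed in the comment above, as an added example that is not part of the issue thread or of the Azure CLI project: it audits the `application` and `servicePrincipal` objects returned by the template instantiate call and reports what is still missing, so a provisioning pipeline can stop before the app is handed to users. It uses the Graph property names `identifierUris`, `keyCredentials` and `preferredSingleSignOnMode`; claims mapping is not a property of these objects and is therefore not covered. Both sample objects are constructed, with placeholder GUIDs.

```python
"""Added example (not from the issue thread or the Azure CLI project): audit
an application/servicePrincipal pair for the SAML-specific settings the
thread reports are not populated when the app comes from a template."""

# Constructed sample: what the thread reports coming back from the template,
# i.e. nothing SAML-specific populated (placeholder GUIDs).
FRESH_APP = {
    "id": "00000000-0000-0000-0000-00000000aaaa",
    "appId": "00000000-0000-0000-0000-00000000bbbb",
    "displayName": "aws-account-123",
    "identifierUris": [],
}
FRESH_SP = {
    "id": "00000000-0000-0000-0000-00000000cccc",
    "appId": "00000000-0000-0000-0000-00000000bbbb",
    "keyCredentials": [],
    "preferredSingleSignOnMode": None,
}

# Constructed sample: the same pair after SAML SSO has been fully configured.
CONFIGURED_APP = {
    **FRESH_APP,
    "identifierUris": ["https://signin.aws.amazon.com/saml#aws-account-123"],
}
CONFIGURED_SP = {
    **FRESH_SP,
    "keyCredentials": [
        {
            "usage": "Sign",
            "type": "AsymmetricX509Cert",
            "keyId": "00000000-0000-0000-0000-00000000dddd",
        }
    ],
    "preferredSingleSignOnMode": "saml",
}


def audit_saml_provisioning(application: dict, service_principal: dict) -> list:
    """Return human-readable findings; an empty list means the pair looks complete."""
    findings = []

    # The two objects must describe the same app registration.
    if application.get("appId") != service_principal.get("appId"):
        findings.append("application and servicePrincipal appId do not match")

    # The entity ID used in the SAML exchange; the thread reports it is left empty.
    if not application.get("identifierUris"):
        findings.append("application.identifierUris is empty (no SAML entity ID)")

    # Without a 'Sign' key credential there is no certificate to sign assertions with.
    signing = [
        k for k in (service_principal.get("keyCredentials") or [])
        if k.get("usage") == "Sign"
    ]
    if not signing:
        findings.append("servicePrincipal.keyCredentials has no signing certificate")

    # The SSO blade shows SAML only when the service principal is in saml mode.
    if service_principal.get("preferredSingleSignOnMode") != "saml":
        findings.append("servicePrincipal.preferredSingleSignOnMode is not 'saml'")

    return findings


if __name__ == "__main__":
    for label, app, sp in (
        ("fresh", FRESH_APP, FRESH_SP),
        ("configured", CONFIGURED_APP, CONFIGURED_SP),
    ):
        print(label, audit_saml_provisioning(app, sp) or "ok")
```

Run against the output of `az ad app show` / `az ad sp show` (or the Graph GET for each object) after instantiating a template, a non-empty findings list is the signal that the manual steps the thread describes have not yet been applied.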

@jiasli jiasli (Member) commented Apr 19, 2020

Hi @duduz, as for the API issue, since it is not under Azure CLI's coverage yet, do you mind creating a support ticket and contacting the AAD team directly? Thanks for understanding.

@duduz duduz commented Apr 19, 2020

Hi @jiasli, will do. In addition, I've raised an issue in the azure-rest-api-specs repo.

@Mina69 Mina69 commented Jun 30, 2020

@yugangw-msft Any update on this case?

@dazinator dazinator commented Sep 21, 2020

Any update on this? We currently automate the provisioning of QA environments to Azure; however, as part of that automation we want the QA engineer to be able to log into the app with their Azure AD account via SAML. This means we have to automate the creation of a SAML app in Azure AD for that QA environment (our QA environments have different URLs). Very disappointing to see this is apparently not yet possible even after all this time?

@AliKhyar AliKhyar commented May 18, 2021

@yugangw-msft any update on this please?

@jiasli jiasli (Member) commented May 19, 2021

We currently don't have a plan to implement SAML-related features in the existing az ad module, which still uses AD Graph. Please see #12946 for calling the Microsoft Graph API directly with az rest.
