WEPO: Orbit enrollment and MSIInstallJob #41381

@JordanMontgomery

Description

Related user story

#40787

Task

• Update the existing STSAuthToken claims in server/mdm/microsoft/wstep.go to include a new custom device_id claim which represents the MDM Windows Device ID of the enrolling device.
• Add code to generate an STS Auth Token (see NewSTSAuthToken for example), signed with our public key, and including device_id and the email/UPN that the Autopilot/Settings App enroll request contained. This should have a 1 hour validity just to account for network slowness on the enroll.
• Modify server/service/microsoft_mdm.go enqueueInstallFleetdCommand() to pass a generated STS Auth Token as EUA_TOKEN to the orbit installer.
• Update the orbit enrollment endpoint to accept the new eua_token value being passed from orbit (see #41379) as part of the request if it exists.
• If a Windows host enrolls and passes an eua_token and it would otherwise have its enrollment fail with the END_USER_AUTH_REQUIRED error:
  • Validate that the passed token is valid (see GetSTSAuthTokenUPNClaim for example).
  • Fetch the mdm_windows_enrollment referred to by device_id in the token.
  • If the mdm_windows_enrollment has no host UUID linked, create an mdm_idp_accounts row (or fetch the existing one) matching the email in the UPN (do not clear the first/last names if the row already exists).
  • Link the mdm_idp_accounts row to the host_uuid via host_mdm_idp_accounts.
  • After the orbit enroll, link the mdm_windows_enrollment row to the orbit host entry via host_uuid (on the mwe row).
  • Update the SCIM mapping of the enrolled host, if applicable. See directIngestMDMDeviceIDWindows() in server/service/osquery_utils/queries.go for how we update the SCIM mapping for autopilot enrollments today.

Condition of satisfaction

The EUA token is passed via the Windows MDM MsiInstallJob command, and if orbit uses it during enrollment, the user is not prompted for end user authentication twice since they already authenticated to Azure.

Labels: #g-power-to-pc (Power to the PC working group); :release (Ready to write code. Scheduled in a release. See "Making changes" in handbook.); ~sub-task (A technical sub-task that is part of a story. Not QA'd. Not estimated.)

Status: Awaiting QA
