diff --git a/docs/images/Intune-1-App-Registration.png b/docs/images/Intune-1-App-Registration.png
new file mode 100644
index 000000000000..6cb7aa225fc9
Binary files /dev/null and b/docs/images/Intune-1-App-Registration.png differ
diff --git a/docs/images/Intune-2-Register-Application.png b/docs/images/Intune-2-Register-Application.png
new file mode 100644
index 000000000000..77e278d0bf3a
Binary files /dev/null and b/docs/images/Intune-2-Register-Application.png differ
diff --git a/docs/images/Intune-3-App-Detail.png b/docs/images/Intune-3-App-Detail.png
new file mode 100644
index 000000000000..427609f2635a
Binary files /dev/null and b/docs/images/Intune-3-App-Detail.png differ
diff --git a/docs/images/Intune-4-App-Certificates-Secrets.png b/docs/images/Intune-4-App-Certificates-Secrets.png
new file mode 100644
index 000000000000..60dd520a6630
Binary files /dev/null and b/docs/images/Intune-4-App-Certificates-Secrets.png differ
diff --git a/docs/images/Intune-5-Add-Client-Secret.png b/docs/images/Intune-5-Add-Client-Secret.png
new file mode 100644
index 000000000000..bbbacdd027c2
Binary files /dev/null and b/docs/images/Intune-5-Add-Client-Secret.png differ
diff --git a/docs/images/Intune-6-Copy-Client-Secret.png b/docs/images/Intune-6-Copy-Client-Secret.png
new file mode 100644
index 000000000000..6b46bffbd284
Binary files /dev/null and b/docs/images/Intune-6-Copy-Client-Secret.png differ
diff --git a/docs/images/Intune-7-API-Permissions.png b/docs/images/Intune-7-API-Permissions.png
new file mode 100644
index 000000000000..05a611275d7a
Binary files /dev/null and b/docs/images/Intune-7-API-Permissions.png differ
diff --git a/docs/images/Intune-8-Grant-Admin.png b/docs/images/Intune-8-Grant-Admin.png
new file mode 100644
index 000000000000..d5ab8b7e2eba
Binary files /dev/null and b/docs/images/Intune-8-Grant-Admin.png differ
diff --git a/docs/installation/pki/packetfence.asciidoc b/docs/installation/pki/packetfence.asciidoc
index b5fc9031ee76..1d83e0ab2c09 100644
--- a/docs/installation/pki/packetfence.asciidoc
+++ b/docs/installation/pki/packetfence.asciidoc
@@ -98,3 +98,42 @@ image::packetfence-pki-pki-provider_menu.png[scaledwidth="100%",alt="PKI Provide
 ===== Create a certificate per user or per device mac address, this example will cover one certificate per device:
 image::packetfence-pki-pki-provider_creation.png[scaledwidth="100%",alt="PKI Provider"]
+
+
+==== Intune Integration
+
+===== Azure configuration
+
+You can hand out certificates when you use intune enrolment.
+
+First you need to create an application on Azure that allow PacketFence to connect to the Intune API.
+
+To do that first you have to go in Azure portal and App registration then click "New registration"
+
+image::Intune-1-App-Registration.png[scaledwidth="100%",alt="App-Registration"]
+
+Next set a Name and in "Supported account types" select "Accounts in this organizational directory only" then click "Register"
+
+image::Intune-2-Register-Application.png[scaledwidth="100%",alt="Register-Application"]
+
+On the next page you have to copy the "Application (Client) ID" and the "Directory (tenant) ID", thoses will be needed to configure PacketFence.
+
+image::Intune-3-App-Detail.png[scaledwidth="100%",alt="Application-Detail"]
+
+Then you need to generate a "Client secrets", to do that click on "Add a certificate or secret"
+
+image::Intune-4-App-Certificates-Secrets.png[scaledwidth="100%",alt="App-Certificates-Secrets"]
+
+image::Intune-5-Add-Client-Secret.png[scaledwidth="100%",alt="Add-Client-Secret"]
+
+Copy the "Value" of the secret, this is the only time you should be able to see it.
+
+image::Intune-6-Copy-Client-Secret.png[scaledwidth="100%",alt="Copy-Client-Secret"]
+
+Next you have to add API permissions, click on "API permissions" -> "Add a Permissions" and search for Intune and select "scep_challenge_provider".
+
+image::Intune-7-API-Permissions.png[scaledwidth="100%",alt="API-Permissions"]
+
+Last step is to "Grant admin", just click on "Grant admin consent for ..."
and click "Yes"
+
+image::Intune-8-Grant-Admin.png[scaledwidth="100%",alt="Grant-Admin"]
\ No newline at end of file
diff --git a/go/caddy/pfpki/cloud/intune.go b/go/caddy/pfpki/cloud/intune.go
index 0b3380cf4e39..e0ec05bfd991 100644
--- a/go/caddy/pfpki/cloud/intune.go
+++ b/go/caddy/pfpki/cloud/intune.go
@@ -13,7 +13,6 @@ import (
 	"os"
 
 	"github.com/Azure/go-autorest/autorest/adal"
-	"github.com/davecgh/go-spew/spew"
 	"github.com/google/uuid"
 	"github.com/inverse-inc/packetfence/go/caddy/pfpki/certutils"
 	"github.com/inverse-inc/packetfence/go/pfconfigdriver"
@@ -78,7 +77,7 @@ const VALIDATION_URL = "ScepActions/validateRequest"
 const NOTIFY_SUCCESS_URL = "ScepActions/successNotification"
 const NOTIFY_FAILURE_URL = "ScepActions/failureNotification"
 const SERVICE_VERSION_PROP_NAME = VALIDATION_SERVICE_NAME + "Version"
-const PROVIDER_NAME_AND_VERSION_NAME = "PacketFence 10.3"
+const PROVIDER_NAME_AND_VERSION_NAME = "PacketFence"
 const intuneAppId = "0000000a-0000-0000-c000-000000000000"
 const intuneResourceUrl = "https://api.manage.microsoft.com/"
@@ -125,8 +124,6 @@ func (cl *Intune) NewCloud(ctx context.Context, name string) {
 	id, err := uuid.NewUUID()
 	cl.TransactionID = id.String()
-	spew.Dump(cl)
-
 	spt, err = adal.NewServicePrincipalToken(*oauthConfig, cl.ClientID, cl.ClientSecret, graphResourceUrl)
 	err = spt.Refresh()
@@ -185,7 +182,6 @@ func (cl *Intune) NewCloud(ctx context.Context, name string) {
 	apiEndpoint.ObjectId = n.(map[string]interface{})["objectId"].(string)
 	apiEndpoint.ResourceId = n.(map[string]interface{})["resourceId"].(string)
 	apiEndpoint.ObjectType = n.(map[string]interface{})["objectType"].(string)
-	// apiEndpoint.DeletionTimestamp = n.(map[string]interface{})["deletionTimestamp"].(interface{})
 	apiEndpoint.Capability = n.(map[string]interface{})["capability"].(string)
 	apiEndpoint.ServiceId = n.(map[string]interface{})["serviceId"].(string)
 	apiEndpoint.ServiceName = n.(map[string]interface{})["serviceName"].(string)
@@ -265,8 +261,8 @@ func (cl *Intune) SuccessReply(ctx context.Context, cert *x509.Certificate, data
 	}
 	defer resp.Body.Close()
-	body, err := ioutil.ReadAll(resp.Body)
-	spew.Dump(body)
+	_, err = ioutil.ReadAll(resp.Body)
+
 	if resp.StatusCode != 200 {
 		return errors.New("Unable to verify the scep request on intune")
 	}
@@ -302,8 +298,7 @@ func (cl *Intune) FailureReply(ctx context.Context, cert *x509.Certificate, data
 		return err
 	}
 	defer resp.Body.Close()
-	body, err := ioutil.ReadAll(resp.Body)
-	spew.Dump(body)
+	_, err = ioutil.ReadAll(resp.Body)
 	if resp.StatusCode != 200 {
 		return errors.New("Unable to verify the scep request on intune")
diff --git a/go/caddy/pfpki/models/models.go b/go/caddy/pfpki/models/models.go
index 41afaa87fdc5..af84fce79301 100644
--- a/go/caddy/pfpki/models/models.go
+++ b/go/caddy/pfpki/models/models.go
@@ -20,7 +20,6 @@ import (
 	"strconv"
 	"strings"
 
-	"github.com/davecgh/go-spew/spew"
 	"github.com/fdurand/scep/scep"
 	"github.com/knq/pemutil"
@@ -577,7 +576,7 @@ func (c CA) HasCN(cn string, allowTime int, cert *x509.Certificate, revokeOldCer
 	cert := pemUtil.(*x509.Certificate)
 	if cert.NotAfter.Unix()-int64((14*24*time.Hour).Seconds()) < time.Now().Unix() {
-		spew.Dump("Need to revoke")
+
 		params := make(map[string]string)
 		params["id"] = strconv.Itoa(int(certif.ID))
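Review bot: On the new `_, err = ioutil.ReadAll(resp.Body)` line in SuccessReply the read error is assigned but never examined before the status check, so a failed or truncated drain of the Intune response is silently ignored and the assignment is dead unless `err` is consulted later, which would be outside the hunk; the FailureReply hunk below has the same pattern. Since the body is no longer used, either check the result on the spot, `if _, err = ioutil.ReadAll(resp.Body); err != nil { return err }`, or drop the read entirely, and if it stays add a one-line comment stating why the body is drained (keeping the connection reusable) so the next reader does not mistake it for leftover debugging. With the body now discarded, `resp.StatusCode` is the only diagnostic left, so folding it into the error returned on non-200 would help operators debugging SCEP notifications; the message text itself predates this change. Both SuccessReply and FailureReply begin and end outside their hunks.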