
Allow signing in to Active Directory with smart card

Andrew Evans requested to merge 328074-active-directory-smartcards into master

What does this MR do and why?

Allow signing in to Active Directory with smart card

Currently smart card / certificate-based sign-in can authenticate against an LDAP server, unless that server is Active Directory based. This change allows using certificates such as those hosted on smart cards to authenticate against Active Directory servers in a basic way.

Markdown preview of new documentation

TODO:

  • Determine if we can / need to support additional formats for altSecurityIdentities attribute - see list of available formats here
  • Make altSecurityIdentities field name configurable via adapter settings: on Entra ID this may be an extended field synced from an on-prem AD controller, depending on what attributes are synchronized from the on-prem controller
  • Add feature flag?
  • Add documentation of new config values
  • Robust tests for parts of the system
  • controller test

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Screenshots or screen recordings

Screenshots: without_feature (before), with_feature (after)

How to set up and validate locally

Very long guide link - here is a long guide about how to set up an Azure VM with Active Directory, upload certificate data, and use a certificate on your local GDK to log in. I plan to refine this and add it to the GDK howto docs down the line, but for now it's pretty targeted at this MR. The extremely-abbreviated version:

  1. Provision an Active Directory server either in your network or via Azure VM - guide coming shortly based on this tutorial
  2. Set the user's altSecurityIdentities field in the directory to the certificate you plan to use.
  3. When signing in, select your Active Directory LDAP server tab on the sign-in screen, and press "Sign in with smart card"
  4. Use your smart card or browser certificate store to submit the appropriate certificate
  5. You should be signed in. If your account is not provisioned, but signup is enabled, a new account will be created for you

Related to #328074 (closed)

Edited by Andrew Evans
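To make step 2 of the setup concrete, the following added example (not code from this MR or from GitLab) derives the altSecurityIdentities value for a certificate and the escaped LDAP filter a lookup would use. It assumes the Issuer/Subject form of the attribute (the MR's TODO notes other forms exist) and uses constructed, hypothetical DNs and helper names; the real GitLab implementation may differ.

```ruby
require 'openssl'

# Constructed test certificate: a real smart-card cert would be issued by the
# CA that Active Directory trusts; here the issuer DN is set by hand and the
# cert is self-signed, which is enough for building the mapping string.
def build_test_cert(subject_rdns, issuer_rdns)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.new(subject_rdns)
  cert.issuer = OpenSSL::X509::Name.new(issuer_rdns)
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# AD writes DNs most-significant RDN first (DC=com,DC=example,CN=...), which is
# the order the RDNs are stored in the certificate, so Name#to_a is joined as-is
# rather than using the reversed RFC 2253 rendering OpenSSL prints by default.
def ad_dn(name)
  name.to_a.map { |attr, value, _type| "#{attr}=#{value}" }.join(',')
end

# Issuer + Subject form of the altSecurityIdentities mapping (assumption: the
# MR matches on this form; other forms such as <SKI> are the TODO in the MR).
def alt_security_identity(cert)
  "X509:<I>#{ad_dn(cert.issuer)}<S>#{ad_dn(cert.subject)}"
end

# RFC 4515 escaping so DN characters cannot alter the LDAP search filter.
LDAP_FILTER_ESCAPES = { "\\" => '\5c', '*' => '\2a', '(' => '\28', ')' => '\29', "\0" => '\00' }.freeze

def ldap_escape(value)
  value.gsub(/[\\*()\0]/) { |c| LDAP_FILTER_ESCAPES[c] }
end

# Filter used to look the user up by the certificate presented at sign-in.
def user_lookup_filter(cert, attribute: 'altSecurityIdentities')
  "(#{attribute}=#{ldap_escape(alt_security_identity(cert))})"
end

if __FILE__ == $PROGRAM_NAME
  cert = build_test_cert([%w[DC com], %w[DC example], %w[OU Users], ['CN', 'Jane Doe (Admin)']],
                         [%w[DC com], %w[DC example], ['CN', 'Example Issuing CA']])
  puts alt_security_identity(cert)
  puts user_lookup_filter(cert)
end
```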
