Allow signing in to Active Directory with smart card
What does this MR do and why?
Currently smart card / certificate-based sign-in can authenticate against an LDAP server, unless that server is Active Directory based. This change allows using certificates such as those hosted on smart cards to authenticate against Active Directory servers in a basic way.
Markdown preview of new documentation
TODO:
- Determine if we can / need to support additional formats for the altSecurityIdentities attribute - see list of available formats here
- Make the altSecurityIdentities field name configurable via adapter settings: on Entra ID this may be an extended field synced from an on-prem AD controller, depending on what attributes are synchronized from the on-prem controller
- Add feature flag?
- Add documentation of new config values
- Robust tests for parts of the system
  - controller test
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Screenshots or screen recordings
| Before | After |
|---|---|
| ![]() | ![]() |
How to set up and validate locally
Very long guide link - here is a long guide about how to set up an Azure VM with Active Directory, upload certificate data, and use a certificate on your local GDK to log in. I plan to refine this and add it to the GDK howto docs down the line, but for now it's pretty targeted at this MR. The extremely-abbreviated version:
- Provision an Active Directory server either in your network or via Azure VM - guide coming shortly based on this tutorial
- Set the user's altSecurityIdentities field in the directory to the certificate you plan to use.
- When signing in, select your Active Directory LDAP server tab on the sign-in screen, and press "Sign in with smart card"
- Use your smart card or browser certificate store to submit the appropriate certificate
- You should be signed in. If your account is not provisioned, but signup is enabled, a new account will be created for you
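As an added example (not code from this MR or from GitLab), here is what the `altSecurityIdentities` values set in step 2 look like for a given certificate, which of the Active Directory mapping formats Microsoft classifies as weak (issuer/subject name only, as opposed to issuer+serial or SKI), and how the lookup filter should be escaped so certificate-derived strings cannot alter the LDAP query. The sample certificate is generated inside the block; the attribute name is the default one this MR uses.

```ruby
require 'openssl'

# AD writes X.500 names root-first, e.g. "DC=example,DC=test,CN=jdoe".
# Values containing ',' or '+' would need escaping; not handled here.
def ad_name(x509_name)
  x509_name.to_a.map { |oid, value, _| "#{oid}=#{value}" }.join(',')
end

# Candidate altSecurityIdentities strings in AD syntax for one certificate.
def alt_security_identities(cert)
  issuer  = ad_name(cert.issuer)
  subject = ad_name(cert.subject)
  serial  = cert.serial.to_s(16).downcase
  serial  = '0' + serial if serial.length.odd?
  ski     = cert.extensions.find { |e| e.oid == 'subjectKeyIdentifier' }
  ids = {
    issuer_subject: "X509:<I>#{issuer}<S>#{subject}",
    subject:        "X509:<S>#{subject}",
    # <SR> is the serial number with its byte order reversed.
    issuer_serial:  "X509:<I>#{issuer}<SR>#{serial.scan(/../).reverse.join}"
  }
  ids[:ski] = "X509:<SKI>#{ski.value.delete(':').downcase}" if ski
  ids
end

# Name-only mappings (and <RFC822> e-mail, not built here) are "weak" under
# Microsoft's strong-mapping enforcement; prefer <SKI> or <I><SR>.
WEAK_MAPPINGS = %i[issuer_subject subject].freeze
def strong_mapping?(kind) = !WEAK_MAPPINGS.include?(kind)

# RFC 4515 escaping: the only way to keep "(", ")", "*", "\" and NUL from
# a certificate field out of the filter grammar.
def ldap_escape(value)
  value.gsub(/[\\*()\x00]/) { |c| format('\\%02x', c.ord) }
end

def alt_security_identities_filter(value, attribute = 'altSecurityIdentities')
  "(#{attribute}=#{ldap_escape(value)})"
end

# Constructed self-signed certificate used only as sample input.
def sample_certificate
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version, cert.serial = 2, 0x1234ab
  cert.subject = OpenSSL::X509::Name.parse('/DC=example/DC=test/CN=Users/CN=jdoe')
  cert.issuer  = OpenSSL::X509::Name.parse('/DC=example/DC=test/CN=Example Test CA')
  cert.public_key, cert.not_before, cert.not_after = key.public_key, Time.now, Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  cert.add_extension(ef.create_extension('subjectKeyIdentifier', 'hash'))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
end
```

Run `alt_security_identities(sample_certificate)` to see all candidate values; only the ones for which `strong_mapping?` is true survive a domain controller with strong mapping enforced.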
Related to #328074 (closed)