diff --git a/.github/workflows/keyfactor-bootstrap-workflow.yml b/.github/workflows/keyfactor-bootstrap-workflow.yml index 6d8de53..64919a4 100644 --- a/.github/workflows/keyfactor-bootstrap-workflow.yml +++ b/.github/workflows/keyfactor-bootstrap-workflow.yml @@ -11,9 +11,10 @@ on: jobs: call-starter-workflow: - uses: keyfactor/actions/.github/workflows/starter.yml@v2 + uses: keyfactor/actions/.github/workflows/starter.yml@v3 secrets: token: ${{ secrets.V2BUILDTOKEN}} APPROVE_README_PUSH: ${{ secrets.APPROVE_README_PUSH}} gpg_key: ${{ secrets.KF_GPG_PRIVATE_KEY }} gpg_pass: ${{ secrets.KF_GPG_PASSPHRASE }} + scan_token: ${{ secrets.SAST_TOKEN }} diff --git a/CHANGELOG.md b/CHANGELOG.md index 58d70ab..101cd68 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -13,3 +13,6 @@ - 3.1.1 - fix(deps): Revert main Azure App Registration and Enterprise Application Orchestrator extension .NET project to .NET 6 from .NET 8. + +- 3.2.0 + - chore(docs): Upgrade GitHub Actions to use Bootstrap Workflow v3 to support Doctool diff --git a/README.md b/README.md index fdb22b2..7f950ea 100644 --- a/README.md +++ b/README.md 
@@ -1,53 +1,3 @@ - -# Azure App Registration and Enterprise Application Orchestrator - -The Azure App Registration and Enterprise Application Orchestrator extension remotely manages both Azure App Registration/Application certificates and Enterprise Application/Service Principal certificates. - -#### Integration status: Production - Ready for use in production environments. - -## About the Keyfactor Universal Orchestrator Extension - -This repository contains a Universal Orchestrator Extension which is a plugin to the Keyfactor Universal Orchestrator. Within the Keyfactor Platform, Orchestrators are used to manage “certificate stores” — collections of certificates and roots of trust that are found within and used by various applications. - -The Universal Orchestrator is part of the Keyfactor software distribution and is available via the Keyfactor customer portal. For general instructions on installing Extensions, see the “Keyfactor Command Orchestrator Installation and Configuration Guide” section of the Keyfactor documentation. For configuration details of this specific Extension see below in this readme. - -The Universal Orchestrator is the successor to the Windows Orchestrator. This Orchestrator Extension plugin only works with the Universal Orchestrator and does not work with the Windows Orchestrator. - -## Support for Azure App Registration and Enterprise Application Orchestrator - -Azure App Registration and Enterprise Application Orchestrator is supported by Keyfactor for Keyfactor customers. If you have a support issue, please open a support ticket via the Keyfactor Support Portal at https://support.keyfactor.com - -###### To report a problem or suggest a new feature, use the **[Issues](../../issues)** tab. If you want to contribute actual bug fixes or proposed enhancements, use the **[Pull requests](../../pulls)** tab. 
- ---- - - ---- - - - -## Keyfactor Version Supported - -The minimum version of the Keyfactor Universal Orchestrator Framework needed to run this version of the extension is 10.4 -## Platform Specific Notes - -The Keyfactor Universal Orchestrator may be installed on either Windows or Linux based platforms. The certificate operations supported by a capability may vary based what platform the capability is installed on. The table below indicates what capabilities are supported based on which platform the encompassing Universal Orchestrator is running. -| Operation | Win | Linux | -|-----|-----|------| -|Supports Management Add|✓ |✓ | -|Supports Management Remove|✓ |✓ | -|Supports Create Store| | | -|Supports Discovery|✓ |✓ | -|Supports Reenrollment| | | -|Supports Inventory|✓ |✓ | - - - - - ---- - -

Azure App Registration and Enterprise Application Universal Orchestrator Extension

@@ -86,6 +36,15 @@ The Azure App Registration and Enterprise Application Orchestrator extension rem Certificates used for client authentication by Applications (configured in App Registrations) are represented by the [`AzureApp` store type](docs/azureapp.md), and certificates used for SSO/SAML assertion signing are represented by the [`AzureSP` store type](docs/azuresp.md). Both store types are managed by the same extension. The extension is configured with a single Azure Service Principal that is used to authenticate to the [Microsoft Graph API](https://learn.microsoft.com/en-us/graph/use-the-api). The Azure App Registration and Enterprise Application Orchestrator extension manages certificates for Azure App Registrations (Applications) and Enterprise Applications (Service Principals) differently. +## Compatibility + +This integration is compatible with Keyfactor Universal Orchestrator version 10.4 and later. + +## Support +The Azure App Registration and Enterprise Application Universal Orchestrator extension is supported by Keyfactor for Keyfactor customers. If you have a support issue, please open a support ticket with your Keyfactor representative. If you have a support issue, please open a support ticket via the Keyfactor Support Portal at https://support.keyfactor.com. + +> To report a problem or suggest a new feature, use the **[Issues](../../issues)** tab. If you want to contribute actual bug fixes or proposed enhancements, use the **[Pull requests](../../pulls)** tab. + ## Installation Before installing the Azure App Registration and Enterprise Application Universal Orchestrator extension, it's recommended to install [kfutil](https://github.com/Keyfactor/kfutil). Kfutil is a command-line tool that simplifies the process of creating store types, installing extensions, and instantiating certificate stores in Keyfactor Command. @@ -100,7 +59,7 @@ The Azure App Registration and Enterprise Application Universal Orchestrator ext
Requirements - ### Azure Service Principal (Graph API Authentication) + #### Azure Service Principal (Graph API Authentication) The Azure App Registration and Enterprise Application Orchestrator extension uses an [Azure Service Principal](https://learn.microsoft.com/en-us/entra/identity-platform/app-objects-and-service-principals?tabs=browser) for authentication. Follow [Microsoft's documentation](https://learn.microsoft.com/en-us/entra/identity-platform/howto-create-service-principal-portal) to create a service principal. Currently, Client Secret authentication is supported. The Service Principal must have the following API Permission: - **_Microsoft Graph Application Permissions_**: @@ -110,7 +69,7 @@ The Azure App Registration and Enterprise Application Universal Orchestrator ext Alternatively, the Service Principal can be granted the `Application.ReadWrite.OwnedBy` permission if the Service Principal is only intended to manage its own App Registration/Application. - #### Client Certificate or Client Secret + ##### Client Certificate or Client Secret Beginning in version 3.0.0, the Azure App Registration and Enterprise Application Orchestrator extension supports both [client certificate authentication](https://learn.microsoft.com/en-us/graph/auth-register-app-v2#option-1-add-a-certificate) and [client secret](https://learn.microsoft.com/en-us/graph/auth-register-app-v2#option-2-add-a-client-secret) authentication. 
@@ -159,14 +118,12 @@ The Azure App Registration and Enterprise Application Universal Orchestrator ext > > You will use `clientcert.[pem|pfx].base64` as the **ClientCertificate** field in the [Certificate Store Configuration](#certificate-store-configuration) section. - ### Azure App Registration (Application) + #### Azure App Registration (Application) - #### Application Certificates + ##### Application Certificates Application certificates are used for client authentication and are typically public key only. No additional configuration in Azure is necessary to manage Application certificates since all App Registrations can contain any number of [Certificates and Secrets](https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app#add-credentials). Unless the Discovery job is used, you should collect the Application IDs for each App Registration that contains certificates to be managed. - -
2. Create Certificate Store Types for the Azure App Registration and Enterprise Application Orchestrator extension. @@ -196,7 +153,10 @@ The Azure App Registration and Enterprise Application Universal Orchestrator ext * **Manually**: Follow the [official Command documentation](https://software.keyfactor.com/Core-OnPrem/Current/Content/InstallingAgents/NetCoreOrchestrator/CustomExtensions.htm?Highlight=extensions) to install the latest [Azure App Registration and Enterprise Application Universal Orchestrator extension](https://github.com/Keyfactor/azure-application-orchestrator/releases/latest). 4. Create new certificate stores in Keyfactor Command for the Sample Universal Orchestrator extension. + * [Azure App Registration (Application)](docs/azureapp.md#certificate-store-configuration) + +
Azure Enterprise Application (Service Principal) @@ -206,7 +166,7 @@ The Azure App Registration and Enterprise Application Universal Orchestrator ext
Requirements - ### Azure Service Principal (Graph API Authentication) + #### Azure Service Principal (Graph API Authentication) The Azure App Registration and Enterprise Application Orchestrator extension uses an [Azure Service Principal](https://learn.microsoft.com/en-us/entra/identity-platform/app-objects-and-service-principals?tabs=browser) for authentication. Follow [Microsoft's documentation](https://learn.microsoft.com/en-us/entra/identity-platform/howto-create-service-principal-portal) to create a service principal. Currently, Client Secret authentication is supported. The Service Principal must have the following API Permission: - **_Microsoft Graph Application Permissions_**: @@ -216,7 +176,7 @@ The Azure App Registration and Enterprise Application Universal Orchestrator ext Alternatively, the Service Principal can be granted the `Application.ReadWrite.OwnedBy` permission if the Service Principal is only intended to manage its own App Registration/Application. - #### Client Certificate or Client Secret + ##### Client Certificate or Client Secret Beginning in version 3.0.0, the Azure App Registration and Enterprise Application Orchestrator extension supports both [client certificate authentication](https://learn.microsoft.com/en-us/graph/auth-register-app-v2#option-1-add-a-certificate) and [client secret](https://learn.microsoft.com/en-us/graph/auth-register-app-v2#option-2-add-a-client-secret) authentication. 
@@ -265,14 +225,12 @@ The Azure App Registration and Enterprise Application Universal Orchestrator ext > > You will use `clientcert.[pem|pfx].base64` as the **ClientCertificate** field in the [Certificate Store Configuration](#certificate-store-configuration) section. - ### Enterprise Application (Service Principal) + #### Enterprise Application (Service Principal) - #### Service Principal Certificates + ##### Service Principal Certificates Service Principal certificates are typically used for SAML Token signing. Service Principals are created from Enterprise Applications, and will mostly be configured with a variation of Microsoft's [SAML-based single sign-on](https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/add-application-portal) documentation. For more information on the mechanics of the Service Principal certificate management capabilities of this extension, please see the [mechanics](#extension-mechanics) section. - -
2. Create Certificate Store Types for the Azure App Registration and Enterprise Application Orchestrator extension. @@ -302,7 +260,10 @@ The Azure App Registration and Enterprise Application Universal Orchestrator ext * **Manually**: Follow the [official Command documentation](https://software.keyfactor.com/Core-OnPrem/Current/Content/InstallingAgents/NetCoreOrchestrator/CustomExtensions.htm?Highlight=extensions) to install the latest [Azure App Registration and Enterprise Application Universal Orchestrator extension](https://github.com/Keyfactor/azure-application-orchestrator/releases/latest). 4. Create new certificate stores in Keyfactor Command for the Sample Universal Orchestrator extension. + * [Azure Enterprise Application (Service Principal)](docs/azuresp.md#certificate-store-configuration) + +
@@ -312,8 +273,4 @@ Apache License 2.0, see [LICENSE](LICENSE). ## Related Integrations -See all [Keyfactor Universal Orchestrator extensions](https://github.com/orgs/Keyfactor/repositories?q=orchestrator). - -When creating cert store type manually, that store property names and entry parameter names are case sensitive - - +See all [Keyfactor Universal Orchestrator extensions](https://github.com/orgs/Keyfactor/repositories?q=orchestrator). \ No newline at end of file diff --git a/docs/azureapp.md b/docs/azureapp.md index 9380654..8b578ed 100644 --- a/docs/azureapp.md +++ b/docs/azureapp.md @@ -17,7 +17,7 @@ Azure [App Registration/Application certificates](https://learn.microsoft.com/en ## Requirements -### Azure Service Principal (Graph API Authentication) +#### Azure Service Principal (Graph API Authentication) The Azure App Registration and Enterprise Application Orchestrator extension uses an [Azure Service Principal](https://learn.microsoft.com/en-us/entra/identity-platform/app-objects-and-service-principals?tabs=browser) for authentication. Follow [Microsoft's documentation](https://learn.microsoft.com/en-us/entra/identity-platform/howto-create-service-principal-portal) to create a service principal. Currently, Client Secret authentication is supported. The Service Principal must have the following API Permission: - **_Microsoft Graph Application Permissions_**: 
@@ -27,7 +27,7 @@ The Azure App Registration and Enterprise Application Orchestrator extension use Alternatively, the Service Principal can be granted the `Application.ReadWrite.OwnedBy` permission if the Service Principal is only intended to manage its own App Registration/Application. -#### Client Certificate or Client Secret +##### Client Certificate or Client Secret Beginning in version 3.0.0, the Azure App Registration and Enterprise Application Orchestrator extension supports both [client certificate authentication](https://learn.microsoft.com/en-us/graph/auth-register-app-v2#option-1-add-a-certificate) and [client secret](https://learn.microsoft.com/en-us/graph/auth-register-app-v2#option-2-add-a-client-secret) authentication. 
@@ -76,37 +76,16 @@ Beginning in version 3.0.0, the Azure App Registration and Enterprise Applicatio > > You will use `clientcert.[pem|pfx].base64` as the **ClientCertificate** field in the [Certificate Store Configuration](#certificate-store-configuration) section. -### Azure App Registration (Application) +#### Azure App Registration (Application) -#### Application Certificates +##### Application Certificates Application certificates are used for client authentication and are typically public key only. No additional configuration in Azure is necessary to manage Application certificates since all App Registrations can contain any number of [Certificates and Secrets](https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app#add-credentials). Unless the Discovery job is used, you should collect the Application IDs for each App Registration that contains certificates to be managed. - -## Extension Mechanics - -The Azure App Registration and Enterprise Application Orchestrator extension uses the [Microsoft Dotnet Graph SDK](https://learn.microsoft.com/en-us/graph/sdks/sdks-overview) to interact with the Microsoft Graph API. The extension uses the following Graph API endpoints to manage Application certificates: - -* [Get Application](https://learn.microsoft.com/en-us/graph/api/application-get?view=graph-rest-1.0&tabs=http) - Used to obtain the Object ID of the App Registration, and to download the certificates owned by the App Registration. -* [Update Application](https://learn.microsoft.com/en-us/graph/api/application-update?view=graph-rest-1.0&tabs=http) - Used to modify the App Registration to add or remove certificates. - * Specifically, the extension manipulates the [`keyCredentials` resource](https://learn.microsoft.com/en-us/graph/api/resources/keycredential?view=graph-rest-1.0) of the Application object. - -### Discovery Job - -The Discovery operation discovers all Azure App Registrations that the Service Principal has access to. 
The discovered App Registrations (specifically, their Application IDs) are reported back to Command and can be easily added as certificate stores from the Locations tab. - -The Discovery operation uses the "Directories to search" field, and accepts input in one of the following formats: -- `*` - If the asterisk symbol `*` is used, the extension will search for all Azure App Registrations that the Service Principal has access to, but only in the tenant that the discovery job was configured for as specified by the "Client Machine" field in the certificate store configuration. -- `,,...` - If a comma-separated list of tenant IDs is used, the extension will search for all Azure App Registrations available in each tenant specified in the list. The tenant IDs should be the GUIDs associated with each tenant, and it's the user's responsibility to ensure that the service principal has access to the specified tenants. - -> The Discovery Job only supports Client Secret authentication. - - - ## Certificate Store Type Configuration -The recommended method for creating the `AzureApp` Certificate Store Type is to use [kfutil](https://github.com/Keyfactor/kfutil). After installing, use the following command to create the `` Certificate Store Type: +The recommended method for creating the `AzureApp` Certificate Store Type is to use [kfutil](https://github.com/Keyfactor/kfutil). After installing, use the following command to create the `AzureApp` Certificate Store Type: ```shell kfutil store-types create AzureApp 
@@ -169,24 +148,47 @@ The Custom Fields tab should look like this: + +## Extension Mechanics + +The Azure App Registration and Enterprise Application Orchestrator extension uses the [Microsoft Dotnet Graph SDK](https://learn.microsoft.com/en-us/graph/sdks/sdks-overview) to interact with the Microsoft Graph API. The extension uses the following Graph API endpoints to manage Application certificates: + +* [Get Application](https://learn.microsoft.com/en-us/graph/api/application-get?view=graph-rest-1.0&tabs=http) - Used to obtain the Object ID of the App Registration, and to download the certificates owned by the App Registration. +* [Update Application](https://learn.microsoft.com/en-us/graph/api/application-update?view=graph-rest-1.0&tabs=http) - Used to modify the App Registration to add or remove certificates. + * Specifically, the extension manipulates the [`keyCredentials` resource](https://learn.microsoft.com/en-us/graph/api/resources/keycredential?view=graph-rest-1.0) of the Application object. + +#### Discovery Job + +The Discovery operation discovers all Azure App Registrations that the Service Principal has access to. The discovered App Registrations (specifically, their Application IDs) are reported back to Command and can be easily added as certificate stores from the Locations tab. + +The Discovery operation uses the "Directories to search" field, and accepts input in one of the following formats: +- `*` - If the asterisk symbol `*` is used, the extension will search for all Azure App Registrations that the Service Principal has access to, but only in the tenant that the discovery job was configured for as specified by the "Client Machine" field in the certificate store configuration. +- `,,...` - If a comma-separated list of tenant IDs is used, the extension will search for all Azure App Registrations available in each tenant specified in the list. 
The tenant IDs should be the GUIDs associated with each tenant, and it's the user's responsibility to ensure that the service principal has access to the specified tenants. + +> The Discovery Job only supports Client Secret authentication. + + + + + ## Certificate Store Configuration After creating the `AzureApp` Certificate Store Type and installing the Azure App Registration and Enterprise Application Universal Orchestrator extension, you can create new [Certificate Stores](https://software.keyfactor.com/Core-OnPrem/Current/Content/ReferenceGuide/Certificate%20Stores.htm?Highlight=certificate%20store) to manage certificates in the remote platform. The following table describes the required and optional fields for the `AzureApp` certificate store type. -| Attribute | Description | -| --------- | ----------- | -| Category | Select "Azure App Registration (Application)" or the customized certificate store name from the previous step. | -| Container | Optional container to associate certificate store with. | -| Client Machine | The Azure Tenant (directory) ID that owns the Service Principal. | -| Store Path | The Application ID of the target Application/Service Principal that will be managed by the Azure App Registration and Enterprise Application Orchestrator extension. | -| Orchestrator | Select an approved orchestrator capable of managing `AzureApp` certificates. Specifically, one with the `AzureApp` capability. | -| ServerUsername | The Application ID of the Service Principal used to authenticate with Microsoft Graph for managing Application/Service Principal certificates. | -| ServerPassword | A Client Secret that the extension will use to authenticate with Microsoft Graph for managing Application/Service Principal certificates, OR the password that encrypts the private key in ClientCertificate | -| ClientCertificate | The client certificate used to authenticate with Microsoft Graph for managing Application/Service Principal certificates. 
See the [requirements](#client-certificate-or-client-secret) for more information. | -| AzureCloud | Specifies the Azure Cloud instance used by the organization. | -| ServerUseSsl | Specifies whether SSL should be used for communication with the server. Set to 'true' to enable SSL, and 'false' to disable it. | +| Attribute | Description | Attribute is PAM Eligible | +| --------- | ----------- | ------------------------- | +| Category | Select "Azure App Registration (Application)" or the customized certificate store name from the previous step. | | +| Container | Optional container to associate certificate store with. | | +| Client Machine | The Azure Tenant (directory) ID that owns the Service Principal. | | +| Store Path | The Application ID of the target Application/Service Principal that will be managed by the Azure App Registration and Enterprise Application Orchestrator extension. | | +| Orchestrator | Select an approved orchestrator capable of managing `AzureApp` certificates. Specifically, one with the `AzureApp` capability. | | +| ServerUsername | The Application ID of the Service Principal used to authenticate with Microsoft Graph for managing Application/Service Principal certificates. | | +| ServerPassword | A Client Secret that the extension will use to authenticate with Microsoft Graph for managing Application/Service Principal certificates, OR the password that encrypts the private key in ClientCertificate | | +| ClientCertificate | The client certificate used to authenticate with Microsoft Graph for managing Application/Service Principal certificates. See the [requirements](#client-certificate-or-client-secret) for more information. | | +| AzureCloud | Specifies the Azure Cloud instance used by the organization. | | +| ServerUseSsl | Specifies whether SSL should be used for communication with the server. Set to 'true' to enable SSL, and 'false' to disable it. | | * **Using kfutil** 
@@ -200,4 +202,5 @@ The following table describes the required and optional fields for the `AzureApp kfutil stores import csv --store-type-name AzureApp --file AzureApp.csv ``` -* **Manually with the Command UI**: In Keyfactor Command, navigate to Certificate Stores from the Locations Menu. Click the Add button to create a new Certificate Store using the attributes in the table above. \ No newline at end of file +* **Manually with the Command UI**: In Keyfactor Command, navigate to Certificate Stores from the Locations Menu. Click the Add button to create a new Certificate Store using the attributes in the table above. + diff --git a/docs/azuresp.md b/docs/azuresp.md index 5335d60..1029f86 100644 --- a/docs/azuresp.md +++ b/docs/azuresp.md @@ -17,7 +17,7 @@ The Azure Enterprise Application/Service Principal certificate operations are im ## Requirements -### Azure Service Principal (Graph API Authentication) +#### Azure Service Principal (Graph API Authentication) The Azure App Registration and Enterprise Application Orchestrator extension uses an [Azure Service Principal](https://learn.microsoft.com/en-us/entra/identity-platform/app-objects-and-service-principals?tabs=browser) for authentication. Follow [Microsoft's documentation](https://learn.microsoft.com/en-us/entra/identity-platform/howto-create-service-principal-portal) to create a service principal. Currently, Client Secret authentication is supported. The Service Principal must have the following API Permission: - **_Microsoft Graph Application Permissions_**: 
@@ -27,7 +27,7 @@ The Azure App Registration and Enterprise Application Orchestrator extension use Alternatively, the Service Principal can be granted the `Application.ReadWrite.OwnedBy` permission if the Service Principal is only intended to manage its own App Registration/Application. -#### Client Certificate or Client Secret +##### Client Certificate or Client Secret Beginning in version 3.0.0, the Azure App Registration and Enterprise Application Orchestrator extension supports both [client certificate authentication](https://learn.microsoft.com/en-us/graph/auth-register-app-v2#option-1-add-a-certificate) and [client secret](https://learn.microsoft.com/en-us/graph/auth-register-app-v2#option-2-add-a-client-secret) authentication. 
@@ -76,37 +76,16 @@ Beginning in version 3.0.0, the Azure App Registration and Enterprise Applicatio > > You will use `clientcert.[pem|pfx].base64` as the **ClientCertificate** field in the [Certificate Store Configuration](#certificate-store-configuration) section. -### Enterprise Application (Service Principal) +#### Enterprise Application (Service Principal) -#### Service Principal Certificates +##### Service Principal Certificates Service Principal certificates are typically used for SAML Token signing. Service Principals are created from Enterprise Applications, and will mostly be configured with a variation of Microsoft's [SAML-based single sign-on](https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/add-application-portal) documentation. For more information on the mechanics of the Service Principal certificate management capabilities of this extension, please see the [mechanics](#extension-mechanics) section. - -## Extension Mechanics - -The Azure App Registration and Enterprise Application Orchestrator extension uses the [Microsoft Dotnet Graph SDK](https://learn.microsoft.com/en-us/graph/sdks/sdks-overview) to interact with the Microsoft Graph API. The extension uses the following Graph API endpoints to manage Service Principal certificates: - -* [Get Service Principal](https://learn.microsoft.com/en-us/graph/api/serviceprincipal-get?view=graph-rest-1.0&tabs=http) - Used to obtain the Object ID of the Enterprise Application, and to download the certificates owned by the Service Principal. -* [Update Service Principal](https://learn.microsoft.com/en-us/graph/api/serviceprincipal-update?view=graph-rest-1.0&tabs=http) - Used to modify the Enterprise Application to add or remove certificates. - * Specifically, the extension manipulates the [`keyCredentials` resource](https://learn.microsoft.com/en-us/graph/api/resources/keycredential?view=graph-rest-1.0) of the Service Principal object. 
- -### Discovery Job - -The Discovery operation discovers all Azure Enterprise Applications that the Service Principal has access to. The discovered Enterprise Applications (specifically, their Application IDs) are reported back to Command and can be easily added as certificate stores from the Locations tab. - -The Discovery operation uses the "Directories to search" field, and accepts input in one of the following formats: -- `*` - If the asterisk symbol `*` is used, the extension will search for all Azure Enterprise Applications that the Service Principal has access to, but only in the tenant that the discovery job was configured for as specified by the "Client Machine" field in the certificate store configuration. -- `,,...` - If a comma-separated list of tenant IDs is used, the extension will search for all Azure Enterprise Applications available in each tenant specified in the list. The tenant IDs should be the GUIDs associated with each tenant, and it's the user's responsibility to ensure that the service principal has access to the specified tenants. - -> The Discovery Job only supports Client Secret authentication. - - - ## Certificate Store Type Configuration -The recommended method for creating the `AzureSP` Certificate Store Type is to use [kfutil](https://github.com/Keyfactor/kfutil). After installing, use the following command to create the `` Certificate Store Type: +The recommended method for creating the `AzureSP` Certificate Store Type is to use [kfutil](https://github.com/Keyfactor/kfutil). After installing, use the following command to create the `AzureSP` Certificate Store Type: ```shell kfutil store-types create AzureSP 
@@ -169,24 +148,47 @@ The Custom Fields tab should look like this: + +## Extension Mechanics + +The Azure App Registration and Enterprise Application Orchestrator extension uses the [Microsoft Dotnet Graph SDK](https://learn.microsoft.com/en-us/graph/sdks/sdks-overview) to interact with the Microsoft Graph API. The extension uses the following Graph API endpoints to manage Service Principal certificates: + +* [Get Service Principal](https://learn.microsoft.com/en-us/graph/api/serviceprincipal-get?view=graph-rest-1.0&tabs=http) - Used to obtain the Object ID of the Enterprise Application, and to download the certificates owned by the Service Principal. +* [Update Service Principal](https://learn.microsoft.com/en-us/graph/api/serviceprincipal-update?view=graph-rest-1.0&tabs=http) - Used to modify the Enterprise Application to add or remove certificates. + * Specifically, the extension manipulates the [`keyCredentials` resource](https://learn.microsoft.com/en-us/graph/api/resources/keycredential?view=graph-rest-1.0) of the Service Principal object. + +#### Discovery Job + +The Discovery operation discovers all Azure Enterprise Applications that the Service Principal has access to. The discovered Enterprise Applications (specifically, their Application IDs) are reported back to Command and can be easily added as certificate stores from the Locations tab. + +The Discovery operation uses the "Directories to search" field, and accepts input in one of the following formats: +- `*` - If the asterisk symbol `*` is used, the extension will search for all Azure Enterprise Applications that the Service Principal has access to, but only in the tenant that the discovery job was configured for as specified by the "Client Machine" field in the certificate store configuration. +- `,,...` - If a comma-separated list of tenant IDs is used, the extension will search for all Azure Enterprise Applications available in each tenant specified in the list. 
The tenant IDs should be the GUIDs associated with each tenant, and it's the user's responsibility to ensure that the service principal has access to the specified tenants. + +> The Discovery Job only supports Client Secret authentication. + + + + + ## Certificate Store Configuration After creating the `AzureSP` Certificate Store Type and installing the Azure App Registration and Enterprise Application Universal Orchestrator extension, you can create new [Certificate Stores](https://software.keyfactor.com/Core-OnPrem/Current/Content/ReferenceGuide/Certificate%20Stores.htm?Highlight=certificate%20store) to manage certificates in the remote platform. The following table describes the required and optional fields for the `AzureSP` certificate store type. -| Attribute | Description | -| --------- | ----------- | -| Category | Select "Azure Enterprise Application (Service Principal)" or the customized certificate store name from the previous step. | -| Container | Optional container to associate certificate store with. | -| Client Machine | The Azure Tenant (directory) ID that owns the Service Principal. | -| Store Path | The Application ID of the target Application/Service Principal that will be managed by the Azure App Registration and Enterprise Application Orchestrator extension. | -| Orchestrator | Select an approved orchestrator capable of managing `AzureSP` certificates. Specifically, one with the `AzureSP` capability. | -| ServerUsername | The Application ID of the Service Principal used to authenticate with Microsoft Graph for managing Application/Service Principal certificates. | -| ServerPassword | A Client Secret that the extension will use to authenticate with Microsoft Graph for managing Application/Service Principal certificates, OR the password that encrypts the private key in ClientCertificate | -| ClientCertificate | The client certificate used to authenticate with Microsoft Graph for managing Application/Service Principal certificates. 
See the [requirements](#client-certificate-or-client-secret) for more information. | -| AzureCloud | Specifies the Azure Cloud instance used by the organization. | -| ServerUseSsl | Specifies whether SSL should be used for communication with the server. Set to 'true' to enable SSL, and 'false' to disable it. | +| Attribute | Description | Attribute is PAM Eligible | +| --------- | ----------- | ------------------------- | +| Category | Select "Azure Enterprise Application (Service Principal)" or the customized certificate store name from the previous step. | | +| Container | Optional container to associate certificate store with. | | +| Client Machine | The Azure Tenant (directory) ID that owns the Service Principal. | | +| Store Path | The Application ID of the target Application/Service Principal that will be managed by the Azure App Registration and Enterprise Application Orchestrator extension. | | +| Orchestrator | Select an approved orchestrator capable of managing `AzureSP` certificates. Specifically, one with the `AzureSP` capability. | | +| ServerUsername | The Application ID of the Service Principal used to authenticate with Microsoft Graph for managing Application/Service Principal certificates. | | +| ServerPassword | A Client Secret that the extension will use to authenticate with Microsoft Graph for managing Application/Service Principal certificates, OR the password that encrypts the private key in ClientCertificate | | +| ClientCertificate | The client certificate used to authenticate with Microsoft Graph for managing Application/Service Principal certificates. See the [requirements](#client-certificate-or-client-secret) for more information. | | +| AzureCloud | Specifies the Azure Cloud instance used by the organization. | | +| ServerUseSsl | Specifies whether SSL should be used for communication with the server. Set to 'true' to enable SSL, and 'false' to disable it. | | * **Using kfutil** 
@@ -200,4 +202,5 @@ The following table describes the required and optional fields for the `AzureSP` kfutil stores import csv --store-type-name AzureSP --file AzureSP.csv ``` -* **Manually with the Command UI**: In Keyfactor Command, navigate to Certificate Stores from the Locations Menu. Click the Add button to create a new Certificate Store using the attributes in the table above. \ No newline at end of file +* **Manually with the Command UI**: In Keyfactor Command, navigate to Certificate Stores from the Locations Menu. Click the Add button to create a new Certificate Store using the attributes in the table above. + diff --git a/docsource/images/AzureApp-advanced-store-type-dialog.png b/docsource/images/AzureApp-advanced-store-type-dialog.png index 2b71e8c..534ecb2 100644 Binary files a/docsource/images/AzureApp-advanced-store-type-dialog.png and b/docsource/images/AzureApp-advanced-store-type-dialog.png differ diff --git a/docsource/images/AzureApp-basic-store-type-dialog.png b/docsource/images/AzureApp-basic-store-type-dialog.png index dc2fa78..4d1c0f6 100644 Binary files a/docsource/images/AzureApp-basic-store-type-dialog.png and b/docsource/images/AzureApp-basic-store-type-dialog.png differ diff --git a/docsource/images/AzureApp-custom-fields-store-type-dialog.png b/docsource/images/AzureApp-custom-fields-store-type-dialog.png index 296cd70..c6bbf79 100644 Binary files a/docsource/images/AzureApp-custom-fields-store-type-dialog.png and b/docsource/images/AzureApp-custom-fields-store-type-dialog.png differ diff --git a/docsource/images/AzureSP-advanced-store-type-dialog.png b/docsource/images/AzureSP-advanced-store-type-dialog.png index 2b71e8c..534ecb2 100644 Binary files a/docsource/images/AzureSP-advanced-store-type-dialog.png and b/docsource/images/AzureSP-advanced-store-type-dialog.png differ 
diff --git a/docsource/images/AzureSP-basic-store-type-dialog.png b/docsource/images/AzureSP-basic-store-type-dialog.png index ea8bd33..1c404cb 100644 Binary files a/docsource/images/AzureSP-basic-store-type-dialog.png and b/docsource/images/AzureSP-basic-store-type-dialog.png differ diff --git a/docsource/images/AzureSP-custom-fields-store-type-dialog.png b/docsource/images/AzureSP-custom-fields-store-type-dialog.png index 296cd70..c6bbf79 100644 Binary files a/docsource/images/AzureSP-custom-fields-store-type-dialog.png and b/docsource/images/AzureSP-custom-fields-store-type-dialog.png differ diff --git a/integration-manifest.json b/integration-manifest.json index 7c7f817..a9dec1a 100644 --- a/integration-manifest.json +++ b/integration-manifest.json @@ -1,5 +1,5 @@ { - "$schema": "https://keyfactor.github.io/integration-manifest-schema.json", + "$schema": "https://keyfactor.github.io/v2/integration-manifest-schema.json", "name": "Azure App Registration and Enterprise Application Orchestrator", "integration_type": "orchestrator", "status": "production", @@ -158,7 +158,6 @@ "CustomAliasAllowed": "Required" } ] - }, - "pam": {} + } } -} +} \ No newline at end of file diff --git a/readme_source.md b/readme_source.md deleted file mode 100644 index 36ccab5..0000000 --- a/readme_source.md +++ /dev/null @@ -1,265 +0,0 @@ -

- Azure App Registration and Enterprise Application Universal Orchestrator Extension -

- -

- -Integration Status: production -Release -Issues -GitHub Downloads (all assets, all releases) -

- -

- - - Support - - · - - Installation - - · - - License - - · - - Related Integrations - -

- - -## Overview - -The Azure App Registration and Enterprise Application Orchestrator extension remotely manages both Azure [App Registration/Application](https://learn.microsoft.com/en-us/entra/identity-platform/certificate-credentials) certificates and [Enterprise Application/Service Principal](https://docs.microsoft.com/en-us/azure/active-directory/develop/enterprise-apps-certificate-credentials) certificates. Application certificates are typically public key only and used for client certificate authentication, while Service Principal certificates are commonly used for [SAML Assertion signing](https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/tutorial-manage-certificates-for-federated-single-sign-on). The extension implements the Inventory, Management Add, Management Remove, and Discovery job types. - -Certificates used for client authentication by Applications (configured in App Registrations) are represented by the [`AzureApp` store type](docs/azureapp.md), and certificates used for SSO/SAML assertion signing are represented by the [`AzureSP` store type](docs/azuresp.md). Both store types are managed by the same extension. The extension is configured with a single Azure Service Principal that is used to authenticate to the [Microsoft Graph API](https://learn.microsoft.com/en-us/graph/use-the-api). The Azure App Registration and Enterprise Application Orchestrator extension manages certificates for Azure App Registrations (Applications) and Enterprise Applications (Service Principals) differently. - -## Installation -Before installing the Azure App Registration and Enterprise Application Universal Orchestrator extension, it's recommended to install [kfutil](https://github.com/Keyfactor/kfutil). Kfutil is a command-line tool that simplifies the process of creating store types, installing extensions, and instantiating certificate stores in Keyfactor Command. 
- -The Azure App Registration and Enterprise Application Universal Orchestrator extension implements 2 Certificate Store Types. Depending on your use case, you may elect to install one, or all of these Certificate Store Types. An overview for each type is linked below: -* [Azure App Registration (Application)](docs/azureapp.md) -* [Azure Enterprise Application (Service Principal)](docs/azuresp.md) - -
Azure App Registration (Application) - - -1. Follow the [requirements section](docs/azureapp.md#requirements) to configure a Service Account and grant necessary API permissions. - -
Requirements - - ### Azure Service Principal (Graph API Authentication) - - The Azure App Registration and Enterprise Application Orchestrator extension uses an [Azure Service Principal](https://learn.microsoft.com/en-us/entra/identity-platform/app-objects-and-service-principals?tabs=browser) for authentication. Follow [Microsoft's documentation](https://learn.microsoft.com/en-us/entra/identity-platform/howto-create-service-principal-portal) to create a service principal. Currently, Client Secret authentication is supported. The Service Principal must have the following API Permission: - - **_Microsoft Graph Application Permissions_**: - - `Application.ReadWrite.All` (_not_ Delegated; Admin Consent) - Allows the app to create, read, update and delete applications and service principals without a signed-in user. - - > For more information on Admin Consent for App-only access (also called "Application Permissions"), see the [primer on application-only access](https://learn.microsoft.com/en-us/azure/active-directory/develop/app-only-access-primer). - - Alternatively, the Service Principal can be granted the `Application.ReadWrite.OwnedBy` permission if the Service Principal is only intended to manage its own App Registration/Application. - - #### Client Certificate or Client Secret - - Beginning in version 3.0.0, the Azure App Registration and Enterprise Application Orchestrator extension supports both [client certificate authentication](https://learn.microsoft.com/en-us/graph/auth-register-app-v2#option-1-add-a-certificate) and [client secret](https://learn.microsoft.com/en-us/graph/auth-register-app-v2#option-2-add-a-client-secret) authentication. - - * **Client Secret** - Follow [Microsoft's documentation](https://learn.microsoft.com/en-us/graph/auth-register-app-v2#option-2-add-a-client-secret) to create a Client Secret. This secret will be used as the **Server Password** field in the [Certificate Store Configuration](#certificate-store-configuration) section. 
- * **Client Certificate** - Create a client certificate key pair with the Client Authentication extended key usage. The client certificate will be used in the ClientCertificate field in the [Certificate Store Configuration](#certificate-store-configuration) section. If you have access to Keyfactor Command, the instructions in this section walk you through enrolling a certificate and ensuring that it's in the correct format. Once enrolled, follow [Microsoft's documentation](https://learn.microsoft.com/en-us/graph/auth-register-app-v2#option-1-add-a-certificate) to add the _public key_ certificate (no private key) to the service principal used for authentication. - - The certificate can be in either of the following formats: - * Base64-encoded PKCS#12 (PFX) with a matching private key. - * Base64-encoded PEM-encoded certificate _and_ PEM-encoded PKCS8 private key. Make sure that the certificate and private key are separated with a newline. The order doesn't matter - the extension will determine which is which. - - If the private key is encrypted, the encryption password will replace the **Server Password** field in the [Certificate Store Configuration](#certificate-store-configuration) section. - - > **Creating and Formatting a Client Certificate using Keyfactor Command** - > - > To get started quickly, you can follow the instructions below to create and properly format a client certificate to authenticate to the Microsoft Graph API. - > - > 1. In Keyfactor Command, hover over **Enrollment** and select **PFX Enrollment**. - > 2. Select a **Template** that supports Client Authentication as an extended key usage. - > 3. Populate the certificate subject as appropriate for the Template. It may be sufficient to only populate the Common Name, but consult your IT policy to ensure that this certificate is compliant. - > 4. At the bottom of the page, uncheck the box for **Include Chain**, and select either **PFX** or **PEM** as the certificate Format. - > 5. 
Make a note of the password on the next page - it won't be shown again. - > 6. Prepare the certificate and private key for Azure and the Orchestrator extension: - > * If you downloaded the certificate in PEM format, use the commands below: - > - > ```shell - > # Verify that the certificate downloaded from Command contains the certificate and private key. They should be in the same file - > cat - > - > # Separate the certificate from the private key - > openssl x509 -in -out pubkeycert.pem - > - > # Base64 encode the certificate and private key - > cat | base64 > clientcertkeypair.pem.base64 - > ``` - > - > * If you downloaded the certificate in PFX format, use the commands below: - > - > ```shell - > # Export the certificate from the PFX file - > openssl pkcs12 -in -clcerts -nokeys -out pubkeycert.pem - > - > # Base64 encode the PFX file - > cat | base64 > clientcert.pfx.base64 - > ``` - > 7. Follow [Microsoft's documentation](https://learn.microsoft.com/en-us/graph/auth-register-app-v2#option-1-add-a-certificate) to add the public key certificate to the service principal used for authentication. - > - > You will use `clientcert.[pem|pfx].base64` as the **ClientCertificate** field in the [Certificate Store Configuration](#certificate-store-configuration) section. - - ### Azure App Registration (Application) - - #### Application Certificates - - Application certificates are used for client authentication and are typically public key only. No additional configuration in Azure is necessary to manage Application certificates since all App Registrations can contain any number of [Certificates and Secrets](https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app#add-credentials). Unless the Discovery job is used, you should collect the Application IDs for each App Registration that contains certificates to be managed. - - - -
- -2. Create Certificate Store Types for the Azure App Registration and Enterprise Application Orchestrator extension. - - * **Using kfutil**: - - ```shell - # Azure App Registration (Application) - kfutil store-types create AzureApp - ``` - - * **Manually**: - * [Azure App Registration (Application)](docs/azureapp.md#certificate-store-type-configuration) - -3. Install the Azure App Registration and Enterprise Application Universal Orchestrator extension. - - * **Using kfutil**: On the server that that hosts the Universal Orchestrator, run the following command: - - ```shell - # Windows Server - kfutil orchestrator extension -e azure-application-orchestrator@latest --out "C:\Program Files\Keyfactor\Keyfactor Orchestrator\extensions" - - # Linux - kfutil orchestrator extension -e azure-application-orchestrator@latest --out "/opt/keyfactor/orchestrator/extensions" - ``` - - * **Manually**: Follow the [official Command documentation](https://software.keyfactor.com/Core-OnPrem/Current/Content/InstallingAgents/NetCoreOrchestrator/CustomExtensions.htm?Highlight=extensions) to install the latest [Azure App Registration and Enterprise Application Universal Orchestrator extension](https://github.com/Keyfactor/azure-application-orchestrator/releases/latest). - -4. Create new certificate stores in Keyfactor Command for the Sample Universal Orchestrator extension. - * [Azure App Registration (Application)](docs/azureapp.md#certificate-store-configuration) -
- -
Azure Enterprise Application (Service Principal) - - -1. Follow the [requirements section](docs/azuresp.md#requirements) to configure a Service Account and grant necessary API permissions. - -
Requirements - - ### Azure Service Principal (Graph API Authentication) - - The Azure App Registration and Enterprise Application Orchestrator extension uses an [Azure Service Principal](https://learn.microsoft.com/en-us/entra/identity-platform/app-objects-and-service-principals?tabs=browser) for authentication. Follow [Microsoft's documentation](https://learn.microsoft.com/en-us/entra/identity-platform/howto-create-service-principal-portal) to create a service principal. Currently, Client Secret authentication is supported. The Service Principal must have the following API Permission: - - **_Microsoft Graph Application Permissions_**: - - `Application.ReadWrite.All` (_not_ Delegated; Admin Consent) - Allows the app to create, read, update and delete applications and service principals without a signed-in user. - - > For more information on Admin Consent for App-only access (also called "Application Permissions"), see the [primer on application-only access](https://learn.microsoft.com/en-us/azure/active-directory/develop/app-only-access-primer). - - Alternatively, the Service Principal can be granted the `Application.ReadWrite.OwnedBy` permission if the Service Principal is only intended to manage its own App Registration/Application. - - #### Client Certificate or Client Secret - - Beginning in version 3.0.0, the Azure App Registration and Enterprise Application Orchestrator extension supports both [client certificate authentication](https://learn.microsoft.com/en-us/graph/auth-register-app-v2#option-1-add-a-certificate) and [client secret](https://learn.microsoft.com/en-us/graph/auth-register-app-v2#option-2-add-a-client-secret) authentication. - - * **Client Secret** - Follow [Microsoft's documentation](https://learn.microsoft.com/en-us/graph/auth-register-app-v2#option-2-add-a-client-secret) to create a Client Secret. This secret will be used as the **Server Password** field in the [Certificate Store Configuration](#certificate-store-configuration) section. 
- * **Client Certificate** - Create a client certificate key pair with the Client Authentication extended key usage. The client certificate will be used in the ClientCertificate field in the [Certificate Store Configuration](#certificate-store-configuration) section. If you have access to Keyfactor Command, the instructions in this section walk you through enrolling a certificate and ensuring that it's in the correct format. Once enrolled, follow [Microsoft's documentation](https://learn.microsoft.com/en-us/graph/auth-register-app-v2#option-1-add-a-certificate) to add the _public key_ certificate (no private key) to the service principal used for authentication. - - The certificate can be in either of the following formats: - * Base64-encoded PKCS#12 (PFX) with a matching private key. - * Base64-encoded PEM-encoded certificate _and_ PEM-encoded PKCS8 private key. Make sure that the certificate and private key are separated with a newline. The order doesn't matter - the extension will determine which is which. - - If the private key is encrypted, the encryption password will replace the **Server Password** field in the [Certificate Store Configuration](#certificate-store-configuration) section. - - > **Creating and Formatting a Client Certificate using Keyfactor Command** - > - > To get started quickly, you can follow the instructions below to create and properly format a client certificate to authenticate to the Microsoft Graph API. - > - > 1. In Keyfactor Command, hover over **Enrollment** and select **PFX Enrollment**. - > 2. Select a **Template** that supports Client Authentication as an extended key usage. - > 3. Populate the certificate subject as appropriate for the Template. It may be sufficient to only populate the Common Name, but consult your IT policy to ensure that this certificate is compliant. - > 4. At the bottom of the page, uncheck the box for **Include Chain**, and select either **PFX** or **PEM** as the certificate Format. - > 5. 
Make a note of the password on the next page - it won't be shown again. - > 6. Prepare the certificate and private key for Azure and the Orchestrator extension: - > * If you downloaded the certificate in PEM format, use the commands below: - > - > ```shell - > # Verify that the certificate downloaded from Command contains the certificate and private key. They should be in the same file - > cat - > - > # Separate the certificate from the private key - > openssl x509 -in -out pubkeycert.pem - > - > # Base64 encode the certificate and private key - > cat | base64 > clientcertkeypair.pem.base64 - > ``` - > - > * If you downloaded the certificate in PFX format, use the commands below: - > - > ```shell - > # Export the certificate from the PFX file - > openssl pkcs12 -in -clcerts -nokeys -out pubkeycert.pem - > - > # Base64 encode the PFX file - > cat | base64 > clientcert.pfx.base64 - > ``` - > 7. Follow [Microsoft's documentation](https://learn.microsoft.com/en-us/graph/auth-register-app-v2#option-1-add-a-certificate) to add the public key certificate to the service principal used for authentication. - > - > You will use `clientcert.[pem|pfx].base64` as the **ClientCertificate** field in the [Certificate Store Configuration](#certificate-store-configuration) section. - - ### Enterprise Application (Service Principal) - - #### Service Principal Certificates - - Service Principal certificates are typically used for SAML Token signing. Service Principals are created from Enterprise Applications, and will mostly be configured with a variation of Microsoft's [SAML-based single sign-on](https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/add-application-portal) documentation. For more information on the mechanics of the Service Principal certificate management capabilities of this extension, please see the [mechanics](#extension-mechanics) section. - - - -
- -2. Create Certificate Store Types for the Azure App Registration and Enterprise Application Orchestrator extension. - - * **Using kfutil**: - - ```shell - # Azure Enterprise Application (Service Principal) - kfutil store-types create AzureSP - ``` - - * **Manually**: - * [Azure Enterprise Application (Service Principal)](docs/azuresp.md#certificate-store-type-configuration) - -3. Install the Azure App Registration and Enterprise Application Universal Orchestrator extension. - - * **Using kfutil**: On the server that that hosts the Universal Orchestrator, run the following command: - - ```shell - # Windows Server - kfutil orchestrator extension -e azure-application-orchestrator@latest --out "C:\Program Files\Keyfactor\Keyfactor Orchestrator\extensions" - - # Linux - kfutil orchestrator extension -e azure-application-orchestrator@latest --out "/opt/keyfactor/orchestrator/extensions" - ``` - - * **Manually**: Follow the [official Command documentation](https://software.keyfactor.com/Core-OnPrem/Current/Content/InstallingAgents/NetCoreOrchestrator/CustomExtensions.htm?Highlight=extensions) to install the latest [Azure App Registration and Enterprise Application Universal Orchestrator extension](https://github.com/Keyfactor/azure-application-orchestrator/releases/latest). - -4. Create new certificate stores in Keyfactor Command for the Sample Universal Orchestrator extension. - * [Azure Enterprise Application (Service Principal)](docs/azuresp.md#certificate-store-configuration) -
- - -## License - -Apache License 2.0, see [LICENSE](LICENSE). - -## Related Integrations - -See all [Keyfactor Universal Orchestrator extensions](https://github.com/orgs/Keyfactor/repositories?q=orchestrator).
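Review bot: In the docs/azuresp.md hunk (`@@ -169,24 +148,47 @@`), the new "Attribute is PAM Eligible" column is blank in every row, including `ServerUsername`, `ServerPassword` and `ClientCertificate`, which are exactly the credentials an operator would want to source from a PAM provider; either mark the eligible credential attributes or omit the column until eligibility is declared, since an all-blank column reads as "nothing is PAM eligible". In the same hunk, the "Directories to search" formats render as `*` and `,,...`; if the second entry was meant to show tenant-ID placeholders, they have been dropped and the line should be re-checked in the rendered output. Finally, the callout "The Discovery Job only supports Client Secret authentication" is the kind of constraint that belongs next to the `ClientCertificate` row or in the linked `#client-certificate-or-client-secret` requirements as well, so that a store configured with a client certificate is not expected to run Discovery.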
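Review bot: The binary changes for `docsource/images/AzureApp-advanced-store-type-dialog.png` and `docsource/images/AzureSP-advanced-store-type-dialog.png` carry identical blob ids before and after (`2b71e8c..534ecb2`), as do the two `*-custom-fields-store-type-dialog.png` files (`296cd70..c6bbf79`), while the two basic-dialog screenshots differ (`dc2fa78..4d1c0f6` vs `ea8bd33..1c404cb`). That means the AzureApp and AzureSP docs show the same Advanced and Custom Fields dialogs; confirm those dialogs really are identical for both store types, or capture a screenshot per type so the docs do not show one type's settings under the other's name.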
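Review bot: In the integration-manifest.json hunks, `"pam": {}` is removed in the same change that moves `$schema` to `https://keyfactor.github.io/v2/integration-manifest-schema.json`, and the closing brace now ends with `\ No newline at end of file`. Restore the trailing newline, and if the v2 schema expresses PAM eligibility per parameter rather than through the top-level `pam` object, add those per-parameter declarations, because the README table generated from this manifest currently shows no attribute as PAM eligible.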
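Review bot: The deletion of readme_source.md (`@@ -1,265 +0,0 @@`) removes content that does not reappear anywhere in this diff: the "Creating and Formatting a Client Certificate using Keyfactor Command" walkthrough with its `openssl x509` and `openssl pkcs12` steps, the description of the two accepted ClientCertificate formats (Base64 PKCS#12, or Base64 PEM certificate plus PKCS#8 key separated by a newline), and the note that an encrypted private key's password replaces the Server Password field. If these now live in docsource files that Doctool renders, say so in the commit message; otherwise they are lost. Note also that the deleted text said both "Currently, Client Secret authentication is supported" and, a few lines later, that version 3.0.0 supports both client certificate and client secret authentication; wherever that section was moved, the contradiction should be resolved.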