Ansible Automation Platform RFEs
AAPRFE-2213

RFE: Entra SAML Authentication for Entra Service Principals

    • Type: Feature Request
    • Resolution: Duplicate

      Goals

      Allow external auth service accounts to authenticate to Ansible Automation Platform.

      Background and strategic fit

      Right now, all service accounts must either be created to act like actual users or be local accounts inside of the Ansible Automation Platform. We should support third-party service accounts.

      Summary

      Over a year ago, Microsoft Entra introduced service principals, which are essentially service accounts that act on an application's behalf. Customers would like to be able to use these accounts to access the AAP API. Currently, Microsoft does not allow these accounts to be authenticated through the GUI in order to create an AAP token. Microsoft Entra does work with SAML authentication for users on AAP.

      Problem Description

      Third-party service accounts are unable to authenticate to Ansible Automation Platform using Microsoft Entra. Currently, once a service principal has been authorized by Entra, it cannot get a cookie or a token back with which to access the AAP API.

      Assumptions

      Complete during New status and then remove this text.

      <include any assumptions that inform the design or requirements>

      User Story Requirements

      Complete during New status and then remove this text.

      <add 1 user story per row, including persona details>

      as a <user> I want <functionality> so that I can <value prop>


      Questions

      Initial completion during Refinement status and then remove this text.

      Below is a list of questions to be addressed as a result of this requirements document:


      Links

      Initial completion during Refinement status and then remove this text.

      Microsoft Service Principals:

      https://learn.microsoft.com/en-us/entra/identity-platform/app-objects-and-service-principals?tabs=browser

      Out of Scope

      <replace this with anything explicitly out of scope here, to reduce the risk of scope creep>

      Technical Scope

      Feature Flag

      (If not utilizing a feature flag during development of this feature, please indicate why.)

      • add the feature flag name that will be used for this feature here
      • add any "conditions" that will be required to enable this feature
      • add the details specified in this decision record to the Acceptance Criteria field (Criteria 1, Criteria 2)

      Architecture Definition

      Please review the guidance below before creating the SDP and any proposals:

      System Design Plan

      (leave blank if not completed yet)

      SDP
      • SDP: Link to the SDP PR in the handbook repo
      • Proposal Review Call: Link to the Staff Engineering Proposal Review call video recording of the SDP presentation
      Proposal(s)
      • Proposal: Link to the Proposal PR in the handbook repo that solves one or more of the problem statements from your SDP
      • Proposal Review Call: Link to the Staff Engineering Proposal Review call video recording of the Proposal presentation
      • Update the SDP with a link to the accepted (merged) proposal in the handbook
      • If your proposal updates or adds to existing guidance, changes existing architecture, or defines requirements on internal development teams, be sure to open a Jira Issue to document these updates/additions in the handbook, and ensure that the Jira Issue is linked to this Feature.

      API Dependencies

      Add a link to the existing API definition (OpenAPI spec) in the git repo. Be sure to link to the specific version of the OpenAPI spec document you depend on. If the API you depend on does not yet exist, add an Issue Link (depends on) to the Jira Issue that defines the dependent API, and be sure to update this list with the link to the OpenAPI spec document when it becomes available. See spec-file maintenance for details on OpenAPI spec file generation and storage location.

      UX

      Have you talked with the UX team about any additional requirements or expectations that will be needed from them for this feature, either during development or for release? If additional work will be required of UX, add Issue Links (depends on) to the Jira Issues that define the work for UX to perform.

      Obtain UI sign-off via confirmation of sign-off in comments and link to comment here

      Docs

      Have you collaborated with the Docs team, prior to development, about requirements or expectations for this feature so they can properly scope the documentation impact? If doc work is required, collaborate with the doc team to define the work in JIRA, and then add Issue Links (depends on) to those doc Issues.

      Obtain Docs sign-off via confirmation of sign-off in comments and link to comment here

      Security

      Have you assessed the increased/decreased security risks/vectors that this Feature will present?
      Have you ensured that any new code added for this Feature will be properly scanned and results reported and saved for future reference?

      Obtain sign-off from Architect of Feature via confirmation of sign-off in comments and link to comment here

      Test Plan

      Have you developed a plan for how you will test this feature in all phases of development? Will you have unit tests? Will you have Component ATF tests? Do your ATF tests require new features/capabilities on the framework? Will you have Green Thread tests? Will you have perf/scale tests? Add Issue Links (depends on) to the Jira Issues that define the work required to execute the Test Plan.

      Obtain sign-off from Architect of Feature via confirmation of sign-off in comments and link to comment here

      Build/Release

      Have you talked with the PDE team about any additional requirements or expectations that will be needed from them for this feature, either during development or for release? If additional work will be required of PDE, add Issue Links to the Jira Issues that define the work for PDE to perform.

      Obtain PDE sign-off via confirmation of sign-off in comments and link to comment here

      Installer

      Have you talked with the Installer team about any additional requirements or expectations that will be needed from them for this feature, either during development or for release? Does this feature need parameters exposed in the inventory/CRD? Does this feature deploy a new operator/container? If additional work will be required of Installer, add Issue Links to the Jira Issues that define the work for Installer to perform.

      Obtain Installer sign-off via confirmation of sign-off in comments and link to comment here

      Perf/Scale

      Have you talked with the Perf/Scale team about any additional requirements or expectations that will be needed from them for this feature, either during development or for release? If additional work will be required of Perf/Scale, add Issue Links (depends on) to the Jira Issues that define the work for Perf/Scale to perform.

      Obtain Perf/Scale sign-off via confirmation of sign-off in comments and link to comment here

      SaaS

      Have you talked with the SaaS team about any additional requirements or expectations that will be needed from them for this feature, either during development or for release? If additional work will be required of SaaS, add Issue Links (depends on) to the Jira Issues that define the work for SaaS to perform.

      Obtain SaaS sign-off via confirmation of sign-off in comments and link to comment here

      Assignee: Unassigned
      Reporter: Sean Sullivan (rhn-gps-ssulliva)