InfoGrab Docs

OneLogin을 SSO 프로바이더로 사용한 Teleport 인증

요약

이 가이드는 특정 사용자 그룹에게 Teleport 자격 증명을 발급하도록 OneLogin을 구성하는 방법을 설명합니다. You can register your Teleport cluster as an application with OneLogin, then create an authentication connector resource that provides Teleport wit...

이 가이드는 특정 사용자 그룹에게 Teleport 자격 증명을 발급하도록 OneLogin을 구성하는 방법을 설명합니다. 역할 기반 접근 제어(RBAC)와 함께 사용하면 SSH 관리자가 다음과 같은 정책을 정의할 수 있습니다:

  • "DBA" 그룹의 구성원만 PostgreSQL 데이터베이스에 연결할 수 있습니다.
  • 개발자는 프로덕션 서버에 절대 SSH 접근을 하면 안 됩니다.
  • ... 그리고 그 외 많은 정책들.

작동 방식#

You can register your Teleport cluster as an application with OneLogin, then create an authentication connector resource that provides Teleport with information about your application. When a user signs in to Teleport, OneLogin executes its own authentication flow, then sends an HTTP request to your Teleport cluster to indicate that authentication has completed.

Teleport authenticates users to your infrastructure by issuing short-lived certificates. After a user completes an SSO authentication flow, Teleport issues short-lived TLS and SSH certificates to the user. Teleport also creates a temporary user on the Auth Service backend.

Teleport roles are encoded in the user's certificates. To assign Teleport roles to the user, the Auth Service inspects the role mapping within the authentication connector, which associates user data on OneLogin with the names of one or more Teleport roles.

사전 요구 사항#

  • 관리자 접근 권한과 최소 두 그룹에 할당된 사용자가 있는 OneLogin 계정.
  • saml 리소스를 유지 관리할 수 있는 접근 권한이 있는 Teleport 역할. 기본 editor 역할에서 사용 가능합니다.

  • A running Teleport Enterprise cluster. If you want to get started with Teleport, sign up for a free trial or set up a demo environment.

  • The tctl and tsh clients.

    Installing `tctl` and `tsh` clients

    1. Determine the version of your Teleport cluster. The tctl and tsh clients must be at most one major version behind your Teleport cluster version. Send a GET request to the Proxy Service at /v1/webapi/find and use a JSON query tool to obtain your cluster version. Replace with the web address of your Teleport Proxy Service:

      $ TELEPORT_DOMAIN=
$ TELEPORT_VERSION="$(curl -s https://$TELEPORT_DOMAIN/v1/webapi/find | jq -r '.server_version')"

    2. Follow the instructions for your platform to install tctl and tsh clients:

To check that you can connect to your Teleport cluster, sign in with tsh login, then verify that you can run tctl commands using your current credentials.

For example, run the following command, assigning to the domain name of the Teleport Proxy Service in your cluster and to your Teleport username:

$ tsh login --proxy= --user=
$ tctl status
# Cluster  (=teleport.url=)
# Version  (=teleport.version=)
# CA pin   (=presets.ca_pin=)

If you can connect to the cluster and run the tctl status command, you can use your current credentials to run subsequent tctl commands from your workstation. If you host your own Teleport cluster, you can also run tctl commands on the computer that hosts the Teleport Auth Service for full permissions.

1/3단계. OneLogin에서 Teleport 애플리케이션 만들기#

  1. OneLogin 제어판 메인 메뉴에서 Applications -> Add App으로 이동합니다. 검색 상자를 사용하여 "SAML Custom Connector (SP Shibboleth)"를 선택합니다:

    SAML Custom Connector (SP Shibboleth)

  2. 새 애플리케이션을 정의합니다:

    SAML 구성

    다음 링크에서 업로드할 Teleport 아이콘을 찾을 수 있습니다:

  3. 애플리케이션의 Configuration 페이지에서 다음 값을 설정합니다. Teleport Proxy Service 주소와 포트로 를 설정합니다(예: company.teleport.sh:443). 여러 공개 주소를 가진 셀프 호스팅 클러스터가 있는 경우 이 주소가 첫 번째로 나열된 것을 가리키도록 합니다.

    • Login URL:
      • https:///web/login
    • ACS (Consumer) URL, SAML Recipient, ACS (Consumer) URL Validator, & Audience:
      • https:///v1/webapi/saml/acs/onelogin

    SAML 구성

  4. Teleport는 사용자에게 그룹을 할당해야 합니다. Parameters 페이지에서 SAML 속성 문으로 노출된 일부 파라미터로 애플리케이션을 구성합니다:

    새 필드

    새 필드 그룹

    중요

Include in SAML assertion 체크박스를 반드시 체크하세요.

  1. 애플리케이션에 사용자를 추가합니다:

    사용자 추가

  2. 인증 커넥터의 SAML 메타데이터를 얻습니다. 애플리케이션이 설정되면 More Actions 메뉴로 이동하여 SAML Metadata 옵션을 찾습니다:

    XML 다운로드

    옵션을 왼쪽 클릭하여 XML 문서를 로컬 파일로 다운로드하거나 옵션을 마우스 오른쪽 버튼으로 클릭하고 링크 주소를 복사할 수 있습니다. Teleport Auth Service는 제공된 문서를 읽거나 주소를 쿼리하여 SAML 메타데이터를 얻습니다. Auth Service가 최신 정보를 사용할 수 있도록 주소를 복사하는 것을 권장합니다.

2/3단계. OneLogin을 Teleport에 연결#

이 섹션에서는 Teleport가 OneLogin과 SAML 메시지를 교환하고 사용자에게 인증서를 발급하는 데 필요한 정보를 제공하는 인증 커넥터를 만듭니다.

역할 매핑 할당#

When a user authenticates to Teleport, the Teleport Auth Service issues SSH and TLS certificates to the user that contain the user's Teleport roles.

For SSO authentication connectors, the Auth Service determines which roles to encode in the certificate by reading the authentication connector's role mapping. The role mapping indicates which Teleport roles to assign based on data that your identity provider stores about the user.

When you configure an authentication connector using the tctl CLI, a role mapping takes the following format:

<attribute_name>,<attribute_value>,<teleport_role_1>,<teleport_role_2>,...,<teleport_role_n>

For example, the following role mapping means that any user with the attribute groups with the value admins receives the Teleport roles auditor and editor:

groups,admins,auditor,editor

For the purpose of this guide, assign two separate role mappings:

SAML 커넥터 구성#

tctl을 사용하여 SAML 커넥터를 만듭니다. 를 이전 단계에서 복사한 XML 문서의 URL로 업데이트합니다. XML 문서를 대신 다운로드했다면 XML 메타데이터 파일의 경로를 사용합니다:

$ tctl sso configure saml --preset onelogin \
--entity-descriptor  \
--attributes-to-roles  \
--attributes-to-roles  > onelogin.yaml

이렇게 하면 커넥터 리소스를 설명하는 onelogin.yaml이 만들어집니다:

<div class="admonition note"><div class="admonition-title">Note</div><p>이 섹션의 내용은 원문 문서를 참조하세요. (<code>onelogin-connector.yaml</code>)</p></div>

커넥터 테스트#

새로 만든 구성을 테스트합니다:

$ cat onelogin.yaml | tctl sso test

tctl sso test는 브라우저를 열고 OneLogin으로 인증을 시도합니다. 성공하면 출력에 수신된 SAML 속성과 Teleport 역할에 매핑된 내용이 출력됩니다. 테스트가 실패하면 출력이 구성 문제 해결을 도와줍니다.

커넥터 만들기#

tctl 도구를 사용하여 커넥터를 만듭니다:

$ tctl create -f onelogin.yaml

3/3단계. 인증 기본 설정 구성#

Edit your cluster authentication preferences so you can make the authentication connector you configured in this guide the default authentication method for your Teleport cluster.

Open the Teleport Web UI. From the left sidebar, navigate to Zero Trust Access > Auth Connectors. Find the connector you would like to make the default and, from its three-dot menu, select Set as default.

If you are managing your Teleport resources as configuration files, you can choose a default authentication connector using a dynamic resource. In this case, use tctl to edit the cluster_auth_preference value:

$ tctl edit cluster_auth_preference

Set the value of spec.type to saml:

kind: cluster_auth_preference
metadata:
  ...
  name: cluster-auth-preference
spec:
  ...
  type: saml
  ...
version: v2

After you save and exit the editor, tctl will update the resource:

cluster auth preference has been updated
Additional ways to edit cluster auth preferences

The cluster auth preference is available as a Teleport Terraform provider resource. Find a list of configuration options in the Cluster Auth Preferences Resource Reference.

If you self-host Teleport, you can edit your Teleport Auth Service configuration file to include the following:

# Snippet from /etc/teleport.yaml
auth_service:
  authentication:
    type: saml

If you need to log in again before configuring your identity provider, use the flag --auth=local.

다음 단계#

Now that you have connected Teleport to your identity provider, you can customize the way Teleport includes IdP data in Teleport roles.

With role templates, you can include user data from your IdP directly in Teleport roles. If you use the external template variable in the value of a role field, Teleport passes that value from your IdP. In this example, all of the role options you can use for allowing users to assume certain principals on remote systems come from your IdP:

kind: role
version: v7
metadata:
  name: sso-users
spec:
  allow:
    logins: ['{{external.logins}}']
    aws_role_arns: ['{{external.aws_role_arns}}']
    azure_identities: ['{{external.azure_identities}}']
    db_names: ['{{external.db_names}}']
    db_roles: ['{{external.db_roles}}']
    db_users: ['{{external.db_users}}']
    desktop_groups: ['{{external.desktop_groups}}']
    gcp_service_accounts: ['{{external.gcp_service_accounts}}']
    host_groups: ['{{external.host_groups}}']
    host_sudoers: ['{{external.host_sudoers}}']
    kubernetes_groups: ['{{external.kubernetes_groups}}']
    kubernetes_users: ['{{external.kubernetes_users}}']
    windows_desktop_logins: ['{{external.windows_desktop_logins}}']

For more information on using the external template variable, see Role Templates.

For an explanation of the fields listed above, see the Role Reference.

If you need to transform your IdP user data before you include it in Teleport roles, you can do so using Login Rules. Login Rules allow you to include external traits within Teleport roles even if your IdP provides user data in a different format than the one expected by Teleport. Read more about Login Rules.

문제 해결#

Troubleshooting SSO configuration can be challenging. Usually a Teleport administrator must be able to:

If something is not working, we recommend to:

Using the Web UI#

If you get "access denied" or other login errors, the number one place to check is the Audit Log. To view the recording, select Audit in the Teleport Web UI, then click Session Recordings in the menu.

Audit Log Entry for SSO Login error

Example of a user being denied because the role clusteradmin wasn't set up:

{
  "code": "T1001W",
  "error": "role clusteradmin is not found",
  "event": "user.login",
  "message": "Failed to calculate user attributes.\n\trole clusteradmin is not found",
  "method": "oidc",
  "success": false,
  "time": "2024-11-07T15:41:25.584Z",
  "uid": "71e46f17-d611-48bb-bf5e-effd90016c13"
}

Teleport does not show the expected Nodes#

(!docs/pages/includes/node-logins.mdx!)

When configuring SSO, ensure that the identity provider is populating each user's traits correctly. For a user to see a Node in Teleport, the result of populating a template variable in a role's allow.logins must match at least one of a user's traits.logins.

In this example a user will have usernames ubuntu, debian and usernames from the SSO trait logins for Nodes that have a env: dev label. If the SSO trait username is bob then the usernames would include ubuntu, debian, and bob.

kind: role
metadata:
  name: example-role
spec:
  allow:
    logins: ['{{external.logins}}', ubuntu, debian]
    node_labels:
      'env': 'dev'
version: v5

Single sign-on fails with OIDC#

When encountering the error message "Failed to verify JWT: oidc: unable to verify JWT signature: no matching keys", it typically indicates a discrepancy between the algorithm used to sign the JWT token and the algorithm(s) supported by the JSON Web Key Set (JWKS). Specifically, the token might be signed with one algorithm, e.g., HS256, while the JWKS only lists keys for a different algorithm. e.g., RS256. This issue predominantly arises when using identity providers that offer extremely low-level functionality.

Here are some things to check:

To resolve the issue, align the JWT algorithm header with a supported algorithm in the JWKS. Rotate keys if necessary. Verify the JWKS only publishes the active public keys. With proper configuration, the signature should validate successfully.

OneLogin을 SSO 프로바이더로 사용한 Teleport 인증

원문 보기
요약

이 가이드는 특정 사용자 그룹에게 Teleport 자격 증명을 발급하도록 OneLogin을 구성하는 방법을 설명합니다. You can register your Teleport cluster as an application with OneLogin, then create an authentication connector resource that provides Teleport wit...

이 가이드는 특정 사용자 그룹에게 Teleport 자격 증명을 발급하도록 OneLogin을 구성하는 방법을 설명합니다. 역할 기반 접근 제어(RBAC)와 함께 사용하면 SSH 관리자가 다음과 같은 정책을 정의할 수 있습니다:

  • "DBA" 그룹의 구성원만 PostgreSQL 데이터베이스에 연결할 수 있습니다.
  • 개발자는 프로덕션 서버에 절대 SSH 접근을 하면 안 됩니다.
  • ... 그리고 그 외 많은 정책들.

작동 방식#

You can register your Teleport cluster as an application with OneLogin, then create an authentication connector resource that provides Teleport with information about your application. When a user signs in to Teleport, OneLogin executes its own authentication flow, then sends an HTTP request to your Teleport cluster to indicate that authentication has completed.

Teleport authenticates users to your infrastructure by issuing short-lived certificates. After a user completes an SSO authentication flow, Teleport issues short-lived TLS and SSH certificates to the user. Teleport also creates a temporary user on the Auth Service backend.

Teleport roles are encoded in the user's certificates. To assign Teleport roles to the user, the Auth Service inspects the role mapping within the authentication connector, which associates user data on OneLogin with the names of one or more Teleport roles.

사전 요구 사항#

  • 관리자 접근 권한과 최소 두 그룹에 할당된 사용자가 있는 OneLogin 계정.
  • saml 리소스를 유지 관리할 수 있는 접근 권한이 있는 Teleport 역할. 기본 editor 역할에서 사용 가능합니다.

  • A running Teleport Enterprise cluster. If you want to get started with Teleport, sign up for a free trial or set up a demo environment.

  • The tctl and tsh clients.

    Installing `tctl` and `tsh` clients

    1. Determine the version of your Teleport cluster. The tctl and tsh clients must be at most one major version behind your Teleport cluster version. Send a GET request to the Proxy Service at /v1/webapi/find and use a JSON query tool to obtain your cluster version. Replace with the web address of your Teleport Proxy Service:

      $ TELEPORT_DOMAIN=
$ TELEPORT_VERSION="$(curl -s https://$TELEPORT_DOMAIN/v1/webapi/find | jq -r '.server_version')"

    2. Follow the instructions for your platform to install tctl and tsh clients:

To check that you can connect to your Teleport cluster, sign in with tsh login, then verify that you can run tctl commands using your current credentials.

For example, run the following command, assigning to the domain name of the Teleport Proxy Service in your cluster and to your Teleport username:

$ tsh login --proxy= --user=
$ tctl status
# Cluster  (=teleport.url=)
# Version  (=teleport.version=)
# CA pin   (=presets.ca_pin=)

If you can connect to the cluster and run the tctl status command, you can use your current credentials to run subsequent tctl commands from your workstation. If you host your own Teleport cluster, you can also run tctl commands on the computer that hosts the Teleport Auth Service for full permissions.

1/3단계. OneLogin에서 Teleport 애플리케이션 만들기#

  1. OneLogin 제어판 메인 메뉴에서 Applications -> Add App으로 이동합니다. 검색 상자를 사용하여 "SAML Custom Connector (SP Shibboleth)"를 선택합니다:

    SAML Custom Connector (SP Shibboleth)

  2. 새 애플리케이션을 정의합니다:

    SAML 구성

    다음 링크에서 업로드할 Teleport 아이콘을 찾을 수 있습니다:

  3. 애플리케이션의 Configuration 페이지에서 다음 값을 설정합니다. Teleport Proxy Service 주소와 포트로 를 설정합니다(예: company.teleport.sh:443). 여러 공개 주소를 가진 셀프 호스팅 클러스터가 있는 경우 이 주소가 첫 번째로 나열된 것을 가리키도록 합니다.

    • Login URL:
      • https:///web/login
    • ACS (Consumer) URL, SAML Recipient, ACS (Consumer) URL Validator, & Audience:
      • https:///v1/webapi/saml/acs/onelogin

    SAML 구성

  4. Teleport는 사용자에게 그룹을 할당해야 합니다. Parameters 페이지에서 SAML 속성 문으로 노출된 일부 파라미터로 애플리케이션을 구성합니다:

    새 필드

    새 필드 그룹

    중요

Include in SAML assertion 체크박스를 반드시 체크하세요.

  1. 애플리케이션에 사용자를 추가합니다:

    사용자 추가

  2. 인증 커넥터의 SAML 메타데이터를 얻습니다. 애플리케이션이 설정되면 More Actions 메뉴로 이동하여 SAML Metadata 옵션을 찾습니다:

    XML 다운로드

    옵션을 왼쪽 클릭하여 XML 문서를 로컬 파일로 다운로드하거나 옵션을 마우스 오른쪽 버튼으로 클릭하고 링크 주소를 복사할 수 있습니다. Teleport Auth Service는 제공된 문서를 읽거나 주소를 쿼리하여 SAML 메타데이터를 얻습니다. Auth Service가 최신 정보를 사용할 수 있도록 주소를 복사하는 것을 권장합니다.

2/3단계. OneLogin을 Teleport에 연결#

이 섹션에서는 Teleport가 OneLogin과 SAML 메시지를 교환하고 사용자에게 인증서를 발급하는 데 필요한 정보를 제공하는 인증 커넥터를 만듭니다.

역할 매핑 할당#

When a user authenticates to Teleport, the Teleport Auth Service issues SSH and TLS certificates to the user that contain the user's Teleport roles.

For SSO authentication connectors, the Auth Service determines which roles to encode in the certificate by reading the authentication connector's role mapping. The role mapping indicates which Teleport roles to assign based on data that your identity provider stores about the user.

When you configure an authentication connector using the tctl CLI, a role mapping takes the following format:

<attribute_name>,<attribute_value>,<teleport_role_1>,<teleport_role_2>,...,<teleport_role_n>

For example, the following role mapping means that any user with the attribute groups with the value admins receives the Teleport roles auditor and editor:

groups,admins,auditor,editor

For the purpose of this guide, assign two separate role mappings:

SAML 커넥터 구성#

tctl을 사용하여 SAML 커넥터를 만듭니다. 를 이전 단계에서 복사한 XML 문서의 URL로 업데이트합니다. XML 문서를 대신 다운로드했다면 XML 메타데이터 파일의 경로를 사용합니다:

$ tctl sso configure saml --preset onelogin \
--entity-descriptor  \
--attributes-to-roles  \
--attributes-to-roles  > onelogin.yaml

이렇게 하면 커넥터 리소스를 설명하는 onelogin.yaml이 만들어집니다:

<div class="admonition note"><div class="admonition-title">Note</div><p>이 섹션의 내용은 원문 문서를 참조하세요. (<code>onelogin-connector.yaml</code>)</p></div>

커넥터 테스트#

새로 만든 구성을 테스트합니다:

$ cat onelogin.yaml | tctl sso test

tctl sso test는 브라우저를 열고 OneLogin으로 인증을 시도합니다. 성공하면 출력에 수신된 SAML 속성과 Teleport 역할에 매핑된 내용이 출력됩니다. 테스트가 실패하면 출력이 구성 문제 해결을 도와줍니다.

커넥터 만들기#

tctl 도구를 사용하여 커넥터를 만듭니다:

$ tctl create -f onelogin.yaml

3/3단계. 인증 기본 설정 구성#

Edit your cluster authentication preferences so you can make the authentication connector you configured in this guide the default authentication method for your Teleport cluster.

Open the Teleport Web UI. From the left sidebar, navigate to Zero Trust Access > Auth Connectors. Find the connector you would like to make the default and, from its three-dot menu, select Set as default.

If you are managing your Teleport resources as configuration files, you can choose a default authentication connector using a dynamic resource. In this case, use tctl to edit the cluster_auth_preference value:

$ tctl edit cluster_auth_preference

Set the value of spec.type to saml:

kind: cluster_auth_preference
metadata:
  ...
  name: cluster-auth-preference
spec:
  ...
  type: saml
  ...
version: v2

After you save and exit the editor, tctl will update the resource:

cluster auth preference has been updated
Additional ways to edit cluster auth preferences

The cluster auth preference is available as a Teleport Terraform provider resource. Find a list of configuration options in the Cluster Auth Preferences Resource Reference.

If you self-host Teleport, you can edit your Teleport Auth Service configuration file to include the following:

# Snippet from /etc/teleport.yaml
auth_service:
  authentication:
    type: saml

If you need to log in again before configuring your identity provider, use the flag --auth=local.

다음 단계#

Now that you have connected Teleport to your identity provider, you can customize the way Teleport includes IdP data in Teleport roles.

With role templates, you can include user data from your IdP directly in Teleport roles. If you use the external template variable in the value of a role field, Teleport passes that value from your IdP. In this example, all of the role options you can use for allowing users to assume certain principals on remote systems come from your IdP:

kind: role
version: v7
metadata:
  name: sso-users
spec:
  allow:
    logins: ['{{external.logins}}']
    aws_role_arns: ['{{external.aws_role_arns}}']
    azure_identities: ['{{external.azure_identities}}']
    db_names: ['{{external.db_names}}']
    db_roles: ['{{external.db_roles}}']
    db_users: ['{{external.db_users}}']
    desktop_groups: ['{{external.desktop_groups}}']
    gcp_service_accounts: ['{{external.gcp_service_accounts}}']
    host_groups: ['{{external.host_groups}}']
    host_sudoers: ['{{external.host_sudoers}}']
    kubernetes_groups: ['{{external.kubernetes_groups}}']
    kubernetes_users: ['{{external.kubernetes_users}}']
    windows_desktop_logins: ['{{external.windows_desktop_logins}}']

For more information on using the external template variable, see Role Templates.

For an explanation of the fields listed above, see the Role Reference.

If you need to transform your IdP user data before you include it in Teleport roles, you can do so using Login Rules. Login Rules allow you to include external traits within Teleport roles even if your IdP provides user data in a different format than the one expected by Teleport. Read more about Login Rules.

문제 해결#

Troubleshooting SSO configuration can be challenging. Usually a Teleport administrator must be able to:

If something is not working, we recommend to:

Using the Web UI#

If you get "access denied" or other login errors, the number one place to check is the Audit Log. To view the recording, select Audit in the Teleport Web UI, then click Session Recordings in the menu.

Audit Log Entry for SSO Login error

Example of a user being denied because the role clusteradmin wasn't set up:

{
  "code": "T1001W",
  "error": "role clusteradmin is not found",
  "event": "user.login",
  "message": "Failed to calculate user attributes.\n\trole clusteradmin is not found",
  "method": "oidc",
  "success": false,
  "time": "2024-11-07T15:41:25.584Z",
  "uid": "71e46f17-d611-48bb-bf5e-effd90016c13"
}

Teleport does not show the expected Nodes#

(!docs/pages/includes/node-logins.mdx!)

When configuring SSO, ensure that the identity provider is populating each user's traits correctly. For a user to see a Node in Teleport, the result of populating a template variable in a role's allow.logins must match at least one of a user's traits.logins.

In this example a user will have usernames ubuntu, debian and usernames from the SSO trait logins for Nodes that have a env: dev label. If the SSO trait username is bob then the usernames would include ubuntu, debian, and bob.

kind: role
metadata:
  name: example-role
spec:
  allow:
    logins: ['{{external.logins}}', ubuntu, debian]
    node_labels:
      'env': 'dev'
version: v5

Single sign-on fails with OIDC#

When encountering the error message "Failed to verify JWT: oidc: unable to verify JWT signature: no matching keys", it typically indicates a discrepancy between the algorithm used to sign the JWT token and the algorithm(s) supported by the JSON Web Key Set (JWKS). Specifically, the token might be signed with one algorithm, e.g., HS256, while the JWKS only lists keys for a different algorithm. e.g., RS256. This issue predominantly arises when using identity providers that offer extremely low-level functionality.

Here are some things to check:

To resolve the issue, align the JWT algorithm header with a supported algorithm in the JWKS. Rotate keys if necessary. Verify the JWKS only publishes the active public keys. With proper configuration, the signature should validate successfully.