A few fixes to the OIDC provisioner docs
This commit is contained in:
parent
52f09605f4
commit
f75a52d55b
1 changed files with 25 additions and 19 deletions
|
@ -418,7 +418,7 @@ Please enter a password to encrypt the provisioner private key? password
|
||||||
},
|
},
|
||||||
[...]
|
[...]
|
||||||
|
|
||||||
# launch CA...
|
## launch CA...
|
||||||
$ step-ca $(step path)/config/ca.json
|
$ step-ca $(step path)/config/ca.json
|
||||||
Please enter the password to decrypt ~/.step/secrets/intermediate_ca_key: password
|
Please enter the password to decrypt ~/.step/secrets/intermediate_ca_key: password
|
||||||
2019/02/21 12:09:51 Serving HTTPS on :9443 ...
|
2019/02/21 12:09:51 Serving HTTPS on :9443 ...
|
||||||
|
@ -453,22 +453,23 @@ $ step ca renew site.crt site.key
|
||||||
error renewing certificate: Unauthorized
|
error renewing certificate: Unauthorized
|
||||||
```
|
```
|
||||||
|
|
||||||
## Leverage G-Suite's OAuth OIDC as authenticate personal certificates for users
|
## Use Oauth OIDC to obtain personal certificates
|
||||||
|
|
||||||
To authenticate users with the CA you can leverage services that expose OAuth OpenID
|
To authenticate users with the CA you can leverage services that expose OAuth
|
||||||
Connect identity providers. One of the most common provider and the one we'll use in
|
OpenID Connect identity providers. One of the most common providers, and the
|
||||||
this example is G-Suite.
|
one we'll use in this example, is G-Suite.
|
||||||
|
|
||||||
Navigate to the Google APIs developer console and pick a suitable project from the
|
Navigate to the Google APIs developer console and pick a suitable project from the
|
||||||
top navbar's dropdown.
|
top navbar's dropdown.
|
||||||
|
|
||||||
![Google Dev Console](oidc1.png)
|
![Google Dev Console](oidc1.png)
|
||||||
|
|
||||||
In the masthead navigation click **Credentials** (key symbol) and then "OAuth consent
|
In the masthead navigation click **Credentials** (key symbol) and then "OAuth
|
||||||
screen" from the subnav. Fill out naming details, all mandatory fields, and decide if
|
consent screen" from the subnav. Fill out naming details, all mandatory fields,
|
||||||
your app is of type **Public** or **Internal**. Internal will make sure the access scope
|
and decide if your app is of type **Public** or **Internal**. Internal
|
||||||
is bound to your G-Suite organization. **Public** will let anybody with a Google Account
|
will make sure the access scope is bound to your G-Suite organization.
|
||||||
log in, incl. `gmail.com` accounts.
|
**Public** will let anybody with a Google Account log in, incl.
|
||||||
|
`gmail.com` accounts.
|
||||||
|
|
||||||
Move back to **Credentials** on the subnav and choose "OAuth client ID" from the
|
Move back to **Credentials** on the subnav and choose "OAuth client ID" from the
|
||||||
**Create credentials** dropdown. Since OIDC will be used from the `step CLI` pick **Other**
|
**Create credentials** dropdown. Since OIDC will be used from the `step CLI` pick **Other**
|
||||||
|
@ -476,15 +477,18 @@ from the available options and pick a name (e.g. **Step CLI**).
|
||||||
|
|
||||||
![Create credential](oidc2.png)
|
![Create credential](oidc2.png)
|
||||||
|
|
||||||
On successful completion, a confirmation modal with both `clientID` and `clientSecret` will
|
On successful completion, a confirmation modal with both `clientID` and
|
||||||
be presented. Please note that the `clientSecret` will allow applications access to the configured
|
`clientSecret` will be presented. Please note that the `clientSecret` will
|
||||||
OAuth consent screen. However, it will not allow direct authentication of users without their own
|
allow applications access to the configured OAuth consent screen. However, it
|
||||||
MfA credentials per account.
|
will not allow direct authentication of users without their own MfA credentials
|
||||||
|
per account.
|
||||||
|
|
||||||
![OIDC credentials](oidc3.png)
|
![OIDC credentials](oidc3.png)
|
||||||
|
|
||||||
Now using `clientID` and `clientSecret` run following command to add G-Suite as a provisioner to
|
Now using `clientID` and `clientSecret` run the following command to add
|
||||||
`step certificates`. Please see [`step ca provisioner add`](https://smallstep.com/docs/cli/ca/provisioner/add/)'s docs for all available configuration options and descriptions.
|
G-Suite as a provisioner to `step certificates`. Please see [`step ca
|
||||||
|
provisioner add`](https://smallstep.com/docs/cli/ca/provisioner/add/)'s docs
|
||||||
|
for all available configuration options and descriptions.
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
$ step ca provisioner add Google --type oidc --ca-config $(step path)/config/ca.json \
|
$ step ca provisioner add Google --type oidc --ca-config $(step path)/config/ca.json \
|
||||||
|
@ -494,8 +498,9 @@ $ step ca provisioner add Google --type oidc --ca-config $(step path)/config/ca.
|
||||||
--domain yourdomain.com --domain gmail.com
|
--domain yourdomain.com --domain gmail.com
|
||||||
```
|
```
|
||||||
|
|
||||||
Start up the online CA or send a HUP signal if it's already running to pick up the new provisioner.
|
Start up the online CA or send a HUP signal if it's already running to reload
|
||||||
Now users should be able to fetch certificates using the familiar `step ca certificate` flow:
|
the configuration and pick up the new provisioner. Now users should be able to
|
||||||
|
obtain certificates using the familiar `step ca certificate` flow:
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
$ step ca certificate sebastian@smallstep.com personal.crt personal.key
|
$ step ca certificate sebastian@smallstep.com personal.crt personal.key
|
||||||
|
@ -517,7 +522,8 @@ X.509v3 TLS Certificate (ECDSA P-256) [Serial: 2295...5799]
|
||||||
to: 2019-03-27T19:02:58Z
|
to: 2019-03-27T19:02:58Z
|
||||||
```
|
```
|
||||||
|
|
||||||
Now it's easy for anybody in the G-Suite organization to self-serve fetching valid certificates.
|
Now it's easy for anybody in the G-Suite organization to obtain valid personal
|
||||||
|
certificates!
|
||||||
|
|
||||||
## Notes on Securing the Step CA and your PKI.
|
## Notes on Securing the Step CA and your PKI.
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue