Operation Tutorial | JumpServer uses OpenID to connect to Azure Active Directory (Azure AD) authentication

JumpServer is the world's first fully open-source bastion host. It is released under the GNU GPL v3.0 license and is an operations security audit system that complies with the 4A specification (Authentication, Authorization, Accounting and Auditing).

JumpServer is mainly developed in Python/Django, follows the Web 2.0 specification, and ships with an industry-leading Web Terminal solution that offers a clean interactive interface and a good user experience. JumpServer also uses a distributed architecture that supports multi-data-center and cross-region deployment and horizontal scaling, with no restrictions on the number of assets or concurrent sessions.

The JumpServer bastion host offers users a variety of authentication methods. The user login methods currently supported by JumpServer include, but are not limited to, LDAP/AD, RADIUS, OpenID, SAML 2.0, CAS, SSO, Enterprise WeChat, DingTalk and Feishu authentication.

This article walks through the specific steps for connecting the JumpServer bastion host to Azure Active Directory (Azure AD) with OpenID authentication, as practical guidance for users.

What is Azure AD?

Azure Active Directory (Azure AD) is a multi-tenant, cloud-based directory and identity management service from Microsoft. It combines core directory services, application access management and identity protection into one solution, providing a standards-based platform that helps developers add access control to their applications based on centralized policies and rules.

Azure AD's enterprise identity service provides single sign-on and multi-factor authentication, and users protected by this service are protected from 99.9% of cybersecurity attacks.

Who is using Azure AD?

Azure AD is suitable for these groups of people:

■ IT administrators

Depending on their business requirements, IT administrators can use Azure AD to control user access to applications and application resources. For example, Azure AD can require multi-factor authentication before users access important organizational resources.

In addition, IT administrators can use Azure AD to automate user provisioning between an existing Windows Server AD and cloud applications (including Microsoft 365), and use the tools provided by Azure AD to automatically protect user identities and credentials and meet access management requirements.

■ Application developers

App developers can use Azure AD as a standards-based way to add single sign-on (SSO) to an app, so that it works with users' existing credentials. They can also build personalized application experiences through the APIs provided by Azure AD, making full use of existing organizational data.

■ Subscribers to Microsoft 365, Office 365, Azure or Dynamics CRM Online

Subscribers to these cloud services are already using Azure AD: every Microsoft 365, Office 365, Azure and Dynamics CRM Online tenant is automatically an Azure AD tenant.

Steps for connecting JumpServer to Azure AD authentication with OpenID

1. Initialize JumpServer application through Azure AD

① Register a new application

▲Figure 1 Register a new application

② Register JumpServer application

Supported account types: this decides which users can access the JumpServer application; choose according to your needs.

Redirect URI: https://{xxxx}/core/auth/openid/callback/ (Note: the https scheme must be used and the trailing "/" must be included, otherwise access will report an error.)

▲Figure 2 Fill in the options such as "Name", "Supported Account Types", "Redirect URI" of the application, and click the "Register" button to submit

▲Figure 3 Generate an application using the Microsoft Identity Platform

③ Add a client secret

▲Figure 4 Under certificates and secrets, create a new client secret

▲Figure 5 Add the client secret and confirm its expiration time

▲Figure 6 Copy the client secret (the value is shown only once, immediately after creation)

④ Get endpoint information

▲Figure 7 Get endpoint information

The endpoint addresses differ between Azure China and Azure International. Select the endpoints that match your tenant and enter them in the JumpServer OpenID configuration.

▲Figure 8 Select the corresponding endpoint information

2. Fill in the OpenID (OIDC) information in JumpServer

① Enter JumpServer and fill in the OIDC information

▲Figure 9 Fill in the basic information and related parameters of OIDC

② Remember to adjust the token validity time

Note: It is recommended to increase the token validity time; here it is set to 600. With the default value of 60 an exception may be reported, probably because of a time-zone or clock difference between the two sides.

▲Figure 10 Modify the valid time of the token
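Two of the checks above can be expressed in code. The following is an added example, not JumpServer's own code: it validates the redirect URI rules from step 1② and shows how a clock difference between Azure AD and the JumpServer host makes an ID token fail with a 60-second tolerance but pass with 600. It assumes the token validity setting acts as a tolerance on the token's issued-at time; the claims and timestamps are constructed.

```python
from urllib.parse import urlparse

# Constructed ID-token claims as JumpServer would see them after the OIDC callback
# (signature verification is assumed to have passed already). The IdP's clock runs
# 120 s ahead of the verifier's, the kind of skew the tutorial's note hints at.
VERIFIER_NOW = 1_700_000_000
SKEWED_CLAIMS = {"iat": VERIFIER_NOW + 120, "exp": VERIFIER_NOW + 3720}
# A second constructed token that is simply too old (issued 700 s ago).
STALE_CLAIMS = {"iat": VERIFIER_NOW - 700, "exp": VERIFIER_NOW + 2900}


def check_redirect_uri(uri: str) -> list:
    """Return the problems with a JumpServer OIDC redirect URI ([] if acceptable).

    Encodes the two requirements from the tutorial: https scheme and trailing '/'.
    """
    problems = []
    parsed = urlparse(uri)
    if parsed.scheme != "https":
        problems.append("scheme must be https")
    if not parsed.path.endswith("/"):
        problems.append("path must end with '/'")
    if parsed.path.rstrip("/") != "/core/auth/openid/callback":
        problems.append("path must be /core/auth/openid/callback/")
    return problems


def check_token_times(claims: dict, now: int, max_age: int) -> list:
    """Return the time-claim failures for an ID token ([] if it passes).

    max_age is the tolerance in seconds applied to the issued-at time in both
    directions; this is how the tutorial's 'token validity time' is modelled
    here (an assumption, not JumpServer's exact implementation).
    """
    failures = []
    if now - claims["iat"] > max_age:
        failures.append("token is older than max_age")
    if claims["iat"] - now > max_age:
        failures.append("iat is in the future")
    if now >= claims["exp"]:
        failures.append("token expired")
    return failures


if __name__ == "__main__":
    print(check_redirect_uri("http://jump.example.com/core/auth/openid/callback"))
    for max_age in (60, 600):  # the tutorial's default value and its recommended fix
        print(max_age, check_token_times(SKEWED_CLAIMS, VERIFIER_NOW, max_age))
```

Raising the tolerance hides the symptom; keeping the JumpServer host's clock synchronized (NTP) removes the cause.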

③ Successful login

▲Figure 11 The first login is successful
