azure-application-orchestrator

Keyfactor orchestrator extension to inventory and manage Azure App Registration/Application, and Azure Enterprise Application/Service Principal certificates

Primary Language: C#

Azure App Registration and Enterprise Application Universal Orchestrator Extension

Integration Status: production


Overview

The Azure App Registration and Enterprise Application Orchestrator extension remotely manages both Azure App Registration/Application certificates and Enterprise Application/Service Principal certificates. Application certificates are typically public key only and used for client certificate authentication, while Service Principal certificates are commonly used for SAML Assertion signing. The extension implements the Inventory, Management Add, Management Remove, and Discovery job types.

Certificates used for client authentication by Applications (configured in App Registrations) are represented by the AzureApp store type, and certificates used for SSO/SAML assertion signing are represented by the AzureSP store type. Both store types are managed by the same extension. The extension is configured with a single Azure Service Principal that is used to authenticate to the Microsoft Graph API. The Azure App Registration and Enterprise Application Orchestrator extension manages certificates for Azure App Registrations (Applications) and Enterprise Applications (Service Principals) differently.

Compatibility

This integration is compatible with Keyfactor Universal Orchestrator version 10.4 and later.

Support

The Azure App Registration and Enterprise Application Universal Orchestrator extension is supported by Keyfactor for Keyfactor customers. If you have a support issue, please open a support ticket with your Keyfactor representative or via the Keyfactor Support Portal at https://support.keyfactor.com.

To report a problem or suggest a new feature, use the Issues tab. If you want to contribute actual bug fixes or proposed enhancements, use the Pull requests tab.

Installation

Before installing the Azure App Registration and Enterprise Application Universal Orchestrator extension, it's recommended to install kfutil. Kfutil is a command-line tool that simplifies the process of creating store types, installing extensions, and instantiating certificate stores in Keyfactor Command.

The Azure App Registration and Enterprise Application Universal Orchestrator extension implements 2 Certificate Store Types. Depending on your use case, you may elect to install one or both of these Certificate Store Types. An overview for each type is linked below:

Azure App Registration (Application)
  1. Follow the requirements section to configure a Service Account and grant necessary API permissions.

    Requirements

    Azure Service Principal (Graph API Authentication)

    The Azure App Registration and Enterprise Application Orchestrator extension uses an Azure Service Principal for authentication. Follow Microsoft's documentation to create a service principal. Currently, Client Secret authentication is supported. The Service Principal must have the following API Permission:

    • Microsoft Graph Application Permissions:
      • Application.ReadWrite.All (not Delegated; Admin Consent) - Allows the app to create, read, update and delete applications and service principals without a signed-in user.

    For more information on Admin Consent for App-only access (also called "Application Permissions"), see the primer on application-only access.

    Alternatively, the Service Principal can be granted the Application.ReadWrite.OwnedBy permission if the Service Principal is only intended to manage its own App Registration/Application.

    Client Certificate or Client Secret

    Beginning in version 3.0.0, the Azure App Registration and Enterprise Application Orchestrator extension supports both client certificate authentication and client secret authentication.

    • Client Secret - Follow Microsoft's documentation to create a Client Secret. This secret will be used as the Server Password field in the Certificate Store Configuration section.

    • Client Certificate - Create a client certificate key pair with the Client Authentication extended key usage. The client certificate will be used in the ClientCertificate field in the Certificate Store Configuration section. If you have access to Keyfactor Command, the instructions in this section walk you through enrolling a certificate and ensuring that it's in the correct format. Once enrolled, follow Microsoft's documentation to add the public key certificate (no private key) to the service principal used for authentication.

      The certificate can be in either of the following formats:

      • Base64-encoded PKCS#12 (PFX) with a matching private key.
      • Base64-encoded PEM-encoded certificate and PEM-encoded PKCS8 private key. Make sure that the certificate and private key are separated with a newline. The order doesn't matter - the extension will determine which is which.

      If the private key is encrypted, the encryption password will replace the Server Password field in the Certificate Store Configuration section.

    Creating and Formatting a Client Certificate using Keyfactor Command

    To get started quickly, you can follow the instructions below to create and properly format a client certificate to authenticate to the Microsoft Graph API.

    1. In Keyfactor Command, hover over Enrollment and select PFX Enrollment.
    2. Select a Template that supports Client Authentication as an extended key usage.
    3. Populate the certificate subject as appropriate for the Template. It may be sufficient to only populate the Common Name, but consult your IT policy to ensure that this certificate is compliant.
    4. At the bottom of the page, uncheck the box for Include Chain, and select either PFX or PEM as the certificate Format.
    5. Make a note of the password on the next page - it won't be shown again.
    6. Prepare the certificate and private key for Azure and the Orchestrator extension:
      • If you downloaded the certificate in PEM format, use the commands below:

        # Verify that the file downloaded from Command contains both the certificate and the private key (they should be in the same file)
        cat <your_certificate.pem>
        
        # Extract only the certificate (no private key); this is the file you upload to the service principal in step 7
        openssl x509 -in <your_certificate.pem> -out pubkeycert.pem
        
        # Base64 encode the combined certificate and private key; this becomes the ClientCertificate field
        base64 < <your_certificate.pem> > clientcert.pem.base64
      • If you downloaded the certificate in PFX format, use the commands below:

        # Extract only the certificate (no private key) from the PFX; this is the file you upload to the service principal in step 7
        openssl pkcs12 -in <your_certificate.pfx> -clcerts -nokeys -out pubkeycert.pem
        
        # Base64 encode the whole PFX (certificate and private key); this becomes the ClientCertificate field
        base64 < <your_certificate.pfx> > clientcert.pfx.base64
    7. Follow Microsoft's documentation to add the public key certificate to the service principal used for authentication.

    You will use clientcert.[pem|pfx].base64 as the ClientCertificate field in the Certificate Store Configuration section.
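As an added sanity check, not part of this README or of the extension's own code, the following Python classifies a prepared ClientCertificate value against the format rules above (Base64 PFX, or Base64 PEM certificate plus PKCS#8 key separated by a newline in either order, encrypted key meaning the password goes in Server Password). It assumes the value is the content of clientcert.[pem|pfx].base64; the sample input is constructed, not a real certificate.

```python
import base64
import binascii
import re

# One PEM block: captures its label and Base64 body.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)
# An END marker not followed by a newline (or end of data): the next block is glued to it.
GLUED_END = re.compile(r"-----END [A-Z0-9 ]+-----(?!\s*\n|\s*$)")
PKCS8_LABELS = {"PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}
LEGACY_KEY_LABELS = {"RSA PRIVATE KEY", "EC PRIVATE KEY"}  # PKCS#1 / SEC1, not PKCS#8

def encode_field(file_bytes: bytes) -> str:
    """Base64-encode a PEM or PFX file the way `base64 < file` does."""
    return base64.b64encode(file_bytes).decode("ascii")

def check_client_certificate(b64_value: str) -> dict:
    """Classify a ClientCertificate value as 'pem', 'pfx' or 'unknown' and list format
    problems; 'needs_password' means the key password belongs in Server Password."""
    result = {"format": "unknown", "needs_password": False, "issues": []}
    try:
        # Tolerate the 76-column line wrapping that `base64` emits by default.
        raw = base64.b64decode("".join(b64_value.split()), validate=True)
    except (binascii.Error, ValueError):
        result["issues"].append("value is not valid Base64")
        return result
    if raw.startswith(b"\x30"):  # DER (PFX) starts with an ASN.1 SEQUENCE tag
        result["format"] = "pfx"
        return result
    text = raw.decode("ascii", errors="replace")
    labels = [label for label, _ in PEM_BLOCK.findall(text)]
    result["format"] = "pem" if labels else "unknown"
    certs = [x for x in labels if x == "CERTIFICATE"]
    keys = [x for x in labels if x in PKCS8_LABELS | LEGACY_KEY_LABELS]
    if len(certs) != 1:
        result["issues"].append(f"expected one CERTIFICATE block (no chain), found {len(certs)}")
    if len(keys) != 1:
        result["issues"].append(f"expected one private key block, found {len(keys)}")
    elif keys[0] in LEGACY_KEY_LABELS:
        result["issues"].append(f"{keys[0]} is not PKCS#8; convert it with openssl pkcs8 -topk8")
    if GLUED_END.search(text):
        result["issues"].append("certificate and private key must be separated by a newline")
    result["needs_password"] = "ENCRYPTED PRIVATE KEY" in labels
    return result

# Constructed sample (placeholder bodies, not a real certificate or key).
SAMPLE_PEM_PAIR = encode_field(
    b"-----BEGIN CERTIFICATE-----\nMIIB\n-----END CERTIFICATE-----\n"
    b"-----BEGIN PRIVATE KEY-----\nMIIE\n-----END PRIVATE KEY-----\n")
```

The check only inspects PEM labels and DER framing; it does not validate the key or prove it matches the certificate.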

    Azure App Registration (Application)

    Application Certificates

    Application certificates are used for client authentication and are typically public key only. No additional configuration in Azure is necessary to manage Application certificates since all App Registrations can contain any number of Certificates and Secrets. Unless the Discovery job is used, you should collect the Application IDs for each App Registration that contains certificates to be managed.

  2. Create Certificate Store Types for the Azure App Registration and Enterprise Application Orchestrator extension.

  3. Install the Azure App Registration and Enterprise Application Universal Orchestrator extension.

  4. Create new certificate stores in Keyfactor Command for the Azure App Registration and Enterprise Application Universal Orchestrator extension.

Azure Enterprise Application (Service Principal)
  1. Follow the requirements section to configure a Service Account and grant necessary API permissions.

    Enterprise Application (Service Principal)

    Service Principal Certificates

    Service Principal certificates are typically used for SAML Token signing. Service Principals are created from Enterprise Applications, and will mostly be configured with a variation of Microsoft's SAML-based single sign-on documentation. For more information on the mechanics of the Service Principal certificate management capabilities of this extension, please see the mechanics section.

  2. Create Certificate Store Types for the Azure App Registration and Enterprise Application Orchestrator extension.

  3. Install the Azure App Registration and Enterprise Application Universal Orchestrator extension.

  4. Create new certificate stores in Keyfactor Command for the Azure App Registration and Enterprise Application Universal Orchestrator extension.

License

Apache License 2.0, see LICENSE.

Related Integrations

See all Keyfactor Universal Orchestrator extensions.