Add end user's IdP information to host vitals #23236

Open
10 of 40 tasks
noahtalerman opened this issue Oct 25, 2024 · 6 comments
Assignees
Labels
~csa Issue was created by or deemed important by the Customer Solutions Architect. ~customer promise A feature request from a Fleet customer that Fleet has contractually agreed to deliver customer-cisneros customer-easterwood customer-fourier customer-numa customer-olympus customer-pingali customer-starchik #g-mdm MDM product group :product Product Design department (shows up on 🦢 Drafting board) story A user story defining an entire feature

Comments

@noahtalerman
Member

noahtalerman commented Oct 25, 2024

Goal

User story
As an IT admin,
I want to add end user's info (e.g. IdP email, full name, IdP groups, etc.) from the identity provider (IdP) to host vitals
so that I can identify which end user is assigned to each host.

Key result

Fleet users can add host vitals from their IdP as variables in configuration profiles

Original requests

#21028

Context

@marko-lisica: LDAP research document

Changes

Product

  • UI changes: Figma link
  • CLI (fleetctl) usage changes: No changes.
  • YAML changes: No changes.
  • REST API changes: [API design] Add end user's IdP information to host vitals #26855
  • Fleet's agent (fleetd) changes: No changes.
  • GitOps mode changes: No changes.
  • Activity changes: No changes.
  • Permissions changes: Maintainer and up. Permissions guide PR.
  • Changes to paid features or tiers: Fleet Premium only. Pricing table PR
  • Transparency changes: No changes.
  • First draft of test plan added
  • Other reference documentation changes: No changes.
  • Once shipped, requester has been notified
  • Once shipped, dogfooding issue has been filed

Engineering

ℹ️  Please read this issue carefully and understand it. Pay special attention to UI wireframes, especially "dev notes".

QA

Risk assessment

  • Requires load testing: TODO
  • Risk level: Low / High TODO
  • Risk description: TODO

Test plan

Make sure to go through the list and consider all events that might be related to this story, so we catch edge cases earlier.

UI

  • On the /settings/integrations page there should be a new sub page, /identity-provider.
  • Make sure that Okta's SCIM integration can be connected to Fleet by following the user guide provided on /settings/integrations/identity-provider in the integration card ("learn how" link).
  • If users create a SCIM integration app in Okta and something isn't right when they try to test the connection, make sure that the state of the integration card on /settings/integrations/identity-provider isn't changed. It should change only after the first successful request from the Okta SCIM client.
  • Make sure that after the first successful request (IdP connected) from Okta, the /settings/integrations/identity-provider page always shows the latest request from Okta with a timestamp. In case of error, make sure that Fleet shows the error message in a tooltip that appears on hover over the text in the integration card.
  • On macOS host details, the new "User" card should always be visible.
  • On macOS host details, in the new "User" card, Email (IdP) should always be visible whether or not it has a value.
  • On macOS host details, in the "User" card, make sure that Email (IdP) is the email that's available today in GET /api/v1/fleet/hosts/1/device_mapping with source = 'mdm_idp_accounts' (the one that gets assigned to a host when the user authenticates during ADE).
  • On macOS host details, in the new "User" card, the Google Chrome profiles and Other email fields should be present only if they have a value.
  • On other platforms (except macOS), in the new "User" card on host details, Email (IdP) shouldn't be present, and only fields that have a value should be visible (Google Chrome profiles and Other email). If no fields are available, hide the "User" card.
  • On the macOS host details page, in the "User" card, if Email (IdP) has a value and the IdP is NOT connected (Fleet didn't receive at least one successful request from the IdP), show a tooltip over the Full name (IdP) and Group (IdP) labels to guide the user to connect the IdP in Fleet settings.
  • On the macOS host details page, in the "User" card, if Email (IdP) has a value and the IdP IS connected (Fleet received at least one successful request from the IdP), show a tooltip over the Full name (IdP) label telling users that this is the combination of the givenName and familyName SCIM attributes.
  • On macOS host details, in the "User" card, if Email (IdP) has a value, then the Add user button shouldn't be present.
  • Make sure that the Groups in the User card match those assigned to the user in Okta (IdP).
  • Make sure that the information populated in the User card matches what is assigned to the user in Okta.
  • Make sure that when user information is updated in Okta, that change is reflected on host details (e.g. if an admin changed lastName in Okta, it should be changed in Fleet, and if a user changes userName in Okta it should be changed in Fleet as well).
  • Make sure that group assignment changes in Okta are reflected in Fleet (e.g. a user in Okta got assigned to a new group or got removed from a group).
  • Verify that the human-device mapping (user information, e.g. Chrome profiles, custom email and IdP email, etc.) is deleted when a host is deleted. That way, when the host re-enrolls after wipe/delete, it has a fresh human-device mapping entry.
  • Make sure that if the user in Okta doesn't have all required SCIM attributes (userName, givenName, and familyName), Fleet shows an error message in Settings > Integrations > IdP, and Fleet sends an error to Okta, which is displayed when you open the user's page in Okta.

API

  • Make sure that /api/v1/fleet/scim and /api/v1/fleet/scim/<any_other_route> are available for Premium users only.
  • Make sure that /api/v1/fleet/scim and /api/v1/fleet/scim/<any_other_route> are available for the Maintainer and Admin roles.

Happy path

  1. Create an Okta SCIM application and connect it to Fleet, following Fleet's user guide that's linked in the Fleet UI.
  2. Assign users and push groups from the Okta SCIM application to Fleet, following Fleet's user guide.
  3. Enroll a new host via ADE (with end user authentication enabled).
  4. After successful enrollment, go to the host details of that host and make sure that Email (IdP), Full name (IdP) and Groups (IdP) are populated based on the IdP email that's assigned to the user via the ADE enrollment flow.
  5. Go to Okta, open the user that's mapped to the host above, change its last name and make sure that the change is reflected in Fleet.

Testing notes

Confirmation

  1. Engineer (@____): Added comment to user story confirming successful completion of QA.
  2. QA (@____): Added comment to user story confirming successful completion of QA.

Software design (should be moved to its own docs/contributing/MDM-IdP.md file):

```mermaid
---
title: DB schema proposal
---
erDiagram
    %% Attribute lines follow mermaid's "<type> <name> [key] [comment]" order
    HOST_IDP {
        uint host_id PK
        uint idp_id FK
    }
    IDP {
        string id PK "Can this be stored as binary for faster lookup?"
        string email "Unique?"
        string full_name
    }
    IDP_GROUPS_JOIN {
        string idp_id PK "FK"
        uint group_id PK "FK"
    }
    IDP_GROUPS {
        uint group_id PK
        string name "Unique"
    }
    HOST_IDP }|--|| IDP : "multiple hosts can have the same IDP"
    IDP ||--o{ IDP_GROUPS_JOIN : "Can IDP have no groups?"
    IDP_GROUPS_JOIN }|--|| IDP_GROUPS : "one-to-many"
    COMMENT {
        string _ "created_at and updated_at columns not shown"
    }
```
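The test plan above requires that a SCIM user missing any of userName, givenName or familyName is rejected with an error that Okta can display, and that "Full name (IdP)" is built from givenName and familyName. The following Go program is an added illustration of that check and is not Fleet's code: the type names, the two constructed sample request bodies and the decision to answer with an RFC 7644 error body carrying scimType "invalidValue" are assumptions; the page does not say how Fleet formats the error it sends back to Okta.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// scimUser holds the subset of the SCIM 2.0 User resource (RFC 7643) the test
// plan relies on: userName, name.givenName and name.familyName.
type scimUser struct {
	UserName string `json:"userName"`
	Name     struct {
		GivenName  string `json:"givenName"`
		FamilyName string `json:"familyName"`
	} `json:"name"`
}

// scimError is the error body of RFC 7644 section 3.12; a SCIM client such as
// Okta surfaces its "detail" on the affected user's page.
type scimError struct {
	Schemas  []string `json:"schemas"`
	Status   string   `json:"status"`
	ScimType string   `json:"scimType,omitempty"`
	Detail   string   `json:"detail"`
}

const scimErrorSchema = "urn:ietf:params:scim:api:messages:2.0:Error"

// Constructed sample bodies (assumed, not captured from Okta): a complete user
// and one whose familyName is blank.
const (
	sampleOK      = `{"userName":"ada@example.com","name":{"givenName":"Ada","familyName":"Lovelace"}}`
	sampleMissing = `{"userName":"bob@example.com","name":{"givenName":"Bob","familyName":"  "}}`
)

// validateUser returns nil when userName, givenName and familyName are all
// non-blank, otherwise a 400 "invalidValue" error naming what is missing.
func validateUser(u *scimUser) *scimError {
	var missing []string
	for _, f := range []struct{ name, value string }{
		{"userName", u.UserName},
		{"name.givenName", u.Name.GivenName},
		{"name.familyName", u.Name.FamilyName},
	} {
		if strings.TrimSpace(f.value) == "" {
			missing = append(missing, f.name)
		}
	}
	if len(missing) == 0 {
		return nil
	}
	return &scimError{
		Schemas:  []string{scimErrorSchema},
		Status:   "400",
		ScimType: "invalidValue",
		Detail:   "missing required attribute(s): " + strings.Join(missing, ", "),
	}
}

// fullName builds "Full name (IdP)" from givenName followed by familyName.
func fullName(u *scimUser) string {
	return strings.TrimSpace(u.Name.GivenName + " " + u.Name.FamilyName)
}

// handleUser parses and validates a SCIM User body. It returns the user and 200
// on success, or nil, 400 and the JSON error body to send back on failure.
func handleUser(body []byte) (*scimUser, int, []byte) {
	var u scimUser
	var e *scimError
	if err := json.Unmarshal(body, &u); err != nil {
		e = &scimError{Schemas: []string{scimErrorSchema}, Status: "400",
			ScimType: "invalidSyntax", Detail: "malformed JSON: " + err.Error()}
	} else {
		e = validateUser(&u)
	}
	if e != nil {
		out, _ := json.Marshal(e)
		return nil, 400, out
	}
	return &u, 200, nil
}

func main() {
	for _, body := range []string{sampleOK, sampleMissing, "{not json"} {
		if u, status, errBody := handleUser([]byte(body)); u != nil {
			fmt.Printf("%d %s %q\n", status, u.UserName, fullName(u))
		} else {
			fmt.Printf("%d %s\n", status, errBody)
		}
	}
}
```

Whitespace-only values are treated as missing on purpose: an IdP can provision a user whose familyName is a single space, and that user would otherwise pass the check and show up on host details with a truncated "Full name (IdP)".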
@noahtalerman noahtalerman added story A user story defining an entire feature #g-mdm MDM product group :product Product Design department (shows up on 🦢 Drafting board) labels Oct 25, 2024
@marko-lisica marko-lisica changed the title Add end user's IdP group to host vitals Add end user's IdP information to host vitals Nov 4, 2024
@noahtalerman
Member Author

Hey @marko-lisica, left some feedback in a Loom video here.

@nonpunctual nonpunctual added ~csa Issue was created by or deemed important by the Customer Solutions Architect. customer-starchik labels Nov 12, 2024
@nonpunctual
Contributor

related: #21028

@noahtalerman noahtalerman added Epic DO NOT USE. Auto-created by ZenHub, cannot be disabled. and removed Epic DO NOT USE. Auto-created by ZenHub, cannot be disabled. labels Nov 12, 2024
@noahtalerman noahtalerman added ~feature fest Will be reviewed at next Feature Fest and removed ~feature fest Will be reviewed at next Feature Fest labels Nov 14, 2024
@marko-lisica marko-lisica removed their assignment Nov 19, 2024
@marko-lisica marko-lisica removed the :product Product Design department (shows up on 🦢 Drafting board) label Nov 19, 2024
@noahtalerman
Member Author

FYI @marko-lisica I presented wireframes to Mike and got feedback that I think we want to address when we come back to this story.

Feedback and Gong recording are in this Google doc: https://docs.google.com/document/d/1CVWjE23RiUIpR7b4orojkxFp4gEzr4qDLmSv-TNxf6M/edit?tab=t.0

@noahtalerman noahtalerman added the ~customer promise A feature request from a Fleet customer that Fleet has contractually agreed to deliver label Nov 22, 2024
@JoStableford
Contributor

Linked to Unthread ticket:

Conversation #3476

@noahtalerman noahtalerman added the :product Product Design department (shows up on 🦢 Drafting board) label Dec 20, 2024
@marko-lisica marko-lisica removed the :product Product Design department (shows up on 🦢 Drafting board) label Dec 23, 2024
@noahtalerman
Member Author

Hey @marko-lisica, I recorded some UI feedback here: https://drive.google.com/file/d/1amow8wVZrNkZI80Ri9Sb2QSDWgRsEYB8/view?usp=sharing

It's a longer video because I did some wireframing (added proposed tweaks).

@getvictor
Member

@marko-lisica Is there a new API endpoint for SCIM requests to Fleet? How is authentication handled? We don't want random requests messing with our IdP data.
