feat: add support for aws azuread federation

[mholttech]

This adds support for using AzureAD to Federate into AWS. Fixes #160.

Changelog

• Adds support for AzureAD Federation of AWS IAM Roles

[lgtm-com]

This pull request introduces 1 alert when merging 0a7ca2a into 00b89d7 - view on LGTM.com

new alerts:

• 1 for Incomplete URL substring sanitization

[mholttech]

This pull request introduces 1 alert when merging 0a7ca2a into 00b89d7 - view on LGTM.com

new alerts:

• 1 for Incomplete URL substring sanitization

The full URL when authenticating is https://login.microsoftonline.com/<azuread-tenant-id>/saml2

I'm not sure if this is something that can be wildcarded for or if this needs to be handled differently.

[ericvilla]

Hi @mholttech, looking at this implementation, it seems the filters you've added fit how the needAuthentication method works. Basically, it is an addition to the current logic and does not interfere with it.
Thank you very much for the effort and we'll add the feature in the next release.

[pethron]

I think the filter works but to further scope down I'd make a try with "https://login.microsoftonline.com/*/saml2"

[mholttech]

I just tried that with my dev build, unfortunately that appears to break the SAML Authentication

[ericvilla]

Hi @mholttech!

I've set up a federation between an AzureAD SAML Application and an AWS IAM Identity Provider.

The solution works with your implementation, but it shows the login window every time you click to activate the session. The reason behind this behavior is that details.url.indexOf('login.microsoftonline.com') !== -1 filter is too open.

The very first call to login.microsoftonline.com host has the following template: https://login.microsoftonline.com/oauth2/authorize

The condition now is
if (details.url.indexOf('login.microsoftonline.com') !== -1 && details.url.indexOf('/oauth2/authorize') !== -1) { ... }

Using this condition, Leapp does not show the login windows if you're already logged in.

[mholttech]

Hey @ericvilla, Thanks for the feedback. I'm updating the filter on my local build to validate on my end and then I'll update the PR

[lgtm-com]

This pull request introduces 1 alert when merging b8e2441 into fbcf00d - view on LGTM.com

new alerts:

• 1 for Incomplete URL substring sanitization

[mholttech]

@ericvilla It looks good to me. Works as expected and no longer seeing the popup during credential refresh

[lgtm-com]

This pull request introduces 3 alerts when merging 47d0401 into fbcf00d - view on LGTM.com

new alerts:

• 3 for Incomplete URL substring sanitization