...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
...
Overview
Today, Admin App supports only forms-based authentication for using the application. This design proposes adding another method of delegating user-authentication to trusted 3rd party-sources via OpenID Connect, to provide single-sign on like experiences to users of Ed-Fi tools. If this design, implemented code and pattern is successful in Admin App, it will be considered for reuse in applications such as Data Import.
...
This feature is targeted towards the IT administrator of an Ed-Fi Tech Suite and responsible for its secure operation. The IT administrator would like to use a trusted, 3rd party source as the source of identity for their users, instead of the built-in forms authentication available today.
Technical Details
Below are technical details related to the design of delegating authority to trusted 3rd parties within the Ed-Fi tools ecosystem.
Registering client application with external authentication providers
...
Client application needs to be registered to an external authentication provider, in order to delegate the user authentication process.
...
Note: Similarly, Admin App should be registered with custom OIDC authentication provider for availing client_key and client_secret.
Store external authentication provider details
...
For enabling OIDC authentication Admin App needs provider details, which includes OIDC server authentication Url, Client_Id, Client_Secret, ResponseType, and required scopes.
On development environment all these details can be stored on Authentication section on appsettings.json file or can be set as user-secrets.
ex: dotnetuser-secrets set "Authentication:Google:Client_Id""sampleapp"
For production environment, it is recommended to store Client_Id and Client_Secret on environment variables.
OIDC authentication flow on Admin App
...
Login flow
...
If OIDC/ external authentication enabled on Admin App! on Login page user will find form authentication controls as well as link/ button to OIDC authentication.
...
Upon successful sign in, session cookie will be set, and user will be navigated/ redirected to Admin App page.
Registering external user on Admin App
...
Registering external user on Admin App will make sure that user info, claims from external provider and
Admin App specific role details are getting added to Admin App authentication tables for future reference.
Log out
...
On Admin App, the cookie is used as default sign-in and sign-out schema. So, logout operation will clear the cookie.
Open Questions
1.) Does this design cover the majority of SSO/3rd party authentication needs?