Versions Compared
Key
- This line was added.
- This line was removed.
- Formatting was changed.
Overview
Admin App v3.0 supports two methods for authentication: web-forms authentication or single-sign on via Open ID Connect (OIDC). Both utilize ASP.NET Core Identity as the underlying framework. This page will provide details to configure Admin App based on the selected model.
Table of Contents | ||
---|---|---|
|
Admin App Roles
Admin App uses two roles within the application for ODS/API management. The Super-Administrator role is used to register multiple users with separate roles and privileges along with all ODS / API instances and its functions. The Administrator role is allowed to access only specific ODS / API instances and its functions. This user authentication model pairs well with multi-instance support within Admin App.
1. Super-Administrator (default role for the first user)
The Super-Administrator role is intended for an IT Administrator managing a collection of individual ODS instances, such as found within district collaboratives.
Super-Administrator Permissions
- Add a user
- Assign a role to an added user
- Register and delete ODS / API instances
- Change and assign an ODS / API instance to an added user
- Change user settings for other users
- Delete a user
- Plus, all permissions of the Administrator role
2. Administrator
The Administrator role is one that can access one or more ODS instances assigned by the Super-Administrator. This means that users in the Administrator role can only administer ODS / API instances specifically assigned.
Administrator Permissions
- Manage applications
- API key/secret creation
- View descriptors
- Bulk data uploads
- Learning standards synchronization
Securing Admin App
- Existing form authentication (Please refer here for more details)
- Single sign on (SSO)
Web Form Authentication
Click here to open Web Form Authentication setup instructions:
Toggle cloak |
---|
Cloak |
---|
|
Single Sign-On with Open ID Connect
Click here to open Single Sign-On with Open ID Connect setup instructions: Toggle cloak
Cloak | |||||
---|---|---|---|---|---|
Admin App SSO feature supports trusted 3rd party source as the source of identity for the application users. Enabling single sign on: To enable SSO on AdminApp, user needs to provide following appsettings values:
Type: EntityFramework or OpenId Default value is “EntityFramework” which enables form authentication. For enabling SSO, the type value will be set to “OpenId”. Authority: Autherity URL for making openIdConnect calls. ClientId: The client identifier from OP. This identifier is assigned when the client application is registered with OP, via the client registration API, a developer console, or some other method. ClientSecret: Secret value assigned/ generated for the client application on OP. UserProfileUri: User info endpoint. User will be redirected to this endpoint to change password. LoginProvider: OP name (ex: KeyCloak). GetClaimsFromUserInfoEndpoint: Boolean to set whether the handler should go to user info endpoint to retrieve additional claims or not after creating an identity from id_token received from token endpoint. The default value on Admin App is “true”. Scopes: List of permissions to request. Defining roles on third party OP:The users from third party OP should be provided with specific roles for working/ matching with existing Admin App roles. For more information on Admin App roles. Please refer here. The role will be added as user attribute on third party OP. Please refer Steps 4 and 6 on Sign in to KeyCloak and configure the environment below.
Setting up third party OP(KeyCloak):User can use their own/ existing OpenId Connect provider to delegate authentication process. We are using KeyCloak as an example here to explain the setup. Please follow steps below to define client application, users, claims and roles on KeyCloak. Create and run the infrastructure required:
Sign in to KeyCloak and configure the environment:
KeyCloak is now configured! Time to update Admin App config.
To verify: launch Admin App and sign in. You should be taken to KeyCloak and be able to sign in using the username and passwords you created. Singing into Admin App using KeyCloak:Redirecting to KeyCloak for sign in:After providing valid credentials and clicking Sign in, user will be navigated to Admin App Home Page and provided with Global and/or Settings as per their roles. Super Admin user from KeyCloak:Admin user from KeyCloak:No-role user from KeyCloak:Clicking on SETTINGS will redirect to "Unauthorized" error page. |
References:
https://www.keycloak.org/getting-started/getting-started-docker