Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: MSDN reference


Info
titleNotice

This Delegating Authority to Trusted Third-Party Sources Single-Sign On design document is in draft status and evolving as informed by the Ed-Fi community.  Please use the Comments section below for any feedback into the design of single-sign on support for Ed-Fi Tools.  If this design appears to fit the majority of Ed-Fi community need, the design will first be implemented in Admin App, then look to implement in Data Import as sharing similar needs and technology sets. 

Overview

The Ed-Fi Alliance provides Admin App as a user interface to manage the ODS / API Platform.   Today, Admin App supports only forms-based authentication for using the application.  The Ed-Fi community has signaled the strong need for providing a simple single-on (SSO) experience for numerous Ed-Fi Tools (such as Admin App and Data Import).  The community has also identified Open ID Connect 1.0 as an common interface available in education environments, which then connects to existing identity stores, both open-source and from major provides such as Microsoft, Google and others

This design proposes adding another a method of delegating user-authentication to trusted 3rd party-sources via OpenID Connect 1.0, to provide single-sign on like experiences to users of Ed-Fi tools.  If this design, implemented code and pattern is successful in Admin App, it will be considered for reuse in applications such as Data Import.  Implementation of this method builds upon the Ed-Fi Alliance's investment in .NET Core migration, which guidance is provided on implementing SSO patterns in this MSDN article: "Facebook, Google, and external provider authentication in ASP.NET Core".

Below is a table of contents for topics into the Delegating Authority to Trusted Third-Party Sources Single-Sign On design:

Table of Contents
minLevel2

...

On development environment all these details can be stored on Authentication section on appsettings.json file or can be set as user-secrets.

ex: dotnetuser-secrets set "Authentication:Google:Client_Id""sampleapp"

For production environment, it is recommended to store Client_Id and Client_Secret on environment variables. 

...

1.) Does this design cover the majority of SSO/3rd party authentication needs?

2.) Is authentication one or the other?  Or do we keep forms-based for first admin, then delegate the rest?

3.) Is configuration in UI or appSettings.json?

4.) Does Open ID Connect 1.0 provide for roles?  We have two roles in Admin App - admin and super-admin.  Can OIDC map to this?