The RoleManager component handles user authentication and access management. RoleManager can integrate with an external identity provider (IdP) for user authentication and user profile synchronisation.
Users are redirected to RoleManager to log in before they can access any OneList application. RoleManager issues a token for authenticated users to access the other OneList functionalities. Claims are granted to an authenticated user via their roles in RoleManager; OneList applications and services implement claims-based authorisation.
How to set up user access in RoleManager
An administrator can create two types of account in RoleManager.
- An Interactive User account can log on to OneList applications;
- A System User account is designed for APIs; a system user cannot log on to OneList applications. API keys are generated for it and used to access the OneList API.
The type of an account cannot be changed once the account is created. Access permissions are granted to both types of account by assigning roles to them.
Create the administrator user account after a new installation
- Select the "Register as a new user" link on the RoleManager login page. If this link is not available, add "RoleManager__EnableSelfRegistration": "true" to the Kubernetes ConfigMap.
- On the user registration page, enter the user details and password, then click the Register button. This first user is given System Administrator access.
- Select the Roles tab to assign the OneList Administrator role to the user.
Create the system user account for OneList APIs
As a best practice, create a dedicated service account and assign it the OneList Integration role. API keys linked to this account are used by the OneList Adapters to authenticate and authorise access to the OneList DataSync APIs.
- Navigate to RoleManager and select the Users menu;
- Select the New System User link to create a System User account;
- Complete the user detail then click the Save button;
- On the Manage Account page, select the Roles tab on the left;
- Search for the OneList Integration role and assign the role to the user;
Generate an API key for OneList integration
- Navigate to RoleManager and select the Users menu;
- Enter the name of the OneList integration system user then click the Search button;
- Select the Edit link to view the account detail;
- Select the Keys tab on the left;
- Click the Generate New Access Key button to generate a new key, or click the Show Access Key button to view an existing key;
- The Allowed clients field is optional. If specified, only requests made from these IP addresses are accepted;
- A unique access key must be generated for each source system that integrates with OneList. The key is required to register the source system in OneList, and the OneList adapters for that source system send the same key in the HTTP request header to connect to the OneList APIs.
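Added example (not RoleManager's own code) of the check the Allowed clients field implies: one access key per source system, and when the optional IP list is set only requests from those addresses pass. The key store shape, the sample keys and the addresses are constructed assumptions; how the key travels in the HTTP request header is not modelled here.

```python
import hmac
import ipaddress
from typing import Optional

# Constructed sample of the per-key data RoleManager would hold for a system user
# (an assumed shape; the page does not describe the store). One access key per
# source system, each with an optional "Allowed clients" IP list.
ACCESS_KEYS = {
    "erp-key-placeholder": {"source_system": "ERP", "allowed_clients": ["10.0.5.20"]},
    "crm-key-placeholder": {"source_system": "CRM", "allowed_clients": []},  # unrestricted
}

def find_key(presented: str) -> Optional[str]:
    """Return the stored key equal to `presented`, comparing in constant time so
    response timing does not reveal how many leading characters matched."""
    for stored in ACCESS_KEYS:
        if hmac.compare_digest(stored.encode(), presented.encode()):
            return stored
    return None

def authorise_request(presented_key: str, client_ip: str) -> Optional[str]:
    """Return the source system name when the key is valid and the caller's IP is
    permitted, otherwise None. An empty allowed-client list accepts any address,
    which is how the page describes the optional field."""
    stored = find_key(presented_key)
    if stored is None:
        return None
    entry = ACCESS_KEYS[stored]
    if entry["allowed_clients"]:
        try:
            ip = ipaddress.ip_address(client_ip)
        except ValueError:
            return None  # unparseable address: reject rather than guess
        # Parse the configured addresses too, so textual variants of one address match.
        if ip not in {ipaddress.ip_address(a) for a in entry["allowed_clients"]}:
            return None
    return entry["source_system"]
```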
Maintain access for users
- Navigate to RoleManager and select the Users menu;
- Enter the name or email address of the user then click the Search button;
- Select the Edit button under the Actions column;
- Select the Roles tab on the left;
- Search for the required role and assign it to the user, or remove a currently assigned role. Note that the user needs to log off and log on again for the updated access to take effect.
How to set up an external authentication provider
RoleManager supports integration with the following authentication providers:
- Azure AD
- ADFS
- Salesforce
- Other providers supporting the OpenID Connect protocol
Navigate to the /RoleManager URL, then click the Authentication Providers menu.
RoleManager can integrate with any external provider that supports:
- OpenID Connect (OIDC), or
- ADFS
Prerequisites
- Complete the application registration in the respective authentication provider, e.g. configure the redirect URL and relying party;
- Request credentials for connecting to the authentication provider, e.g. client_id, client_secret;
- Set up claims mapping at the authentication provider if required.
...
Adding an authentication provider
...
- Navigate to RoleManager and select the Authentication Providers menu;
- Click the Create New button and enter the name and display name of the provider. The name must be unique, start with a letter and contain no spaces, e.g. AzureAD. Then click the Next button:
  - For ADFS, the name must be WsFederation; for Google, the name must be Google;
  - For other providers, give it any unique name.
- Enter the configuration JSON applicable to the authentication provider. See the list below for each supported provider.
- Select the applicable status:
  - Is Active - RoleManager only interacts with active providers;
  - Is Interactive - RoleManager displays a button for each interactive provider on the login page so the user can log in with the external account;
  - Is Default - RoleManager automatically redirects the user to the default authentication provider's login page, i.e. the user does not need to select which provider to log on with.
If a source system is not OIDC compatible but is able to map users automatically, use the following settings to configure a place-holder provider for it:
- Configuration JSON: {"clientid":"na", "callbackpath":"/na", "configuration":{} }
- Status: Is Active = false, Is Interactive = false, Is Default = false.
External authentication provider configuration requirements
Provider | Application Registration | Information Required for RoleManager Configuration | RoleManager Configuration JSON
---|---|---|---
Azure AD | Registration steps: https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app. Registering as a single-tenant application is recommended. Redirect URI: https://<OneList hostname>/rolemanager/signin-azure | Application id, Client secret, Azure tenant id | { "clientid": "<Application id>", "clientsecret": "<Client secret>", "Authority": "https://login.microsoftonline.com/<Azure tenant id>/v2.0", "CallbackPath": "/signin-azure", "SaveTokens": false }
ADFS | Registration steps: https://docs.microsoft.com/en-us/aspnet/core/security/authentication/ws-federation?view=aspnetcore-2.2. Relying party: https://<OneList hostname>/ (the relying party URL must end with '/'). Map the SAMAccountName to the Name ID claim. Hint: use the Windows event log on the ADFS server to investigate errors. | Federation metadata address | { "MetadataAddress": "<the meta data address>", "Wtrealm": "https://<OneList host>/" }
Google | Registration steps: https://developers.google.com/identity/sign-in/web/devconsole-project. Redirect URL: https://<OneList hostname>/rolemanager/signin-google | | { "Authority": "https://accounts.google.com", "CallbackPath": "/signin-google", "Scope": ["email"] }
Salesforce | Create a connected app: https://developer.salesforce.com/docs/atlas.en-us.api_streaming.meta/api_streaming/code_sample_auth_oauth.htm. Callback URL: https://<onelist hostname>/rolemanager/signin-salesforce | Consumer key, Consumer secret | { "Authority": "https://login.salesforce.com", "ClientId": "<consumer key>", "ClientSecret": "<consumer secret>", "CallbackPath": "/signin-salesforce", "Scope": ["offline_access","api"] }
SAP | OpenID Connect registration: https://help.sap.com/viewer/6d6d63354d1242d185ab4830fc04feb1/Cloud/en-US/8a0aa2ea5a0744879a7ec2be0bc023cf.html. Callback URL: https://<onelist hostname>/rolemanager/signin-sap | Environment/subscription-based Authority URL, Client ID, Secret | { "Authority": "<environment/subscription based URL>", "ClientId": "<Client ID>", "ClientSecret": "<Secret>", "CallbackPath": "/signin-sap" }
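Added example (not RoleManager's own code) that checks provider definitions entered under "Adding an authentication provider" against the naming rules, the place-holder settings and the JSON keys listed in the table above, before they are pasted into RoleManager. Assumed: JSON keys match case-insensitively, the default provider must be active, and at most one provider is default.

```python
import json
import re

# Required JSON keys per provider kind, from the configuration table above.
REQUIRED = {
    "WsFederation": {"metadataaddress", "wtrealm"},
    "oidc": {"authority", "callbackpath"},
}
# Place-holder configuration for a source system that is not OIDC compatible.
PLACEHOLDER = {"clientid": "na", "callbackpath": "/na", "configuration": {}}
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9]*$")  # starts with a letter, no spaces

def validate_providers(providers):
    """Return a list of problems for provider definitions (dicts with the keys
    name, config_json, is_active, is_interactive, is_default). Assumptions: JSON
    keys match case-insensitively (as with ASP.NET Core configuration binding),
    the default provider must be active, and only one provider may be default."""
    problems, names, defaults = [], set(), 0
    for p in providers:
        name = p["name"]
        if not NAME_RE.match(name):
            problems.append(f"{name!r}: name must start with a letter and contain no spaces")
        if name in names:
            problems.append(f"{name!r}: name is not unique")
        names.add(name)
        try:
            cfg = {k.lower(): v for k, v in json.loads(p["config_json"]).items()}
        except (json.JSONDecodeError, AttributeError) as e:
            problems.append(f"{name!r}: configuration is not valid JSON ({e})")
            continue
        if cfg == PLACEHOLDER:
            if p["is_active"] or p["is_interactive"] or p["is_default"]:
                problems.append(f"{name!r}: place-holder provider must not be active, interactive or default")
            continue
        kind = "WsFederation" if name == "WsFederation" else "oidc"
        missing = REQUIRED[kind] - set(cfg)
        # Every OIDC row in the table except Google also carries a client id.
        if kind == "oidc" and name != "Google" and "clientid" not in cfg:
            missing.add("clientid")
        if missing:
            problems.append(f"{name!r}: missing {sorted(missing)}")
        if p["is_default"]:
            defaults += 1
            if not p["is_active"]:
                problems.append(f"{name!r}: default provider must be active")
    if defaults > 1:
        problems.append("more than one provider is marked Is Default")
    return problems
```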