Access control to in-house databases
To create accounts, users have two options:
- Using single sign-on which is available in release version 2.0.0.
- Using form based registration.
To enable SSO for on-site users, the site admin must first register an application with the preferred OpenID Connect identity provider and obtain these OpenID access credentials: Client id, Client secret, Authority and CallbackPath. The following sub-sections provide guidelines on how to register an application with major identity providers such as Microsoft Azure Active Directory (AAD), Google, and LDAP providers such as Windows Server Active Directory.
To use OpenID Connect (SSO), SSL must be enabled; see the SSL setup documentation for how to set that up.
1. Sign in to the Azure portal.
2. If you have access to multiple tenants, use the Directories + subscriptions filter in the top menu to switch to the tenant in which you want to register the application.
3. Search for and select Azure Active Directory.
4. Under Manage, select App registrations > New registration.
5. Enter a Name for your application, for example CCDC-WebCSD. Users of your app might see this name, and you can change it later.
6. Add the URL `https://{webcsd-url}/signin-oidc` as the Redirect URI, with the platform set to single-page application (SPA). Copy `/signin-oidc`; it is used as the CallbackPath in section 3 (Enabling SSO).
7. Select Register.
8. Under Manage, select Authentication.
9. In the Implicit grant and hybrid flows section, select ID tokens, and then select Save.
10. Under Manage, select Certificates & secrets.
11. Select + New client secret, enter a description, select a secret expiry date and select Add to generate a client secret. Copy the generated Client secret value.
12. On the Overview page, copy the client id and tenant id.
13. Replace `<tenant id>` in the endpoint `https://login.microsoftonline.com/<tenant id>/v2.0` with the tenant id you copied to form the Authority credential.
Instructions for setting up LDAP for user access control in On-Site WebCSD can be requested through support@ccdc.cam.ac.uk.
1. Sign in as a Google developer.
2. From the Credentials tab, select Create Project, provide a project name (for example the name of your organization), select a parent organization, and click Create.
3. Select Configure Consent Screen to configure the OAuth consent screen with information about the application to be registered.
4. On the OAuth Consent Screen, select the Internal user type and click Create.
5. Complete the customization options as desired and select Back to Dashboard on the summary page.
6. Return to the Credentials tab and select + Create Credentials. Choose OAuth client ID.
7. Select Web Application for the Application Type.
8. Enter WebCSD as the client name and select Create.
9. Copy the generated credentials and/or download the generated JSON file, which includes all the necessary credentials.
10. Use `https://accounts.google.com/` as the Authority and `/signin-google` as the CallbackPath.
Before proceeding with this section, you must have obtained the required credentials: Authority, ClientId, ClientSecret and CallbackPath.
Update the `environment` section of the `docker-compose.enable-sso.yml` file with the credentials:
```yaml
...
services:
  webcsd:
    environment:
      - LoginPageSetup__EnableSSO=true
      - LoginPageSetup__EnableFormBasedLogin=true
      - ThirdPartyCredentials__Authority=<Authority>
      - ThirdPartyCredentials__ClientId=<Client Id>
      - ThirdPartyCredentials__ClientSecret=<Client Secret>
      - ThirdPartyCredentials__CallbackPath=<CallbackPath>
      - ThirdPartyCredentials__DisplayName=<Name of SSO provider. Eg. Microsoft>
```
Note: The admin can disable local authentication and require users to sign in strictly with SSO by setting the `LoginPageSetup__EnableFormBasedLogin` variable to `false`.
Finally, include `docker-compose.enable-sso.yml` in the start-up command: `docker-compose -f docker-compose.yml -f docker-compose.enable-sso.yml up -d`
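The settings above are easy to get subtly wrong, and the usual symptoms are a redirect URI mismatch at the provider or, worse, a lockout when form-based login is turned off before SSO actually works. The following pre-flight check is an added example, not part of the WebCSD project: it parses a constructed copy of the `environment` list, flags placeholders left in place, a non-HTTPS or empty-tenant Azure Authority, a CallbackPath that does not reproduce the registered Redirect URI, and the lockout combination. `SITE_URL` is an assumed stand-in for `{webcsd-url}`.

```python
import re
from urllib.parse import urlparse

SITE_URL = "https://webcsd.example.org"  # assumed stand-in for {webcsd-url}

# Constructed sample of the docker-compose environment list, with typical mistakes.
SAMPLE_ENV = [
    "LoginPageSetup__EnableSSO=true",
    "LoginPageSetup__EnableFormBasedLogin=false",
    "ThirdPartyCredentials__Authority=https://login.microsoftonline.com//v2.0",
    "ThirdPartyCredentials__ClientId=<Client Id>",
    "ThirdPartyCredentials__ClientSecret=constructed-secret-value",
    "ThirdPartyCredentials__CallbackPath=signin-oidc",
    "ThirdPartyCredentials__DisplayName=Microsoft",
]

def parse_env(lines):
    """Turn KEY=VALUE entries into a dict; only the first '=' separates key and value."""
    return dict(line.split("=", 1) for line in lines)

def check_sso(env, site_url=SITE_URL, registered_redirect=None):
    """Return a list of problems found in the SSO settings (empty list = looks sane)."""
    problems = []
    creds = {k.split("__", 1)[1]: v for k, v in env.items()
             if k.startswith("ThirdPartyCredentials__")}
    for name in ("Authority", "ClientId", "ClientSecret", "CallbackPath"):
        value = creds.get(name, "")
        if not value or re.fullmatch(r"<.*>", value):  # '<...>' placeholder never replaced
            problems.append(f"{name} is missing or still a placeholder")
    authority = creds.get("Authority", "")
    if authority and urlparse(authority).scheme != "https":
        problems.append("Authority must use https")
    # Azure AD authority is https://login.microsoftonline.com/<tenant id>/v2.0;
    # a '//' right after the host means the tenant id was never filled in.
    if re.match(r"https://login\.microsoftonline\.com//", authority):
        problems.append("Authority has an empty tenant id segment")
    path = creds.get("CallbackPath", "")
    if path and not path.startswith("/"):
        problems.append("CallbackPath must start with '/'")
    # The provider compares the redirect URI byte for byte, so site URL + CallbackPath
    # must equal what was registered (e.g. https://{webcsd-url}/signin-oidc).
    if registered_redirect and site_url.rstrip("/") + path != registered_redirect:
        problems.append("CallbackPath does not reproduce the registered Redirect URI")
    sso_on = env.get("LoginPageSetup__EnableSSO", "").lower() == "true"
    form_on = env.get("LoginPageSetup__EnableFormBasedLogin", "true").lower() == "true"
    if not form_on and (not sso_on or problems):
        problems.append("form-based login is disabled while SSO is off or broken: users would be locked out")
    return problems
```

Run the check against the real file before adding it to the start-up command, and only set `LoginPageSetup__EnableFormBasedLogin=false` once it reports no problems.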
Users who already have a local account need to first link their local account to their third-party account (Microsoft, Google, etc.) in their profile before using the sign-in button on the login page. This is necessary to avoid changes in user roles and permissions or loss of the user's data.
1. First, sign in with your local account.
2. Navigate to the Profile page.
3. Select External Logins.
4. Select the configured SSO provider (Microsoft, Google, etc.) to link your local account. You'll be redirected to the provider's page for sign-in and authorisation.
5. If login succeeds, you'll be redirected back to the application and be notified that the accounts have been linked successfully.
Info: This process is only required on first login with SSO. Subsequent logins can be done straight from the login page by clicking Continue with <SSO provider name>.
1. From the Log in page, click Continue with <SSO provider name>. You'll be redirected to the SSO provider to sign in (if you're not already signed in).
2. On successful authentication, WebCSD will initiate an account registration process, which creates a local profile on WebCSD and links it with the third-party account you just signed into.
3. You will be presented with the Register page as shown below. Enter your email in the space provided if it was not pre-populated, and click Register.
4. You can now proceed to log in.
Your site admin, based on company policy, may decide to restrict users to sign in to the application using only SSO, and hence can disable the option to sign in locally with a username and password.