Access control to in house databases

Diana Kondinskaia edited this page Nov 12, 2024 · 19 revisions

Overview

To create accounts, users have two options:

  1. Using single sign-on.
  2. Using form based registration.

The first user to register will be set as the admin; there is no limit on the number of admin accounts. To see in-house databases as an admin, you will need to add the databases to the admin role. By default, all users including admins start with no access to any in-house databases.

The admin accounts will have access to the user admin section in the account dropdown in the top right of On-Site WebCSD, or the Lattice platform.

Administrators can do a bulk user creation or update.

From the user admin sections, you can manage users, roles and view the databases in On-Site WebCSD.

Below are instructions for setting up single sign-on using various providers, how to use single sign-on in On-Site Lattice and WebCSD, and how to create and link accounts using single sign-on.

Default database access

Users who are not logged in cannot access any databases.

Logged in users including admin users can only access the CSD by default.

Whether SSO or form-based registration is in use, the first user to register will automatically be assigned the Admin role. This allows them to configure and assign roles via a GUI. Each role can have access to different databases.

User management (Admin)

  1. Navigate to the User Admin section via WebCSD or the New Lattice Platform.

  2. Go to the Databases tab. Here you can see an index assigned to each database, taken from the container configuration.

  3. Go to the Roles tab. Here you can see the name of each available role and the indices of the databases accessible to users with that role.

  4. You can add a new role by entering its name into the relevant field and clicking Add New Role.

  5. Click the Edit button to the right of a role and tick the databases you want to make available to users with that role. Click Submit when all the relevant databases are selected.

  6. You can assign roles separately for each user or in bulk (described in the next section). To assign role(s) to one user, go to Users and click Manage roles to the right of their email.

Bulk user management (Admin)

  1. Navigate to the User Admin section via WebCSD or the New Lattice Platform.

  2. Select Bulk Change Users.

  3. Create a CSV file with user data in the following format:

     FirstName,LastName,EmailAddress,Roles
     Joe,Bloggs,joe@joe.com,"Basic"

  4. Select Bulk Change CSV File to upload the populated CSV file, then hit the Upload Bulk Change CSV File button to upload and validate the provided user details.

  5. Validation results will be displayed. If any errors are found, you will be alerted to make the necessary corrections and re-upload the file.

     File with failed validation: [screenshot]

     File with successful validation: [screenshot]

  6. After carefully reviewing the user data, click Submit User Changes to finalize the bulk registration/change process.

  7. Download the generated report by clicking the Export User List to Excel button. This contains the initial passwords for the created accounts; you will not be able to access it later.

FAQs

What fields are required on the CSV template file? Only the email address and Roles are required.

What happens when a user already exists? The user's role(s) are updated.

I forgot to download the final report containing the user passwords, what do I do? The admin would have to reset or change each user's password manually.

Can I update existing users' roles in bulk as well? Yes: populate the CSV file with each user's email address and their updated Roles, upload it, and the system will update their roles automatically.
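The wiki only states the rules the upload enforces (email and Roles required, roles must already exist, an existing email means an update). As an added example, not part of this wiki or the CCDC software, here is a Python pre-check an admin can run over the CSV before uploading it. It assumes multiple roles are separated by ";" inside the quoted Roles field and that KNOWN_ROLES is copied from the Roles tab; the sample rows are constructed.

```python
import csv
import io
import re

# Constructed sample in the bulk-change format; two rows are valid, three are not.
SAMPLE_CSV = """FirstName,LastName,EmailAddress,Roles
Joe,Bloggs,joe@joe.com,"Basic"
,,ann@example.org,"Basic;Research"
Sam,Smith,,"Basic"
Pat,Jones,pat@example.org,"Superuser"
Joe,Bloggs,JOE@joe.com,"Admin"
"""

# Role names as they appear in the Roles tab (constructed; copy your own here).
KNOWN_ROLES = {"Admin", "Basic", "Research"}

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def validate_bulk_csv(text, known_roles, role_sep=";"):
    """Return (accepted_rows, problems) for a bulk-change CSV.

    Rules taken from the page: EmailAddress and Roles are required, a role
    must already exist, and a repeated email means the same user is updated
    (so the later row would override the earlier one). The ';' separator
    between roles is an assumption of this example.
    """
    reader = csv.DictReader(io.StringIO(text))
    missing = {"EmailAddress", "Roles"} - set(reader.fieldnames or [])
    if missing:
        return [], [f"header missing column(s): {sorted(missing)}"]
    accepted, problems, seen = [], [], set()
    for line_no, row in enumerate(reader, start=2):  # line 1 is the header
        email = (row.get("EmailAddress") or "").strip().lower()
        roles = [r.strip() for r in (row.get("Roles") or "").split(role_sep) if r.strip()]
        if not EMAIL_RE.match(email):
            problems.append(f"line {line_no}: missing or malformed EmailAddress")
        elif not roles:
            problems.append(f"line {line_no}: Roles is required")
        elif set(roles) - known_roles:
            unknown = sorted(set(roles) - known_roles)
            problems.append(f"line {line_no}: unknown role(s) {unknown}; add them in the Roles tab first")
        elif email in seen:
            problems.append(f"line {line_no}: duplicate email {email}; this row would override the earlier roles")
        else:
            seen.add(email)
            accepted.append({"email": email, "roles": roles,
                             "first": (row.get("FirstName") or "").strip(),
                             "last": (row.get("LastName") or "").strip()})
    return accepted, problems
```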

Setting up single sign-on (Admin)

Prerequisites

To enable SSO for On-Site users, the site admin must first register an application with the preferred OpenID Connect identity provider and obtain these OpenID Connect credentials: Client id, Client secret, Authority and CallbackPath. The following sub-sections give guidelines on registering an application with major identity providers such as Microsoft Azure Active Directory (AAD) and Google, and with LDAP providers such as Windows Server Active Directory.

To use OpenID Connect (SSO), SSL must be enabled first; see the separate SSL setup instructions for how to do that.

Azure Active Directory (AAD)

  • Sign in to the Azure portal.

  • If you have access to multiple tenants, use the Directories + subscriptions filter in the top menu to switch to the tenant in which you want to register the application.

  • Search for and select Azure Active Directory.

  • Under Manage, select App registrations > New registration.

  • Enter a Name for your application, for example CCDC-WebCSD. Users of your app might see this name, and you can change it later.

  • Add the URL https://{webcsd-url}/signin-oidc in Redirect URI as a single page application (SPA).

  • Copy /signin-oidc to be used as the CallbackPath in section 3 (Enabling SSO).

  • Select Register.

  • Under Manage, select Authentication.

  • In the Implicit grant and hybrid flows section, select ID tokens, and then select Save.

  • Under Manage, select Certificates & secrets.

  • Select + New client secret, enter a description, select a secret expiry date and select Add to generate a client secret. Copy the generated Client secret value.

  • On the Overview page, copy the client id and tenant id.

  • Insert the tenant id into the endpoint https://login.microsoftonline.com/{tenant id}/v2.0 to form the Authority credential.

LDAP

A sample LDAP YAML configuration file, which should allow LDAP to be used for user authentication, can be found at the top level of the GitHub repository. However, as there are various types of LDAP service available, this may require some modification based on the type in use. For additional help with configuration, please contact support@ccdc.cam.ac.uk, but please note that due to the breadth of potential systems that could be used, the help we can offer for setup may be limited.

Google

Sign in as a Google developer.

  • From the Credentials tab, select Create Project, provide a project name (could be name of your organization), select a parent organization, and click Create.

  • Select Configure Consent Screen to configure the OAuth consent screen with information about the application to be registered.

  • On the OAuth Consent Screen, select the Internal user type and click Create.

  • Complete the customization options as desired and select Back to Dashboard on the summary page.

  • Return to the Credentials tab and select +Create Credentials. Choose OAuth client ID.

  • Select Web Application for the Application Type.

  • Enter WebCSD as the client name and select Create.

  • Copy the generated Credentials and/or download the generated JSON file which includes all the necessary credentials.

  • Use https://accounts.google.com/ as the Authority and /signin-google as the CallbackPath.

Enabling single sign-on

Before proceeding with this section, you must have obtained the required credentials: Authority, ClientId, ClientSecret and CallbackPath.

Update the environment section of the docker-compose.enable-sso.yml file with the credentials.

services:
  ccdc-identity:
    environment:
      - OnSiteLoginSetup__EnableSingleSignOn=true
      - ThirdPartyCredentials__Authority=<Authority>
      - ThirdPartyCredentials__ClientId=<Client Id>
      - ThirdPartyCredentials__ClientSecret=<Client Secret>
      - ThirdPartyCredentials__CallbackPath=<CallbackPath>
      - ThirdPartyCredentials__DisplayName=<Name of SSO provider. Eg. Microsoft>

Note: The admin can disable local authentication and require users to sign in only with SSO by setting the OnSiteLoginSetup__EnableFormBasedLogin variable to false.

Finally, include the docker-compose.enable-sso.yml in the start-up command: docker-compose -f docker-compose.yml -f docker-compose.enable-sso.yml up -d
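An added example, not from this wiki or the CCDC containers: a Python pre-flight check over the docker-compose.enable-sso.yml environment section above that catches placeholders left in, a non-https Authority, a CallbackPath without its leading slash, and the case where both SSO and form-based login are switched off. The sample compose text is constructed, and the lockout rule is an inference from the Note above, not a check the software is documented to perform.

```python
import re
from urllib.parse import urlparse

# Constructed compose fragment in the shape shown above, deliberately left with
# a placeholder, an http Authority and a CallbackPath missing its leading '/'.
SAMPLE_COMPOSE = """services:
  ccdc-identity:
    environment:
      - OnSiteLoginSetup__EnableSingleSignOn=true
      - OnSiteLoginSetup__EnableFormBasedLogin=false
      - ThirdPartyCredentials__Authority=http://login.microsoftonline.com/{tenant id}/v2.0
      - ThirdPartyCredentials__ClientId=11111111-2222-3333-4444-555555555555
      - ThirdPartyCredentials__ClientSecret=<Client Secret>
      - ThirdPartyCredentials__CallbackPath=signin-oidc
      - ThirdPartyCredentials__DisplayName=Microsoft
"""

ENV_LINE = re.compile(r"^\s*-\s*([A-Za-z0-9_]+)=(.*)$")
REQUIRED = ("Authority", "ClientId", "ClientSecret", "CallbackPath", "DisplayName")
PLACEHOLDER = re.compile(r"<[^>]*>|\{[^}]*\}")


def parse_env(text):
    """Collect KEY=VALUE entries from '- KEY=VALUE' lines (no YAML parser needed)."""
    pairs = (ENV_LINE.match(line) for line in text.splitlines())
    return {m.group(1): m.group(2).strip() for m in pairs if m}


def check_sso_env(text):
    """Return a list of problems; an empty list means the fragment looks usable."""
    env, problems = parse_env(text), []
    sso_on = env.get("OnSiteLoginSetup__EnableSingleSignOn", "").lower() == "true"
    form_on = env.get("OnSiteLoginSetup__EnableFormBasedLogin", "true").lower() == "true"
    if not sso_on and not form_on:  # inferred from the Note above, not a documented check
        problems.append("both SSO and form-based login are disabled: nobody could sign in")
    for key in REQUIRED:
        full = "ThirdPartyCredentials__" + key
        value = env.get(full, "")
        if not value:
            problems.append(f"{full} is not set")
        elif PLACEHOLDER.search(value):
            problems.append(f"{full} still contains a placeholder: {value}")
    authority = env.get("ThirdPartyCredentials__Authority", "")
    if authority and urlparse(authority).scheme != "https":
        problems.append("Authority must be an https URL; OpenID Connect requires SSL")
    callback = env.get("ThirdPartyCredentials__CallbackPath", "")
    if callback and not callback.startswith("/"):
        problems.append("CallbackPath must start with '/', e.g. /signin-oidc or /signin-google")
    return problems
```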

Using single sign-on (All users)

For Existing Users

Users who already have a local account need to first link it to their third-party account (Microsoft, Google, etc.) in their profile before using the sign-in button on the login page. This is necessary to avoid changes in user roles and permissions or loss of the user's data.

First, sign in with your local account.

  • Navigate to the My Profile area

  • Select External Logins

  • Select the configured SSO provider (Microsoft, Google, etc.) to link your local account. You’ll be redirected to the provider’s page for sign in and authorisation.

  • If login succeeds, you’ll be redirected back to the application and be notified that the accounts have been linked successfully.

Info: This process is only required on the first login with SSO. Subsequent logins can be done straight from the login page by clicking the Continue with button for the configured provider.

New Users

From the Log in page, click the Continue with button for the configured provider; you'll be redirected to the SSO provider to sign in (if you're not already signed in).

On successful authentication, the Identity Gateway will initiate an account registration process, which creates a local profile and links it with the third-party account you just signed into.

You will be presented with the Register page. Enter your email in the space provided if it was not pre-populated, and click Register.

You can now proceed to login.

Disabled Local Authentication

Your site admin, based on company policy, may decide to restrict users to sign in to the application using only SSO, and hence can disable the option to sign in locally with a username and password.

Form based registration

Administrators can set up user accounts in bulk so that users do not have to do this individually.

If an admin has not created an account for them using the bulk creation process, users need to register for one themselves.

Users can then log in and access databases based on their roles.

Turning off the user access control

If you want to turn off the User Access Control and don't want users to register and sign in then include the docker-compose.disable-user-access.yml file in the startup command:

docker-compose -f docker-compose.yml -f docker-compose.disable-user-access.yml up -d