ISO ClaimSearch AuthN¶
As part of the federation gateway feature, it is possible to authenticate users with ISO ClaimSearch session management (ClaimSearch). ClaimSearch AuthN is based on sharing the authentication cookie (the ISOSESSIONID cookie). Cookies can only be shared across the same domain or a subdomain of it.
The authentication is triggered at the login page when the user clicks the ISO ClaimSearch icon, or automatically if it is the only provider enabled.
Authentication¶
Basic configuration¶
Configure ISO ClaimSearch AuthN in the appsettings.json file of the Authentication service, under the LoginSettings.IdentityProvidersSettings.ClaimSearch property. Some basic settings are required:
- Enabled: enables this provider.
- SessionValidationEndpoint: the endpoint used to check whether the user has a valid active session in ISO ClaimSearch (e.g. https://servername/products/1.0/userinfo/).
- LoginUrl: the home page of ISO ClaimSearch. Users are redirected to this URL if they are not already authenticated in ISO ClaimSearch.
Light Authentication¶
The simplest and lightest authentication mode offered. This mode accepts every user authenticated by ClaimSearch, provided the user already exists in Sequel's security services. The user matching is done by comparing the ClaimSearch userId with the SsoUsername field in Sequel.
Customer-associated Authentication¶
ClaimSearch, as a multi-tenant application, hosts multiple tenants or customers. Associating a Security instance with the accepted customer codes in ClaimSearch is the more secure and recommended configuration, as it ensures that only users of those customers can access this instance. When no customers are configured, the Light Authentication mode is used.
The list of associated customers is configured from the Security Administration site, in AuthN Federation Gateway. This section is protected by the Sec.ConfigFedGwy securable.
User sync at authentication¶
Authentication requires that users exist in Sequel's Security; the auto on-boarding and synchronization features automatically create ClaimSearch users in Sequel and keep them in sync. Both processes are triggered as part of each user authentication, so changes to users in ClaimSearch are not reflected in Sequel's Security until the user successfully logs in to Sequel again.
These features reduce the maintenance effort of creating users and keeping them up to date. When this option is enabled, the authentication flow changes slightly, as described in the following sections.
On-boarding¶
The auto on-boarding process automatically creates a user that does not exist in Sequel's security system the first time that user is authenticated using ISO ClaimSearch. On-boarding is enabled per customer with the AllowOnBoarding property. The user can be created in two modes:
- As a member of an entity. Associate an entity key (EntityKey) with the customer entry and the user will be created as a member of this entity, using the default permissions for this user.
- As a regular user. Such users can be authenticated in the system, but have no permissions, so they require manual configuration to grant permissions before they are authorized to access any information or perform actions. Leave EntityKey empty to use this mode.
Sync¶
User synchronization can be performed on each authentication challenge between Sequel's AuthN service and ISO ClaimSearch.
Enable synchronization per customer with the AllowSync setting. The sync updates some basic properties with the information retrieved from ISO ClaimSearch: first name, last name and email.
The synchronized properties come from the response of the UserInfo endpoint in ClaimSearch:
ClaimSearch property | Sequel property | Description |
---|---|---|
userId | Username, SsoUsername | Unique identifier of the user (name, id). In ClaimSearch it is a 5-character string. |
firstName | FirstName | First name. |
lastName | LastName | Last name. |
customerCode | - | Used to authorize users of the associated customer (multi-tenant management). |
emailId | EmailAddress | Email address. Mandatory for a ClaimSearch user profile and also in Sequel. |
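As an added example (not part of the product's code), the following Python models the decisions described in the Light Authentication, Customer-associated Authentication, On-boarding and Sync sections: customer association, userId-to-SsoUsername matching, on-boarding and sync, run against constructed UserInfo responses. The SequelUser class, the users dictionary and the authenticate and demo functions are assumptions for illustration; the real Sequel store and the call to the SessionValidationEndpoint are not shown.

```python
from dataclasses import dataclass
# Constructed sample of the Customers collection stored under the ClaimSearchAuthN key.
CUSTOMERS = [
    {"Code": "CODE_A", "AllowOnBoarding": True, "AllowSync": True, "EntityKey": "EntityKeyA"},
    {"Code": "CODE_B", "AllowOnBoarding": False, "AllowSync": False, "EntityKey": ""},
]

@dataclass
class SequelUser:  # hypothetical shape of a user record in Sequel's security store
    Username: str
    SsoUsername: str
    FirstName: str
    LastName: str
    EmailAddress: str
    EntityKey: str = ""  # empty: regular user, no permissions granted yet

def authenticate(userinfo: dict, users: dict, customers: list) -> tuple:
    """Apply the customer check, userId/SsoUsername matching, on-boarding and sync
    rules to a UserInfo response whose ISOSESSIONID session was already validated.
    `users` maps SsoUsername to SequelUser. Returns (outcome, user or None)."""
    if not userinfo.get("emailId"):  # email is mandatory in ClaimSearch and in Sequel
        return ("rejected: missing email", None)
    customer = next((c for c in customers if c["Code"] == userinfo.get("customerCode")), None)
    if customers and customer is None:  # customer-associated mode; no customers = Light mode
        return ("rejected: customer not associated", None)
    user = users.get(userinfo["userId"])  # ClaimSearch userId is matched to SsoUsername
    if user is None:
        if not (customer and customer["AllowOnBoarding"]):
            return ("rejected: user not found", None)
        user = SequelUser(userinfo["userId"], userinfo["userId"], userinfo["firstName"],
                          userinfo["lastName"], userinfo["emailId"], customer["EntityKey"])
        users[user.SsoUsername] = user
        return ("on-boarded", user)
    if customer and customer["AllowSync"]:  # refresh first name, last name and email only
        user.FirstName, user.LastName = userinfo["firstName"], userinfo["lastName"]
        user.EmailAddress = userinfo["emailId"]
        return ("synced", user)
    return ("authenticated", user)

def demo() -> list:
    """Runs constructed UserInfo responses through the flow and returns the outcomes."""
    users = {"ABCDE": SequelUser("ABCDE", "ABCDE", "Old", "Name", "old@example.test")}
    responses = [
        {"userId": "ABCDE", "firstName": "Ann", "lastName": "Lee", "customerCode": "CODE_A", "emailId": "ann@example.test"},
        {"userId": "FGHIJ", "firstName": "Bob", "lastName": "Ray", "customerCode": "CODE_A", "emailId": "bob@example.test"},
        {"userId": "KLMNO", "firstName": "Cy", "lastName": "Vo", "customerCode": "CODE_B", "emailId": "cy@example.test"},
        {"userId": "PQRST", "firstName": "Di", "lastName": "Wu", "customerCode": "CODE_Z", "emailId": "di@example.test"},
    ]
    return [authenticate(r, users, CUSTOMERS)[0] for r in responses]
```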
Settings summary¶
Recommended configuration¶
The recommended configuration of Security for integration with ISO ClaimSearch requires some actions:
Infrastructure settings¶
Obtain and configure, during the Security installation, the ClaimSearch URLs: the session validation endpoint and the login page URL.
Associate to a customer¶
Obtain the customer code associated with this instance and configure it in the Configuration section of the Administration site.
Configure user sync policy¶
First, decide how users will be provisioned: whether users are created automatically or manually and, if automatically, design and create the entity and configure it. Then, in the Configuration section of the Administration site, configure those values for each associated customer.
Authentication application settings¶
Setting | Description |
---|---|
Enabled | Enables ISO ClaimSearch AuthN. Boolean. |
SessionValidationEndpoint | Endpoint to validate sessions, e.g. https://servername/products/1.0/userinfo/. Required if enabled. |
LoginUrl | ClaimSearch home page or login page. |
"ClaimSearch":
{
"Enabled": true,
"SessionValidationEndpoint": "https://claimsearch-test.iso.com/products/1.0/userinfo/",
"LoginUrl": "https://claimsearch-test.iso.com/"
}
Configuration settings¶
Settings related to customers and how sync works are stored in the database, in the [configuration].[Setting] table, under the key ClaimSearchAuthN.
Setting | Description |
---|---|
Customers | Collection of customers associated with this security instance. At least one is required if enabled. |
Customers[].Code | Customer code. String. Unique. |
Customers[].DisplayName | Display name. String. Unique. |
Customers[].AllowOnBoarding | Enable auto on-boarding. Boolean. |
Customers[].AllowSync | Enable sync of user's basic details. Boolean. |
Customers[].EntityKey | Determines the user creation mode, based on Entities (if populated, this is the entity key) or regular users. Optional. |
{
"Customers":
[
{
"Code": "CODE_A",
"DisplayName": "Customer A",
"AllowOnBoarding": true,
"AllowSync": true,
"EntityKey" : "EntityKeyA" // Associated to entity EntityKeyA
},
{
"Code": "CODE_B",
"DisplayName": "Customer B",
"AllowOnBoarding": true,
"AllowSync": true,
"EntityKey" : "" // Not associated to an entity
}
]
}