Authentication Service
2024.1+
Update
- New
- New SSO protocol supported: LDAP
- It is now possible to archive unused objects in the Admin interface
- Each action is tracked and stored in the database to provide full traceability, accessible by the Host Admin
- New
- Adding a Read Only admin profile
- To prevent confusion, in French the Domain notion has been changed to Hostname
The Authentication Service is a centralized solution for authenticating different users from all EasyVista products.
- It supports the main SSO and IDP protocols used by customers.
- It interfaces with EasyVista products using the OAuth2 protocol that ensures optimal security for interactions.
Advantages of the Authentication Service
- This solution enables you to switch from user authentication performed individually by each EasyVista product to a solution that centralizes customer connections for the different EasyVista products.
- It enables you to create a proxy between EasyVista products and customer authentication solutions.
- It facilitates the configuration of user connections by using the main SSO and IDP protocols.
- It empowers customers who can manage their own user authentication rules.
Operating principle
The Authentication Service is the sole Identity Provider (IDP) interfacing with all EasyVista products in the customer's environment.
- It is used to redirect end users to the appropriate protocol for authentication purposes. The service is the sole Identity Provider interacting with the different EasyVista products via the OAuth2.0 protocol.
- Thanks to this environment and centralized authentication, users can now have a single login that is valid for all EasyVista products. Once authenticated, users can go from one EasyVista product to another and access the different services on the platform seamlessly.
Interactions between the Authentication Service and users/administrators
- For end users: Users access the Home page of any EasyVista product. They are redirected transparently to the Authentication Service and are automatically authenticated by SSO. They can then access the product. If they want to access another product, they can simply go to that product's Home page as they are already authenticated.
- For administrators: The administration interface enables administrators to define connection rules and configure the SSO protocols required for implementation in the customer's environment, based on their corporate security policy. It can be accessed by two types of administrators, Host Admin and Config Admin. See Types of user profiles
Notes
- Connection to the Authentication Service administration interface is secure. Users are required to log in via SSO.
- By default, the interface language is identical to the Web browser language. Users can change it once they are logged in.
- The menu items displayed will depend on the user profile.
Caution
- You can only connect to the Authentication Service via an SSO configured using Microsoft Entra ID. You must ensure that this has been configured before you connect.
- You cannot create end users or manage end user access rights in the Authentication Service.
- You cannot manage license usage in the Authentication Service.
- No component can be deleted. As such, you should create only those that are strictly necessary.
Administration screens
See the description of the graphic interface
Access | Functionality | Description
---|---|---
Host Admin | Users | Used to manage users authorized to access the Authentication Service
Host Admin | Contracts | Used to manage information relating to the customer's environment
Host Admin | Hostnames | Used to search for a hostname and directly access the contract associated with the customer
Host Admin | IDP Configs | Used to configure the server as the Identity Provider for the OAuth2.0 protocol and define the exchange protocol between the Authentication Service and EasyVista products
Host Admin | API Keys | Once customers have a configured authentication for a given EasyVista, they will be able to use the Authentication Service for configuring the product. They will not be required to do a general configuration for authentication or define the rule engine and SSO configuration.
Host Admin/Config Admin | Rule engine | Used to define rules with the conditions required for user authentication via an associated SSO
Host Admin/Config Admin | SSO | Used to define SSO authentication so users can access all EasyVista products seamlessly after they have been authenticated just once by the Identity Provider (IDP)
Procedures
How to access the Authentication Service
1. Click the link to access the service.
2. Click Sign in.
You will be redirected to the SSO page.
3. Click Sign In.
The Home page will appear.
How to set up the Authentication Service
To implement the Authentication Service for the customer's environment, actions are required from both administrator profiles. You must ensure that all of the actions have been performed before testing the service.
Step 1: Configure customer information
1. Configure the server by defining the Identity Provider used by the customer.
- Select the IDP Configs menu.
2. Create the contract associated with the customer.
- Select the Contracts menu.
- Enter the information on the customer.
- Enter the hostnames assigned to the customer.
3. Create a Config Admin account associated with the contract.
Step 2: Configure the SSO and the rule engine
1. Create and configure the SSO based on the customer's end user authentication method, e.g. SAML2, OAuth2, OpenID, etc.
- Select the SSO menu.
- Check that the SSO is working correctly.
2. Create and configure the connection rule that will isolate the customer's end users.
- Select the Rule engine menu.
- Create a new rule and define its conditions.
- Associate the SSO with the connection rule.
3. Check that the connection to the EasyVista products used by the customer works correctly.
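The setup steps above tie hostnames to a contract and an SSO to a connection rule. The following is an added example, not EasyVista's code or data model: it models that relationship and reviews a configuration for gaps that would weaken isolation between customers. The field names, the `email_domain` condition, the hostnames and the SSO names are all constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Rule:
    name: str
    conditions: dict            # assumed shape: user attribute -> required value
    sso: Optional[str] = None   # name of the SSO associated with the rule

@dataclass
class Contract:
    customer: str
    hostnames: set
    rules: list = field(default_factory=list)

def audit(contracts):
    """Return findings that would weaken isolation between customers."""
    findings, owner = [], {}
    for c in contracts:
        for h in sorted(x.lower() for x in c.hostnames):
            if owner.setdefault(h, c.customer) != c.customer:
                findings.append(f"hostname {h} claimed by {owner[h]} and {c.customer}")
        for r in c.rules:
            if r.sso is None:
                findings.append(f"{c.customer}: rule {r.name} has no SSO associated")
            if not r.conditions:
                findings.append(f"{c.customer}: rule {r.name} has no conditions")
    return findings

def resolve_sso(contracts, hostname, attrs):
    """Pick the SSO for a login: the hostname selects the contract, then the
    first rule whose conditions all hold wins. No match means no SSO (deny)."""
    host = hostname.lower()
    for c in contracts:
        if host in {h.lower() for h in c.hostnames}:
            for r in c.rules:
                if r.sso and all(attrs.get(k) == v for k, v in r.conditions.items()):
                    return r.sso
            return None
    return None

# Constructed sample configuration (not real customer data).
CONTRACTS = [
    Contract("acme", {"acme.example.com"},
             [Rule("staff", {"email_domain": "acme.example"}, "acme-saml")]),
    Contract("globex", {"globex.example.com", "ACME.example.com"},
             [Rule("everyone", {}, None)]),
]
print(audit(CONTRACTS))
```

Because no component can be deleted once created, a review of this kind is most useful before the contract, rule and SSO are saved.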