
eIAM Integration on TEST

Open sosiology opened this issue 1 year ago • 13 comments

From 10.04 eIAM will be available on the TEST environment of BIT.

DoD: eIAM is available on TEST. A user can log in with his eIAM credentials and create visualisations.

sosiology avatar Mar 19 '24 13:03 sosiology

OIDC metadata for the connection to eIAM REF environment -> Info received Rene Kreidemacher

sosiology avatar Apr 10 '24 08:04 sosiology

Followed up on PKCE settings with BIT today – awaiting answer.

adintegra avatar Apr 23 '24 08:04 adintegra

Feedback BIT: Reduce request of the scope down to Open ID

sosiology avatar Apr 24 '24 08:04 sosiology

Might be solved by #1471

bprusinowski avatar Apr 24 '24 08:04 bprusinowski

Can I support with testing anything?

sosiology avatar Apr 24 '24 15:04 sosiology

@sosiology not yet, we need to merge #1471 first (cc @ptbrowne)

bprusinowski avatar Apr 24 '24 15:04 bprusinowski

After merging #1471, looks like the Sign In currently takes the user to the Keycloak Login screen. IIRC we had this once before. Maybe a configuration issue somewhere @bprusinowski?

[screenshot of the Keycloak login screen]

adintegra avatar Apr 25 '24 11:04 adintegra

@adintegra I am taking a look 👍

bprusinowski avatar Apr 25 '24 14:04 bprusinowski

I think that we get the correct information from Keycloak back, but have some problem with dealing with it afterwards. After a quick investigation it turns out it might be related to Prisma, and e.g. a different type of id we get from Keycloak now.

It's hard for me to debug this without having access to logs – I pushed a commit with a debug KeycloakProvider flag set to true – once it deploys on TEST, we can do several attempts to log in, and then ask Abraxas for server logs to check what's the exact problem.

bprusinowski avatar Apr 25 '24 15:04 bprusinowski

Maybe it'd be good to try and connect to the Abraxas servers? It's been a long time since I have tried and it is quite painful since we have to log in through a Windows jump point, but it might be helpful.

ptbrowne avatar Apr 25 '24 15:04 ptbrowne

@ptbrowne it's a good idea, I can try to do it tomorrow 👍

bprusinowski avatar Apr 25 '24 15:04 bprusinowski

Quick update: After trying out various configurations (primarily around using Keycloak as an Authentication Bridge), I believe we may not need a Keycloak instance at all, but could connect directly to the BIT OIDC trust broker. This would simplify our architecture substantially. BIT has provided the information that their trust broker/IdP is a custom implementation of Microsoft ADFS (Active Directory FS). While there is no built-in provider for this in next-auth, there is a discussion here on how to go about implementing this. Thus, the next step would be to adjust our current implementation in line with this and test it. /cc @bprusinowski

adintegra avatar May 07 '24 08:05 adintegra
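The thread touches three configuration points for the direct connection to the broker: request only the `openid` scope (BIT's feedback), keep PKCE on (the open question with BIT), and cope with the subject identifier coming back in a different type than the Prisma user model expects. The following is an added example, not code from the visualize-admin project or from next-auth: it declares a provider object in the shape of next-auth's `OAuthConfig` locally so it runs without the package, and the issuer URL, client id and redirect URI are placeholder assumptions. The PKCE helpers implement RFC 7636 S256.

```typescript
// Added example (not the project's code): a next-auth style OIDC provider
// definition for a broker that grants only the "openid" scope, uses PKCE
// (S256) and whose "sub" claim may not be a string. The provider shape
// mirrors next-auth's OAuthConfig but is declared here so the file runs
// stand-alone; ISSUER is an assumed placeholder, not the real BIT endpoint.
import { createHash, randomBytes } from "crypto";

// Minimal local stand-in for next-auth's OAuthConfig<P>.
interface OidcProvider<P> {
  id: string;
  name: string;
  type: "oauth";
  wellKnown: string; // OIDC discovery document
  authorization: { params: { scope: string } };
  checks: Array<"pkce" | "state">;
  profile: (claims: P) => { id: string; name: string | null; email: string | null };
}

// Claims expected from the broker's ID token / userinfo endpoint.
// "sub" is typed loosely on purpose: some brokers return a numeric subject.
interface BrokerClaims {
  sub: string | number;
  name?: string;
  email?: string;
}

// Assumed issuer; the thread does not give the eIAM/BIT broker URL.
export const ISSUER = "https://idp.example.invalid/adfs";

export const brokerProvider: OidcProvider<BrokerClaims> = {
  id: "bit-oidc",
  name: "eIAM",
  type: "oauth",
  wellKnown: `${ISSUER}/.well-known/openid-configuration`,
  // BIT feedback: request only "openid", no profile/email/offline_access.
  authorization: { params: { scope: "openid" } },
  // PKCE binds the code exchange to this client; state binds the callback
  // to the session that started the flow.
  checks: ["pkce", "state"],
  // The Prisma adapter stores User.id as a string; coerce "sub" so a
  // numeric subject does not break the insert.
  profile: (claims) => ({
    id: String(claims.sub),
    name: claims.name ?? null,
    email: claims.email ?? null,
  }),
};

// base64url without padding, as RFC 7636 requires.
function b64url(b64: string): string {
  return b64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// 32 random bytes -> 43 base64url chars, inside the 43..128 range.
export function newCodeVerifier(): string {
  return b64url(randomBytes(32).toString("base64"));
}

// S256: code_challenge = base64url(sha256(ascii(code_verifier)))
export function codeChallengeS256(verifier: string): string {
  return b64url(createHash("sha256").update(verifier, "ascii").digest("base64"));
}

// Builds the authorization request the way next-auth would after discovery;
// clientId and redirectUri are caller-supplied assumptions.
export function buildAuthorizeUrl(
  authorizationEndpoint: string,
  clientId: string,
  redirectUri: string,
  state: string,
  verifier: string,
): string {
  const u = new URL(authorizationEndpoint);
  u.searchParams.set("response_type", "code");
  u.searchParams.set("client_id", clientId);
  u.searchParams.set("redirect_uri", redirectUri);
  u.searchParams.set("scope", brokerProvider.authorization.params.scope);
  u.searchParams.set("state", state);
  u.searchParams.set("code_challenge", codeChallengeS256(verifier));
  u.searchParams.set("code_challenge_method", "S256");
  return u.toString();
}
```

The verifier must be kept server-side (next-auth stores it in an encrypted cookie) and sent only in the token request; the broker rejects the exchange if `sha256(verifier)` does not match the challenge it saw, which is what makes an intercepted code useless on its own.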

I will try to change the implementation @adintegra and deploy to TEST to see if it works 👍 Thanks for the investigation 🙇‍♂️

bprusinowski avatar May 07 '24 10:05 bprusinowski

I could log in on test.visualize.admin.ch with eIAM credentials, save a chart to draft, then publish it 🎉. @sosiology

ptbrowne avatar May 29 '24 11:05 ptbrowne

Closing this issue as the login is available on PROD now; please re-open if I missed something @adintegra

sosiology avatar Aug 15 '24 08:08 sosiology