Comments (2)
Thanks for your question.
How Our Single Sign-On Works
Our tooling uses a single sign-on layer.
HTTP Headers
There are three important HTTP request headers in use:
- X-AUTH-token
- X-AUTH-roles
- X-AUTH-username
The username header identifies the user making the request. The token is the SSO authentication token, and the roles, confusingly, are not roles at all but the user groups that the user is a member of.
Nginx Auth Proxy
In our infrastructure each API call goes through Nginx, which first makes an authentication call to an identity service. The identity service is responsible for checking that the token is a valid token for this username and that it has not yet expired. It must then look up the user's user groups and set these in the roles header as a comma-separated list. The job of the identity service within our infrastructure is done by the Identity Management Service, which integrates with Atlassian Confluence and Jira users via Atlassian Crowd, but this role could be performed by any other authentication service; it's a great integration point.
Snowstorm Admin
Snowstorm is responsible for storing which user groups have specific roles. Either globally, across all CodeSystems, or on specific CodeSystems or branches.
How Roles are Applied
Once a Snowstorm API request has been auth-proxied to the identity service and picked up the correct user groups the request is proxied to the Snowstorm application. The security filters in Snowstorm use the user groups to lookup which global roles the current user should have. These are listed at the bottom of the response when loading a branch, as you have shown.
Your Choices
To make API requests have the correct roles you have two options:
- Deploy a service that plays the part of the Identity Service. This would provide a way for different users to have different roles within the authoring platform. The service could be the IMS service that we use or a small custom service that integrates with your existing LDAP or other user management service. I can provide more information on the requirements if you like this option.
- If you are hosting your own authoring platform it is possible to implement a workaround. As long as the correct HTTP headers are set when the request gets to the Snowstorm application it will give the correct role to that request. This will not work in our environments because all API requests go via IMS and that rewrites the headers. You just need to get Nginx or some other web proxy to set the X-AUTH-roles header to the correct user group.
In Nginx this might look something like:
proxy_set_header X-AUTH-roles "snowstorm-admin";
I hope that helps!
Kai Kewley
from snowstorm.
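The flow described above, written out as an added example (not Snowstorm or IMS code): the identity-service step checks the token against the username and its expiry, discards whatever X-AUTH-roles the caller supplied, and rewrites it from the group lookup; the Snowstorm-side step maps the comma-separated groups to global roles. The token store, group memberships, group-to-role mapping and the NOW timestamp are all constructed for the example.

```python
"""Model of the Nginx auth-proxy flow: identity check, header rewrite, role lookup."""
from __future__ import annotations
import time

NOW = 1_700_000_000  # constructed "current time" so the example is deterministic

# Constructed token store standing in for the identity service's session table:
# token -> (username, expiry as UNIX time). Not real IMS data.
TOKEN_STORE = {
    "tok-alice": ("alice", NOW + 3600),
    "tok-bob": ("bob", NOW + 3600),
    "tok-carol": ("carol", NOW - 60),  # already expired
}
# Constructed group membership (the roles header carries groups, not roles).
USER_GROUPS = {
    "alice": ["snowstorm-admin", "authoring-users"],
    "bob": ["authoring-users"],
    "carol": ["authoring-users"],
}
# Constructed Snowstorm-side mapping from user group to global role.
GROUP_TO_ROLE = {"snowstorm-admin": "ADMIN", "authoring-users": "AUTHOR"}


class AuthError(Exception):
    """Raised when the identity service rejects the request."""


def identity_check(headers: dict[str, str], now: float | None = None) -> dict[str, str]:
    """Identity-service step: validate token for this username and its expiry,
    then return the headers to forward, with X-AUTH-roles set by the proxy.
    A client-supplied X-AUTH-roles is dropped so it never reaches Snowstorm."""
    now = time.time() if now is None else now
    record = TOKEN_STORE.get(headers.get("X-AUTH-token", ""))
    if record is None or record[0] != headers.get("X-AUTH-username"):
        raise AuthError("token is not valid for this username")
    if record[1] <= now:
        raise AuthError("token expired")
    forwarded = {k: v for k, v in headers.items() if k != "X-AUTH-roles"}
    forwarded["X-AUTH-roles"] = ",".join(USER_GROUPS.get(record[0], []))
    return forwarded


def rejection_reason(headers: dict[str, str], now: float | None = None) -> str | None:
    """Convenience wrapper: the identity service's rejection message, or None if accepted."""
    try:
        identity_check(headers, now)
    except AuthError as exc:
        return str(exc)
    return None


def snowstorm_roles(headers: dict[str, str]) -> set[str]:
    """Snowstorm-side step: map the comma-separated groups header to global roles."""
    groups = [g.strip() for g in headers.get("X-AUTH-roles", "").split(",") if g.strip()]
    return {GROUP_TO_ROLE[g] for g in groups if g in GROUP_TO_ROLE}
```

The second check in the test shows why the proxy must overwrite the header: a caller who sends X-AUTH-roles themselves still only gets the roles of the groups the identity service knows them to be in.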
Thanks @kaicode for your response. It helped us to understand the issue further.
Regarding the solutions you have suggested, we have already implemented a setup similar to yours.
But we want to replace the authentication mechanism (i.e., replacing the SSO solution, integrating our own LDAP, etc.) and a few other services in future.
Can you share the details regarding how to integrate any SSO solution with IMS?
Thank you,
Someshwar M.