Authentication, Authorization and Auditing (AAA)

The OET API is secured using MSA authentication and authorization. This means that to use the API, every request must carry a valid token with the role and scopes required for the specific API resource.

The OET UI has 'SIGN IN' functionality and, once the user is signed in, includes the tokens in its API requests by default.

For more information on the general AAA architecture, see AAA architecture design.

Authentication and Authorization Overview

Authentication Web Services: The Authentication Web Service can be used to authenticate SKAO users. Authentication is the user identification process: the user's identity is verified and confirmed using digital Microsoft Authentication Library (MSAL) identifiers, i.e. by validating the identity credentials the person presents.

Authorization Web Services: The Authorization Web Service supports authorizing a user to access specific services and resources. Authorization is the process of specifying access rights to resources; it belongs to information security and, in particular, to access control.

OET App SSO SIGN IN

When a user lands on the OET App they see the SKAO 'SIGN IN' page with the title 'Observation Execution Tool'. From the header the user can click one icon to open the OET UI documentation and another to change the UI theme.

Signin Screen

The user initiates SSO 'SIGN IN' by clicking the Signin button, which invokes the Microsoft Authentication Library (MSAL) to sign the user in.

MS Entra Authentication

The following prerequisites need to be in place for the MS Entra authentication to work:

The application the user wants to sign in to needs to be deployed with the required prerequisites in place, as detailed in this document's deployment guide.

The user needs an account on the SKAO MS Entra instance.

Once the user has clicked the sign in button they are redirected to the Microsoft sign in page, where they can enter the account name they want to sign in with:

MS Entra SignIn

User Menu and SignOut

On successful 'SIGN IN' the user reaches the landing page, whose header contains the User Menu button. If the user has set a profile picture in their Microsoft profile it is displayed there; otherwise a default user icon is shown.

Clicking the user menu button opens a dropdown with menu items such as 'SIGN OUT'. When the user clicks 'SIGN OUT' they are signed out through Microsoft and redirected to the 'SIGN IN' page.

Authentication (401 error)

If the user does not hold a valid token and authentication fails, the API responds with 401; the UI then signs the user out and redirects them to the application's logout flow. A 401 therefore means the token itself was not accepted (missing, malformed or expired), not that the user lacks permission.

Authentication Error

Authorisation (403 error)

If the user does not have the permission required to access the resource, the API returns 403 and the UI shows a modal with the error message. Unlike a 401, the token was accepted here; the user simply lacks the role or scopes the resource requires, so signing in again does not help.

Authorisation Error
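The following is an added example, not OET, MSAL or SKAO code, that shows the policy the page describes for the API (a request needs a valid bearer token carrying the role and scopes required for the specific resource) together with the 401/403 split the UI reacts to in the two sections above. The HMAC-signed token, the `API_AUDIENCE` value, the resource table and the role and scope names are all assumptions made for the example; a real deployment validates the RS256 signature of the MS Entra token against the tenant's published keys, and the real OET role and scope names are not given on this page.

```python
"""Added example (not OET or MSAL code): a stand-in authorisation check for an
API resource that needs a bearer token with a given role and scopes, plus the
401/403 distinction the OET UI acts on."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# ASSUMPTION: a shared HMAC secret stands in for validating the MS Entra token
# signature; a real deployment checks an RS256 signature against tenant keys.
SIGNING_SECRET = b"example-secret-not-for-production"
# ASSUMPTION: hypothetical audience identifier for the OET API.
API_AUDIENCE = "api://oet-example"

# ASSUMPTION: hypothetical resource policy; real OET role/scope names are not on the page.
RESOURCE_POLICY = {
    ("GET", "/api/procedures"): {"role": "oet-user", "scopes": {"oet.read"}},
    ("POST", "/api/procedures"): {"role": "oet-operator", "scopes": {"oet.read", "oet.write"}},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict) -> str:
    """Build a compact JWT-style token (header.payload.signature) for the demo."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SIGNING_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if signature, audience and expiry check out, else None."""
    try:
        header, payload, sig = token.split(".")
        expected = hmac.new(SIGNING_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None  # tampered or foreign signature
        claims = json.loads(_b64url_decode(payload))
    except ValueError:  # bad structure, bad base64 or bad JSON
        return None
    if claims.get("aud") != API_AUDIENCE:
        return None  # token issued for a different API
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        return None  # expired
    return claims


def authorise(method: str, path: str, headers: dict, now: Optional[float] = None) -> Tuple[int, str]:
    """401 when no usable token is presented, 403 when the token is valid but
    lacks the role or scopes the resource needs, 200 when both are satisfied."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, "missing bearer token"
    claims = verify_token(auth[len("Bearer "):], now)
    if claims is None:
        return 401, "invalid, foreign or expired token"
    policy = RESOURCE_POLICY.get((method, path))
    if policy is None:
        return 404, "unknown resource"
    roles = set(claims.get("roles", []))            # Entra app roles: a list
    scopes = set(claims.get("scp", "").split())     # Entra delegated scopes: space-separated
    if policy["role"] not in roles or not policy["scopes"] <= scopes:
        return 403, "token lacks required role or scopes"
    return 200, "ok"


def ui_reaction(status: int) -> str:
    """What the OET UI does with the status, as the page describes it."""
    if status == 401:
        return "sign out and redirect to SIGN IN"
    if status == 403:
        return "show error modal"
    return "render response"


if __name__ == "__main__":
    now = 1_700_000_000
    reader = mint_token({"sub": "reader", "aud": API_AUDIENCE, "roles": ["oet-user"],
                         "scp": "oet.read", "exp": now + 3600})
    for method, path, hdrs in [
        ("GET", "/api/procedures", {"Authorization": f"Bearer {reader}"}),
        ("POST", "/api/procedures", {"Authorization": f"Bearer {reader}"}),
        ("GET", "/api/procedures", {}),
    ]:
        status, reason = authorise(method, path, hdrs, now)
        print(method, path, status, reason, "->", ui_reaction(status))
```

The point worth keeping from the example is the order of the checks: everything about the token itself (presence, signature, audience, expiry) is decided before the resource policy is consulted, so a 401 never leaks whether the resource exists or what it requires, and a 403 is only ever issued for a caller the API has already identified.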