Authentication, Authorization and Auditing (AAA)
------------------------------------------------

The PTT API is secured using MSA authentication and authorization. This means that to use the API, a valid token with the correct role and scopes for the specific API resource must be included in the request. The PTT UI has 'SIGN IN' functionality and, once the user is signed in, includes the tokens in its requests by default. For more information on the general AAA architecture, see `AAA architecture design`_.

Authentication and Authorization Overview
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

**Authentication Web Services:** The Authentication Web Service can be used to authenticate SKAO users. Authentication is the user identification process: it verifies and confirms the user's identity using digital Microsoft Authentication Library (MSAL) identifiers. This process confirms the identity of a person by validating his/her identity credentials.

**Authorization Web Services:** These support the authorization of a user to access specific services/resources. Authorization is the process of specifying access rights to resources; it relates to information security and to access control in particular.

PTT App Single Sign-On
~~~~~~~~~~~~~~~~~~~~~~

When users land on the PTT App they will see the SKAO 'SIGN IN' page.

.. figure:: /images/login_screen.png
   :width: 100%
   :align: center
   :alt: Signin Screen

|

Users can initiate SSO 'SIGN IN' by clicking the |loginBtn| button; this invokes the Microsoft Authentication Library (MSAL) libraries to sign the user in. In the header, to the right, there is a |docBtn| icon which lets the user open the developer documentation and a |gearBtn| icon which lets the user change the theme to Dark or Light.

.. |loginBtn| image:: /images/login_btn.png
   :width: 15%
   :alt: Signin Button

.. |docBtn| image:: /images/doc_btn.png
   :width: 5%
   :alt: Documentation Button

.. |gearBtn| image:: /images/gear_btn.png
   :width: 5%
   :alt: Theme Button

MS Entra Authentication
~~~~~~~~~~~~~~~~~~~~~~~

The following `prerequisites`_ need to be in place for MS Entra authentication to work:

- The application where the user wants to sign in needs to be deployed with the required prerequisites in place, as detailed in this document's deployment guide.
- The users need to have an account on the SKAO MS Entra instance.

Once the user has clicked the sign in button, they are redirected to the Microsoft sign in page, where they can enter the account name they want to sign in with:

.. figure:: /images/msEntraSignIn.png
   :width: 50%
   :align: center
   :alt: MS Entra SignIn

|

A first-time user will need to grant the application instance permission.

.. figure:: /images/msEntraSignIn_permission.png
   :width: 50%
   :align: center
   :alt: MS Entra SignIn Permission

|

User Menu and SignOut
~~~~~~~~~~~~~~~~~~~~~

On successful 'SIGN IN' the user reaches the landing page, whose header contains the |usermenuBtn| button. If the user has set a profile picture in their Microsoft profile, that picture is displayed; otherwise a default user icon is shown.

.. |usermenuBtn| image:: /images/usermenu_btn.png
   :width: 20%
   :alt: User Menu Button

Clicking the user menu button opens a dropdown with menu items such as |logoutBtn| 'SIGN OUT'. When the user clicks the 'SIGN OUT' option, they are redirected through Microsoft to the 'SIGN IN' page.

.. |logoutBtn| image:: /images/logout_btn.png
   :width: 20%
   :alt: Signout Button

Authentication (401 error)
~~~~~~~~~~~~~~~~~~~~~~~~~~

If the user does not have a valid token and authentication fails, the user is signed out ('SIGN OUT') and lands on the 'SIGN IN' page with an error message.

.. figure:: /images/401_error.png
   :width: 50%
   :align: center
   :alt: Authentication Error

|

Authorisation (403 error)
~~~~~~~~~~~~~~~~~~~~~~~~~

If the user does not have the correct permission to access a resource, the API returns a 403 error and the user is shown a modal with the error message.

.. figure:: /images/403_error.png
   :width: 100%
   :align: center
   :alt: Authorisation Error

|
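The following JavaScript is an added example, not code from the PTT project. It shows how a client can attach the MS Entra bearer token to a PTT API request, pre-check the token's ``scp`` (scope) and ``roles`` claims, and map the two failure modes described in the 401 and 403 sections above (401: sign out and return to 'SIGN IN' with an error message; 403: keep the session and show a modal). The API base path, the scope and role names, the error-body shape and the ``fakePttFetch`` stand-in for the API are all constructed assumptions for running the example offline.

```javascript
// Added example, not PTT project code. Base path, scope/role names and the
// error-body shape ({ message: '...' }) are assumptions for illustration.
const PTT_API_BASE = 'https://ptt.example.invalid/api'; // placeholder, not the real URL

// Decode a JWT payload without verifying the signature. This is only a
// client-side pre-flight read of the claims; the API still validates the token.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('token is not a JWT');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// MS Entra access tokens carry delegated scopes in the space-separated `scp`
// claim and application roles in the `roles` array claim.
function hasRequiredAccess(payload, requiredScope, requiredRole) {
  const scopes = typeof payload.scp === 'string' ? payload.scp.split(' ') : [];
  const roles = Array.isArray(payload.roles) ? payload.roles : [];
  return scopes.includes(requiredScope) && roles.includes(requiredRole);
}

// Map an API response to the UI behaviour the page describes.
function handleApiResponse(status, body) {
  const detail = body && typeof body.message === 'string' ? body.message : '';
  if (status === 401) {
    // Token missing, invalid or expired: drop the session and go back to SIGN IN.
    return { ok: false, action: 'sign-out', message: `Authentication failed. ${detail}`.trim() };
  }
  if (status === 403) {
    // Authenticated but not permitted: stay signed in and surface the error in a modal.
    return { ok: false, action: 'show-modal', message: `Access denied. ${detail}`.trim() };
  }
  if (status >= 200 && status < 300) return { ok: true, data: body };
  return { ok: false, action: 'show-modal', message: `Unexpected status ${status}. ${detail}`.trim() };
}

// Send the bearer token with the request; fetchImpl is injected so the example runs offline.
async function callPttApi(path, token, fetchImpl) {
  const response = await fetchImpl(`${PTT_API_BASE}${path}`, {
    headers: { Authorization: `Bearer ${token}`, Accept: 'application/json' },
  });
  let body = null;
  try { body = await response.json(); } catch (_) { /* non-JSON or empty error body */ }
  return handleApiResponse(response.status, body);
}

// --- constructed sample data so the example runs without a real tenant ---
const REQUIRED_SCOPE = 'ptt.read'; // assumed scope name
const REQUIRED_ROLE = 'PTT.User';  // assumed app role name

// Unsigned test JWT (alg "none"); a real MS Entra token is signed and verified server-side.
function makeUnsignedTestJwt(claims) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc(claims)}.`;
}

const goodToken = makeUnsignedTestJwt({ sub: 'user1', scp: 'ptt.read ptt.write', roles: ['PTT.User'] });
const noRoleToken = makeUnsignedTestJwt({ sub: 'user2', scp: 'ptt.read', roles: [] });

// Constructed stand-in for the PTT API that answers the way the page describes.
function fakePttFetch(url, init) {
  const token = ((init.headers || {}).Authorization || '').replace(/^Bearer /, '');
  const reply = (status, body) => Promise.resolve({ status, json: async () => body });
  if (!token) return reply(401, { message: 'Missing token' });
  const claims = decodeJwtPayload(token);
  if (!hasRequiredAccess(claims, REQUIRED_SCOPE, REQUIRED_ROLE)) {
    return reply(403, { message: 'Role PTT.User required' });
  }
  return reply(200, { resource: url.replace(PTT_API_BASE, ''), user: claims.sub });
}

async function demo() {
  for (const [label, token] of [['valid', goodToken], ['no role', noRoleToken], ['no token', '']]) {
    console.log(label, await callPttApi('/projects', token, fakePttFetch));
  }
}
demo().catch((err) => { console.error(err); process.exitCode = 1; });
```

The pre-flight claim check only avoids a round trip that is certain to fail; it never replaces the server-side check, because a client can read (and forge) its own token. Keeping the two outcomes distinct matters for the user experience the page describes: a 401 means the session itself is no longer usable, so the client signs out, while a 403 leaves a valid session in place and only the requested resource is off-limits.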