Authentication, Authorization and Auditing (AAA)

The SLT API is secured using the MSA authentication and authorization. This means that every request to the API must include a valid token carrying the correct role and scopes for the specific API resource being accessed.

The SLT UI has ‘SIGN IN’ functionality and, once the user is signed in, includes the tokens in its requests by default.

For more information on the general AAA architecture, see AAA architecture design

Authentication and Authorization Overview

Authentication Web Services: The Authentication Web Service can be used to authenticate SKAO users. Authentication is the process of identifying a user, which means verifying and confirming the user's identity using digital Microsoft Authentication Library (MSAL) identifiers. This process involves confirming the identity of a person by validating their identity credentials.

Authorization Web Services: The Authorization Web Service supports the authorization of a user to access specific services/resources. Authorization is the process of specifying access rights to resources related to information security and to access control in particular.

SLT App SSO SIGN IN

When users land on the SLT App, they see the SKAO ‘SIGN IN’ page with the title ‘Shift Log Tool’.

Signin Screen

The user can initiate SSO ‘SIGN IN’ by clicking the ‘SIGN IN’ button, which invokes the Microsoft Authentication Library (MSAL) to sign the user in. On the right of the header there are two icons: one opens the developer documentation and the other switches the theme between Dark and Light.

MS Entra Authentication

The following prerequisites need to be in place for the MS Entra authentication to work:

The application that the user wants to sign in to needs to be deployed with the needed prerequisites in place, as detailed in this document’s deployment guide.

The users need to have an account on the SKAO MS Entra instance.

Once the user has clicked the sign in button, they are redirected to the Microsoft sign in page, where they can enter the account name they want to sign in with:

MS Entra SignIn

A first-time user will need to provide permission for the application instance.

MS Entra SignIn Permission

User Menu and SignOut

On successful ‘SIGN IN’ the user reaches the landing page, where the User Menu button is present in the header. If the user has set a profile picture in their Microsoft profile, the button displays that picture; otherwise it shows the default user icon.

Clicking the user menu button opens a dropdown with menu items such as ‘SIGN OUT’. When the user clicks the ‘SIGN OUT’ option, they are redirected to the ‘SIGN IN’ page through Microsoft.

Authentication (401 error)

If the user does not have a valid token and authentication fails, the user is signed out and lands on the ‘SIGN IN’ page with an error message.

Authentication Error

Authorisation (403 error)

If the user does not have the correct permission to access the resource, the API returns a 403 error and the user is shown a modal with the error message.

Authorisation Error
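
The split between the 401 and 403 cases above, together with the role-and-scope requirement stated at the top of this page, can be shown as a server-side decision function. This is an added example, not code from the SLT project. The policy table, the resource path and the role and scope names are constructed placeholders, and the rule "one allowed role plus every required scope" is an assumption. The token's signature, issuer and audience are assumed to have been verified by a JWT library before this function runs.

```python
import time

# Constructed policy table: role and scope names are placeholders, not the
# real SLT values (the page does not list them).
POLICY = {
    ("GET", "/example-resource"): {
        "roles": {"example-reader", "example-writer"},
        "scopes": {"example:read"},
    },
    ("POST", "/example-resource"): {
        "roles": {"example-writer"},
        "scopes": {"example:read", "example:write"},
    },
}

def authorize(claims, method, path, now=None):
    """Return (status, reason) for one request.

    `claims` is the decoded payload of a token whose signature, issuer and
    audience a JWT library already verified (assumed, not shown), or None
    when no token was sent or verification failed.
    """
    now = time.time() if now is None else now

    # 401: not authenticated (no token, invalid token, or expired token).
    if not isinstance(claims, dict):
        return 401, "missing or invalid token"
    exp = claims.get("exp")
    if isinstance(exp, bool) or not isinstance(exp, (int, float)) or exp <= now:
        return 401, "token expired or has no usable expiry"

    # 403: authenticated, but not permitted on this resource.
    rule = POLICY.get((method.upper(), path))
    if rule is None:
        return 403, "no policy for resource (deny by default)"

    # Entra ID access tokens carry app roles as a list in `roles` and
    # delegated scopes as one space-separated string in `scp`.
    roles = claims.get("roles")
    roles = {r for r in roles if isinstance(r, str)} if isinstance(roles, list) else set()
    scp = claims.get("scp")
    scopes = set(scp.split()) if isinstance(scp, str) else set()

    if not roles & rule["roles"]:
        return 403, "token lacks a role allowed for this resource"
    missing = rule["scopes"] - scopes
    if missing:
        return 403, "token lacks scope(s): " + ", ".join(sorted(missing))
    return 200, "ok"
```

A 401 result corresponds to the UI signing the user out and returning to ‘SIGN IN’; a 403 result corresponds to the error modal.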