Enterprise Single Sign-On (SSO)

OpenID Connect

GovReady-Q can be configured to use OpenID for authentication and authorization.

{
     "authorization_endpoint": "https://issuer.domain.name",
     "userinfo_signing_alg": "RS256",
     "jwks_uri": "https://issuer.domain.name/token",
     "token_endpoint": "https://issuer.domain.name/token",
     "userinfo_endpoint": "https://issuer.domain.name/userinfo",
     "scopes_supported": "openid profile",
     "client_id": "MyClientId",
     "client_secret": "MyClientSecret",
     "roles_map": {
         "admin": "GroupNameThatMapsToAdminUser",
         "normal": "GroupNameThatMapsToRegularUser"
     },
     "claims_map": {
         "email": "email",
         "groups": "groups",
         "first_name": "given_name",
         "last_name": "family_name",
         "username": "preferred_username"
     }
 }

Key

Description

authorization_endpoint

Issuer domain for your application

jwks_uri

JWKS Endpoint

token_endpoint

Token Endpoint

userinfo_endpoint

User Info endpoint

scopes_supported

Supported Scopes; should be a space delimited string ex: “openid profile”

userinfo_signing_alg

User Info signing Algorithm

client_id

OIDC app’s client id

client_secret

OIDC app’s client secret

roles_map

This map is meant to map OIDC User Groups to the application groups.

claims_map

This map is meant to map OIDC Claims to the application’s User model columns.

This object should be set under the oidc section of the environments.json.

Note: Deployment will slightly differ by setting this under OIDC.

Okta OpenID Connect

GovReady-Q can be configured to use Okta OpenID for authentication and authorization.

{
     "domain": "https://XXX.okta.com",
     "client_id": "MyClientId",
     "client_secret": "MyClientSecret",
     "roles_map": {
         "admin": "GroupNameThatMapsToAdminUser",
         "normal": "GroupNameThatMapsToRegularUser"
     },
     "claims_map": {
         "email": "email",
         "groups": "groups",
         "first_name": "given_name",
         "last_name": "family_name",
         "username": "preferred_username"
     }
 }

Key

Description

domain

Okta domain for your application

client_id

Okta app’s client id

client_secret

Okta app’s client secret

roles_map

This map is meant to map Okta User Groups to the application groups.

claims_map

This map is meant to map Okta Claims to the application’s User model columns.

This object should be set under the okta section of the environments.json.

Note: Deployment will slightly differ by setting this under OKTA.

Proxy Authentication Server

GovReady-Q can be deployed behind a reverse proxy that authenticates users and passes the authenticated user’s username and email address in HTTP headers. In this configuration:

  • The user points their browser to the reverse proxy authentication server.

  • The proxy authenticates users and proxies the request to GovReady-Q if and only if the user is authenticated and authorized to access GovReady-Q. The proxy passes the user’s username and email address in HTTP headers of the proxy’s choosing.

  • GovReady-Q will create a user account for a new user or treat the user as logged in as soon as the user requests a page. Therefore, there is no sign-up or log-in process within GovReady-Q when a proxy authentication server is used.

  • All other authentication methods to GovReady-Q are disabled when proxy authentication is enabled. Therefore you should ensure that the Django admin’s username matches the admin’s username as provided by the proxy server. Otherwise, you will lose access to the admin page. However, if there is a mismatch, you may disable proxy authentication, log in to the Django admin with your admin username and password, and change your admin username to match the username sent by the proxy server.

  • GovReady-Q must be run at a private address that cannot be accessed except through the proxy server.

To activate reverse proxy authentication, add the header names used by the proxy e.g.:

In Development set the trust-user-authentication-headers key following Developer Environment

{
  "trust-user-authentication-headers": {
    "username": "X-Authenticated-User-Username",
    "email": "X-Authenticated-User-Email"
  },
}

In Production see: Production Deployment

The proxy server must be configured to proxy to GovReady-Q’s private address. But the address settings in GovReady-Q must reflect the host and protocol used in the URL the end user uses to access GovReady-Q. They do not need to match the address that the proxy server uses to reach the GovReady-Q server.

Per the Django Documentation on authentication using REMOTE_USER, you must be sure that your proxy server always sets or strips the special username and email headers, including headers that normalize to the same Django key (in particular headers with underscores), from the client request and does not permit an end-user to submit a fake (or “spoofed”) header value.

We have an example reverse proxy authentication server, simple_iam_proxy_server, which can be used for debugging purposes. Some users have also reported success in using mitmproxy for setting HTTP headers.