
Vendor USI Decommissioning

Change History

Date          Modification    Done By
              Draft           Rahul Singh

Requirement

The existing SMDS Vendor UI application uses the Unified Security Infrastructure (USI) for authentication and authorization. When a user logs in, USI issues a token that carries the user's access privileges and roles. The application evaluates this token to decide whether the user may perform a given operation, such as creating or updating data.

The same token, with its user information, is propagated to the Master Data Management (MDM) system. MDM uses it to identify the logged-in user and to retrieve further user details, which it needs to evaluate the user's access rights when a workflow is approved or rejected.

Through this flow the SMDS Vendor UI application ensures that a user's actions are limited to their assigned roles and permissions, and USI and MDM share one consistent view of the user for workflow approval decisions.

Because USI is scheduled for decommissioning, a replacement authentication and authorization server must be established without interrupting the application and while preserving the existing role and group mappings.

Scope

  • USI Decommissioning

High-Level Solution

Login Flow

User Authentication Service

System Migration & Application Updates

Create Service Principal for Vendor Application: Register the vendor application in Azure Active Directory (Azure AD) so that it has a service principal and its own credentials for interacting with Azure AD. Prefer a certificate or managed identity over a client secret; if a client secret is unavoidable, store it in a secret store, never in the codebase or configuration files, and grant the service principal only the permissions the application actually needs.

Migrate User and Permissions from USI to Azure AD: User accounts and their associated permissions must be migrated from USI to Azure AD. In Azure AD, permissions are managed through security groups: each group has a stable object ID (group ID), and the application receives the IDs of the user's groups in the token's groups claim. Map permissions to group object IDs rather than group display names, since names can be changed. Note that when a user belongs to more groups than Azure AD will embed in a token, the groups claim is replaced by an overage indicator and membership must be looked up through Microsoft Graph; the application must treat that case as "membership unknown", not as "no groups".

Migrate User Roles to PostgreSQL Database: User roles should be migrated to a PostgreSQL database so that role management is centralized and role assignment is simpler. Key the tables on the user's Azure AD object ID (the oid claim), not on the user principal name or e-mail address, which can change when an account is renamed, and store the mapping from Azure AD group ID to application role alongside it so that role decisions follow group membership.

Update Application's CNAME Record Resolution in Internal DNS: The existing record for the application name in the internal Domain Name System (DNS) currently resolves to the USI servers and must be changed to resolve to the application server. A CNAME can only point at another hostname, so use a CNAME for the Application Load Balancer's DNS name or an A record for a fixed IP address. Lower the record's TTL ahead of the cut-over so the change propagates quickly, and remove the old resolution once the migration is verified so that stale clients fail clearly instead of silently reaching a decommissioned host.

TLS Certificate Generation: New TLS (SSL) certificates must be generated for the system to secure communication between the application and its users. The certificate's subject alternative names must cover the hostname users and MDM actually connect to, the issuing CA must be trusted by those clients, and renewal should be scheduled before expiry.

Change Vendor Portal Application Authentication and Authorization URLs: The vendor portal application must be changed to authenticate and authorize users against the Azure AD endpoints for the tenant instead of the previous USI URL. Configure the tenant-specific authority (not the common endpoint, so that tokens from other tenants are rejected), and have the application validate each token's signature against the tenant's published signing keys, together with its issuer, audience and expiry, before trusting any claim in it.

Update Existing Vendor Codebase to Reflect User Roles: The existing vendor codebase must be updated to map the roles obtained from the user authentication service, that is, the group IDs in the validated token resolved through the role table, onto the application's permission checks, so that the application's behaviour matches the migrated roles.

Update User Context: When a user's roles change, update the user context held in the server-side data store so that the current roles are the ones used for authorization. Roles cached in a session or embedded in an already-issued token remain in force until the session or token expires, so keep token lifetimes short and invalidate the server-side session when a role is removed, rather than waiting for the next login.
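The validation and role-mapping steps above, as an added example that is not part of the original page or the vendor application's own code. It is written in Go, assumes the portal's backend validates Azure AD access tokens itself, and uses a hypothetical tenant ID, audience, group IDs and role names; the in-memory Roles map stands in for the PostgreSQL group-to-role table, and MintToken exists only so the example runs offline with a locally generated key, since the real signing key lives with Azure AD and is never held by the application.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

// Claims is the subset of an Azure AD access token the portal needs. oid is the
// user's stable object ID; _claim_names is set only when the groups list overflowed.
type Claims struct {
	Iss        string            `json:"iss"`
	Aud        string            `json:"aud"`
	Exp        int64             `json:"exp"`
	Nbf        int64             `json:"nbf"`
	Oid        string            `json:"oid"`
	Groups     []string          `json:"groups,omitempty"`
	ClaimNames map[string]string `json:"_claim_names,omitempty"`
}

// Validator holds the trust anchors. Keys is normally loaded from the tenant JWKS
// (keyed by kid); Roles stands in for the PostgreSQL group-to-role table.
type Validator struct {
	Issuer, Audience string
	Keys             map[string]*rsa.PublicKey
	Roles            map[string]string
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

func segment(s string, v interface{}) error { // decode one base64url JSON segment
	return json.NewDecoder(base64.NewDecoder(base64.RawURLEncoding, strings.NewReader(s))).Decode(v)
}

// Validate verifies signature, issuer, audience and lifetime, then maps group IDs
// to application roles. Anything not positively verified is rejected.
func (v *Validator) Validate(token string, now time.Time) (*Claims, []string, error) {
	fail := func(msg string) (*Claims, []string, error) { return nil, nil, errors.New(msg) }
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return fail("malformed token")
	}
	var hdr struct{ Alg, Kid string }
	if err := segment(parts[0], &hdr); err != nil {
		return fail("bad header: " + err.Error())
	}
	// Pin the algorithm and require a known kid: "none" and HMAC key-confusion stop here.
	key, ok := v.Keys[hdr.Kid]
	if hdr.Alg != "RS256" || !ok {
		return fail("unsupported alg or unknown kid")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(key, crypto.SHA256, digest[:], sig) != nil {
		return fail("bad signature")
	}
	var c Claims
	if err := segment(parts[1], &c); err != nil {
		return fail("bad claims: " + err.Error())
	}
	t := now.Unix()
	switch {
	case c.Iss != v.Issuer || c.Aud != v.Audience:
		return fail("issuer/audience mismatch: " + c.Iss + " " + c.Aud)
	case t >= c.Exp || t < c.Nbf:
		return fail("token outside its validity window")
	case c.Oid == "":
		return fail("missing oid claim")
	}
	if _, overage := c.ClaimNames["groups"]; overage {
		// Too many groups to embed: fail closed instead of treating it as "no groups".
		return fail("groups overage: resolve membership via Microsoft Graph")
	}
	var roles []string
	for _, g := range c.Groups {
		if r, ok := v.Roles[g]; ok {
			roles = append(roles, r)
		}
	}
	return &c, roles, nil
}

// NewKey generates a throwaway RSA key for the offline demo (hypothetical IdP key).
func NewKey() *rsa.PrivateKey { k, _ := rsa.GenerateKey(rand.Reader, 2048); return k }

// MintToken signs claims as the IdP would. It exists only so the demo runs offline;
// the portal never holds the IdP's private key.
func MintToken(priv *rsa.PrivateKey, kid, alg string, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": alg, "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(c)
	input := b64(hdr) + "." + b64(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return input + "." + b64(sig), err
}
```

In use, the application builds one Validator at start-up with the tenant-specific issuer (https://login.microsoftonline.com/{tenant-id}/v2.0 for the v2.0 endpoint), the application's own audience, the keys from the tenant JWKS document (refreshed on an unknown kid), and the group-to-role rows loaded from PostgreSQL, then calls Validate on every request. The roles it returns are what the user context should hold; a groups-overage error is the signal to query Microsoft Graph rather than to proceed with an empty role set.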
