Add External Authentication to a portal

TABLE OF CONTENTS

• Feature Summary
• Authentication Provider Add-on
• Authentication provider configuration
• Microsoft OpenId configuration
• Google Authentication
• Active Directory Federated Services

Feature Summary

The external authentication provider allows the Student Portal, Trainer Portal (18.3.x or higher) and Progress Portal (19.1.x or higher) to authenticate users with an external authentication provider.

As of 20.1 in addition to the existing Primary email address match, you may also match on an External System code or Client Code.  This will require the claim name from the external provider to be entered on the Authentication Provider wizard.  Default claim name for primary email address is pre-populated.

The existing VETtrak username/password will continue to work alongside the external authentication option.  As from 19.1.1.x you may optionally switch off the use of the VETtrak credential through the VETtrak Security manager, toggling the relevant portal's authentication provider "Login with VETtrak credentials" to the "disabled" option:


Supported providers are:

• Microsoft OpenId
• Google
• Active Directory Federated Services (ADFS)

The relevant portal will now display additional buttons above the username/password credentials section.  The user will click on the relevant provider (Google, ADFS or OpenId) to authenitcate on the providers external site.

There are many third party authentication providers.  If you are interested in one not presently listed above, express your interest with VETtrak support.

The email address has been selected for matching between the external authentication provider claim information and the VETtrak client record.  It is important to note that this matching needs to return a single client record.  If the same email address is recorded against two different client records the match will not be unique and the external authentication will not work for those client's. Those client's may continue to use the existing VETtrak client username and password.

It should also be noted that the portal will need to be served from IIS over a secure connection using HTTPS.  The third party providers will not authenticate to web sites operating on HTTP only.

NOTE: Logging out of the portal will NOT log out the user's device from the external provider.  It is the user's responsibility to log out external authentication providers which may make this feature unsuitable for multi-user devices such as a shared computer lab. 

Authentication Provider Add-on

Your VETtrak registration will need to be updated with this Add-on feature.  Contact support for enabling it. The Add-on will be shown in the Security Manager under your VETtrak application node.

When enabled and your VETtrak software has the updated registration key, you will see a new Authentication providers node in the respective portal in the Security Manager.  The external provider configuration information will be recorded in the relevant portal node.

Authentication provider configuration

Each of the providers need to have the relevant portal application registered with their respective provider vendor.  This process will be unique to each provider, but generally involve visiting the relevant authentication provider's application registration portal. Details from the registration process will need to be placed into the relevant VETtrak Authentication providers portal node using the Security Manager.  Authentication provider links:

• Google provider application registration.
• Microsoft openId provider application registration.
• ADFS (no link provided as this is likely to be controlled by your organisation's IT section).
  
  

Microsoft OpenId configuration

• see updated article Office365 external authentication in portals

Google Authentication

1. Navigate to the Google apis website, sign in with your Google account credentials, click Create Project, provide a Project name, then click Create.
2. Once the project is created, select it. From the project dashboard, click Go to APIs overview.
3. Select Enable APIs and services. Search for Cloud Identity API, and select it. Then click Enable.
4. In the left navigation, Credentials > OAuth consent screen, enter a Application Name, optional Application logo, then select your Support email address, enter the Authorized domains, Application Homepage link, optional policy and terms and click Save.
   
   
   
5. In the Credentials tab, click Create credentials > OAuth client ID.
   
6. On the "Create client ID" screen, select Web application.
7. Paste the App Service URL you copied earlier into Authorized JavaScript Origins, then paste your redirect URI into Authorized Redirect URI. The redirect URI is the URL of your application appended with the path, /signin-google. For example, https://staging.vettrak.com.au/TrainerPortal/signin-google. Make sure that you are using the HTTPS scheme. Then click Create.
   
   
   

8. On the next screen, make a note of the values of the client ID and client secret.
   
   
   

   The client secret is an important security credential. Do not share this secret with anyone or distribute it within a client application.
9. Enter these details on the relevant Application - Authentication providers node in the VETtrak Security Manager:
   
   
   

Active Directory Federated Services

The portal requires four pieces of information to be set up in VETtrak software (Security Manager -> Application/Role management -> <portal name> -> Authentication providers):

• Metadata Address eg. https://yourdomain.com/FederationMetadata/2007-06/FederationMetadata.xml where yourdomain.com is your own ADFS server FQDN.
• Wtrealm eg. https://yourdomain.com/StudentPortal (this needs to match exactly with your "Relying party identifiers", see ADFS step 1 below)
• Identity logging-in users using this client field.   Select either:
  • Primary email address
  • External system code
  • Client code
• Claim name. Claim name URI of the returned set of claims for the external provider.

Setting up on your ADFS will require a relying party trust configured to the portal:

1. Identifiers:
   
   
   
2. Endpoints:
   
   
   
3. Issuance transform rules:
   The only claim necessary is the users email address. This must map back to a clients primary email address in VETtrak’s database.