Introduction

Since 2023.02 it is possible to integrate OpenID Connect in most Delft-FEWS components. This setup has been tested with the Microsoft Entra ID (Azure) implementation of OpenID Connect.

The following picture shows how the different Delft-FEWS components support OpenID Connect using the authorization code flow. Since 2024.01, system-to-system integration is also supported using the client credentials flow (required for seamless integration with the Web Services and for Archive integration from a Forecasting Shell Server).



Azure Microsoft Entra ID Configuration

To configure support in Azure with Microsoft Entra ID, app registrations are required. For Delft-FEWS it is recommended to create two app registrations: one for the backend and one for the frontend. Optionally, extra app registrations can be created to give external tools access.

Backend App Registration

In the backend app registration, the Delft-FEWS system app roles have to be configured. These app roles can be assigned to Entra ID users or groups.


The backend app registration serves as the API that the different Delft-FEWS components access.

Optionally, functional user groups can be added as well if UserGroups.xml uses user groups to apply permissions. In the following example the "OC Forecaster" user group is mapped to the OC_FORECASTER system user group. The OC_FORECASTER system user group must then be registered as an app role in the backend app registration, so that it is issued in the roles claim of the access token of users or groups that have been assigned the role.

<?xml version='1.0' encoding='UTF-8'?>
<userGroups xmlns="http://www.wldelft.nl/fews" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.wldelft.nl/fews http://fews.wldelft.nl/schemas/version1.0/userGroups.xsd">
  <userGroup id="OC Forecaster">
     <systemUserGroup id="OC_FORECASTER" />
  </userGroup>
</userGroups>


See the following on how to expose an API. Finally, it is important to configure the access token to contain the email address as an optional claim. The following example shows how to do this:

Frontend App Registration

In the frontend app registration, the AI_ADMIN role needs to be configured to allow access to the Admin Interface GUI and the ARCHIVE_ADMIN role needs to be configured to allow access to the Archive Server GUI.


The frontend app registration needs API permissions to the Delft-FEWS backend API. The following screenshot shows the frontend registration after it has been given delegated permissions to the backend API.


Since 2024.01, application-type permissions used with the client credentials flow are also supported. See the following for more information on the client credentials flow:

https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth2-client-creds-grant-flow

The following screenshot shows that after selecting "Add a permission", selecting the backend registration and finally selecting "Application permissions", the application roles that support both user groups and applications can be selected. In this case the ARCHIVE_EDITOR and ARCHIVE_USER roles can be selected.
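The following Python script is an added example (it is not part of the Delft-FEWS documentation or product code) that ties the two token types discussed above together: it reads a UserGroups.xml, decodes an Entra ID access token, checks audience, issuer and validity period, and maps the app roles in the roles claim onto the Delft-FEWS user groups. The tenant id, the backend Application ID URI api://delft-fews-backend, the delegated scope name access_as_user, the "Archive Maintainers" user group and the sample tokens are all assumptions constructed for this example; the tokens are unsigned, so a real consumer must verify the signature against the tenant's published signing keys before trusting any claim.

```python
import base64
import json
import time
import xml.etree.ElementTree as ET

FEWS_NS = "{http://www.wldelft.nl/fews}"

# Assumed identifiers for this example; substitute the real tenant id and the
# Application ID URI that the backend app registration exposes.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
BACKEND_APP_ID_URI = "api://delft-fews-backend"
EXPECTED_ISSUER = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"
TOKEN_ENDPOINT = f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/token"

# Constructed UserGroups.xml: each functional user group lists the system user
# groups (the app role values of the backend registration) that grant it.
USER_GROUPS_XML = """<?xml version='1.0' encoding='UTF-8'?>
<userGroups xmlns="http://www.wldelft.nl/fews">
  <userGroup id="OC Forecaster">
    <systemUserGroup id="OC_FORECASTER"/>
  </userGroup>
  <userGroup id="Archive Maintainers">
    <systemUserGroup id="ARCHIVE_EDITOR"/>
    <systemUserGroup id="ARCHIVE_USER"/>
  </userGroup>
</userGroups>"""


def system_group_index(xml_text):
    """Map each system user group id to the functional user groups it grants."""
    index = {}
    root = ET.fromstring(xml_text.encode("utf-8"))
    for ug in root.findall(f"{FEWS_NS}userGroup"):
        for sug in ug.findall(f"{FEWS_NS}systemUserGroup"):
            index.setdefault(sug.get("id"), set()).add(ug.get("id"))
    return index


def _b64url(data):
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def decode_claims(token):
    """Return the JWT payload. The signature is NOT verified here; do that
    against the tenant's signing keys before using the claims for access."""
    _header, payload, _signature = token.split(".")
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def check_access_token(claims, now=None):
    """Return the reasons to reject the token (an empty list means acceptable)."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("aud") != BACKEND_APP_ID_URI:
        problems.append("audience is not the backend API")
    if claims.get("iss") != EXPECTED_ISSUER:
        problems.append("issuer is not this tenant")
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    if claims.get("nbf", 0) > now:
        problems.append("token not yet valid")
    return problems


def fews_user_groups(claims, index):
    """Translate the roles claim into functional user groups; roles that no
    systemUserGroup refers to grant nothing."""
    groups = set()
    for role in claims.get("roles", []):
        groups |= index.get(role, set())
    return groups


def is_application_token(claims):
    """A client-credentials token carries app roles but no delegated scope."""
    return "scp" not in claims


def client_credentials_request(client_id, client_secret):
    """Form body for the v2.0 client credentials grant; the scope must be the
    backend resource's /.default scope to receive its application roles."""
    return TOKEN_ENDPOINT, {"grant_type": "client_credentials", "client_id": client_id,
                            "client_secret": client_secret, "scope": f"{BACKEND_APP_ID_URI}/.default"}


def make_unsigned_token(claims):
    """Constructed sample token with a placeholder signature, for offline use only."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return ".".join([header, _b64url(json.dumps(claims).encode()), "signature"])


def base_claims(issued_at, roles):
    return {"aud": BACKEND_APP_ID_URI, "iss": EXPECTED_ISSUER, "iat": issued_at,
            "nbf": issued_at, "exp": issued_at + 3600, "roles": roles}


def demo(now=1_700_000_000):
    index = system_group_index(USER_GROUPS_XML)
    # Constructed user token (authorization code flow): app roles, delegated scope, email optional claim.
    user = base_claims(now, ["OC_FORECASTER", "ARCHIVE_USER"])
    user.update({"email": "forecaster@example.org", "scp": "access_as_user"})
    # Constructed system-to-system token (client credentials flow): application roles only.
    app = base_claims(now, ["ARCHIVE_EDITOR", "ARCHIVE_USER"])
    # Constructed token that must be rejected: minted for another API and already expired.
    bad = base_claims(now - 7200, ["OC_FORECASTER"])
    bad["aud"] = "api://some-other-api"
    results = {}
    for name, claims in (("user", user), ("app", app), ("bad", bad)):
        c = decode_claims(make_unsigned_token(claims))
        results[name] = (check_access_token(c, now), fews_user_groups(c, index), is_application_token(c))
    return results


if __name__ == "__main__":
    for name, (problems, groups, app_token) in demo().items():
        print(name, "problems:", problems, "groups:", sorted(groups), "application token:", app_token)
```

The mapping is deliberately one-directional: a role value that appears in the token but has no systemUserGroup entry in UserGroups.xml grants no functional group, so adding an app role in Entra ID never widens permissions until the configuration explicitly refers to it. The rejected sample shows why audience and expiry are checked before any role is honoured: a token issued for a different API can carry the very same role names.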



For a frontend application to be able to use this app registration, redirect URIs have to be configured. In most cases the Web application platform should be chosen (Database Proxy URL or Archive Server URL); only for the Web Operator Client the Single-page application platform has to be used. Refer to the documentation of the individual components on how to configure OpenID Connect for them.



To manage access by external applications (tools, scripts) that run in an automated fashion, extra app registrations can be created and configured to use the client credentials flow. This is not required, though. Give each such registration only the application roles it actually needs, since its token is not tied to a user.
