
📖 CICA staff access to QuickSight on the AP #6237

Open
7 tasks
simon-pope opened this issue Dec 3, 2024 · 2 comments
simon-pope commented Dec 3, 2024

User Story

As a member of the Criminal Injuries Compensation Authority (CICA) team
I need access to Quicksight on the Analytical Platform
So that I can have analytics and real-time data visualisation after moving from our legacy, MI/BI system

Value / Purpose

  • Enable analytics and real-time data visualization to meet requirements.
  • Provide continuity of standardized MI/BI capabilities post-February.
  • Support seamless migration to a scalable, sustainable platform.

Useful Contacts

Adedotun Adenipekun, CICA

Proposal

The request is challenging in that CICA users will need access from a different EntraID tenant with a cica.justice.gov.uk domain. [Information about the tenant will be provided at the time the work commences]

This will require the following changes:

  1. When collecting users' justice identities, a new option must be added to collect their CICA identity instead.
  2. Any Control Panel references to justice.gov.uk domain will need to be amended to allow cica domains as well.
  3. SCIM Lambda will need to be amended to poll the CICA tenant for groups (we will use the same group format).
  4. Currently the plan is to allow them to auth to Control Panel using GitHub as normal (meaning GH accounts in the moj-analytical-platform organisation).
  5. For discussion: Should we amend the users api endpoint to shift from justice to external address?

Additional Information

From Feature Request:

CICA is transitioning from a legacy, custom-built MI/BI system that no longer aligns with current operational requirements or supports data-driven decision-making. The current MI tool will no longer be supported as the contract with the existing supplier ends in February 2025, necessitating a shift to a sustainable and scalable solution.

This migration aims to adopt AWS QuickSight as the new platform to enhance reporting capabilities and empower stakeholders. To ensure a smooth transition, the CICA data team, along with MI users and key stakeholders, will require access to QuickSight for both report creation and consumption.

Definition of Done

  • Control Panel identity collection code modified to collect CICA identity
  • Control Panel code amended in places where justice identity is explicitly referenced.
  • SCIM job amended
  • Proposal implemented
  • Tested
  • Follow-on stories raised
  • Documentation updated
michaeljcollinsuk commented Dec 17, 2024

Some notes/links from reading on multi-tenant apps in Azure:

https://stackoverflow.com/questions/52347821/azure-ad-multi-tenant-applications-how-to-implement-token-validation

From docs about the ID token claims relating to iss

Your app should use the GUID portion of the claim to restrict the set of tenants that can sign in to the app, if applicable.

And an issue about using authlib (used in Control Panel) with MS multi-tenant apps, with an example solution lepture/authlib#295

From looking at how the issuer is verified in the source code for Authlib, I think one option is that we pass in our own claims_options when calling the authorize_access_token method, passing in both tenant ID's that we expect to receive tokens from. e.g.:

claims_options = {'iss': {'values': [f"https://login.microsoftonline.com/{tenant_id}/v2.0" for tenant_id in settings.ENTRA_TENANT_IDS]}}
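The issuer allowlist described in the comment above, worked through as an added example (not Control Panel's or Authlib's own code). It builds a dict in the same shape Authlib's `claims_options` expects (`{'iss': {'values': [...], 'essential': True}}`), so the result could be passed to `authorize_access_token(claims_options=...)`, but the check itself is implemented inline so the snippet runs without Authlib. The tenant IDs, `settings.ENTRA_TENANT_IDS` substitute (`ALLOWED_TENANT_IDS`) and token claims are constructed placeholders, not real MoJ or CICA values.

```python
"""Restrict which Entra ID tenants may sign in to a multi-tenant app by
validating the ID token's ``iss`` claim against an explicit allowlist.

Added example, not Control Panel's code. It mirrors the shape of Authlib's
``claims_options`` so the allowlist can be handed to
``authorize_access_token(claims_options=...)``, but the validation here is
self-contained. All tenant IDs and claims below are constructed placeholders.
"""
import re
import uuid

# Constructed placeholder tenant IDs (assumption: one MoJ and one CICA tenant).
ALLOWED_TENANT_IDS = [
    "11111111-1111-1111-1111-111111111111",  # placeholder: justice.gov.uk tenant
    "22222222-2222-2222-2222-222222222222",  # placeholder: cica.justice.gov.uk tenant
]

# v2.0 issuer format: https://login.microsoftonline.com/{tenant-guid}/v2.0
ISSUER_TEMPLATE = "https://login.microsoftonline.com/{tenant_id}/v2.0"
ISSUER_RE = re.compile(
    r"^https://login\.microsoftonline\.com/([0-9a-f-]{36})/v2\.0$", re.IGNORECASE
)


def build_iss_claims_options(tenant_ids):
    """Build an Authlib-style claims_options dict listing every issuer we accept.

    Tenant IDs are normalised to canonical lowercase GUIDs. Anything that is not
    a GUID (e.g. 'common' or 'organizations') raises at config time, so the
    allowlist can never silently degrade to "any tenant".
    """
    issuers = []
    for tenant_id in tenant_ids:
        canonical = str(uuid.UUID(tenant_id))  # ValueError if not a GUID
        issuers.append(ISSUER_TEMPLATE.format(tenant_id=canonical))
    return {"iss": {"essential": True, "values": issuers}}


def tenant_from_issuer(iss):
    """Return the tenant GUID embedded in a v2.0 issuer URL, or None."""
    match = ISSUER_RE.match(iss or "")
    return match.group(1).lower() if match else None


def validate_issuer(claims, claims_options):
    """Apply the 'iss' rule from claims_options to a decoded token's claims.

    Returns (ok, reason). Like Authlib, an essential claim that is missing or
    not in 'values' fails validation. As an extra check, the 'tid' claim, when
    present, must name the same tenant as the issuer.
    """
    rule = claims_options["iss"]
    iss = claims.get("iss")
    if iss is None:
        if rule.get("essential"):
            return False, "missing iss claim"
        return True, "iss not required"
    if iss not in rule["values"]:
        return False, f"issuer not in allowlist: {iss}"
    tid = claims.get("tid")
    if tid is not None and tid.lower() != tenant_from_issuer(iss):
        return False, "tid claim does not match issuer tenant"
    return True, "ok"


# Constructed sample ID-token payloads (signature verification assumed upstream).
SAMPLE_CLAIMS_CICA = {
    "iss": "https://login.microsoftonline.com/22222222-2222-2222-2222-222222222222/v2.0",
    "tid": "22222222-2222-2222-2222-222222222222",
    "preferred_username": "someone@cica.justice.gov.uk",
}
SAMPLE_CLAIMS_OTHER_TENANT = {
    "iss": "https://login.microsoftonline.com/33333333-3333-3333-3333-333333333333/v2.0",
    "tid": "33333333-3333-3333-3333-333333333333",
}

if __name__ == "__main__":
    options = build_iss_claims_options(ALLOWED_TENANT_IDS)
    for name, claims in [("cica", SAMPLE_CLAIMS_CICA), ("other", SAMPLE_CLAIMS_OTHER_TENANT)]:
        print(name, validate_issuer(claims, options))
```

The point of normalising through `uuid.UUID` is that a misconfigured setting such as `"common"` fails loudly at startup instead of producing an issuer string that matches the multi-tenant `common` endpoint and lets any tenant in.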
