A Python Flask implementation of an SSO dashboard with OIDC for authentication.
High-Level Architecture Diagram of the Dashboard and related services. Diagram source is available here.
The dashboard prototype as it exists today. This screenshot will be updated as the dashboard UI evolves.
- Jake Watkins [:dividehex] [email protected]
- Andrew Krug [:andrew] [email protected]
- Flask
- Redis
- Jinja
- Flask-SSE
- Gunicorn
- MUI-CSS Framework
- Docker
- Control over what apps a user sees
- User profile editor
- Vanity URLs for applications
- Quick search for locating and opening applications
All authentications are performed through Auth0 for all users.
This app does not technically provide authorization. However, it does check a file using rule syntax to determine what applications should be in the user's dashboard. The rule file exists in dashboard/data/apps.yml.
---
apps:
- application:
name: "Demo App 1"
op: auth0
aal: LOW
url: "https://foo.bar.com"
logo: "auth0.png"
authorized_users: []
authorized_groups: []
display: false
vanity_url:
- /demo
During authorization, the app checks the user's group membership. If a user is a member of the required groups and they exist in their profile, the user is shown the icon.
Note: The display false attribute will cause the app not to be displayed at all under any circumstance. This exists largely to facilitate dev apps or app staging and then taking apps live.
To add applications to the dashboard, create an application entry in the apps.yml
file and add a logo under the images directory.
https://github.com/mozilla-iam/sso-dashboard-configuration
These are the rules for the logos. They have to conform to some standards due to the fact they are in a responsive grid.
- Logos should be 120px by 40px (or same aspect).
- Logos should be in .png format.
For more information on developing features for the SSO Dashboard, see the development guide.
This section gives an overview of the SSO Dashboard deployment. For a more detailed explanation, check this document.
The Single Sign-On (SSO) Dashboard runs on GCP Cloud Run and is automatically deployed to a Cloud Deploy pipeline via GitHub Actions upon merging to the master branch. Once deployed to Cloud Deploy, it becomes immediately available in the Cloud Run development environment for smoke testing. The IAM team can then promote the build from development to staging for further testing, and subsequently to production when ready.
Cloud Run environments:
- Production environment can be reached at https://sso.mozilla.com
- Staging environment can be reached at https://staging.sso.mozilla.com
- Development environment can be reached at https://sso.allizom.org
Each Cloud Run environment's settings are located in the clouddeploy
directory.