
User / Role / Authorization management

Authentication mode

Qalita Platform supports the following authentication modes (token authentication, used for API access, is described at the end of this section):

  • Password authentication: users authenticate with a user ID and a password. This mode can be backed by an enterprise directory over the LDAP protocol (see Configuring LDAP).
  • SSO authentication: users authenticate with an external identity provider (Google, Azure, Okta, etc.) (see Configuring SSO).

Configuring LDAP

To configure LDAP authentication, add the following environment variables to the backend. The values shown are examples.

  • LDAP_SERVER: the LDAP server address, e.g. ldap://openldap:389
  • LDAP_DN: the base DN under which users are searched, e.g. dc=example,dc=org
  • LDAP_TLS: enable TLS, e.g. false. With false and an ldap:// server, the search user's password and every user's login password cross the network in clear text; use true outside of local testing.
  • LDAP_SEARCH_USER: the DN of the service account used to search the directory, e.g. cn=admin,dc=example,dc=org
  • LDAP_SEARCH_PASSWORD: the password of the search user, e.g. adminpassword
  • LDAP_SEARCH_USER_FILTER: the search filter for users; %s is substituted with the user ID given at login, e.g. (&(objectClass=person)(uid=%s))
  • LDAP_SEARCH_GROUP_FILTER: the search filter for the user's groups; %s is substituted with the user's uid, e.g. (&(objectClass=posixGroup)(memberUid=%s))
  • LDAP_ROLE_MAPPING: the mapping of LDAP groups to platform roles, as a semicolon-separated list of role:groupDN pairs, e.g. admin:cn=direction,dc=qalita,dc=io;dataengineer:cn=factory,dc=qalita,dc=io;datamanager:cn=conseil,dc=qalita,dc=io
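The Python below is an added illustration, not code from the Qalita backend, of how these variables are consumed at login: the login name is escaped per RFC 4515 before being substituted for %s (naive substitution lets a crafted login rewrite the filter, which the script shows side by side), and LDAP_ROLE_MAPPING is parsed and matched against the user's group DNs, falling back to the public role. The precedence when a user belongs to several mapped groups (first entry in configured order wins) and the DN normalisation are assumptions of this example; the configuration values are the ones documented above.

```python
"""Added illustration (not Qalita's own code): LDAP filter escaping and role
mapping for the variables documented above."""
from __future__ import annotations

import re

# Constructed example configuration, matching the documented values.
LDAP_SEARCH_USER_FILTER = "(&(objectClass=person)(uid=%s))"
LDAP_SEARCH_GROUP_FILTER = "(&(objectClass=posixGroup)(memberUid=%s))"
LDAP_ROLE_MAPPING = (
    "admin:cn=direction,dc=qalita,dc=io;"
    "dataengineer:cn=factory,dc=qalita,dc=io;"
    "datamanager:cn=conseil,dc=qalita,dc=io"
)
DEFAULT_ROLE = "public"  # role assigned on first login when no mapping matches

# RFC 4515 section 3: these characters must be escaped inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value so it cannot change the filter's structure."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter(template: str, value: str) -> str:
    """Substitute %s in a filter template with the escaped value."""
    return template.replace("%s", escape_filter_value(value))


def build_filter_unsafe(template: str, value: str) -> str:
    """Naive substitution, kept only to make the injection visible."""
    return template.replace("%s", value)


def parse_role_mapping(mapping: str) -> list[tuple[str, str]]:
    """Parse 'role:groupDN;role:groupDN' into an ordered list of (role, dn)."""
    pairs = []
    for item in filter(None, (p.strip() for p in mapping.split(";"))):
        role, sep, dn = item.partition(":")
        if not sep or not role.strip() or not dn.strip():
            raise ValueError(f"malformed LDAP_ROLE_MAPPING entry: {item!r}")
        pairs.append((role.strip(), dn.strip()))
    return pairs


def _norm_dn(dn: str) -> str:
    # Assumption of this example: DNs compare case-insensitively, ignoring
    # blanks after the separating commas.
    return re.sub(r",\s*", ",", dn.strip()).lower()


def resolve_role(user_group_dns, mapping, default=DEFAULT_ROLE) -> str:
    """Return the role of the first mapping entry (in configured order) whose
    group the user belongs to; this precedence is an assumption, the platform
    does not document it. Falls back to the default (public) role."""
    groups = {_norm_dn(g) for g in user_group_dns}
    for role, dn in mapping:
        if _norm_dn(dn) in groups:
            return role
    return default


if __name__ == "__main__":
    login = "*)(uid=*))(|(uid=*"  # constructed malicious login name
    print("unsafe:", build_filter_unsafe(LDAP_SEARCH_USER_FILTER, login))
    print("escaped:", build_filter(LDAP_SEARCH_USER_FILTER, login))
    mapping = parse_role_mapping(LDAP_ROLE_MAPPING)
    print("uid alice ->", build_filter(LDAP_SEARCH_GROUP_FILTER, "alice"))
    print("role:", resolve_role(["cn=factory,dc=qalita,dc=io"], mapping))
```

Run it directly to see the unescaped filter `(&(objectClass=person)(uid=*)(uid=*))(|(uid=*))`, which matches every person, against the escaped one, which only matches a user whose literal uid is the injected string.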
Configuring SSO

To configure SAML authentication with Azure, add the following environment variables to the backend.

  • QALITA_AUTH_MODE: the authentication mode, set to saml
  • QALITA_SAML_AZURE_CLIENT_ID: the application's client ID (see step 6, Retrieve Application Details)
  • QALITA_SAML_AZURE_CLIENT_SECRET: the application's client secret (see step 5, Create an Application Secret)
  • QALITA_SAML_AZURE_TENANT_ID: the application's tenant ID (see step 6, Retrieve Application Details)
  • QALITA_SAML_AZURE_REDIRECT_URL: the application's redirect URL, https://api.<qalita-domain>/api/v1/users/saml/callback. It must be identical to the redirect URI registered in Azure (scheme, host and path, including any trailing slash), otherwise Azure rejects the sign-in with a reply URL mismatch error.

To create an application in Azure Active Directory (Azure AD) and configure SAML authentication for your platform, follow the steps below. They set up Single Sign-On (SSO) for the platform with Azure AD as the identity provider.

1. Access the Azure Portal

  • Log in to the Azure Portal with your administrator account.

2. Navigate to Azure Active Directory

  • In the Azure portal's sidebar, select "Azure Active Directory" to access your Azure AD directory.

3. Register a New Application

  • Go to the "App registrations" section.
  • Click on "New registration" to start the process of creating a new application.
  • Name your application, select the supported account types, and specify the redirect URL (the callback URL used by your application after SAML authentication). This URL should match the QALITA_SAML_AZURE_REDIRECT_URL you will configure later in your environment variables.

4. Verify Authorized APIs

  • Once the application is created, access it in the Azure portal.
  • In the application's menu, look for the "API permissions" section.
  • Click on "Add a permission" > "Microsoft Graph" > "Delegated permissions", search for User.Read, tick it and click "Add permissions".

5. Create an Application Secret

  • Navigate to the "Certificates & secrets" section of your application.
  • Click on "New client secret" to create a new application secret, and choose an expiry. Note the expiry date: sign-in stops working once the secret expires, so plan its rotation.
  • Copy the secret's Value immediately; Azure displays it only once. Do not confuse it with the Secret ID shown next to it.
  • Use the Value to configure the QALITA_SAML_AZURE_CLIENT_SECRET environment variable.

6. Retrieve Application Details

  • To fill in the environment variables, retrieve the following details:
    • Client ID (QALITA_SAML_AZURE_CLIENT_ID): shown as "Application (client) ID" in the application's "Overview" section.
    • Client Secret (QALITA_SAML_AZURE_CLIENT_SECRET): the Value of the secret created in step 5 in the "Certificates & secrets" section.
    • Tenant ID (QALITA_SAML_AZURE_TENANT_ID): shown as "Directory (tenant) ID" in the application's "Overview" section and in the "Overview" of your Azure Active Directory.

7. Configure Environment Variables

  • On your server or development environment, configure the environment variables you retrieved in the previous step.

8. Test SAML Authentication

  • Test the SAML authentication to ensure everything is correctly configured and users can log in to your application via Azure AD.

By following these steps, you will have created an application in Azure AD, configured SAML authentication, and prepared your platform to use Azure AD as the identity provider for SSO authentication.
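Before testing the sign-in (step 8), it is worth a quick consistency check of the variables. The Python below is an added example, not part of the Qalita backend: it checks that each variable is set, that the client and tenant IDs have the GUID form shown on the Azure Overview page, that the secret is not the Secret ID copied by mistake instead of the Value, and that the redirect URL is https, ends with the documented callback path and is byte-for-byte identical to the URI registered in step 3. The sample environment and the registered URI are constructed values.

```python
"""Added illustration (not Qalita's own code): pre-flight check of the Azure
SSO environment variables documented above."""
from __future__ import annotations

import re
from urllib.parse import urlsplit

REQUIRED = (
    "QALITA_AUTH_MODE",
    "QALITA_SAML_AZURE_CLIENT_ID",
    "QALITA_SAML_AZURE_CLIENT_SECRET",
    "QALITA_SAML_AZURE_TENANT_ID",
    "QALITA_SAML_AZURE_REDIRECT_URL",
)
# Path of the documented redirect URL https://api.<qalita-domain>/api/v1/users/saml/callback
CALLBACK_PATH = "/api/v1/users/saml/callback"
# Azure application (client) IDs and directory (tenant) IDs are GUIDs.
_GUID = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)

# Constructed sample values (assumed domain and IDs, not real ones).
REGISTERED_REDIRECT_URI = "https://api.qalita.example.com/api/v1/users/saml/callback"
EXAMPLE_ENV = {
    "QALITA_AUTH_MODE": "saml",
    "QALITA_SAML_AZURE_CLIENT_ID": "11111111-2222-3333-4444-555555555555",
    "QALITA_SAML_AZURE_CLIENT_SECRET": "s3cr3t-value-copied-from-the-portal",
    "QALITA_SAML_AZURE_TENANT_ID": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    "QALITA_SAML_AZURE_REDIRECT_URL": REGISTERED_REDIRECT_URI,
}


def check_saml_env(env: dict[str, str], registered_redirect_uri: str) -> list[str]:
    """Return the list of problems found (empty when the configuration is consistent).
    registered_redirect_uri is the redirect URI typed into the Azure app registration."""
    problems = [f"{name} is not set" for name in REQUIRED if not env.get(name, "").strip()]
    if problems:
        return problems
    if env["QALITA_AUTH_MODE"] != "saml":
        problems.append("QALITA_AUTH_MODE must be 'saml'")
    for name in ("QALITA_SAML_AZURE_CLIENT_ID", "QALITA_SAML_AZURE_TENANT_ID"):
        if not _GUID.match(env[name]):
            problems.append(f"{name} is not a GUID as shown on the Azure 'Overview' page")
    # A GUID in the secret slot almost always means the Secret ID was copied
    # instead of the secret's Value (which is shown only once at creation).
    if _GUID.match(env["QALITA_SAML_AZURE_CLIENT_SECRET"]):
        problems.append("QALITA_SAML_AZURE_CLIENT_SECRET looks like the Secret ID, not the secret Value")
    url = env["QALITA_SAML_AZURE_REDIRECT_URL"]
    parts = urlsplit(url)
    if parts.scheme != "https":
        problems.append("redirect URL must use https")
    if parts.path != CALLBACK_PATH:
        problems.append(f"redirect URL path must be {CALLBACK_PATH}")
    # Azure compares reply URLs literally: a trailing slash, http instead of
    # https or another host is enough for a reply URL mismatch error.
    if url != registered_redirect_uri:
        problems.append("redirect URL differs from the URI registered in Azure")
    return problems


if __name__ == "__main__":
    for problem in check_saml_env(EXAMPLE_ENV, REGISTERED_REDIRECT_URI) or ["configuration looks consistent"]:
        print(problem)
```

In a real deployment, build the dictionary from os.environ on the backend host and pass the URI you actually registered in step 3.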

  • Token authentication: users authenticate against the backend API with an API token.
info

By default, any user is assigned the public role on first login, unless an LDAP role mapping (LDAP_ROLE_MAPPING) assigns another role.

Create a user

To create a user, go to the Users & Roles section of the Parameters menu.

The different roles

Qalita Platform defines several roles; a user's role determines the actions and access rights available to them.

Role | Description | Authorizations
--- | --- | ---
Administrator | Access to all the platform's functionalities. | All
Data engineer | Access to most of the platform's functionalities, except parameters and data science. | Agents, Packs, Sources, Projects, Reports, Tickets, Curation plan, Catalog
Data manager | Access to project, report, ticket and curation plan functionalities. | Sources, Projects, Reports, Tickets, Curation plan, Catalog
Data scientist | Access to catalog, report and data science functionalities. | Reports (only with token), Catalog, Synthetic data, Model evaluation
Public | Minimal access to the platform's functionalities. | Profile, Notifications, Reports (only with token)

The different authorizations

In addition to roles, Qalita Platform has habilitations, entitlements that grant a user the right to perform specific actions.

info

Every habilitation is granted for a limited lifetime (1 year by default).

Habilitation | Description | Authorizations
--- | --- | ---
Sensitive Data | Allows access to sensitive data. | Sensitive Data
Share report | Allows the user to share reports. | Share reports