Organization Management User Guide


This section is currently in development and is subject to updates and changes.

CIAM for B2B will be available via Early Access to selected partners. To determine if you are eligible to participate as part of the Early Access implementations, contact your Customer Engagement Executive.


Description

This guide assumes that you have already configured your sites and/or site groups in the Gigya Console that you are going to use with CIAM for B2B and that you have the necessary licensing enabled for your partner.

Additionally, this entire document is currently in development and is subject to change regularly, as well as may still be incomplete.

Enabling Organization Management

You can activate Organization Management for a single API key or a Site Group parent's API key. 

Navigate to the Admin space of the Gigya Console and select the Organization Management tab.

       

 

Once in the Organization Management section, locate the site(s) for which you want to enable Organization Management and click the button labeled Activate. Activation may take several minutes to complete; once it has completed, the button changes to Deactivate. At this point you can proceed to the Organization Management configuration.

 

Opening the Organization Management Dashboard

As a Gigya Console admin, you can access the Organization Management dashboard from the Product Switcher located in the header of the Console. Simply select Organization Management from the drop-down menu and the dashboard opens in a new tab.

 

If you do not see the Product Switcher arrow in your Console, please check that all of the following are true:

  • You are an Admin (you are in the _admins permissions group) for the Partner you are viewing.
  • You have the Organization Management license enabled for your account.
  • You have previously activated Organization Management for at least one site or site group of your Partner from the Organization Management tab of the Admin section of the Console.

Once your user is authorized for the Organization Management dashboard, you will see the main landing page where you can select the Gigya Partner you want to manage. Most clients will see only a single partner listed here; clients that have more than one Partner will see only the partner(s) that have the Organization Management license enabled.

 

Editing Email Templates

Navigate to the Organization Management Dashboard.

Click Manage on the top-level organization you want to configure default emails for.

Open the Settings window and ensure that you have the top-level partner selected and then navigate to the Invite tab.

 

Here you can customize the text and format of your default Parent Email Template.

To edit any of the specific Organization email templates, select the organization from the left column and navigate to the Invite tab of the organization, click the Edit button from the Available Actions

 

and then choose Edit Template. Be sure that you modify both the template used for new users as well as the template sent to existing users.

 

Press Save after making any changes to either of the email templates.

 

Creating Roles

Enter the Organization Management dashboard and select Expand on the Partner you want to add the Role to. If an entire site group will use the same Role, you can click Manage on the appropriate Site Group; otherwise, select Expand again, then select the Organization you want to add the Role to and click Manage there.

Once managing the proper entity, from the left-hand menu, navigate to Identities -> Roles.

 

By default, a Role named Delegated Admin already exists that contains the permissions needed by an IT Admin (Gigya/CDC Console user). You can assign this Role to the delegated admins you invite to manage any of your organizations.

 

 

Modifying Your Organization Management Schema

Enter the Organization Management dashboard and select Expand on the Partner whose Schema you want to modify. If an entire site group will use the same Schema, you can click Manage on the appropriate Site Group; otherwise, select Expand again, then select the Organization whose Schema you want to modify and click Manage there.

Once managing the proper entity, from the left-hand menu, navigate to Identities -> Schemas.


Inviting Delegated Admins

As an IT Admin, you can invite Delegated Admins for any of the organizations you have configured in the dashboard, so that they can maintain their own implementation. To begin, navigate to the Organization Management Dashboard. Once there, click Expand until you reach the organization that you want to invite users for, and on the applicable organization, select Manage.

Navigate to the Members section and click INVITE.

 

This will display the form for inviting a new Delegated Admin. Fill out all the pertinent data and click Send.

 

The user you invited will receive an invitation at their email address. If they are a new user, the email contains a one-time verification code that they enter into the Password field of the Gigya login form on your site to create their account; otherwise, the user is asked to log in to their existing account.

 

Creating Rules

Enter the Organization Management dashboard and select Expand on the Partner you want to add the Rule to. If an entire site group will use the same Rule, you can click Manage on the appropriate Site Group; otherwise, select Expand again, then select the Organization you want to add the Rule to and click Manage there.

Once managing the proper entity, from the left-hand menu, navigate to Implementation -> Rules.

 

Press CREATE NEW.

Fill out the necessary fields.

 

For the Asset Template field you must choose one of your existing templates. For information on creating asset templates, see Creating An Asset Template.

For the Attribute field, define the name of the attribute that this rule will apply to.

For the Settings field, define whether you want this rule to Apply to all or to Apply to some.

In the Operator field, select how this rule will perform its validation.

 

In the Value field, you can select one of the existing items, or type a new string and press Enter to add a new value.

Finally, define the Organization Usage Settings to either Private or Hierarchy.

When complete, press SAVE.

 

Creating An Action

Enter the Organization Management dashboard and select Expand on the Partner you want to add the Action to. If an entire site group will use the same Action, you can click Manage on the appropriate Site Group; otherwise, select Expand again, then select the Organization you want to add the Action to and click Manage there.

Once managing the proper entity, from the left-hand menu, navigate to Implementation -> Actions.

 

Press CREATE NEW.

Fill out the necessary information. The Action field must be the exact name of the action as you will use it in your implementation. Select the Organization usage settings and press SAVE.

 

Creating An Asset Template

Enter the Organization Management dashboard and select Expand on the Partner you want to add the template to. If an entire site group will use the same Asset Template, you can click Manage on the appropriate Site Group; otherwise, select Expand again, then select the Organization you want to add the template to and click Manage there.

Once managing the proper entity, from the left-hand menu, navigate to Implementation -> Templates.

 

Press the CREATE NEW button.

Fill out the details of the form that appears. All fields must be completed.

In Repository, select Virtual Repository (because we are using virtual assets).

Under Asset Attributes, select the Type of the data that this asset will define, options are string or numeric.

Select the Template type of either Data, Field, or Other (in most cases this will be Data for virtual assets).

Under Actions, press the ADD ACTIONS button.

If you already have actions defined, press the Search button to list all your current actions and choose the appropriate items. If you do not have any actions or need to create a new action for this template, press CREATE NEW. For additional information on creating actions, see Creating An Action.

Finally, set the Organization usage settings to either Hierarchy or Private and press SAVE.

 

Creating Your First Policy

This section shows you how to set up a policy for the first time. You should already have added the necessary Roles and Asset templates to your organization's configuration before doing this configuration.

Step One - Policy

Open the Organization Management Dashboard and navigate to the Site Group you want to create the policy for. Open the Policies from the left-hand menu and click CREATE NEW.

 

This will open the New Policy window. 

 

Give the new policy a Name and optional Description. You can set the Policy type to be either Access or Restricted as well as setting the Status as Enabled (active) or not.

You may also set the Organization Usage Settings here. The options are:

  • Private - Will apply to this Organization.
  • Hierarchy - Only used on top-level configurations, i.e., the Partner level. The policy applies to the entity itself and to all organizations underneath it.

When finished, press Save.

 

Step Two - Connect Roles

Next, you will need to connect Members to the new policy. You do this using the Interface in the Dashboard and clicking on the Connect Dynamic Groups & Members link.

 

This will open the Connect Roles window.

 

Press the Search icon to see a list of all existing roles; you can then either select one of the existing roles or Create a new one.

 

Press Apply when finished.

After roles are connected, the Interface will display like below.

 

Note

Connecting conditions is not currently supported.

 

Step Three - Connect Assets

Finally, connect assets to the new policy. Do this by clicking the Connect Assets link.

 

This will open the Link settings window. Press the Search icon to show a list of your Asset templates. If you only have one, its details will already be displayed on the right side of the window.

 

Press the Apply button next to the Asset template you want to connect to this policy.

 

Press CONTINUE to move to the Assets tab. Since we are using virtual assets, press SKIP on the Assets tab.

You will now be on the Assets Rules tab. Press MANAGE ASSET RULES which will display the Manage assets rules wizard where you can connect the rules.

 

Select the Rule you want to attach to the policy by using the drop-down. You can add additional fields using the Plus icon.

 

 

When finished adding the asset rules, press SAVE and then press CONTINUE on the main tab.

The Constraints and Obligations tabs are not currently supported, so press SKIP on both of these tabs.

On the Application tab, press the Search button to list all existing applications and select the one you want to attach this policy to. If you do not currently have any Applications configured, press SKIP & SAVE.

 

Your interface should now look similar to the following.

 

If you have already connected this Policy to an application, you can press the Deploy button; otherwise, create an application as described below.


Creating Your First Application

Navigate to the Implementation -> Applications tab of the Site Group you are adding the application to and press CREATE NEW.

 

In the new application window add a Name and optional Description. You can also set the Organization usage settings here; the options are Private or Hierarchical.

 

When finished, press SAVE.

Next, select the Adaptive Assets tab of the application interface and in the Connect assets section, choose Asset.

 

In the Select assets window, press the Search button to display all your current assets in the left side of the window. You can add assets to the application by double-clicking them so they move to the right side under Selected items. When you have connected all the applicable assets, press APPLY.

 

You will then need to get the Application's client_id for your client-side application. You will find it by clicking the blue Keys icon to open the Application client keys window.

 

First, configure the Token Validity (in minutes) if you have not already done so for this app. This is how long any credentials are cached. For testing and development you can set this to 0; in a production environment you may want to set it a little higher, e.g., 5 or 10, so that you do not need to re-request a user's authorization within that time period. When finished, press SAVE.

 

The Token Validity configuration is being removed in a future release and will no longer be necessary.

 

You will then be presented with the full Application client keys interface and you will see your Client ID listed. You should save this key for use later during your implementation. You can disregard the Secret key, as it is not applicable to a CDC/Gigya REST integration.


Deploy Your Policy

Navigate to the Policies -> Manage section of the dashboard, select the policy you want to activate and press the Deploy icon.


Add Roles To An Existing User

First, navigate to the Organization that the user belongs to and click Manage.

 

Next, go to the section and select the user you want to modify.

 

Open the Role Management tab and press ADD ROLES.

 

Press the Search icon to display all available roles for this organization, and click the desired role to move it to the Selected items window. Do this for all necessary roles for the user, and then press APPLY.

 

You can then see all assigned roles to the user in the Role Management tab.


Remove Roles From A User

You can un-assign roles from a user at any time by clicking the Unlink icon next to the specific role you want to remove in the Role Management tab of the member (see Add Roles To An Existing User for additional information).

 

Construct An Authorization Request

To determine whether the current user is authorized to access a specific resource, you must send a request to the Organization Management server, which returns a response with the details.

There are two (2) ways to query the server: a Basic authorization request or a Detailed authorization request. With Basic, you check whether the user is authorized for a specific asset at the time that asset is being requested; with Detailed, you receive an array of all the assets the user is able to access and the actions the user is allowed to perform on those assets. This walk-through covers the Basic authorization scenario.

We recommend using Postman for testing your configuration. This chapter uses Postman as the client for the included examples.

You can download Postman here: https://www.getpostman.com/

 

Obtain Your Client_ID and Secret

Navigate to the Organization Management dashboard (see Opening the Organization Management Dashboard).

Select the Manage option for the Partner you created the application in from the previous section.

 

Then go to Settings and select the top level entity. Go to the Security tab and choose the API Key Management button. Copy the Key and Secret from the Authorization Request API Key section for use in your implementation.

 

Construct the API URI

To send the request, construct the API URI as follows, where <YOUR-GIGYA-API-KEY> is the Gigya API key associated with this site or site group in the Gigya Console and <YOUR-ORG-MNGT-APP-CLIENT-ID> is the Client ID you obtained from the Organization Management dashboard in the previous section.

Basic Authorization API Format
https://us1api.b2b-gigya.com/runtime/<YOUR-GIGYA-API-KEY>/authorization/basic/<YOUR-ORG-MNGT-APP-CLIENT-ID>

This example URI is used for Basic authorization, for constructing a Detailed authorization request see LINK:TBD.

 

Insert the URI you constructed above, into the Postman interface as a POST request.

 

Configure The POST Body

Next, we will configure our POST body, using the raw option so we can paste our JSON directly.

The generic format of a request is detailed below.

Basic Authorization JSON Structure
{
    "identity": {
        "id": "<THE-GIGYA-UID-OF-THE-USER-TO-VALIDATE>"
    },
    "context": {
        "organization": "<THE-ORG-MNGT-orgId-OF-THE-USER'S-ORGANIZATION>"
    },
    "assets": [
        {
            "type": "urls",
            "path": "admin",
            "actions": ["view_url"],
            "attributes": {
                "url": ["public"]
            }
        }
    ]
}

Note that the JSON must not contain comments. The fields of each item in the assets array are:

  • type - the Asset template name.
  • path - the path of the resource, or "/".
  • actions - the attempted action(s).
  • attributes - the name of the asset being accessed.
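The following is an added example, not Gigya's own code: it builds the Basic authorization URI from the format shown above and the POST body in the structure just described, refusing to produce either while any value is still an unfilled <PLACEHOLDER>. The API key, client_id, UID and orgId values it uses are constructed placeholders.

```python
"""Build the URI and POST body for a Basic authorization request.

Added example (not Gigya's own code). The URI format and the JSON field
names are taken from the guide; every value used below is a constructed
placeholder, not a real API key, client_id, UID or orgId.
"""
import json
from urllib.parse import quote

# URI template from the "Basic Authorization API Format" above.
BASIC_AUTHORIZATION_URI = (
    "https://us1api.b2b-gigya.com/runtime/{api_key}/authorization/basic/{client_id}"
)


def is_placeholder(value):
    """True for empty values or values still in the <LIKE-THIS> template form."""
    return not isinstance(value, str) or not value or (
        value.startswith("<") and value.endswith(">")
    )


def build_basic_authorization_uri(gigya_api_key, app_client_id):
    """Fill the URI template; refuse missing or unfilled placeholder values."""
    for name, value in (("Gigya API key", gigya_api_key), ("client_id", app_client_id)):
        if is_placeholder(value):
            raise ValueError(f"{name} is missing or still a placeholder: {value!r}")
    # Percent-encode so a stray "/" in a value cannot change the request path.
    return BASIC_AUTHORIZATION_URI.format(
        api_key=quote(gigya_api_key, safe=""), client_id=quote(app_client_id, safe="")
    )


def build_basic_authorization_body(uid, org_id, asset_type, path, actions, attributes):
    """Return the request body as a dict in the shape shown in the guide.

    uid        - Gigya UID of the user to validate ("identity.id")
    org_id     - Organization Management orgId of the user's organization
    asset_type - Asset template name ("type")
    path       - path of the resource, or "/"
    actions    - attempted action(s), e.g. ["view_url"]
    attributes - attribute name -> list of values, e.g. {"url": ["public"]}
    """
    for name, value in (("uid", uid), ("org_id", org_id),
                        ("asset_type", asset_type), ("path", path)):
        if is_placeholder(value):
            raise ValueError(f"{name} is missing or still a placeholder: {value!r}")
    if not actions:
        raise ValueError("at least one action is required")
    return {
        "identity": {"id": uid},
        "context": {"organization": org_id},
        "assets": [
            {
                "type": asset_type,
                "path": path,
                "actions": list(actions),
                "attributes": {key: list(values) for key, values in attributes.items()},
            }
        ],
    }


def serialize_body(body):
    """Serialize for the raw JSON POST body. json.dumps cannot emit comments,
    which is the simplest way to honour the "no comments" rule."""
    return json.dumps(body, indent=4)


if __name__ == "__main__":
    # Constructed placeholder values for a local dry run.
    uri = build_basic_authorization_uri("EXAMPLE-GIGYA-API-KEY", "example-client-id")
    body = build_basic_authorization_body(
        uid="example-gigya-uid",
        org_id="example-org-id",
        asset_type="urls",
        path="admin",
        actions=["view_url"],
        attributes={"url": ["public"]},
    )
    print("POST", uri)
    print(serialize_body(body))
```

Building the body as a dict and serializing it with json.dumps is what guarantees a comment-free, well-formed document; the placeholder check catches the common mistake of pasting the template from this page into Postman before replacing the angle-bracket values.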


After providing the applicable data for your user, enter it into Postman, ensuring that you have JSON (application/json) selected from the drop-down options.

 

 

Configure the POST Authorization Token

To construct our authorization JWT we will use https://jwt.io

Navigate to jwt.io and make the following changes:

The HEADER should be the default of:

  • "alg" : "HS256"
  • "typ" : "JWT"

The PAYLOAD DATA should be edited to contain only the following properties:

  • iss - The Authorization Request API key from above (the client_id).
  • exp - The time the token expires, as a Unix timestamp, e.g., 1558868994; this must be no more than one (1) hour (3600 seconds) after the time the token is sent. For testing, you can use the Expiration Generator tool below.

In the VERIFY SIGNATURE section you should check the Secret Base64 encoded option and input your secret (from the Authorization Request API key section) into the available field.

 

Copy the JWT from the left-hand pane and paste it into the Token field of the Authorization tab of Postman, being sure to select Bearer Token from the left drop-down.

 

 

Sending The Request

If you have constructed the POST body as described above, you can now send the test request to the Organization Management server. If the request is constructed properly, you will receive one of the following two responses:

  • allow

    Authorized Response
    {
        "access": "allow"
    }
  • deny

    Denied Response
    {
        "access": "deny"
    }
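The following is an added example, not Gigya's own code, showing how a client should interpret the reply: only the documented {"access": "allow"} body grants access, {"access": "deny"} denies it, and the {"exp": "expired"} token error or any unrecognised body is treated as a denial so the client fails closed. The guide does not document HTTP status codes, so the decision is made on the response body alone; the sample responses are constructed from the shapes shown on this page.

```python
"""Interpret the Organization Management server's reply to a Basic
authorization request.

Added example (not Gigya's own code). The three response bodies handled
here are the ones the guide documents: {"access": "allow"},
{"access": "deny"} and the {"exp": "expired"} token error. HTTP status
codes are not documented in the guide, so the decision is made on the
body alone, and anything unrecognised is treated as a denial.
"""
import json


class AuthorizationRequestError(Exception):
    """The server did not return a usable allow/deny decision."""


def interpret_basic_authorization_response(body_text):
    """Return True for allow, False for deny; raise for anything else."""
    try:
        data = json.loads(body_text)
    except ValueError as exc:
        raise AuthorizationRequestError(f"response is not JSON: {exc}") from None
    if not isinstance(data, dict):
        raise AuthorizationRequestError(f"unexpected response shape: {data!r}")
    if data.get("exp") == "expired":
        # The JWT exp was in the past or more than 3600 seconds ahead: mint a new token.
        raise AuthorizationRequestError("token rejected: exp expired or lifetime over 3600 s")
    access = data.get("access")
    if access == "allow":
        return True
    if access == "deny":
        return False
    raise AuthorizationRequestError(f"unexpected response: {data!r}")


def is_authorized(body_text):
    """Fail-closed wrapper: only an explicit "allow" grants access; every
    error (which a real client would also log) means deny."""
    try:
        return interpret_basic_authorization_response(body_text)
    except AuthorizationRequestError:
        return False


# Constructed sample responses following the shapes shown in the guide.
SAMPLE_RESPONSES = {
    "allow": '{"access": "allow"}',
    "deny": '{"access": "deny"}',
    "expired": '{"exp": "expired"}',
    "garbage": "<html>502 Bad Gateway</html>",
}

if __name__ == "__main__":
    for name, text in SAMPLE_RESPONSES.items():
        print(f"{name:8s} -> authorized={is_authorized(text)}")
```

The separation between the strict interpreter and the fail-closed wrapper lets the calling code log the exact reason a decision could not be obtained (expired token, malformed reply) while still never granting access on anything but an explicit allow.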

Expiration Generator

Generate an EXP for your JWT

This tool will generate an EXP based upon the current time and add the inputted value to it.


 

The maximum allowed lifetime of a supported JWT is 3600 seconds. Using any value larger than this will result in the following error response from the authorization server:

{
    "exp": "expired"
}
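The following is an added example, not Gigya's code and not the jwt.io tool, that does what the Configure the POST Authorization Token section and the Expiration Generator above describe, using only the Python standard library: it computes exp as the current time plus a TTL capped at 3600 seconds, signs a header.payload JWT with HS256 using the base64-decoded secret (the equivalent of jwt.io's "secret base64 encoded" option), and verifies a token locally before it is sent. Minting the token locally also means the Authorization Request secret never has to be pasted into a browser tool. The client_id and secret values are constructed placeholders.

```python
"""Mint and locally verify the HS256 bearer token for the authorization
request, and generate its exp claim.

Added example (not Gigya's code and not jwt.io); standard library only.
The header, the iss and exp claims, the base64-encoded secret and the
3600-second maximum lifetime come from the guide. The client_id and
secret below are constructed placeholders.
"""
import base64
import hashlib
import hmac
import json
import time

MAX_TOKEN_LIFETIME_SECONDS = 3600  # larger values earn {"exp": "expired"} from the server

# Constructed example secret, stored base64 encoded as the dashboard presents it.
EXAMPLE_SECRET_B64 = base64.b64encode(b"constructed-example-secret-not-real").decode("ascii")


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def generate_exp(ttl_seconds, now=None):
    """Expiration Generator: current time plus TTL, refusing TTLs the server rejects."""
    if not isinstance(ttl_seconds, int) or not 0 < ttl_seconds <= MAX_TOKEN_LIFETIME_SECONDS:
        raise ValueError(f"TTL must be 1..{MAX_TOKEN_LIFETIME_SECONDS} seconds, got {ttl_seconds!r}")
    return (int(time.time()) if now is None else int(now)) + ttl_seconds


def mint_authorization_jwt(client_id, secret_b64, ttl_seconds=300, now=None):
    """Return header.payload.signature with alg HS256, iss=client_id, exp=now+ttl."""
    # jwt.io's "secret base64 encoded" option: the HMAC key is the decoded bytes.
    key = base64.b64decode(secret_b64)
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": client_id, "exp": generate_exp(ttl_seconds, now)}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, payload)
    )
    signature = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(signature)


def verify_authorization_jwt(token, secret_b64, now=None):
    """Check a token before sending it: HS256 header, valid signature, exp in window.
    Returns the payload dict or raises ValueError."""
    try:
        header_b64, payload_b64, signature_b64 = token.split(".")
    except ValueError:
        raise ValueError("token must have three dot-separated parts") from None
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # never let the token pick a different algorithm
        raise ValueError(f"unsupported alg: {header.get('alg')!r}")
    key = base64.b64decode(secret_b64)
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(signature_b64)):
        raise ValueError("signature mismatch")
    payload = json.loads(_b64url_decode(payload_b64))
    current = int(time.time()) if now is None else int(now)
    exp = payload.get("exp")
    if not isinstance(exp, int) or exp <= current:
        raise ValueError("token expired")
    if exp - current > MAX_TOKEN_LIFETIME_SECONDS:
        raise ValueError("exp more than 3600 seconds ahead; the server would reject it")
    if not payload.get("iss"):
        raise ValueError("iss (client_id) missing")
    return payload


if __name__ == "__main__":
    token = mint_authorization_jwt("example-client-id", EXAMPLE_SECRET_B64, ttl_seconds=600)
    print("Authorization: Bearer", token)
    print("verified payload:", verify_authorization_jwt(token, EXAMPLE_SECRET_B64))
```

Use the printed token as the Bearer Token in Postman, or send it in an Authorization header from your own client. Keeping the TTL short (the default here is five minutes) limits how long a leaked token remains usable, and the local verify step catches a wrong secret or an over-long lifetime before the server answers with {"exp": "expired"}.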

 

 

Additional Information

CIAM for B2B

Groups Object

 

Important

 The Organization Management Dashboard is only supported on Chrome browser.
