Login
Contents x
Service Accounts
  • 07 Aug 2024
  • Dark
    Light
  • PDF
Contents

Service Accounts

  • Updated on 07 Aug 2024
  • Dark
    Light
  • PDF
Article summary

Authorization Clients and Service Accounts

Applications that need a point of entry to interact with IAP APIs in order to perform tasks are created as Service Accounts in IAP. Using OAuth2 protocols that work over HTTPS to send a client token ID and secret key, authorization policies and controls are applied to limit what the requesting application is permitted to do and for how long. The client ID is used to identify the Service Account and the secret key is used to provide proof of right-to-access. Most notably, the client ID and secret key associated with a Service Account may be distributed to one or more Service Applications.

Feature Benefits

There are several benefits to encapsulating applications as Service Accounts in IAP. This new functionality:

  • Provides a more secure way to connect IAP to external systems via one set of login information.
  • Uses tokenization to give limited access to user data across applications and devices.
  • Protects user data by providing access via client token ID without revealing user credentials.
  • Allows third-party services to make requests on behalf of a user without accessing passwords and other sensitive information.

Parameters

Service account properties are referenced in the following table.

Parameter Type Description
name string The specific name associated with the Service Account.
description string A brief description of the service account for the external system.
client_id string Auto-generated by IAP; can be copied by the administrator.
client_secret string Auto-generated by IAP; can be copied by the administrator.
grant_type string A JSON Web Token (JWT) providing the service application authenticated access to IAP for a set amount of time.

Sample Configuration

"accountData" : {
  "name": "Service Account Hello",
  "description": "This is a service account",
  "client_id": "638e17011ba61d5e222a16ab",
  "client_secret": "94367284-b12a-4858-b6c1-0bb11f1f126b",
  "grant_type": "xxxxx.yyyyy.zzzzz"
}

APIs

Listed below are the four (4) CRUD APIs with admin-level permissions used to support and manage service acounts.

API Description
createserviceAccount Creates a service account in the Mongo database.
getServiceAccounts Returns the service account based on query parameters, but does not include "clientSecret" in any of the data that is returned. This is a one-time value generated once a service account is created, and never generated again.
updateServiceAccount Updates the service account "description".
deleteServiceAccount Deletes the linked service account from the accounts collection.

Error Responses

The codes below indicate whether the HTTP request for a service account has been successfully executed or not.

Error Code Description
400 Unable to authenticate; grant-type unsupported or client secret incorrect.
409 Duplicate service account is not allowed.
415 Unsuppprted format type for the HTTP method used.
500 Missing parameters; failed to call adapter route for service_name.

Using Service Accounts in IAP

The following sections summarize how to use the Service Accounts feature in IAP.

Create a New Client for a Service Account

Navigate to IAP → Admin Essentials (AE). From the AE application:

  1. Click the + sign on the toolbar to open the global Create dialog.

  2. Select "OAuth Client" from the dropdown menu list.

  3. Input a unique client name and a brief description, if desired (Figure 1)

    Figure 1: Create New Client
    01-create-newClient-AE.png


  1. Click the Save button. The Authorization Client Details page displays with the Client Secret visible so the adminisrator can copy it to clipboard. A timestamp identifying the date and time the Client Secret was generated is also displayed (Figure 2).

    Figure 2: Client Details and Client Secret
    02_auth_client_secret_ae.png


  1. A message to save the client secret displays in bold beneath the timestamp. If the secret is lost, use the Regenerate button to create a new one and invalidate the old one (Figure 3).

    Figure 3: Regenerate Client Secret
    03_regenerate_client_secret.png


  1. If a user leaves the Authorization Client Details page and later returns via the Clients Collection view (Admin Essentials → Authorization → Clients), they will not be able to see the client secret (Figure 4). They will, however, see the client secret timestamp.

    Figure 4: Client Secret Masked
    04_auth_clients_secret_masked_AE.png


Edit Client Permissions for a Service Account

From the Clients Authorization Details page:

  1. Click the Edit Permissions button (Figure 5). The Edit User dialog displays.

    Figure 5: Edit Permissions
    05_edit_client_permissions.png


  1. Select the appropriate user role permissions to assign (Figure 6).

  2. Click the Save button to retain your changes.

    Figure 6: Edit Client User Role Permissions
    06_edit_user_roles_client.png


Enable/Disable Clients for a Service Account

Use the toggle switch located at the top of the Client Details page to enable (turn on) or disable (turn off) the Service Account. Click the Save button to retain your changes. A message banner displays to inform users when the enable/disable state is activated for the Service Account. Authentication is not permitted against disabled Service Accounts.

Figure 7: Enable (Toggle On) Service Account Client
07_auth_client_enabled.png


Figure 8: Disable (Toggle Off) Service Account Client
08_auth_client_disabled.png

View & Edit Service Accounts

To view all Service Accounts on the system, select Users from the left navmenu in Admin Essentials and then click the Service Accounts tab. From this table view, you can also click the pencil icon to edit the permissions associated with a Service Account.

Figure 9: Service Accounts Tab
09_service_accounts_tab.png


Delete a Client from a Service Account

To delete a client associated with a Service Account, click on the Clients name in the list to open the Client Details page (Figure 10). Next, clicked the menu button () in the upper-right corner of the page to open the menu dialog (Figure 11). Select the Delete option to remove the client.

Figure 10: Authorization Clients List
10_auth_clients_list.png


Figure 11: Client Menu Button
11_menu_button_delete_client.png

View & Modify Client Metadata for a Service Account

From the menu button () in the upper-right corner of the Client Details view, select the Metadata option (Figure 11). In the metadata drawer that opens, you will see a Created field with a date timestamp and the user that created/updated the client. Click the Close button to remove the current window from the screen (Figure 12).

Figure 12: Client Metadata
12_client_metadata.png

Was this article helpful?
What's Next
Privacy Policy
Cookie Policy
Terms of Use
EULA
Copyright © 2024 Itential for Developers
Change password!
Changing your password will log you out immediately. Use the new password to log back in.
Change profile
Success!
First name must have atleast 2 characters. Numbers and special characters are not allowed.
Last name must have atleast 1 characters. Numbers and special characters are not allowed.
Enter a valid email
Enter a valid password
Your profile has been successfully updated.
Logout