Warning This document has not been updated for a while now. It may be out of date.
Last updated: 27 Jul 2023

Manage Signon user/API accounts and access tokens

Signon is the single sign-on service for our admin applications. We also use it for creating API accounts for GOV.UK applications.

Differences between environments

User accounts from production are synced to staging every morning, so any changes made in production will be reflected in staging the next day.

User accounts in integration are completely separate.

How to create an account

User accounts should be created by the tech lead on the user’s team. In usual circumstances, Technical 2nd Line should not have to do this, although there are exceptions such as when the tech lead has no admin access, or if the user has no obvious tech lead.

User accounts

Determine which environment the account is needed in:

Click ‘Create user’ and fill in the details. 2FA is encouraged for everyone, including editors, but it is only mandatory for admins and superadmins.

API user accounts

Determine which environment the account is needed in:

Then create the account:

  • Click ‘Create API user’
  • Fill in the name and email address of the team requesting the account
  • An account will be created and associated with that email address

Create application token for the API user

  • From the API user’s account page, click ‘Add application token’
  • Select the ‘Application’ for which you need a token, and click ‘Create access token’
  • A token will be generated. Copy it to your clipboard and then manually email it to the team email address. The token is a bearer credential (anyone holding it can call the application as that API user), so send it only to the requesting team’s address and do not paste it anywhere else

An account can have API tokens for multiple applications.

Manage user accounts

Unsuspending a user

Find the user under the list of users. On the edit page select Unsuspend user.

Resetting a user’s 2FA

Find the user under the list of users. On the edit page under “Account security” select Reset 2-step verification.

Organisations with multiple parents

This structure cannot currently be modelled in Signon, which sometimes leads to Zendesk tickets where users cannot access things they should be able to.

This can be applied manually for the day from a Signon Rails console (it will reset when the organisations are next imported from Whitehall):

> # the organisation that should be treated as the parent for today
> parent = Organisation.find_by!(slug: "...")
> # the child organisation that users cannot currently reach
> child = Organisation.find_by!(slug: "...")
> # find_by! and update! raise rather than failing silently if a slug is wrong
> child.update!(parent: parent)

Or if you think it makes sense to apply this permanently, it can be added to the OrganisationFetcher.

The decision of whether this should be applied for the day or permanently depends on which parent organisation is more likely to need access to the child organisation.
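The following is an added, self-contained illustration in plain Ruby (no Rails, and not Signon’s own code) of why a console re-parenting lasts only until the next Whitehall import, and why an override placed inside the fetcher survives it. The class names `OrganisationStore` and `ToyOrganisationFetcher`, the `PERMANENT_PARENT_OVERRIDES` hash, the organisation slugs and the sample feed are all assumptions constructed for the example; the ancestor-walk access rule is a simplified stand-in for Signon’s organisation permissions.

```ruby
# Toy model of a single-parent organisation tree, as imported from Whitehall.
# Names and data below are constructed for this example, not Signon's own.
Organisation = Struct.new(:slug, :parent_slug)

class OrganisationStore
  attr_reader :orgs

  def initialize
    @orgs = {}
  end

  def find_by!(slug:)
    @orgs.fetch(slug) { raise KeyError, "no organisation with slug #{slug.inspect}" }
  end

  # The console fix: point the child at a different parent. Nothing records
  # that this was done, so the next import silently overwrites it.
  def reparent!(child_slug, parent_slug)
    find_by!(slug: child_slug).parent_slug = find_by!(slug: parent_slug).slug
  end

  # Simplified access rule: a user may reach an organisation if their own
  # organisation is that organisation or one of its ancestors.
  def accessible?(user_org_slug, target_slug)
    slug = target_slug
    until slug.nil?
      return true if slug == user_org_slug
      slug = find_by!(slug: slug).parent_slug
    end
    false
  end
end

# Stand-in for OrganisationFetcher: rewrites every parent from the feed,
# then applies any permanent overrides so they survive each import.
class ToyOrganisationFetcher
  # Permanent "second parent" choices, keyed by child slug (assumed format).
  PERMANENT_PARENT_OVERRIDES = { "shared-agency" => "dept-b" }.freeze

  def initialize(store, overrides: PERMANENT_PARENT_OVERRIDES)
    @store = store
    @overrides = overrides
  end

  def call(whitehall_records)
    whitehall_records.each do |rec|
      org = @store.orgs[rec[:slug]] ||= Organisation.new(rec[:slug], nil)
      org.parent_slug = rec[:parent_slug] # feed carries exactly one parent
    end
    @overrides.each { |child, parent| @store.reparent!(child, parent) }
    @store
  end
end

# Constructed feed: Whitehall lists dept-a as shared-agency's only parent,
# but staff in dept-b also need to reach shared-agency.
WHITEHALL_FEED = [
  { slug: "dept-a", parent_slug: nil },
  { slug: "dept-b", parent_slug: nil },
  { slug: "shared-agency", parent_slug: "dept-a" },
].freeze

# Runs one day: initial import, console fix, then the next morning's import,
# with or without the override living in the fetcher.
def run_scenario(permanent:)
  store = OrganisationStore.new
  ToyOrganisationFetcher.new(store, overrides: {}).call(WHITEHALL_FEED)

  store.reparent!("shared-agency", "dept-b") # the manual console fix
  during_day = store.accessible?("dept-b", "shared-agency")

  overrides = permanent ? ToyOrganisationFetcher::PERMANENT_PARENT_OVERRIDES : {}
  ToyOrganisationFetcher.new(store, overrides: overrides).call(WHITEHALL_FEED)
  after_import = store.accessible?("dept-b", "shared-agency")

  {
    during_day: during_day,
    after_import: after_import,
    dept_a_after_import: store.accessible?("dept-a", "shared-agency"),
  }
end
```

Running `run_scenario(permanent: false)` shows dept-b gaining access for the day and losing it after the import; `run_scenario(permanent: true)` keeps it, but at the cost of dept-a no longer being an ancestor, which is the trade-off the paragraph above describes.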