Manage Signon user/API accounts and access tokens
Signon is the single sign-on service for our admin applications. We also use it for creating API accounts for GOV.UK applications.
Differences between environments
User accounts from production are synced to staging every morning, so any changes made in production will be reflected in staging the next day.
User accounts in integration are completely separate.
How to create an account
User accounts should be created by the tech lead on the user’s team. There are exceptions such as when the tech lead has no admin access, or if the user has no obvious tech lead, in which a Senior Tech can create the account instead.
User accounts
Determine which environment the account is needed in:
Click ‘Create user’ and fill in the details. 2FA is encouraged for all, including editors, however it is only mandatory for admins and superadmins.
API user accounts
Determine which environment the account is needed in:
Then create the account:
- Click ‘Create API user’
- Fill in the name and email address of the team requesting the account
- An account will be created associated with their email address
Create application token for the API user
- From the API user’s account page, click ‘Add application token’
- Select the ‘Application’ for which you need a token, and click ‘Create access token’
- A token will be generated. Copy it to your clipboard and then manually email it to the team email address
An account can have API tokens for multiple applications.
Manage user accounts
Unsuspending a user
Find the user under the list of users.
On the edit page select Unsuspend user
.
Resetting a user’s 2FA
Find the user under the list of users.
On the edit page under “Account security” select Reset 2-step verification
.
Organisations with multiple parents
This structure cannot currently be modelled in Signon which sometimes leads to Zendesk tickets where users cannot access things they should be able to.
This can be applied manually for the day (it will reset when the organisations are imported from Whitehall):
> parent = Organisation.find_by!(slug: "...")
> child = Organisation.find_by!(slug: "...")
> child.update!(parent: parent)
Or if you think it makes sense to apply this permanently,
it can be added to the OrganisationFetcher
.
The decision of whether this should be applied for the day or permanently depends on which parent organisation is more likely to need access to the child organisation.