User Authentication within a Self-Service

Within a self-service solution, users will constantly need to be created and linked to the right user groups to ensure they have the correct privileges. In addition, these user credentials must be validated upon each login via an authentication setup. A couple of options exist for the best approach to this issue, each with their own advantages and disadvantages. The following describes these approaches as well as how the provided initial configurations apply one of them.

Identity Providers

STEP as an identity provider for external users

One approach to supplier user management & authentication is to allow the initial user creation and communication to the external supplier to be managed via STEP workflows and business rules. This approach allows the supplier admin user to create and manage their own subset of users within the STEP Web UI. Authentication mechanism, password policies, etc. are limited to what STEP offers. Additional information can be found in the Security Policy topic of the System Setup documentation here.

A disadvantage to this approach is that authentication monitoring is not offered.

The following image shows the process involved for user management and authentication where STEP is used as the identity provider.

  1. A new user is created under the relevant supplier user group. This enables view restrictions to only objects related to this particular supplier group.

  2. The new user may be linked into additional user groups. This enables privilege customization through the user gaining cumulative privileges of all groups they are a part of.

  3. This user must have a password that is validated upon each login. This is user authentication.

Integrate with customer's identity provider

It is likely that customers have their own user management and authentication solutions in place. Either automatically or through a manual process, the identity provider must be integrated with STEP to allow for the initial creation and authentication of supplier users. In these scenarios, the customer's identity provider must manage the authentication and monitoring of users. Stibo Systems technical services can provide additional guidance and support for the specific integration between STEP and an external identity provider. It is possible to support multiple identity providers.

A disadvantage to this approach is that there is no user management in the Web UI, so onboarding of additional users for an existing supplier must happen through a different process outside of STEP.

The following image shows the process involved for user management and authentication where an outside identity provider is used.

  1. User credentials are authenticated via an outside system.

  2. Users are managed in the outside system.

  3. Authentication information is passed to STEP to allow supplier users access.

  4. User group information is synced to STEP and users are placed into the appropriate groups.

Initial Configuration Solution

The initial configurations for Supplier Onboarding with self-service use the first approach discussed above by managing the creation of supplier users via a workflow with contributing business rules. As part of the onboarding process of a self-service supplier, the user is asked to provide the email address of the initial supplier admin. The required Web UI bind for passing this value to the business rule is 'Attribute validated parameter.'

This email address is used to provide the external user with a username and password. This initial user is an admin and will have privileges to create additional users. They accomplish this by having additional user groups that contain various privileges. Supplier admin users can then link users to multiple groups to gain the cumulative privilege set.
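The privilege model described in the STEP-as-identity-provider steps above and in this paragraph (a user is created under its supplier group, which restricts what it can see, and gains the cumulative privileges of every additional group it is linked to) can be modelled as follows. This is an added example, not STEP's own code or API; the group names, privilege names and supplier names are constructed for illustration.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

@dataclass(frozen=True)
class UserGroup:
    name: str
    privileges: FrozenSet[str]       # privileges granted by membership of this group
    supplier: Optional[str] = None   # set only on supplier groups, which also scope visibility

@dataclass
class User:
    username: str
    groups: List[UserGroup]

def effective_privileges(user: User) -> FrozenSet[str]:
    """Cumulative privileges: the union over every group the user is linked to."""
    result = set()
    for g in user.groups:
        result |= g.privileges
    return frozenset(result)

def visible_suppliers(user: User) -> FrozenSet[str]:
    """View restriction comes from the supplier group(s) the user was created under."""
    return frozenset(g.supplier for g in user.groups if g.supplier is not None)

def can(user: User, privilege: str, obj_supplier: str) -> bool:
    """A privilege only applies to objects the user is allowed to see."""
    return obj_supplier in visible_suppliers(user) and privilege in effective_privileges(user)

def create_supplier_user(admin: User, username: str, extra_groups=()) -> User:
    """A supplier admin creates a user under its own supplier group and may link it
    into additional, non-supplier groups; it cannot place the user under another supplier."""
    if "create_user" not in effective_privileges(admin):
        raise PermissionError(f"{admin.username} may not create users")
    supplier_groups = [g for g in admin.groups if g.supplier is not None]
    return User(username, supplier_groups + [g for g in extra_groups if g.supplier is None])

# Constructed sample data (assumed names, not from any STEP installation)
SUPPLIER_ACME = UserGroup("Supplier Acme", frozenset({"view"}), supplier="Acme")
SUPPLIER_BETA = UserGroup("Supplier Beta", frozenset({"view"}), supplier="Beta")
SUPPLIER_ADMIN = UserGroup("Supplier Admin", frozenset({"create_user", "edit"}))
PRODUCT_EDITOR = UserGroup("Product Editor", frozenset({"edit"}))

acme_admin = User("acme.admin", [SUPPLIER_ACME, SUPPLIER_ADMIN])
acme_editor = create_supplier_user(acme_admin, "acme.editor", [PRODUCT_EDITOR, SUPPLIER_BETA])
```

Note that the editor created by the Acme admin ends up under Acme only, even though the call tried to link it into the Beta supplier group.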