Enable sub-organisation admins to login to Console & My Account

[brionmario]

Is your suggestion related to an experience ? Please describe.

Currently, organization users can't log in to Console & My Account.

Describe the improvement

We need to do the following set of tasks to enable this:

• [x] Users of the super tenant can access Console and My Account using the following URLs
  • Console https://localhost:9443/console
  • My Account https://localhost:9443/myaccount
  • When you log out, you will be landed on the login page of the super tenant
  • Authorize request sent to https://localhost:9443/authorize
  • Authorize request does not include fidp and orgId parameters
  • removing the carbon.super in the URL can be considered later to have the above URLs
• [x] Users of any other tenant can access Console and My Account using the following URLs
  • Console https://localhost:9443/t/<TENANT_DOMAIN>/console
  • My Account https://localhost:9443/t/<TENANT_DOMAIN>/myaccount
  • When you log out, you will be landed on the login page of that tenant
  • Authorize request sent to https://localhost:9443/t/<TENANT_DOMAIN>/authorize
  • Authorize request does not include fidp and orgId parameters
• [x] Users of organizations under the super tenant can access Console and My Account using the following URLs
  • Console https://localhost:9443/o/<ORG_ID>/console
  • My Account https://localhost:9443/o/<ORG_ID>/myaccount
  • When you log out, you will be landed on the login page of the organization
  • removing the carbon.super in the URL can be considered later to have the above URLs
  • Authorize request sent to https://localhost:9443/authorize
  • Authorize request include fidp and orgId parameters
• [x] Users belonging to organizations under any other tenants can access Console and My Account using the following URLs
  • Console https://localhost:9443/t/<TENANT_DOMAIN>/o/<ORG_ID>/console
  • My Account https://localhost:9443/t/<TENANT_DOMAIN>/o/<ORG_ID>/myaccount
  • When you log out, you will be landed on the login page of that organization
  • Authorize request sent to https://localhost:9443/t/<TENANT_DOMAIN>/authorize
  • Authorize request include fidp and orgId parameters
• [x] When a parent user switch and refresh the browser,
• From the first authentication, the console needs to store whether this is a tenant login or an org login in browser memory
• In this case, user organization id and organization id will be different
• Store the org_id value in browser memory
• If the initial login is for a tenant, then use the tenant authorize path without fidp and orgId
• If the initial login for the organization, then use the user_org value in id_token for orgId parameter
• After receiving the token switch to the stored ord_id value
• [x] When a user switch and logout,
• From the first authentication, the console needs to store whether this is a tenant login or an org login in browser memory
• Logout based on that
• [x] Need to enable adding admins in organizations via Console Settings.

[thanujalk]

Scenario 1: Super Tenant login - https://localhost:9443/console OR https://localhost:9443/t/carbon.super/console

https://github.com/wso2/product-is/assets/1498339/4e2ffdd1-eb3e-40f8-84c7-ffdd6048f11c

Scenario 2: Tenant login - https://localhost:9443/t/<tenant-domain>/console

https://github.com/wso2/product-is/assets/1498339/a3f7e331-5dd6-423e-81e6-91f231512b11

Scenario 3: Admin of super tenant switching to an organization

https://github.com/wso2/product-is/assets/1498339/3e55bdfc-65a5-46d7-a33b-a8ebee19f3ce

Scenario 4: Admin of a tenant switching to an organization

https://github.com/wso2/product-is/assets/1498339/a86aa3e3-d57a-42c8-9a2e-5403ed30f74e

Scenario 5: Admin from an organization under super tenant login to that organization - https://localhost:9443/t/carbon.super/o/<org-id>/console

https://github.com/wso2/product-is/assets/1498339/bace6464-7fc6-4fe4-bf38-1cd8125ea1f6

Scenario 6: Admin from an organization under a tenant login to that organization - https://localhost:9443/t/<tenant-domain>/o/<org-id>/console

https://github.com/wso2/product-is/assets/1498339/ab9fe959-134e-40a5-a025-4cd166c7b3d0

IMPORTANT

• When a user logs out from the Console he will land on the login page of the user's organization or tenant (where the user resides)
• Organization admins can switch to the underlying organizations
• My account login happens similarly but the organization switch is not enabled for that application

These changes are available in the IS 7.0-beta4 release.

[thanujalk]

Released with IS 7.0-beta4.

[malithie]

1. Considering the 'Admin' of the customer organization the way he/she should see this UI is as an admin portal. For them they should able to see Users, SSO settings for the app(s), security enforcing MFA likewise. Even the capabilities are available this view does not give right experience. Given the time, effort and need we can discuss to compromise. Refer the admin portal of front egg.

   

2. How does 'console settings' here now works for the two personas; 1. Admin of the B2B service providing business, 2. Admin of the customer organization. For (1) it will be confusing. They are supposed to manage access for the console from the parent org level. Their intention is rather to give access for admins of customer orgs for this portal. Having console settings could easily confuse. For (2), they should be able to provide access for other users of the same org to access this specific portal or other apps, should be able to enforce MFA. I feel the word 'console' can be confusing. Should find the right balance here

3. Applying branding will that apply for this portal as well ? It should be if it's supposed to be consumed by admins of the customer org

[brionmario]

Same support for My Account was added with PR: https://github.com/wso2/identity-apps/pull/5141