Configuring MyID for server-to-server authentication

3.1 Configuring MyID for server-to-server authentication

The MyID Core API uses a user account to log on to the MyID system. This allows you to configure access to particular MyID features and groups using the standard roles, groups, and scope feature of MyID. All actions carried out through the API are audited under this user account, and if necessary you can disable the account to prevent access to the API.

3.1.1 Allowing the Client Credentials OAuth2 logon mechanism

To allow access to MyID through server-to-server authentication, you must enable the Client Credentials OAuth2 logon mechanism.

In MyID Desktop, from the Configuration category, select Security Settings.
On the Logon Mechanisms tab, set the following option:
- Client Credentials OAuth2 Logon – set to Yes to enable server-to-server authentication, or No to disable it.
Click Save changes.

3.1.2 Creating a role for the external system

You are recommended to create a new role to be used for controlling access to MyID from the external system, rather than using an existing role. This allows you to maintain clear control over the MyID features the external system can access.

To create the role:

In MyID Desktop, from the Configuration category, select Edit Roles.
Click Add.
Give the role a name; for example, External API.
From the Derived from drop-down list, select Allow None.
Click Add.
Select the options that relate to the API features you want to be able to access through the API.

See section 2.2, Accessing the API features for a list of which options map to the API end points.

You are strongly recommended to select only those options that your external system will need to use.
Click Logon Methods.
For the role you created, select the Client Credentials OAuth2 logon mechanism, then click OK.
Click Save Changes.

For more information about using the Edit Roles workflow, see the Roles section in the Administration Guide.

3.1.3 Selecting a group for the user account

Before you create the user account, you must consider into which group you want to put the account. The group you select affects the scope of the user.

If you want to restrict the access of the API to a particular group of users in MyID, put the API user into the same group, then select a scope of Department or Division when you specify the role for the user account.
If you do not want to restrict the access of the API, you are recommended to create a separate group for the API user, then select a scope of All when you specify the role. Use the Add Group workflow in MyID Desktop to create the group; you can restrict this group to the API role only, and assign this as the default role with a scope of All.

See the Adding a group section in the Operator's Guide for details of adding groups, and the Default roles section in the Administration Guide for details of setting default roles.

3.1.4 Creating a user account for the external system

Once you have created the role and decided which group to use, you can create the user account that the API will use to access MyID.

To add the user account:

In the MyID Operator Client, select the People category.
Click ADD.
Provide a First Name and Last Name; for example, External API.
Provide a Logon name; for example, api.external.
Select a Group for the user account.

See section 3.1.3, Selecting a group for the user account above for considerations.
Select the Roles for the user account.

Select the role you created for use by the external system. Set the appropriate scope; for example, All to allow the API to access data related to any user account in the system, or Division to restrict access data related to accounts in the same group as the API user, along with any subgroups.
Click SAVE.

Make sure you take a note of the logon name for the user; you need this for configuring the web.oauth2 web service.