/
Admin Console Security

Admin Console Security

Owned by Nora Kinal
Last updated: Mar 30, 2020 by Robin Rodrigue

Overview

The Security tab is made up of a few Administrative functions, such as changing your own password, managing users, and configuring authentication methods.

Change my passwordLDAP Configuration
User MaintenanceOIDC Configuration

Change my Password

It's important to change your password to protect your account.

  1. From the Security tab, select Change my password.
  2. Type in your new password, then confirm your password.
  3. Click Ok when complete.

Return to Top

User Maintenance

Within the User Maintenance feature, you have the ability to add, edit, remove, and change passwords for users.

From the Security tab, select User Maintenance.

Add a User
  1. From the User Maintenance window, click Add User.
  2. Enter the User Name and Password and then confirm the password.
  3. Select the Is Administrator checkbox to indicate that the user has administrative privileges.
  4. Select Ok when finished.
Edit an existing User
  1. From the User Maintenance window, select a user and then click Edit User.
  2. Select or unselect the checkbox Is Administrative User to give or remove administrative permissions to or from the current user.
  3. Select Ok when finished.
Remove a User
  1. From the User Maintenance window, select a user and then click Remove User.
  2. Select Yes to remove the user or No to cancel.
Change a Password
  1. From the User Maintenance window, select a user and then click Change Password.
  2. Enter the new password and then enter the password again to confirm.
  3. Select Ok when finished.

Return to Top

LDAP Configuration

You are not able to use both LDAP and OIDC Settings at the same time. Selecting the checkbox for one setting will remove all data from the other setting.

Return to Top

OIDC Configuration

You are not able to use both LDAP and OIDC Settings at the same time. Selecting the checkbox for one setting will remove all data from the other setting.

The Open ID Connect (OIDC) Single Sign-on feature provides the ability for users to login to multiple applications with the same login credentials (username and password).

.NET 4.7.2 is required to use OIDC Authentication.
MCSApplicationServer must be upgraded to version 4.0.1.56306 prior to running the AdminConsole launching.

MCSApplicationServer Installation Instructions

OIDC Authentication Setup

Complete the following steps to Setup OIDC Authentication:

  1. Login to AdminConsole. You should note that the version is 1.8.1.55571 or newer. 
  2. From the Security drop-down menu, select OIDC Configuration.
  3. Click the checkbox Use OIDC for User Authentication to enable OpenId Connect Settings.

  4. Fill out the OIDC configuration settings for your District’s OIDC-compatible Identity Provider, such as Azure AD, ADFS 4.0, or Red Hat SSO 7.0.


    *Indicates a Required Field

    1. Discovery Document URL* - The discovery URL used to configure the OpenID Connect server. Typically this is in the form of https://example.com/path_to_issuer/.well-known/openid-configuration.
      For Azure AD, use https://login.microsoftonline.com/<Azure-AD-Tenant-ID>/.well-known/openid-configuration.
      For RedHatSSO, use the format https://example.com/auth/realms/<realm-name>/.well-known/openid-configuration.
    2. Client ID* - The client id to use when communicating with the OpenID Connect (OIDC) server.
    3. Client Secret* -The client secret for the above client id to use when authenticating to the OpenID Connect (OIDC) server. For Public Key JWT, use XML representation of the RSA private key corresponding the public key known by the OIDC server.
    4. Client Auth Mode* - Use the drop-down menu to select one of the following modes: None, Basic, Post, ClientSecretJwt, PublicKeyJwt.
    5. Username Source Mode* - The source of the username to use when authenticating to the OpenID Connect (OIDC) server. For Azure AD, choose UPN.
      Use the drop-down menu to select one of the following source modes: OIDC Subject, Preferred Username, Email Address, UPN (User-Principal-Name).
    6. Browser Mode* - The initial display size of the popup-browser to display when performing client-side SSO authentication.
      Use the drop-down menu to select one of the following browser modes: Small, Normal, Maximized.
    7. Authorized User Claim Type – The claim type (name) used to identify whether or not a user is an administrator. For group membership in Azure AD, use ‘groups’ and be sure that “groupMembershipClaims” is set to “Security Group” or “1” in the app registration manifest in Azure.
    8. Authorized User Claim Value – * A regular expression used to test the value reported by the OIDC Admin User Claim. If blank, the claim value will be tested for true/false (assume false). If non-blank, the claim value will be tested to see if it is a match of this regular expression. If using ‘groups’ claim type in Azure AD, use the object id of the group (guid with dashes).
    9. Admin User Claim Type – The claim type (name) used to identify whether or not a user is an administrator. For group membership in Azure AD, use ‘groups’ and be sure that “groupMemebershipClaims” is set to “SecurityGroup” or “1” in the app registration manifest in Azure.
    10. Admin Users Claim Value – * A regular expression used to test the value reported by the OIDC Admin User Claim. If blank, the claim value will be tested for true/false (assume false). If non-blank, the claim will be tested to see if it is a match of this regular expression. If using ‘groups’ claim type in Azure AD, use the object id of the group (guid with dashes).

    11. Keycloak IDP Hint – An identify provider (IDP) that contains a hint with signing key ID.

      RedHat login hint is only required if connecting to a Red Hat SSO Server.

  5. Select Apply. Then, select Ok.

  6. Close AdminConsole.

MCS Software Login

Login to AdminConsole, Newton, Franklin, and Edison.

  1. Login to any connected MCS software.
    Note: If users were previously configured to authenticate either normally or through LDAP, the first time a user attempts to login using OIDC they will receive the following message:

    After this message appears, the username and password fields will be disabled.
  2. Now you may login to the selected software using your network credentials without typing in your password.
    Click Connect to open a new web-based single sign-on screen where you will be prompted to enter your credentials.
  3. When prompted, enter your domain credentials. Then, click Sign in.
    Note: Your domain credentials should be the same credentials with which you sign in to your work email. If unsure of your domain credentials, please contact your domain administrator.
 Microsoft Login

  1. Enter your domain username.

    The following screenshots may appear different based on your Single Sign-On provider. These screenshots are from Azure AD.

  2. Enter your password.

  3. Select Accept to proceed and login to the selected software using Single Sign-On.

    You may be requested once to grant permissions for this application to verify your identity, depending on your Single Sign-On provider.

Newton Point-of-Sale Login

Login to Newton Point-of-Sale

  1. Select Ok at the login screen.
    Note    : When using Single Sign-On, the Username and Password fields are not required on this screen.
  2. When prompted, enter your domain credentials. Then, click Sign in.
    Note: Your domain credentials should be the same credentials with which you sign in to your work email. If unsure of your domain credentials, please contact your domain administrator.
Return to Top

Related content

System Security
System Security
Edison (Menus & Inventory)
More like this
Admin Console Overview
Admin Console Overview
Admin Console
More like this
System Settings
System Settings
Edison (Menus & Inventory)
Read with this
System Security
System Security
MySchoolApps Client
More like this
System Security
System Security
Newton (Cafeteria Management & Point of Sale)
More like this
System Security
System Security
Franklin (Free & Reduced)
More like this