What is eCourtDate?
eCourtDate is a cloud-native communications platform used by justice systems such as courts and prosecutors. Agencies can automatically send and receive two-way messages via texts (SMS), email, and voice calls.
eCourtDate Agency Required
Understanding OAuth 2.0
OAuth 2.0 is an open standard for access delegation, widely used to let Internet users grant websites or applications access to their information on other websites without handing over their passwords. It separates the role of the user from that of the client, allowing the client to act on behalf of the user without ever holding the user's credentials.
OAuth 2.0 operates through a series of handshakes involving various tokens. The basic steps include:
1. The client (an application requiring access) requests authorization from the resource owner (typically, the user).
2. If the user consents, the client receives an authorization grant, which it exchanges for an access token at the authorization server.
3. The client then uses the access token to access the protected resources from the resource server.
Advantages of OAuth 2.0 Over SSO
While SSO offers an easier login process, reducing password fatigue, and potentially lowering support costs related to password recovery, OAuth 2.0 brings in several distinct advantages:
1. Scoped Access: OAuth 2.0 permits scoped access, which means applications don't get full access to a user's account. They only receive limited, often read-only, access to the user's data. This is a significant advantage in terms of privacy and security.
2. No Shared Credentials: OAuth 2.0 doesn't require sharing the user's credentials with the client, which is a key security enhancement. The risk of a user's password being compromised is substantially reduced.
3. Delegation: OAuth 2.0 supports delegation, where a resource owner can delegate access to a client, which can act on behalf of the owner without impersonation. This is crucial for modern API-driven applications.
4. Revocable Access: OAuth 2.0 access tokens can be revoked by users at any time, providing better control over which applications have ongoing access to their data.
5. Standardization: OAuth 2.0 is a standardized protocol adopted widely across industries, including major players like Google, Facebook, and Microsoft. This standardization makes integration smoother and helps in staying up-to-date with security best practices.
Choosing OAuth 2.0 as your primary authentication method means embracing a secure, flexible, and modern approach to managing user access. Its ability to provide scoped and revocable access, combined with delegation and no shared credentials, makes it a robust choice for any organization prioritizing security. While SSO still has its place, OAuth 2.0 represents a significant step forward in secure user authentication for government SaaS users.
CISA Guidelines
"Open ID Connect, OAuth 2.0, Kerberos, and SAML 2.0 are examples of protocols that use secure, non-password-based connections for SSO. Many social media-based SSO services that consumers use are based on Open ID Connect, allowing even consumers to use SSO while focusing on strong authentication for their primary login provider."
Read CISA's guide on Implementing Strong Authentication Here.
Getting Started
IDP Management is designed to integrate with any compliant OAuth 2.0 based Identity Provider such as Microsoft's Azure Active Directory and Google's Business Workspace.
You will need administrator level access to an IDP service to use this guide. We recommend using a test environment with a staging agency in eCourtDate.
One IDP profile can authorize users to multiple agencies based on group or role memberships in your IDP.
Each IDP profile can only authorize users in the same region.
Step 1 - Create an IDP Profile
- Log in to the eCourtDate Console at console.ecourtdate.com.
- Click on the IDPs link in the top navigation.
- Choose your desired customer from the top left customer switcher.
- Click on Add IDP.
- Choose your desired region and click Add.
- You will be automatically redirected to edit the new IDP.
Step 2 - Configure your Identity Provider
Azure
Go to your Azure Active Directory tenant and create a new App Registration:
Click on the Authentication tab:
Add a platform configuration, choose Web, then add the Redirect URL from the Console as the Redirect URL value:
Use the Logout URL as the Front-channel logout URL and enable Access Tokens:
Click on the Certifications & Secrets tab:
Create a Client Secret and note the value.
Click on the Overview tab:
Note the Client ID value.
Click the Endpoints button to retrieve the URLs.
To use your Azure group memberships to assign eCourtDate roles, add the GroupMember.Read.All permission:
If you wish to use Azure Groups to assign eCourtDate User Roles, enable the Emit groups as role claims option:
Google
- Go to Google Cloud Console.
- Click on APIs & Services.
- Click the OAuth Consent Screen, choose User Type Internal, and click Create.
Complete the OAuth Consent Screen fields:
- App Name (eCourtDate or the name your users refer to the integration as).
- User support email (your internal help desk email).
- App Logo (your logo or save and upload our logo from here).
- Application Home Page: https://ecourtdate.com
- Application Privacy Policy Link: https://ecourtdate.com/terms-of-use
- Application Terms of Service Link: https://ecourtdate.com/terms-of-use
- Authorized Domains: https://ecourtdate.com
- Developer Contact Information: your internal email or dev@ecourtdate.com
Click on Save and Continue.
Configure Scopes
Add the following non-sensitive, read-only scopes:
- https://www.googleapis.com/auth/userinfo.email (See your primary Google Account email address)
- https://www.googleapis.com/auth/userinfo.profile (See your personal info, including any personal info you've made publicly available)
To provide eCourtDate access to the user's group memberships, add the following read-only scopes:
- https:/
- https://www.googleapis.com/auth/admin.directory.group.readonly
Use the Google OAuth 2.0 Playground to test scopes.
Try jwt.io to decode identity tokens (received from the playground or other testing).
Group member scopes are only required if you wish to use Google Groups to map to the user's enabled Roles and/or Agencies in eCourtDate. For example, if a user is a member of a Google Security group, create an eCourtDate Role with the same group name. If the user should only have access to a certain agency, include the Agency Reference as the Role prefix: {01_Security}, {02_Security}. User group memberships are automatically re-synced at each user login. If the user's access is revoked in Google, the corresponding eCourtDate Role/Agency is detached at the next login or on session expiration. Alternatively, use the Console IDP Default Role setting to define one eCourtDate role for every user the IDP authenticates; designated Super Admins can then manage eCourtDate Role/Agency assignments separately from Google Group memberships.
The above scopes are only used to identify a user after successful login through your IDP. The application does not make changes to your IDP - whether by or on behalf of the user.
Click on Save and Continue to review the completed OAuth consent screen summary.
Under Google APIs and Services, go to Credentials.
Click on Create Credentials.
Choose OAuth Client ID.
For Application Type, choose Web Application.
For Name, choose your preferred name (ex: eCourtDate Client).
Authorized Javascript origins: ecourtdate.com
Authorized Redirect URLs: https://{region}.api.ecourtdate.com/oauth/{signin}/redirect
Use the {region} and {signin} values chosen in Step 1 to construct the Redirect URL.
Click on Create.
Note the Client ID and Client Secret for the next step.
AWS
AWS Cognito OAuth configuration steps coming soon.
Step 3 - Update IDP Profile
Return to the Console IDP profile to configure the following fields based on your IDP:
Azure
- Well Known URL: https://login.microsoftonline.com/{your-tenant-id}/v2.0/.well-known/openid-configuration
- Base URL: https://login.microsoftonline.com/{your-tenant-id}
- Authorization URL: https://login.microsoftonline.com/{your-tenant-id}/oauth2/v2.0/authorize
- Token URL: https://login.microsoftonline.com/{your-tenant-id}/oauth2/v2.0/token
- User URL: https://graph.microsoft.com/oidc/userinfo
- End Session URL: https://login.microsoftonline.com/{your-tenant-id}/oauth2/v2.0/logout
- Client ID: {your-client-id}
- Client Secret: {your-client-secret}
Google
- Well Known URL: https://accounts.google.com/.well-known/openid-configuration
- Base URL: https://accounts.google.com
- Authorization URL: https://accounts.google.com/o/oauth2/v2/auth
- Token URL: https://oauth2.googleapis.com/token
- User URL: https://www.googleapis.com/oauth2/v3/userinfo
- End Session URL: https://accounts.google.com/o/oauth2/revoke
- Client ID: {your-client-id}
- Client Secret: {your-client-secret}
At this stage, an authorized user in the IDP should be able to sign in to eCourtDate using the Sign-in Link.
If the user does not already exist in eCourtDate, you should expect the user profile to be created and assigned to the Default Agency.
No roles or permissions should be assigned to the user automatically.
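The Step 3 fields are exactly what an IDP publishes in its OpenID discovery document (the Well Known URL), and the identity token that comes back after sign-in carries claims that must agree with those fields before the user is trusted. The following added example is not eCourtDate's code: it maps a constructed discovery document (URL values taken from the Google list above; Google's real document has no end_session_endpoint, which is why that field is filled by hand) onto the Console field names, then decodes a constructed, unsigned sample identity token the way jwt.io does and checks its iss, aud, exp and email claims against the profile. The Client ID and email are placeholders. Decoding is not verification: a real integration must also validate the RS256 signature against the issuer's jwks_uri.

```python
import base64
import json
import time

# Constructed sample OpenID discovery document (assumption: trimmed to the
# keys used below; URL values are the ones listed for Google in Step 3).
SAMPLE_DISCOVERY = {
    "issuer": "https://accounts.google.com",
    "authorization_endpoint": "https://accounts.google.com/o/oauth2/v2/auth",
    "token_endpoint": "https://oauth2.googleapis.com/token",
    "userinfo_endpoint": "https://www.googleapis.com/oauth2/v3/userinfo",
    "jwks_uri": "https://www.googleapis.com/oauth2/v3/certs",
}

# Console field name -> discovery-document key. end_session_endpoint is
# optional in OpenID discovery, so it may be absent.
FIELD_TO_KEY = {
    "Base URL": "issuer",
    "Authorization URL": "authorization_endpoint",
    "Token URL": "token_endpoint",
    "User URL": "userinfo_endpoint",
    "End Session URL": "end_session_endpoint",
}


def console_fields_from_discovery(doc):
    """Map a discovery document onto the Console IDP profile fields.
    Missing optional keys map to None so the admin knows to fill them in."""
    return {field: doc.get(key) for field, key in FIELD_TO_KEY.items()}


def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment.encode("ascii"))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_id_token_unverified(token):
    """Split a JWT into (header, payload) dicts WITHOUT checking the signature,
    the same view jwt.io gives. Never act on these claims until the signature
    has been verified against the issuer's jwks_uri."""
    header_b64, payload_b64, _signature_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    payload = json.loads(_b64url_decode(payload_b64))
    return header, payload


def check_id_token_claims(payload, expected_issuer, client_id, now=None):
    """Return a list of claim problems; an empty list means the claims are
    consistent with this IDP profile. Signature verification is separate."""
    now = time.time() if now is None else now
    problems = []
    if payload.get("iss") != expected_issuer:
        problems.append("iss does not match the profile's issuer")
    aud = payload.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        problems.append("aud does not contain this Client ID")
    exp = payload.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        problems.append("token is expired or has no exp")
    if not payload.get("email"):
        problems.append("no email claim (userinfo.email scope missing?)")
    return problems


def make_sample_id_token(payload):
    """Build a constructed, UNSIGNED sample token for offline testing. The
    signature segment is a placeholder, which is exactly why decoding alone
    must never be mistaken for verification."""
    header = {"alg": "RS256", "kid": "constructed-key-id"}
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(payload).encode()),
        _b64url_encode(b"constructed-signature-placeholder"),
    ])


if __name__ == "__main__":
    print(console_fields_from_discovery(SAMPLE_DISCOVERY))
    client_id = "example-client-id.apps.googleusercontent.com"  # placeholder
    token = make_sample_id_token({
        "iss": "https://accounts.google.com",
        "aud": client_id,
        "exp": int(time.time()) + 300,
        "email": "clerk@example.gov",  # constructed
    })
    header, claims = decode_id_token_unverified(token)
    print(header["alg"], check_id_token_claims(claims, SAMPLE_DISCOVERY["issuer"], client_id))
```

Running the script prints the Console field mapping, then the token algorithm and an empty problem list; swapping the iss or aud value in the sample payload makes the checker report the mismatch, which is the same check an IDP profile with a wrong Base URL or Client ID would fail at sign-in.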
Step 4 - Configure Roles and Enabled Agencies
Choose a Default Role to auto-assign an eCourtDate role to any authorized user.
Users will be auto-assigned the Default Agency.
To assign additional agencies, the group name must match the following format (case insensitive): {AgencyReference_ECOURTDATE}.
For example, if your agency reference is municipal-court-123, then the Azure group name should be municipal-court-123_ECOURTDATE.
Prerequisite: the agency must be included in the IDP Enabled Agencies setting to be used for Group -> Agency assignment.
Note: Any Role that is a case-insensitive match to one of the following: SECURITY or ADMIN or ROOT will be assigned Super Admin in addition to any other roles. You may need to enable the Security groups in the above setting.
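The rules in Step 4 and in the Google scopes section (group name matching {AgencyReference_ECOURTDATE} case-insensitively, Enabled Agencies as a prerequisite, SECURITY/ADMIN/ROOT granting Super Admin, and memberships re-synced so that revoked groups are detached at the next login) are easier to audit as code. The following added example is not eCourtDate's code; it implements those rules over a constructed list of group names from an identity token. The agency references, the Default Role and the Default Agency are constructed values standing in for the Console settings, and groups are treated as role names exactly as written.

```python
# Constructed stand-ins for the Console IDP profile settings (assumption).
DEFAULT_AGENCY = "municipal-court-123"
DEFAULT_ROLE = "Clerk"
ENABLED_AGENCIES = {"municipal-court-123", "district-court-456"}
SUPER_ADMIN_ALIASES = {"SECURITY", "ADMIN", "ROOT"}
AGENCY_SUFFIX = "_ECOURTDATE"


def map_groups(groups):
    """Translate IDP group names into eCourtDate agencies, roles and Super Admin.

    Returns (agencies, roles, super_admin, skipped). 'skipped' lists groups that
    look like agency groups but are not in Enabled Agencies, so an administrator
    can see why a user did not receive access to that agency."""
    agencies = {DEFAULT_AGENCY}
    roles = {DEFAULT_ROLE} if DEFAULT_ROLE else set()
    super_admin = False
    skipped = []
    for raw in groups:
        name = raw.strip()
        if name.upper().endswith(AGENCY_SUFFIX):
            # {AgencyReference}_ECOURTDATE -> agency, matched case-insensitively.
            ref = name[:-len(AGENCY_SUFFIX)].lower()
            if ref in ENABLED_AGENCIES:
                agencies.add(ref)
            else:
                skipped.append(name)
            continue
        # Any other group is treated as an eCourtDate role of the same name.
        roles.add(name)
        if name.upper() in SUPER_ADMIN_ALIASES:
            # SECURITY / ADMIN / ROOT add Super Admin on top of the other roles.
            super_admin = True
    return agencies, roles, super_admin, skipped


def diff_assignments(previous, current):
    """Memberships are re-read at every login: anything held last time but no
    longer present is detached, and new memberships are attached."""
    return {"attach": sorted(current - previous), "detach": sorted(previous - current)}


if __name__ == "__main__":
    # Constructed group list, as it might arrive in a groups claim.
    groups = ["Municipal-Court-123_ecourtdate", "district-court-456_ECOURTDATE",
              "unknown-court_ECOURTDATE", "Clerk", "admin"]
    agencies, roles, super_admin, skipped = map_groups(groups)
    print("agencies:", sorted(agencies))
    print("roles:", sorted(roles), "super admin:", super_admin)
    print("not enabled for this IDP:", skipped)
    # Second login after the admin group was removed in the IDP.
    _, roles_now, _, _ = map_groups(["district-court-456_ECOURTDATE", "Clerk"])
    print("login sync:", diff_assignments(roles, roles_now))
```

The skipped list is the check worth surfacing in practice: a group that matches the naming pattern but whose agency is not in Enabled Agencies silently grants nothing, which is the intended least-privilege behaviour but also the most common reason a user "can see the wrong court".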
Technical Support
If you have any questions or issues while using this guide, please contact our support team at help@ecourtdate.com. We're here to help.
We appreciate any feedback or suggestions to improve our technical guides and resources.