Everyware Cloud Developer's Hub

Everyware Cloud (EC) is an IoT Integration Platform distributed and supported by Eurotech. Based on Eclipse Kapua, Everyware Cloud offers an open and modular IoT Cloud Platform based on a micro-services architecture. Everyware Cloud provides device management, diagnostics, provisioning, remote access of IoT gateways and devices and integration services for the telemetry data.

Users and Credentials

Everyware Cloud accounts contain users. Users have one identity and one or more credentials. Users can be assigned one or more roles and can be granted one or more permissions.

When logged into Everyware Cloud console, navigate to the Users section to review and manage all the users created under the current account in scope.

Before creating a new user consider to create one or more roles. Roles are the recommended way to assign permissions to users.

Define Users for a New Account

When a new account is created, its list of users is empty. Creating the first user of a new account is the responsibility of the administrators of the parent account:

  • From the parent account, check that the new account has a non-zero user quota:
    • Go to the settings of the User Service of the new account.
    • Verify that the maximum number of users is greater than zero; otherwise set it to the correct value.
  • Move from the parent account to the new account using the account menu at the top right.
  • Go to the Users view and create the new user.

Don't forget to assign Credentials and grant Roles and/or Permissions.

There are no mandatory requirements for the users defined in an account; however, it is strongly recommended to create at least one account administrator user. More users can be added during the lifecycle of the account.

It is common practice to name the default administrator user of an account after the account itself. For illustration purposes, the table below assumes "acme" as the account name. Replace "acme" with the name of the account just created.

User | Description | Credentials Type | Granted Role/Permissions
acme | Administrator for the Acme account. | PASSWORD | Role: admin

Create a new User

Account administrators can create new users for the Everyware Cloud Console. To create a new user, click the New button in the Users section to open the New User dialog as shown in the following screen capture.

The following table defines the User Information for new users.

Parameter | Description
Username | Must be at least 3 characters and can contain alphanumeric characters combined with dash and/or underscore.
Password | Must be at least 12 characters and contain at least one lower case letter, one upper case letter, one digit, and one special character. The password provided is used to create the new user's credentials of PASSWORD type.
Display Name | A "user-recognizable" name assigned to the user, for display purposes only.
Email | User's email.
Phone Number | User's phone number.

Enter the User Information, using the tooltips provided in the Console for assistance.
Two additional parameters control the status of the user (enabled or disabled) and set an optional expiration date for the user.
When done, click Submit to create the new user.

User Credentials

A user can have one or more credentials. Credentials can be of two types: password and API key.

Credentials Type | Credentials Description
PASSWORD | Password credentials authenticate to the Everyware Cloud platform through a username/password pair. This authentication mechanism can be used for the Everyware Cloud Console and for the messaging broker. When a new user is created, the password entered in the New User dialog is used to create its credentials of type PASSWORD.
API_KEY | API Key credentials authenticate to the Everyware Cloud platform REST API.

In the Users section, select a user and access the Credentials tab to review and manage the credentials associated with the user.

Click the Add button to add new credentials to the currently selected user. Select the credentials type and use the two additional parameters to control the status of the credentials (enabled or disabled) and to set an optional expiration date for the credentials.

When creating credentials of type PASSWORD, provide the password and confirm it.

When creating credentials of type API_KEY, provide the password and confirm it. After the API key is created, a confirmation dialog shows the resulting API Key. Write it down and keep it somewhere safe, since it will not be shown in clear again.

To edit a user's credentials, select the credentials in the table and click Edit.
To delete a user's credentials, select the credentials in the table and click Delete.

Minimum Password Length

By default, user passwords must be at least 12 characters long and must contain at least one uppercase letter, one lowercase letter, one number and one symbol. The 12-character minimum can be raised both at Account level and at System level.

To change the limit for a single account, go to the Account Settings and open the CredentialService configuration:

CredentialService configuration

Using the password.minLength configuration, a new minimum length can be enforced when creating a new password; the allowed values are numbers between 12 and 255 (inclusive). If the setting is empty, the system default is used. That default can be specified at deploy time with the AUTH_PASSWORD_MIN_LENGTH variable; again, the allowed values are numbers between 12 and 255 (inclusive). If a value lower than 12 is used, 12 is assumed; similarly, if a value higher than 255 is used, 255 is assumed.

The minimum password length will only be enforced on new passwords; existing passwords will not be affected in any way after modifying the setting.
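As an added example (not part of the Everyware Cloud documentation or code base), the following Python reproduces the username and password rules from the New User table and the minimum-length resolution described above, including the clamping of AUTH_PASSWORD_MIN_LENGTH; the function and variable names are assumptions made here.

```python
import re

SYSTEM_MIN = 12    # default minimum password length stated on this page
SYSTEM_MAX = 255   # highest value password.minLength / AUTH_PASSWORD_MIN_LENGTH accept

# Username rule from the New User table: 3+ alphanumerics, dash or underscore.
USERNAME_RE = re.compile(r"[A-Za-z0-9_-]{3,}")


def effective_min_length(account_setting=None, env_value=None):
    """Resolve the minimum length the way the page describes.

    The account-level password.minLength wins when set and must already lie
    within 12..255; an empty setting falls back to AUTH_PASSWORD_MIN_LENGTH,
    which is clamped into that range; with neither, the default of 12 applies.
    """
    if account_setting not in (None, ""):
        value = int(account_setting)
        if not SYSTEM_MIN <= value <= SYSTEM_MAX:
            raise ValueError("password.minLength must be between 12 and 255")
        return value
    if env_value not in (None, ""):
        return max(SYSTEM_MIN, min(SYSTEM_MAX, int(env_value)))
    return SYSTEM_MIN


def valid_username(username):
    """True when the username satisfies the documented pattern."""
    return USERNAME_RE.fullmatch(username) is not None


def password_problems(password, min_length=SYSTEM_MIN):
    """Return the list of rule violations for a candidate password (empty = OK).

    Only new passwords are checked this way: the page notes that raising the
    minimum never affects passwords that already exist.
    """
    checks = [
        (len(password) >= min_length, f"shorter than {min_length} characters"),
        (re.search(r"[a-z]", password), "no lower case letter"),
        (re.search(r"[A-Z]", password), "no upper case letter"),
        (re.search(r"[0-9]", password), "no digit"),
        (re.search(r"[^A-Za-z0-9]", password), "no special character"),
    ]
    return [message for ok, message in checks if not ok]
```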

Multi Factor Authentication

Everyware Cloud provides a Multi Factor Authentication feature (a.k.a. MFA), which allows a user to authenticate to the system only after presenting the password and a second valid factor. A user can enable MFA through the User menu in the Console, and can also reach the MFA configuration dialog through the upper right menu. Note that only the user itself can enable MFA.

MFA tab in the Users section

MFA uses a secret to produce one-time authentication codes. The secret is displayed as a QR code during MFA activation. This QR code can be viewed only once, during MFA activation, and only by the user itself. Scan the QR code with an authenticator app (e.g. the Google Authenticator app) installed on a smartphone; this app then produces the one-time authentication codes.

Scratch codes are also generated, so that multi factor authentication can still be passed if the authenticator app is temporarily unavailable. Like the QR code, scratch codes can be viewed only once, during MFA activation, and only by the user itself. Users have a limited number of scratch codes (the maximum number can be set through a dedicated environment variable; see the Web Console container properties section for more information). Furthermore, each scratch code is invalidated after a single use.

QR code and scratch codes.

The admin can see whether a user has MFA enabled or not. Moreover, although only the user itself can enable MFA, the admin can disable it for any user in the account.

User view, from an admin point of view, with "Disable MFA" button.

When the MFA is enabled for a given user, such user has to type the one-time authentication code provided by the authenticator app as part of the login process to the Web Console.

MFA authentication code view during the login process.

A user with MFA enabled can also mark one or more devices as trusted for console access. The MFA procedure is then enforced only on untrusted devices. Note that device trust expires after 30 days, and the admin can revoke a trusted device.

"Revoke trusted machine" button.
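As an added example (not from the Everyware Cloud documentation or the Kapua code base), the following Python models the server side of the MFA scheme described above: the TOTP code an authenticator app derives from the secret carried by the QR code (RFC 6238 with HMAC-SHA1, the algorithm Google Authenticator uses), single-use scratch codes, and device trust that expires after 30 days and can be revoked; the class and method names are assumptions made here.

```python
import base64, hashlib, hmac, struct, time

TOTP_STEP = 30                   # seconds per code, as used by Google Authenticator
TOTP_DIGITS = 6
TRUST_SECONDS = 30 * 24 * 3600   # device trust expires after 30 days (from the page)


def totp(secret_b32, at=None):
    """RFC 6238 TOTP (HMAC-SHA1): the code the authenticator app derives from
    the secret that the QR code carries. `at` is epoch seconds (default: now)."""
    key = base64.b32decode(secret_b32.upper())
    counter = int(time.time() if at is None else at) // TOTP_STEP
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** TOTP_DIGITS:0{TOTP_DIGITS}d}"


class MfaRecord:
    """Server-side MFA state for one user (a constructed model, not Kapua's)."""

    def __init__(self, secret_b32, scratch_codes):
        self.secret = secret_b32
        # keep only hashes of the scratch codes; each one is consumed on first use
        self.scratch = {hashlib.sha256(c.encode()).hexdigest() for c in scratch_codes}
        self.trusted = {}   # device id -> epoch seconds at which the trust expires

    def verify(self, code, at=None):
        """Accept the current TOTP value or one unused scratch code."""
        if hmac.compare_digest(code.encode(), totp(self.secret, at).encode()):
            return True
        digest = hashlib.sha256(code.encode()).hexdigest()
        if digest in self.scratch:
            self.scratch.discard(digest)   # invalidated after a single use
            return True
        return False

    def trust_device(self, device_id, now):
        self.trusted[device_id] = now + TRUST_SECONDS

    def mfa_required(self, device_id, now):
        """MFA is enforced unless the device is trusted and the trust is unexpired."""
        expiry = self.trusted.get(device_id)
        return expiry is None or now >= expiry

    def revoke_device(self, device_id):
        # the admin's "Revoke trusted machine" action in this model
        self.trusted.pop(device_id, None)
```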

Delegated Authentication

Everyware Cloud supports delegated authentication of users through an external identity provider. This feature is based on the OpenID Connect identity layer, where Everyware Cloud acts as the client and the external OpenID Connect provider acts as the authentication service. The provider is unique for an Everyware Cloud instance and is therefore shared by all the accounts in the instance. To enable this feature, Everyware Cloud must be configured to connect to the OpenID Connect provider; refer to the Container Properties page for the required configuration parameters.

To tell Everyware Cloud that the authentication of a user is delegated to an external identity provider, the user must be defined as an "external user". External users have permissions and roles attached to them, so they can have an authorization profile like any other user in Everyware Cloud.

To create a new external user in Everyware Cloud, click the New button in the Users section to open the New User dialog as shown in the following screen capture, and choose the "External user" type.

External user creation.

An external user is a regular user that has no credentials defined within Everyware Cloud, since its credentials are managed by the OpenID Connect provider. Thus, when an external user is disabled in the external identity provider, that user can no longer connect to Everyware Cloud.
The following table defines the User Information for new external users. Internally and externally authenticated users can coexist in a single account.

Parameter | Description
Username | Must be at least 3 characters and can contain alphanumeric characters combined with dash and/or underscore.
External Id | User Id on the OpenID Connect provider; it can be a UUID or a simple username, depending on the chosen provider.

When delegated authentication is enabled, the login dialog shows the "SSO Login" button, which allows the user to log in via the OpenID Connect provider.

"SSO Login" button on the login dialog.

User Roles and Permissions

A user can be assigned one or more roles and can be granted one or more permissions.
More information on managing roles and permissions is available in the Access Control section.

Edit a User

To make changes to an existing user, select the user in the Users section and then click Edit.

Delete a User

To delete an existing user, select the user in the Users section and then click Delete.
