Provider Management

This section provides more information on Provider-Tenant Configuration in Harmony Controller.

  • Creating the Root Provider
  • Adding a Tenant
  • Adding/Assigning Users

Creating the Root Provider

The first Root Provider is created via the API or a script. Once the Root Provider is created, you can use the UI or APIs to create other roles and users. This API or script is usually run at the time of installation of the controller. You can always create a different user and assign that user the root administrator role.

You need to use the script create-root-account.sh. This script takes four arguments.

$ ./create-root-account.sh args: <edge-ip> <email> <first-name> <last-name>

The email is the email id of the root administrator.

Example:

$ ./create-root-account.sh ec2-52-32-93-144.us-west-2.compute.amazonaws.com adsroot@yourcompany.com Joe Walsh

Note

Harmony Controller creates the first root provider for you. Contact A10 Support/Customer Success team for additional information.

Registering the Root Provider

Once Harmony Controller creates a root provider, you need to activate the root provider account from the confirmation email, as explained in these steps:

  1. The Root Provider’s email address receives an email with an Activation link.

  2. Click on the Activation link and accept the subscription services agreement page to activate the account.

    The Select Authentication Mode screen is displayed.

Authentication Methods

The user can specify multiple methods for authenticating administrators. Refer to Multiple Authentication Methods for additional information.

Google Authentication Mode

The Harmony Controller is now equipped with Google Sign-in authentication mode for clients who are required to authenticate users based on Google login.

Google Sign-in provides OpenID Connect formatted ID tokens and OAuth 2.0 access tokens for further interaction with Google APIs.

The Google API allows an application to perform the following tasks:

  • Detect whether the current user is signed in.
  • Redirect the user to the appropriate sign-in page to sign in.
  • Request that the user create a new Google account if they don’t already have one.

Following are the steps to set the Google authentication mode:

Prerequisite:

The Root Provider receives an account activation email, which is used in the configuration steps below. Note that a Google/Google Apps account should be provided during account creation for the sign-in to succeed.

  1. Open the activation email and click the activation link. You are redirected to the Harmony Controller authentication page.

  2. The Harmony Controller authentication configuration page is displayed with the Google Authentication option selected.

  3. When GCP is selected as the authentication mode, the root provider is shown a page where the Google Client ID must be provided. The Client ID can be copied from the Google Cloud Platform page. For more information on generating a Google Client ID, refer to the onscreen help provided.

  4. Enter the Client ID and click Set Authentication Mode.

  5. The Google sign-in is activated successfully.

  6. Click the Sign in Using Google button. The Google permission page pops up on the first login; click Allow.

LDAP Authentication Mode

Perform these steps to configure LDAP Authentication mode:

  1. Provide the required information in these fields for configuring the LDAP Authentication mode.

    • Comma separated LDAP hosts

      Provide the IP address or URL of the LDAP hosts.

      Note

      You need to add the prefix ldap:// before the IP address. Example: ldap://53.24.141.85. If there are multiple hosts, provide comma-separated values.

    • User DN Pattern

      This is the Distinguished Name (DN) pattern that is used to log users in directly to the LDAP database. The pattern is used to create a DN string for “direct” user authentication, and is expressed with respect to the base DN on the LDAP host. The pattern argument {0} is replaced with the username at runtime.

      Example: uid={0},ou=users,dc=companyname,dc=com

    • LDAP User ID

      Provide your LDAP user ID.

    • LDAP Password

      Provide your LDAP password.

  2. Click Set Authentication Mode.

  3. Set the password and you are redirected to the login page where you need to log in with your credentials.
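
The User DN Pattern and Comma separated LDAP hosts fields from step 1, as an added example (not Harmony Controller's code and not part of the original page): it expands the {0} placeholder with the username escaped per RFC 4514, so that characters such as commas in a username stay inside the uid value instead of changing the DN, and it checks each host entry for the ldap:// prefix. The function names and the sample usernames are assumptions made for the illustration.

```python
from urllib.parse import urlsplit

# RFC 4514: characters that must be backslash-escaped in an attribute value.
DN_SPECIALS = '"+,;<>\\'


def escape_dn_value(value: str) -> str:
    """Escape a string so it stays a single RDN attribute value."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in DN_SPECIALS or (i == 0 and ch in " #") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def build_user_dn(pattern: str, username: str) -> str:
    """Expand a User DN Pattern such as uid={0},ou=users,dc=companyname,dc=com."""
    if "{0}" not in pattern:
        raise ValueError("pattern has no {0} placeholder")
    if not username:
        raise ValueError("username is empty")
    return pattern.replace("{0}", escape_dn_value(username))


def parse_ldap_hosts(field: str) -> list[str]:
    """Split the comma-separated hosts field; require an LDAP URL per entry."""
    hosts = []
    for item in field.split(","):
        url = urlsplit(item.strip())
        # Assumption: ldaps:// is accepted as well; the page only shows ldap://.
        if url.scheme not in ("ldap", "ldaps") or not url.hostname:
            raise ValueError(f"missing ldap:// prefix: {item.strip()!r}")
        hosts.append(url.geturl())
    return hosts


if __name__ == "__main__":
    pattern = "uid={0},ou=users,dc=companyname,dc=com"  # example from the page
    # The usernames and the second host below are constructed sample input.
    for name in ("jwalsh", "walsh, joe", "x,ou=admins"):
        print(build_user_dn(pattern, name))
    print(parse_ldap_hosts("ldap://53.24.141.85, ldap://ldap2.example.com"))
```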

Adding a Tenant

The Root Provider can add its tenants. Perform the following steps to add a tenant:

  1. Select Organization > Tenants > + Add a Tenant in the dashboard to create a Tenant.

    The Tenant Information window is displayed.

  2. Provide these details in the Tenant Information window:

    • Tenant Name
      Enter the name of the tenant.
    • Description
      Enter the description for the tenant.
    • Tenant Admin Email
      Enter the email address of the Tenant Admin.
    • Tenant Admin First Name
      Enter the first name of the Tenant Admin.
    • Tenant Admin Last Name
      Enter the last name of the Tenant Admin.
  3. Save the Tenant information using the Save button. Then, the Tenant Administrator gets an activation email.

The tenants added are displayed in the dashboard.

Deleting/Editing a Tenant

The Tenant(s) can either be deleted or edited using the available dashboard options as shown.

To delete a Tenant, select : and click Delete.

To edit a Tenant, select : and click Edit.

Viewing Tenant Details

Perform the following steps to view the tenant details:

  1. Click on the tenant name to view the details.

    In the <Tenant Name>-Details window, you can view these details:

    • Name
      The name of the tenant.
    • Tenant Type
      The type of tenant. This can be hosted, managed, or self-managed.
    • Created On
      The date and time on which the tenant was created.
    • Total Applications
      The number of applications that are added to A10 Application Delivery System (ADS) by the tenant.
    • Users
      The number of users under this tenant.
    • Admins
      Details of the tenant admin, including the name and email address. There is also an option to revoke access to this tenant. When you click on the hyperlink (email address), you can view more details of the tenant admin.

    To view the tenant details:

    • Name

      The name of the tenant admin.

    • Email Id

      The email id of the tenant admin.

    • State

      The state of the tenant admin: active or inactive.

    • Roles

      This table provides details of the roles assigned to this user (here, the tenant admin), the scope, and an option to revoke access permissions (if required).

      1. Access Level
        The access level of the user. Here it is tenant admin.
      2. Scope
        The scope which indicates the hierarchy under which the tenant is categorized.
      3. Action
        Option to revoke access to the tenant.

Adding/Assigning Users

The Root Provider, the Sub-Provider, and the Tenant can each add their own users. The steps below add a user from the dashboard:

  1. Select Organization > Users > + Add User in the dashboard to create a user.

    The Add/Assign User window is displayed.

    The Add/Assign User screen has three user creation options to choose from as shown:

Deleting/Editing a User

The User(s) can either be deleted or edited using the available dashboard options as shown.

To delete a User, select : and click Delete.

To edit a User, select : and click Edit.

Example Scenarios

Scenario 1

Suppose the Root User is Company ABC, which provides product XYZ as a SaaS offering to its various customers. Here, an ABC customer is someone who has an XYZ account. A tenant is any customer of Company ABC that has its own users (who use XYZ).

In this scenario, the customers are added as tenants. That is, every customer is added as a tenant by the Root User (Company ABC), and is also managed by the Root User. If a tenant wants to manage its own users, it can add one or more users as Tenant Administrators.

Password Management

Password Management for Harmony Controller in case of Offline mode:

  1. Root Provider Admin

    The password for the root provider admin provided during installation cannot be reset. However, support can help by changing the password in the DB or by providing the user with a mechanism to change the password.

  2. Other users

    The user can reset the password from the user interface by selecting the forgot password option. The password can also be changed by the parent provider/admin, or the provider can provide a link to change the password.

  3. If the user recollects the password before using the link to change it, the user can log in, and the provider or admin will not see the password change link.

    • Password Management for Thunder Device
    • Password Management for Harmony Controller