# Introducing DGMV-IAM (CLI)

## Prerequisites

**Network Connection:** The device running the Admin CLI must be connected to a reliable network and must be able to reach the DGMV-IAM system. Be aware of the network address (IP address) of the system where DGMV-IAM is installed.

**SSH Installation:** Secure Shell (SSH) must be installed on your machine. This is essential for establishing secure network services between two networked devices.

**Knowledge of SSH:** Familiarity with SSH commands and concepts is highly recommended. Understanding how to establish and manage SSH tunnels will enhance your ability to securely interact with remote servers.

**Operating System:** A compatible operating system that supports SSH (e.g., most versions of Linux, macOS, and Windows with SSH clients).

**Private Key:** The private key corresponding to the public key that you used to install the system must be present on your machine. Otherwise you will not be able to access the admin CLI.

**Modern Web Browser:** The admin CLI is a web application, which requires a modern web browser with JavaScript enabled.

**SuperAdmin secret:** In order to use the CLI, you have to know the SuperAdmin secret.

## How to access Admin CLI

Open a terminal and use the following command to create an SSH tunnel to the backend:

```
ssh -N -L 8001:localhost:8001 superadmin@<IP>
```

You will not see any messages if the tunnel was opened successfully; the terminal will look like it hangs. You can confirm that the connection was established by opening a browser and connecting to <http://localhost:8001>. If everything went well, you will see a GUI.

## How to authenticate

In order to be able to enter any relevant commands, you have to authenticate yourself by entering

```
auth <superadmin-secret>
```

Make sure to replace the `<superadmin-secret>` with the SuperAdmin Secret that was created during the installation.

If you entered the above command correctly, you will see the message:

```
Authentication Status: Success
```

<figure><img src="https://lh7-us.googleusercontent.com/HFaXxGwxQZlHXC7EPwNIPtcavGKJd2EwxG11x57j_dzBt1jSPDPh9QSF_L4A1HKPFziwpl28DYaF_BG1qNCH-62BB13AjygIAi6qnlgWEUtOWnC-pM-d-2WFm2YrNwF3h3ahdiLPejTMvVY6rUvgDQ" alt=""><figcaption><p>You can check your authentication status by entering auth</p></figcaption></figure>

## Policies

At its core, DGMV-IAM works by defining policies for authentication. No user can register unless you define policies. The policies are independent of each other.

### Create Azure Connector Policy

DGMV-IAM allows users to onboard using Azure AD.

**Prerequisites:** Configure an App Registration in the Azure Portal and note down the Client ID, Tenant ID and Client Secret.

Execute code:

```
create policy connector.azure
```

This will show you a configuration template for the Azure connector that looks as follows:

```
{
    "policyId": "connector.azure",
    "clientId": "your-client-id",
    "clientSecret": "your-client-secret",
    "tenantId": "your-tenant-id",
    "redirectURI": "http://redirect-uri",
    "enabled": false
}
```

Fill in the fields:

1. your-client-id (Client ID)
2. your-client-secret (Client Secret)
3. your-tenant-id (Tenant ID)
4. redirectURI: `https://<domain>/api/v1/auth/azure`, where `<domain>` needs to be replaced with the hostname you chose when setting up the solution.
5. Make sure to set enabled to true.

At the top right-hand corner, click **Save**.

#### Confirmation if Azure policy is created and enabled

Use your browser to visit the landing page of DGMV-IAM and go to the Register tab to validate that the corresponding button now appears:

<figure><img src="https://lh7-us.googleusercontent.com/MXczovsjUAx-BIkeGrRyokGhREecN-NB7lxDK7yYA8fkFfoUvKe9qEhrVbdovZe70ntyk4HOQh3YCakv72yLaqLGZyYBnAlG6KqUKU3FKqX_BHh0gTkkPlmvRxeMlhJOKHhWMhZ9mVtKMKpCpKqdvQ" alt=""><figcaption></figcaption></figure>

Note that once a user has been successfully onboarded to DGMV-IAM, they never have to use a password again to sign in to DGMV-IAM.

All they need is their mobile device with DGMV-ID installed. They can use this to scan the QR code shown on the front page and they will be let in, if the device/wallet wasn’t blocked.

### Create Email Connector Policy

DGMV-IAM can allow users to use their email addresses to register. For that, a policy has to be created.

Execute code:

```
create policy connector.email
```

This will show a template on the right side that looks as follows:

```
{
    "policyId": "connector.email",
    "host": "mail.yourhost.com",
    "user": "user@yourhost.com",
    "password": "yourpassword",
    "port": 543,
    "secure": true,
    "enabled": false,
    "registerTokenValidityMinutes": 5
}
```

Fill in the fields:

1. replace the host value with your mail host
2. replace the user value with the username of the mail sending account
3. replace the password value with the password of the email account
4. adjust the port if needed
5. adjust the secure flag if needed
6. make sure to set enabled to true
7. Adjust the registerTokenValidityMinutes to define how long a magic link in the email is valid

At the top right-hand corner, click **Save**.

#### Confirmation if Email policy is created and enabled

Use your browser to visit the landing page of DGMV-IAM and go to the Register tab to validate that the corresponding button now appears:

<figure><img src="https://lh7-us.googleusercontent.com/OVTACohVs8OqH5oCjbfa_jheuDsFoD5JSmvJfDccuWwc8hYrTKv5sGuXYKIKFfoEUhsazcKiEV8tbckRJEHpO42hMbAjiMrvyU-RoKYuXEQFAqomSXUOMedyr9vDwugiLrWe9vxaCh-j3bK0_y3fDg" alt=""><figcaption></figcaption></figure>

A user who clicks this button will be asked to enter their email address. After confirming, a magic link will be sent to that email address.

Clicking that link will sign in the user.

### Create Seed Phrase Management Policy

DGMV-IAM is capable of handling seed phrases. However, for this, a policy needs to be defined.

Execute code:

```
create policy security.managed_seedphrases
```

This will show a skeleton for the configuration on the right side:

```
{
    "policyId": "security.managed_seedphrases",
    "enabled": false,
    "entropy": 256
}
```

Fill in the fields:

1. set enabled to true
2. alter the entropy if needed. Note that 256 bits will result in 24 words, 128 bits will result in 12 words.

At the top right-hand corner, click **Save**.

### Create Geofencing Policy

DGMV-IAM can check the geolocation of requests and match them against rules or constraints.

Execute code:

```
create policy security.geo_check
```

This will show a skeleton for the configuration on the right side:

```
{
    "policyId": "security.geo_check",
    "enabled": false
}
```

Fill in the fields:

1. Make sure to set enabled to true.

At the top right-hand corner, click **Save**.

The policy is now active, but without active rules everyone will be let into the system.

### Create Network Check Policy

DGMV-IAM can perform a network check on originating requests. For example, if your company requires the use of a VPN for phones, this can be enforced using a network check policy.

Execute code:

```
create policy security.network_check
```

This will show a skeleton for the configuration on the right side:

```
{
    "policyId": "security.network_check",
    "enabled": false
}
```

Fill in the fields:

1. Make sure to set enabled to true.

At the top right-hand corner, click **Save**.

By default, no network check will be performed unless you set up network rules.

### Policy CLI Commands

| Command                      | Purpose                               |
| ---------------------------- | ------------------------------------- |
| create policy *\<policy id>* | Create new policy                     |
| list policy                  | See the list of existing policies     |
| get policy *\<policy id>*    | Get and show data for selected policy |
| delete policy *\<policy id>* | Deletes the specified policy          |

## Users

Now that you have created policies, users can start to onboard.

### Onboarding Users

After you have configured DGMV-IAM to allow users to onboard using either the email or the Azure policy, you can approve users who tried to register.

Execute code:

```
list onboarding
```

Copy the user ID of the user you want to onboard.

Execute code:

```
create wsc
```

This will show a skeleton for the configuration on the right side:

```
{
    "userId": "user-id-here",
    "isManagedSeedPhrase": false
}
```

Fill in the fields:

1. Make sure you enter the user-id that you copied and replace the template value of the field userId.
2. Set isManagedSeedPhrase to true, if you want a seed phrase to be displayed to the user

At the top right-hand corner, click **Save**.

#### Confirmation if selected user is now able to proceed with onboarding

Ask the onboarding user to refresh their screen. They will now see the onboarding steps they have to perform.

### User CLI Commands

| Command                   | Purpose                              |
| ------------------------- | ------------------------------------ |
| create wsc                | Create a wallet secure code          |
| list onboarding           | See the list of users onboarding     |
| list users                | See the list of users                |
| get user *\<user id>*     | Get and show data for selected user  |
| edit user *\<user id>*    | Update the data of the selected user |
| delete user *\<user id>*  | Deletes the specified user           |

## Client Configurations

Applications need to be added to DGMV-IAM. This means creating clients.

### Creating a client

DGMV-IAM will not be able to connect to client applications unless client configurations are added.

Execute code:

```
create client
```

Paste the following JSON and adjust the redirect-URIs.

```
{
    "client_id": "dgmv-secure-meets",
    "client_name": "DGMV-Secure Meets",
    "redirect_uris": [
        "https://<secure-meets-hostname>/b/auth/openid_connect/callback"
    ],
    "scope": "openid email profile",
    "application_type": "web",
    "authorization_signed_response_alg": "RS256",
    "backchannel_logout_session_required": false,
    "backchannel_user_code_parameter": false,
    "grant_types": [
        "authorization_code",
        "implicit"
    ],
    "id_token_signed_response_alg": "RS256",
    "introspection_signed_response_alg": "RS256",
    "post_logout_redirect_uris": [],
    "require_auth_time": false,
    "require_pushed_authorization_requests": false,
    "require_signed_request_object": false,
    "dpop_bound_access_tokens": false,
    "response_types": [
        "code",
        "id_token"
    ],
    "subject_type": "public",
    "tls_client_certificate_bound_access_tokens": false,
    "token_endpoint_auth_method": "client_secret_basic",
    "web_message_uris": []
}
```

You can add the field `client_secret` if you have a specific secret you want to define. However, if you omit the field, DGMV-IAM will generate a secure secret for you and display it after you save the client configuration. Keep in mind that the secret DGMV-IAM generates must be entered in Secure Meets.

### Client CLI Commands

| Command                      | Purpose                                |
| ---------------------------- | -------------------------------------- |
| create client                | Create a new client                    |
| list client                  | See the list of clients added          |
| get client *\<client id>*    | Get and show data for selected client  |
| edit client *\<client id>*   | Update the data of the selected client |
| delete client *\<client id>* | Deletes the specified client           |

## Geo Positions

Used to manage geo positions that approve or deny users of the IAM.

### Create Geo Position

After creating a policy for the geofencing, you can add location rules.

Enter code:

```
create geoposition
```

This will show a skeleton for the configuration on the right side:

```
{
    "lat": "52.06316069891765",
    "lon": "4.279255681561278",
    "r": 100,
    "city": "Den Haag",
    "mode": "approve",
    "isDisabled": false,
    "isGlobal": true,
    "priority": 0
}
```

Fill in fields:

1. **lat** and **lon** are the latitude and longitude of the circle's centre.
2. **r** is the radius in km. With this you can define circles around the globe that can be used to approve or deny login requests.
3. **city** can be used to add metadata to the geoposition.
4. **mode** is either approve or deny; by default it's approve. Deny will reject the user.
5. **priority** defines the order of rules during execution; 0 is the highest priority.
6. **isDisabled** disables the rule if set to true.

## Networks

After creating a policy for the network checks, you can go ahead and create network rules.

Execute code:

```
create network
```

This will show a skeleton for the configuration on the right side:

```
{
    "ip": "127.0.0.1",
    "bitmask": 24,
    "mode": "approve",
    "isDisabled": false,
    "isGlobal": true,
    "priority": 0
}
```

You define a network in CIDR notation, split across two fields: enter the network address in `ip` and the prefix length in `bitmask`.

As in the Geo Positions section, `mode` is either approve or deny. Refer to that section for best practices and an explanation of the other fields.
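The geo position and network rules share the same `mode`, `priority` and `isDisabled` fields. The following Python script is an added illustration, not DGMV-IAM code: it models one reading of those fields (active rules tried in priority order, first match decides, and no active rules means everyone is let in, which the page states for both policies) against constructed sample rules. How DGMV-IAM treats a request that matches no active rule is not stated on this page, so the model returns `None` there.

```python
import ipaddress
import math

# Constructed sample rules in the shape of the CLI templates (not real data).
GEO_RULES = [
    {"lat": "52.06316069891765", "lon": "4.279255681561278", "r": 100,
     "city": "Den Haag", "mode": "approve", "isDisabled": False,
     "isGlobal": True, "priority": 1},
    {"lat": "52.37", "lon": "4.89", "r": 5, "city": "Amsterdam",
     "mode": "deny", "isDisabled": True, "isGlobal": True, "priority": 0},
]
NETWORK_RULES = [
    {"ip": "10.8.0.0", "bitmask": 16, "mode": "approve",  # e.g. a VPN range
     "isDisabled": False, "isGlobal": True, "priority": 0},
    {"ip": "203.0.113.0", "bitmask": 24, "mode": "deny",
     "isDisabled": False, "isGlobal": True, "priority": 1},
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two points (mean Earth radius 6371 km)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def geo_matches(rule, lat, lon):
    """True if the request location lies within the rule's circle (r is in km)."""
    return haversine_km(float(rule["lat"]), float(rule["lon"]), lat, lon) <= rule["r"]


def network_matches(rule, ip):
    """True if the request IP lies inside the rule's ip/bitmask network (CIDR)."""
    net = ipaddress.ip_network(f"{rule['ip']}/{rule['bitmask']}", strict=False)
    return ipaddress.ip_address(ip) in net


def evaluate(rules, matches, *request):
    """Assumed model: rules with isDisabled=false are tried in priority order
    (0 first) and the first match returns its mode ("approve" or "deny").
    No active rules -> "approve" (the page says everyone is let in then).
    Active rules but no match -> None (outcome not specified on the page)."""
    active = sorted((r for r in rules if not r["isDisabled"]),
                    key=lambda r: r["priority"])
    if not active:
        return "approve"
    for rule in active:
        if matches(rule, *request):
            return rule["mode"]
    return None
```

Note that the disabled Amsterdam deny rule has no effect: a request from Amsterdam still falls inside the 100 km Den Haag circle and is approved, which is why `isDisabled` and `priority` should be reviewed together when rules overlap.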
