Introducing DGMV-IAM (CLI)

Prerequisites

Network Connection: The device running the Admin CLI must be connected to a reliable network and must be able to reach the DGMV-IAM system. Be aware of the network address (IP address) of the system where DGMV-IAM is installed.

SSH Installation: Secure Shell (SSH) must be installed on your machine. This is essential for establishing secure network services between two networked devices.

Knowledge of SSH: Familiarity with SSH commands and concepts is highly recommended. Understanding how to establish and manage SSH tunnels will enhance your ability to securely interact with remote servers.

Operating System: A compatible operating system that supports SSH (e.g., most versions of Linux, macOS, and Windows with SSH clients).

Private Key: The private key matching the public key you used when installing the system must be present on your machine. Otherwise you will not be able to access the Admin CLI.

Modern Web Browser: The Admin CLI is a web application and requires a modern web browser with JavaScript enabled.

SuperAdmin secret: To use the CLI, you must know the SuperAdmin secret.

How to access Admin CLI

Open a terminal and use the following command to create an SSH tunnel to the backend:

ssh -N -L 8001:localhost:8001 superadmin@<IP>

You will not see any messages if the tunnel was opened successfully; the terminal will look like it hangs. You can confirm that the connection was established by opening a browser and connecting to http://localhost:8001. If everything went well, you will see a GUI.

How to authenticate

In order to be able to enter any relevant commands, you have to authenticate yourself by entering

auth <superadmin-secret>

Make sure to replace the <superadmin-secret> with the SuperAdmin Secret that was created during the installation.

If you entered the above command correctly, you will see the message:

Authentication Status: Success

Policies

At its core, DGMV-IAM works by defining policies for authentication. No user will be able to register unless you define policies. There are no dependencies between the policies.

Create Azure Connector Policy

DGMV-IAM allows users to onboard using Azure AD.

Prerequisites: Configure an App Registration in the Azure Portal and note down the Client ID, Tenant ID and Client Secret.

Execute code:

create policy connector.azure

This will show you a configuration template for the Azure connector that looks as follows:

{
    "policyId": "connector.azure",
    "clientId": "your-client-id",
    "clientSecret": "your-client-secret",
    "tenantId": "your-tenant-id",
    "redirectURI": "http://redirect-uri",
    "enabled": false
}

Fill in the fields:

  1. your-client-id (Client ID)

  2. your-client-secret (Client Secret)

  3. your-tenant-id (Tenant ID)

  4. redirectURI: https://<domain>/api/v1/auth/azure - the <domain> needs to be replaced with the hostname you chose when setting up the solution.

  5. Make sure to set enabled to true

At the top right-hand corner, click Save.

Confirming that the Azure policy is created and enabled

Use your browser to visit the landing page of DGMV-IAM and go to the Register tab to validate that the corresponding button now appears.

Note that once a user has been successfully onboarded to DGMV-IAM, they never have to use a password again to sign in to DGMV-IAM.

All they need is their mobile device with DGMV-ID installed. They can use it to scan the QR code shown on the front page, and they will be let in if the device/wallet wasn't blocked.

Create Email Connector Policy

DGMV-IAM can allow users to use their email addresses to register. For that, a policy has to be created.

Execute code:

create policy connector.email

This will show a template on the right side that looks as follows:

{
    "policyId": "connector.email",
    "host": "mail.yourhost.com",
    "user": "user@yourhost.com",
    "password": "yourpassword",
    "port": 543,
    "secure": true,
    "enabled": false,
    "registerTokenValidityMinutes": 5
}

Fill in the fields:

  1. replace the host value with your mail host

  2. replace the user value with the username of the mail sending account

  3. replace the password value with the password of the email account

  4. adjust the port if needed

  5. adjust the secure flag if needed

  6. make sure to set enabled to true

  7. adjust registerTokenValidityMinutes to define how long the magic link in the email stays valid

At the top right-hand corner, click Save.

Confirming that the Email policy is created and enabled

Use your browser to visit the landing page of DGMV-IAM and go to the Register tab to validate that the corresponding button now appears.

A user who clicks this button will be asked to enter their email address. After confirming, a magic link will be sent to that email address.

Clicking that link will sign in the user.

Create Seed Phrase Management Policy

DGMV-IAM is capable of handling seed phrases. However, for this, a policy needs to be defined.

Execute code:

create policy security.managed_seedphrases

This will show a skeleton for the configuration on the right side:

{
    "policyId": "security.managed_seedphrases",
    "enabled": false,
    "entropy": 256
}

Fill in the fields:

  1. set enabled to true

  2. alter the entropy if needed. Note that 256 bits results in 24 words and 128 bits in 12 words.

At the top right-hand corner, click Save.

Create Geofencing Policy

DGMV-IAM can check the geolocation of requests and match them against rules or constraints.

Execute code:

create policy security.geo_check

This will show a skeleton for the configuration on the right side:

{
    "policyId": "security.geo_check",
    "enabled": false
}

Fill in the fields:

  1. Make sure to set enabled to true

At the top right-hand corner, click Save.

The policy is now active, but without active rules everyone will be let into the system.

Create Network Check Policy

DGMV-IAM can perform a network check on originating requests. For example, if your company requires the use of a VPN for phones, this can be enforced using a network check policy.

Execute code:

create policy security.network_check

This will show a skeleton for the configuration on the right side:

{
    "policyId": "security.network_check",
    "enabled": false
}

Fill in the fields:

  1. Make sure to set enabled to true.

At the top right-hand corner, click Save.

By default, no network check will be performed unless you set up network rules.

Policy CLI Commands

Users

Now that you have created policies, users can start to onboard.

Onboarding Users

After you have configured DGMV-IAM to allow users to onboard using either the email or the Azure policy, you can approve users who tried to register.

Execute code:

list onboarding

Copy the user ID of the user you want to onboard.

Execute code:

create wsc

This will show a skeleton for the configuration on the right side:

{
    "userId": "user-id-here",
    "isManagedSeedPhrase": false
}

Fill in the fields:

  1. Replace the template value of the userId field with the user ID you copied.

  2. Set isManagedSeedPhrase to true, if you want a seed phrase to be displayed to the user

At the top right-hand corner, click Save.

Confirming that the selected user is now able to proceed with onboarding

Ask the onboarding user to refresh their screen. They will now see the onboarding steps they have to perform.

User CLI Commands

Client Configurations

Applications need to be added to DGMV-IAM. This means creating clients.

Creating a client

DGMV-IAM will not be able to connect to client applications unless client configurations are added.

Execute code:

create client

Paste the following JSON and adjust the redirect-URIs.

{
    "client_id": "dgmv-secure-meets",
    "client_name": "DGMV-Secure Meets",
    "redirect_uris": [
        "https://<secure-meets-hostname>/b/auth/openid_connect/callback"
    ],
    "scope": "openid email profile",
    "application_type": "web",
    "authorization_signed_response_alg": "RS256",
    "backchannel_logout_session_required": false,
    "backchannel_user_code_parameter": false,
    "grant_types": [
        "authorization_code",
        "implicit"
    ],
    "id_token_signed_response_alg": "RS256",
    "introspection_signed_response_alg": "RS256",
    "post_logout_redirect_uris": [],
    "require_auth_time": false,
    "require_pushed_authorization_requests": false,
    "require_signed_request_object": false,
    "dpop_bound_access_tokens": false,
    "response_types": [
        "code",
        "id_token"
    ],
    "subject_type": "public",
    "tls_client_certificate_bound_access_tokens": false,
    "token_endpoint_auth_method": "client_secret_basic",
    "web_message_uris": []
}

You can add the field "client_secret" if you have a specific secret you want to define. However, if you omit the field, DGMV-IAM will generate a secure secret for you and display it after you save the client configuration. Keep in mind that the secret DGMV-IAM generates must be entered in Secure Meets.
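Before pasting a client configuration, it is worth checking that the redirect URIs no longer carry the placeholder hostname, use https, and that every response_type is backed by a registered grant_type (OIDC requires authorization_code for "code" and implicit for "id_token"). The checker below is an added example, not part of DGMV-IAM; the hostname meets.example.org and the trimmed TEMPLATE dictionary are constructed for illustration.

```python
from urllib.parse import urlparse

# Each OIDC response_type component requires a matching registered grant_type
# (authorization_code for "code", implicit for "id_token" and "token").
REQUIRED_GRANT = {"code": "authorization_code", "id_token": "implicit", "token": "implicit"}

def validate_client(config):
    """Return a list of problems in a DGMV-IAM client JSON; an empty list means it is ready to paste."""
    problems = []
    for key in ("client_id", "client_name", "redirect_uris"):
        if not config.get(key):
            problems.append(f"missing required field: {key}")
    for uri in config.get("redirect_uris", []):
        if "<" in uri or ">" in uri:
            problems.append(f"placeholder still present in redirect URI: {uri}")
            continue
        parsed = urlparse(uri)
        if parsed.scheme != "https":
            problems.append(f"redirect URI is not https: {uri}")
        if parsed.fragment or "*" in uri:
            problems.append(f"redirect URI must be exact (no fragment or wildcard): {uri}")
    grants = set(config.get("grant_types", []))
    for rt in config.get("response_types", []):
        for part in rt.split():  # hybrid types such as "code id_token" contain several parts
            needed = REQUIRED_GRANT.get(part)
            if needed and needed not in grants:
                problems.append(f"response_type '{rt}' requires grant_type '{needed}'")
    return problems

# Constructed sample: a trimmed copy of the template above, still carrying the placeholder hostname.
TEMPLATE = {
    "client_id": "dgmv-secure-meets",
    "client_name": "DGMV-Secure Meets",
    "redirect_uris": ["https://<secure-meets-hostname>/b/auth/openid_connect/callback"],
    "grant_types": ["authorization_code", "implicit"],
    "response_types": ["code", "id_token"],
}

def filled_in():
    """The template with the placeholder replaced by a constructed hostname."""
    return dict(TEMPLATE, redirect_uris=["https://meets.example.org/b/auth/openid_connect/callback"])

def code_only():
    """Variant that drops the implicit grant but forgets to drop the id_token response type."""
    return dict(filled_in(), grant_types=["authorization_code"])
```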

Client CLI Commands

Geo Positions

Used to manage geo positions that approve or deny users in IAM.

Create Geo Position

After creating a policy for the geofencing, you can add location rules.

Execute code:

create geoposition

This will show a skeleton for the configuration on the right side:

{
    "lat": "52.06316069891765",
    "lon": "4.279255681561278",
    "r": 100,
    "city": "Den Haag",
    "mode": "approve",
    "isDisabled": false,
    "isGlobal": true,
    "priority": 0
}

Fill in the fields:

  1. lat and lon are the latitude and longitude of the circle's centre

  2. r is the radius in km. With this you can define circles around the globe that are used to approve or deny login requests

  3. city can be used to add metadata to the geoposition.

  4. mode is either approve or deny; by default it is approve. Deny will reject the user

  5. priority defines the order of rules during execution; 0 is the highest priority

  6. isDisabled disables the rule if set to true

Networks

After creating a policy for the network checks, you can go ahead and create network rules.

Execute code:

create network

This will show a skeleton for the configuration on the right side:

{
    "ip": "127.0.0.1",
    "bitmask": 24,
    "mode": "approve",
    "isDisabled": false,
    "isGlobal": true,
    "priority": 0
}

You define a network in CIDR notation, split across two fields: enter the network address in ip and the prefix length in bitmask.

As in section 6, mode can be approve or deny. Refer to section 6 for best practices and an explanation of the other fields.
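The geoposition and network rules above share the same shape (mode, isDisabled, priority), so the added example below evaluates both kinds of rule against a sample request. It is illustration code, not DGMV-IAM's own engine: the sample rules are constructed, and the assumed semantics are that rules run in ascending priority order (0 first), disabled rules are skipped, the first matching rule decides, and a request matching no rule is approved (isGlobal is not interpreted).

```python
import ipaddress
import math

# Constructed sample rules in the CLI's JSON shape (made-up values, not from a real deployment).
GEO_RULES = [
    {"lat": "52.06316069891765", "lon": "4.279255681561278", "r": 100, "city": "Den Haag",
     "mode": "approve", "isDisabled": False, "isGlobal": True, "priority": 0},
    {"lat": "52.3676", "lon": "4.9041", "r": 500, "city": "Amsterdam wide deny",
     "mode": "deny", "isDisabled": False, "isGlobal": True, "priority": 1},
]
NETWORK_RULES = [
    {"ip": "203.0.113.0", "bitmask": 24, "mode": "approve", "isDisabled": True, "isGlobal": True, "priority": 0},
    {"ip": "10.8.0.0", "bitmask": 16, "mode": "approve", "isDisabled": False, "isGlobal": True, "priority": 0},
    {"ip": "0.0.0.0", "bitmask": 0, "mode": "deny", "isDisabled": False, "isGlobal": True, "priority": 1},
]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km (mean Earth radius 6371 km)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def geo_matches(rule, lat, lon):
    # lat/lon are stored as strings in the template; r is the circle radius in km
    return haversine_km(float(rule["lat"]), float(rule["lon"]), lat, lon) <= rule["r"]

def network_matches(rule, ip):
    # ip + bitmask form one CIDR block; strict=False tolerates host bits set in "ip" (as in 127.0.0.1/24)
    net = ipaddress.ip_network(f'{rule["ip"]}/{rule["bitmask"]}', strict=False)
    return ipaddress.ip_address(ip) in net

def evaluate(rules, matches):
    """Assumed semantics: ascending priority, disabled rules skipped, first match decides, default approve."""
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if not rule["isDisabled"] and matches(rule):
            return rule["mode"]
    return "approve"

def check_network(ip):
    return evaluate(NETWORK_RULES, lambda r: network_matches(r, ip))

def check_geo(lat, lon):
    return evaluate(GEO_RULES, lambda r: geo_matches(r, lat, lon))

def login_allowed(ip, lat, lon):
    """A request passes only when both the network check and the geofencing check approve it."""
    return check_network(ip) == "approve" and check_geo(lat, lon) == "approve"

if __name__ == "__main__":
    print(check_network("10.8.3.7"), check_network("203.0.113.5"))  # approve deny
    print(check_geo(52.08, 4.31), check_geo(50.8503, 4.3517))        # approve deny
```

The Brussels coordinates (50.8503, 4.3517) fall outside the 100 km Den Haag circle but inside the 500 km deny circle, so the deny rule fires even though it has the lower priority; 203.0.113.5 is denied because its approve rule is disabled and the /0 catch-all then matches.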
