[Backend] As ACF staff, I must use ACF AMS for authentication. #1170

Closed
9 tasks done
Tracked by #1134
andrew-jameson opened this issue Jul 30, 2021 · 13 comments · Fixed by #1536 or #1600
Comments

@andrew-jameson
Collaborator

andrew-jameson commented Jul 30, 2021

Description:
Provide a brief background and justification for this issue
ACF users (OFA sys admin, OFA admin, OFA Regional Staff, OFA Data Analyst) should not be allowed to utilize anything except ACF AMS.

Acceptance Criteria:
Create a list of functional outcomes that must be achieved to complete this issue

  • ACF staff user is not actually authenticated by Login.gov (not able to browse/utilize TDP)
  • If an ACF staff user uses login.gov for authentication, an error is returned indicating incorrect authentication method
  • First-time ACF user story is handled for a user not yet assigned a role
  • Testing Checklist has been run and all tests pass
  • Ensure logout is working as expected
  • README is updated, if necessary

Tasks:
Create a list of granular, specific work items that must be completed to deliver the desired outcomes of this issue

  • From openid payload, trigger off @acf.hhs.gov e-mail domain for determining if failure is warranted
  • Make sure logout redirects as expected
  • Run Testing Checklist and confirm all tests pass

Notes:
Add additional useful information, such as related issues and functionality that isn't covered by this specific issue, and other considerations that will be helpful for anyone reading this

Supporting Documentation:
Please include any relevant log snippets/files/screen shots

@ADPennington ADPennington changed the title As OFA staff, I must use AMS for authentication As OFA staff, I must use ACF AMS for authentication Aug 3, 2021
@amilash amilash changed the title As OFA staff, I must use ACF AMS for authentication As OFA staff, I must use ACF AMS + PIV/CAC for authentication Aug 24, 2021
@amilash

amilash commented Aug 24, 2021

@abottoms-coder can you add any relevant criteria/dev work to build for enforcing piv/cac into this ticket?

@amilash amilash added the triage Needs to be triaged label Aug 24, 2021
@amilash amilash added Blocked Label for Pull Requests that are currently blocked by a dependency and removed triage Needs to be triaged labels Aug 31, 2021
@amilash

amilash commented Aug 31, 2021

Blocked by design user flows

@amilash amilash added this to the Sprint 29 milestone Aug 31, 2021
@andrew-jameson andrew-jameson removed the Blocked Label for Pull Requests that are currently blocked by a dependency label Sep 24, 2021
@ADPennington ADPennington changed the title As OFA staff, I must use ACF AMS + PIV/CAC for authentication As ACF staff, I must use ACF AMS + PIV/CAC for authentication Oct 28, 2021
@valcollignon

We need answers to open questions before we can refine. Per backlog refinement 11.2.21.

@lfrohlich
Collaborator

@ADPennington : how do you enforce PIV/CAC if they don't have a role, this is their first time logging in? Need to better understand this flow

@valcollignon

Discuss this in dev sync to revisit open questions. Priority is #1136.

@ADPennington
Collaborator

Discuss this in dev sync to revisit open questions. Priority is #1136.

Notes from dev sync:

  • The expectation is that first time ACF user will request access to TDP after clicking ACF AMS button and authenticating via PIV/CAC. At this stage they will not have a role, so in order to confirm that the correct authentication button was used, we would ideally rely on metadata returned about the user that lets us know that this is an ACF user (e.g. has an acf.hhs.gov email address).
  • We will confirm via [Backend] Accept AMS OpenId #1136 the types of metadata to be returned about these users from ACF AMS.
  • if, based on the metadata, it is determined 1) this is an ACF user and 2) this user did not use ACF AMS to authenticate, an error would be returned to the user informing them that the incorrect authentication method was used.
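The decision logic from these dev-sync notes, as an added illustration that is not part of the TDP code base; the provider names, `check_auth_method` and the claim keys are assumptions. It relies only on the e-mail claim, since a first-time user has no role yet, and treats only an exact `@acf.hhs.gov` domain as an ACF address.

```python
"""Assumed helper: decide whether a login may proceed, given which identity
provider the user came through and the OpenID claims it returned."""
from dataclasses import dataclass

ACF_AMS = "acf_ams"          # assumed provider label for the ACF AMS button
LOGIN_GOV = "login_gov"      # assumed provider label for the Login.gov button
ACF_DOMAIN = "acf.hhs.gov"   # domain named in the issue; exact match only


@dataclass(frozen=True)
class AuthDecision:
    allowed: bool
    is_acf_user: bool
    reason: str


def is_acf_email(email):
    """True when the address ends in @acf.hhs.gov (case-insensitive).

    A sub-domain or a look-alike such as acf.hhs.gov.example.com is not
    treated as ACF, so the check is an exact domain comparison, not a
    substring or endswith() test."""
    if not email or "@" not in email:
        return False
    domain = email.strip().rsplit("@", 1)[1].lower()
    return domain == ACF_DOMAIN


def check_auth_method(provider, claims):
    """claims: the OpenID payload as a dict. Only the email claim is used,
    because (per the thread) hhs_id may be null and no PIV metadata is
    returned, so e-mail domain is the only signal for 'this is ACF staff'."""
    acf = is_acf_email(claims.get("email"))
    if acf and provider != ACF_AMS:
        # ACF staff arriving through Login.gov: reject before any session exists.
        return AuthDecision(False, True,
                            "incorrect authentication method: ACF staff must use ACF AMS")
    if provider == ACF_AMS and not acf:
        # HHS, non-ACF route from the thread: not blocked here, but a role must
        # still be assigned before the user can do anything in TDP.
        return AuthDecision(True, False,
                            "non-ACF address via ACF AMS; access still requires a role")
    return AuthDecision(True, acf, "ok")
```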

@lfrohlich lfrohlich removed this from the Sprint 29 milestone Nov 16, 2021
@valcollignon

Keep in unrefined until issue is unblocked - per backlog refinement 11.16.21

@valcollignon valcollignon changed the title As ACF staff, I must use ACF AMS + PIV/CAC for authentication [Backend] As ACF staff, I must use ACF AMS + PIV/CAC for authentication Nov 23, 2021
@valcollignon

Front end work is being done in #1155.

@valcollignon

As soon as #1136 is complete, this issue may be brought into the current sprint immediately.
CC: @abottoms-coder @ADPennington @lfrohlich

@valcollignon

Per @abottoms-coder's conversation with Leon, this issue is blocked until February at the earliest. The openid platform we use to connect to AMS can't be set up to pass through either the hhs_id or any PIV-relevant information.

@ADPennington
Collaborator

notes from 12/21 pair w/ @jorgegonzalez and @abottoms-coder:

  • ACF AMS team informed today that they have an unknown timeline for setting up to return the hhs_id in the payload for our use. this ID is a nice to have and is not considered a blocker for this epic (returning the user email is sufficient)
  • a null value will be returned for hhs_id field for now.
  • (1) there currently is no PIV/CAC metadata returned with the user payload + (2) Andrew and I are not able to authenticate using our ACF AMS network u/p credentials---both of which we expected for us to complete this work. This suggests that using ACF AMS effectively means that a user has authenticated with PIV/CAC (because no other credentials are accepted), but we need to confirm the expected behavior with ACF AMS team.
  • We also need to confirm ACF OCIO's intention for TDP's ACF users leveraging ACF AMS authentication service. Is it enough to know that the user came through ACF AMS, or must we also know that they came through ACF AMS and used PIV/CAC? If it is the latter, we need to know what user metadata returned in the payload will tell us that and how it will be made available to us.
  • Depending on the outcome of these follow-ups, [Backend] As ACF staff, I must use ACF AMS for authentication. #1170 issue and associated ACs may need to be revised.

cc: @lfrohlich

@ADPennington
Collaborator

ADPennington commented Dec 23, 2021

From ACF AMS team 12/23:

  • ACF OCIO supports authenticating with PIV/CAC or network credentials when using ACF AMS.
  • if network credentials are unsuccessful, this is something that would need to be elevated to the attention of the HHS AMS team if it is something we need to support (it isn't). What is most important is that ACF users are using ACF AMS to authenticate and not login.gov.
  • ACF AMS team will be speaking with HHS AMS team sometime in the new year and will ask about whether or not PIV metadata will ever be made available to return in the payload.

Other notes:

  • it is worth testing a few routes to provide us with reassurance about what is returned in the payload about the user when attempting to authenticate via ACF AMS with either piv or network credentials, for our records:
    • HHS, non-ACF user: we expect them to have a different email address (i.e. not ending in @acf.hhs.gov) but in the worst case scenario, maybe they aren't blocked from authenticating (with PIV or network credentials) and make it into TDP to request access. Even if this does happen, their permissions would still need to be assigned in order to have access to the TDP, so the risk is low for this to cause problems for us (aside from the user management headache). (e.g. ASPE)
    • non-HHS user, non-federal: shouldn't be able to get to the point of requesting TDP access because they don't have any required credentials (e.g. Raft)
    • non-HHS user, federal: shouldn't be able to get to the point of requesting TDP access because they don't have any required credentials, but we want to see what is returned in the payload because they would have a PIV (e.g. 18F)
    • ACF user: we've tested this route, and it appears as though these users can only authenticate with PIV/CAC. (e.g. OFA)
  • this means that the title of this ticket should not include piv/cac as the only authentication credential. we should add this clarification to the agenda for our next IPT in 2022.
  • ACF staff user cannot authenticate via username and password in ACF AMS should be removed as an AC in this ticket.

cc: @lfrohlich

@valcollignon valcollignon changed the title [Backend] As ACF staff, I must use ACF AMS + PIV/CAC for authentication [Backend] As ACF staff, I must use ACF AMS for authentication. Jan 4, 2022
@andrew-jameson
Collaborator Author

Reopened to address #1600 .
