Organizations and Users
Every user of Kaleido gets their own Kaleido Organization, and can add other users/administrators to that organization.
You named your Kaleido Organization when you signed up for Kaleido, but you can change it.
As the owner of your organization you are the sole administrator who can add/remove users, manage billing details, or upgrade to a different plan level.
You also have the ability to create "sub-orgs" beneath your parental/root organization. Sub-orgs are unilaterally owned and controlled by the parent organization and offer a unified administrative domain over multiple separate sets of resources. By default, the billing for the sub-org will initially be rolled up into the root organization. If necessary, the ownership CAN be transferred after the fact and the sub-org can be detached from its association for separate management and billing administration. See below for more information on organization management and sub-orgs.
Managing your organization
- Click the user icon in the lower lefthand corner of the console
- Select "Manage Orgs"
- Beneath your org name, click "Manage Organization"
- This will take you to the management dashboard
If you have been invited to other organizations, you will see them listed here too. In the below screenshot, the user is the owner of the Alpha org and has been invited as a co-administrator to the Demo org.
Adding users to your organization
You can add additional users to your organization, so that when they log in with their own email, they will be able to access the Kaleido resources (consortia, environments, nodes and services) owned by your organization. This is useful approach for scenarios where an organization benefits from a shared workspace for collaboration and iteration.
- Click the "Manage Users" tab in the lefthand navigation
- Click the "ADD USER" button in the upper righthand portion of the screen
- Use the email address bound with the user's Kaleido account.
- You can remove users at any time from your organization
- Only the organization owner can invite users
- Click "Dashboard" in the lefthand navigation to access your organization management portal
- Click "Create Sub Org" within the "Relationships" modal
- Input a name for the new organization
- If you are the owner of multiple root organizations, use the dropdown to select the desired org. (Ownership of organizations can be transferred in certain circumstances, and sub-orgs can also be detached after the fact. As a result, there is potential to be the owner of multiple root organizations.)
- Optionally use the Advanced Settings dropdown to modify the sub-org's Home region and/or the contact email associated with it.
- Click CREATE to provision the new sub-org
- Upon success you will see a notification screen with the option to change the current plan or deploy resources
Managing a Sub Org
- Use the org switcher dropdown in the upper right hand portion of the screen to switch to a sub-org
- You can also use the lefthand navigation within your organizational management portal
- Subscription and Billing - use this to alter plans or see current and forecasted billing
- Manage Users - use this to add additional users to the sub-org
- Security - optionally enforce or remove multi factor authentication on the sub-org
- Settings - use this to change the name, transfer ownership or alter the associated email
Once you are operating under the context of the sub-org, you can proceed to deploy and manage resources in the same fashion as you would for your root organization(s).
Kaleido allows you to create an Enterprise Organization that is linked to your own user security management via a federated login.
Enterprise Organizations must have billing attached, and be configured on the Enterprise plan
Federated Login Providers
Currently the Amazon Cognitio is available as federated login provider, which itself provides onward integration via:
- OpenID Connect (OIDC)
- Microsoft Active Directory (via SAML)
- Social identity providers - such as Google and Facebook
Please contact us if you have a requirement for an additional federated login provider.
Kaleido requires you map each federated login identity to an email that has been registered against the Enterprise Organization in Kaleido.
Creating Enterprise Organizations
The Enterprise Organization creation flow is summarized as follows:
- Create a new AWS Cognito user pool, with application credentials for Kaleido to access it
- With your existing email login to Kaleido, create a new Enterprise Organization bound to that AWS Cognito user pool
- Configure the redirect URL from the new Enteprise Login back into AWS Cognito to allow the login to complete
- Authorize the first email address that will be allowed to login to the Enterprise Organization
- Use the newly generated dedicated login link for Kaleido, to log into the Enterprise Organization via AWS Cognito
- Configure your billing provider in the Enterprise Organization
Once complete, the new organization is detached from the original organization you used to create it, and the first user that logged into it (via the federated login) will be the owner of the organization.
Please get in touch to help you walk through the process if you get stuck, as setting up federating login via OpenID Connect integration with Amazon Cognito can be complex.
Example: Create an Enterprise Organization linked to a Cognito User Pool
This sample flow makes use of Google Sign-In as the Identity Provider, however alternate methods such as Open ID, SAML, Facebook, etc… can be leveraged as long as they ultimately resolve to a registered email on the targeted Enterprise Org.
These steps outline the creation of a custom user pool and domain using AWS Cognito. These AWS resources are prerequisites for creating a Kaleido Enterprise Org.
- Log into your AWS account and navigate to the Cognito service.
- Click the Manage User Pools button to create the custom user pool. If you have no existing user pools, follow the click here to create a user pool hyperlink to generate your first pool.
- If you prefer to leverage an existing user pool, it must be edited to require
- Supply a name for your user pool in the Pool name box and select Review defaults as the method for pool creation.
- Before finalizing the pool, you need to specify
Allow email addressesfield is enabled. In the Which standard attributes do you want to require? section select
- Next, click the App clients tab in the lefthand navigation panel to create an application client for the pool. Click the Add an app client hyperlink to provision the client credentials. The credentials are visible once the pool has been created.
- Supply a name for the app client in the App client name box and leave the
Generate client secretoption enabled. Kaleido needs both the client ID and secret in order to securely communicate with your Cognito Pool. Click the Create app client button to finish.
- On the new screen click the Return to pool details hyperlink to review your settings. Ensure that
- Lastly, provision a domain for the Cognito enterprise sign in. Click the Domain name tab in the lefthand navigation and supply a prefix for the Amazon Cognito domain. Click the Check availability button to make sure the domain is available. Click Save changes to save your domain.
Generating an Enterprise Organization in the Kaleido Console
These steps outline the creation of an Enterprise Organization through the platform UI. Ensure that you have provisioned the requisite resources (User Registry, Application Client and Domain) before proceeding. Refer to the previous section for instructions on creating these cloud resources.
- Log into your Kaleido Organization and click the Settings tab at the top right portion of the screen. Click the Organizational Settings tab and click the + New Enterprise Org button.
- Supply an “Organization Name” for your Enterprise Org.
- Enter your “Amazon Cognito Domain” without the
- Enter your Cognito User Pool ID. You can retrieve this value by clicking the General Settings tab in the lefthand navigation panel within your Cognito User Pool.
- Enter the AWS region for your User Pool. This value is the prefix of the User Pool ID. For example,
- Enter the Application Client ID and Secret from your User Pool. These values can be retrieved by clicking the App clients tab in the lefthand navigation panel within your targeted Cognito User Pool.
- Click the Create button at the bottom of the screen once you have populated all of the mandatory fields.
- Take note of the Callback URL for your Enterprise Org. This value needs to be configured against your application client, allowing it to resolve with Kaleido upon the Identity Provider sign in. The next section details the steps necessary to configure the application client.
- Additionally take note of the new login URL for the Enterprise Org. This is the only route through which it can be accessed.
- Lastly, click the Add dropdown and select Organization Member. Input an email address that will map to your Cognito Identity Provider. The first user attempting to sign into the Enterprise Org MUST be registered.
NOTE: The Enterprise Org exists in “draft” stage until a successful login from a registered email address. Upon a successful login, the Enterprise Org will be detached from your standard Kaleido Org and exist under the ownership of the first logged in user. From that point the Enterprise Org is only accessible via its unique login URL and maintains no relationship with the original Kaleido Org. The next section demonstrates one potential approach via Google Sign-In for logging in and detaching the newly created org.
Configuring an External Identity Provider & Logging into your Enterprise Org
These steps outline the creation of an OAuth client using the Google Sign-In flow, and the configuration of an Identity Provider and Application Client within AWS Cognito. Note that Google is not the mandated Identity Provider. We simply use Google Sign-In as an example option because it provides a convenient schema for email attribute mapping. The email attribute is what Kaleido will ultimately verify the login attempt against. You can mirror this approach when configuring alternate Identity Providers.
- Visit the Integrating Google Sign-In developer site.
- Click the CONFIGURE A PROJECT button and supply a name for your project. Click Next
- Configure your OAuth Client by providing a product name to be shown on the user consent screen. Click Next
- Within your Cognito User Pool, click the Identity providers tab in the lefthand navigation panel and select Google.
- Input the Client ID and secret from the previous step into the appropriate fields. For the “Authorize scope” field, enumerate
profile email openidand click the Enable Google button to finish.
- Click the Attribute mapping tab at the bottom of the lefthand navigation panel and select Googleas the external identity provider to map attributes from.
- Expand the User pool attribute dropdown and select
- Next, click the App client settings and select Google as your Enabled Identity Provider.
- Add the callback URL from the Enterprise Org creation into the Callback URL(s) field
- In the Allowed OAuth Flows section enable the following:
Authorization code grant,
openid. Click the Save changes button at the bottom of the screen to configure the client.
- Now you’re ready to login. Follow the login URL for your new Enterprise Org. This will redirect you to Google Sign-In or whichever implementation you have selected.
- IMPORTANT: If using Google Sign-In, your first attempt will fail with the following error –
Error: redirect_uri_mismatch. Copy the supplied redirect URL in the body of the error message and access the configuration for the OAuth client. With Google Sign-In this can be done by accessing the developers API console. The pop-up window exposing your OAuth client ID/secret also contains a hyperlink to the console. Click the Credentials tab in the lefthand navigation and select the OAuth client ID that has been configured in Cognito. Paste the redirect URL in the Authorized redirect URLs field and click Save.
- Now refresh your enterprise login window. Supply the email/password combination (alternatively supply a username/password combination that resolves to a registered email on the Kaleido Enterprise Org) and proceed to log into the new org. Note that the user with the first successful login will become the owner of the org.