Stackspin includes a Single sign-on system. That means that you log in once, and then all the applications included in Stackspin will know who you are, without you having to enter a password again.
Stackspin includes a Dashboard to manage these single sign-on users. The Dashboard is the starting point for all Stackspin users. To use the Dashboard, log in to https://dashboard.stackspin.example.org. Here you can create, edit and delete users, as well as see all the applications that run on your Stackspin cluster.
Your first login can happen in one of two ways:
Use the email address that was used during setup.
The admin email address has an account already. If you have access to its mailbox, press “Sign in” in the browser and then press “Forget password?” to start a password recovery procedure.
If you do not have access to the administrator email address, ask your system administrator to run the following command on their “provisioning machine” and share the admin credentials with you:
$ python3 -m stackspin stackspin.example.org admin-credentials
Note: these are the setup credentials, they will not be updated when you change the admin user’s password.
Login and logout limitations
Our single sign-on system uses an authentication protocol called OpenID Connect. This works the same way as “Log in with Google” buttons you might be familiar with, but don’t worry: instead of contacting Google, it uses Stackspin’s internal user database.
Limitations on login
The Stackspin dashboard allows you to define user privileges in two levels: “Admin” or “User”. When admin privileges are given to a user for a specific application, the user needs to log out and into that application again. Some applications, like WordPress and Zulip, have specific limitations. These are listed on the Applications page.
Limitations on logout
Users can log out by using the “Logout” button in any application. However, when they do so, they are only logged out of that specific application and the single sign-on system. So if users want to log out of Zulip as well as WordPress, they need to go to both applications, and click the logout button there. “Single sign-off” – logging out of all applications at once – will be implemented in a future version of Stackspin.
Limitations on user management
It is important to realize that although Stackspin has a central user management system, the applications included in stackspin also have their own user management systems. Users created inside applications are not synchronized to the single sign-on system. For that reason, we recommend you always create new users inside the Dashboard.
After logging in, you will see an overview of all the installed applications. The “Launch app” button on this screen will bring you to the application’s screen. If see a login screen, use the “log in with Stackspin” button to log in with your current user. You will not have to enter credentials, because you are already logged in via the Dashboard.
The Dashboard also features a “Users” tab, where you can manage the Stackspin users. At the moment, all users will be able to log into all applications on your cluster with the “Log in with Stackspin” button. More fine grained control will be added in the future.
To create a new user, click the “Add new user” button. You need to specify the user’s (full) name under “Name” and a valid email address under “Email”.
Once you have created the user, they will not be automatically notified - please contact individual users and let them know they can finish their account setup by opening any Stackspin-related URL and clicking the “Forget password?” button on the “Login with Stackspin” screen. This will let them set up their password for the first time, and their account will be active from that moment.
The Dashboard currently allows all users to manage the other users. In the (near) future, only users with “admin” privileges will be allowed to add, edit and remove other users.
Only add users for people that you trust.
To edit a user’s name or email address, or delete a user, press the “Configure” button on the right side in the user table.
If you want to delete several users, you can select them in the Users overview, using the select buttons on the left side. Then press the “Delete” button on the top right of the table.
A note on deleting users
Deleting users from the Dashboard makes sure they can’t log into applications anymore. However, the dashboard cannot control the user’s data inside other applications.
To completely remove users from all the applications, you will need to remove them from inside the application’s admin settings as well. Refer to the documentation of the specific application to see how that should be done.
If you only remove a user from the dashboard, but not from the application, it is possible that this user keeps access to the application through sessions inside application clients (for example the Zulip or Nextcloud desktop clients). These sessions can also typically be ended through the application’s admin interface.