STS Agent service

The STS Agent service transfers case and document data from WorkZone to the STS Bridge.

To deploy the STS Agent service, complete the following steps:

  1. Multitenant app registration (Customer)

  2. Update WorkZone users in the database (Hosting partner)

  3. Adding secrets (Hosting partner)

  4. Customer specific secrets (azure-aks-key-vault) (Customer and Hosting partner)

  5. Environment variables and Helm chart variables (Hosting partner)

  6. Configure CVR number (Customer)

  7. Required endpoint access (Hosting partner)

This page describes the deployment process for customers who use a hosting partner to run WorkZone in the cloud. Some of the steps in the process require input or configuration from the customer. To indicate who is responsible for completing a specific part of the deployment process, each section is marked with either Hosting partner or Customer. If your organization hosts WorkZone in its own data center, you must complete all the steps of the deployment process.

Multitenant app registration (Customer)

The STS Agent service requires access to WorkZone OData. To enable this access, you need to create an app registration. Follow these steps:

  1. Follow steps 1 and 2 in Set up third-party integrations in Azure.

  2. Give your application a meaningful name as it will be linked to a system user in WorkZone. See Update WorkZone users in the database (Hosting partner).

  3. Make sure to note the Directory (Tenant) Id, Application (Client) ID and Client Secret from the previous step.

  4. Go to Entra ID > App Registration and select your app.

  5. Click the app name/link next to Managed Application in local directory.

  6. Copy the Object ID (Enterprise Application Object ID) and note it down for later use.

Update WorkZone users in the database (Hosting partner)

You need to update the WorkZone users in the database with the corresponding Object ID. See step 6 under Multitenant app registration (Customer).

Example:

update users set oid='{Object ID}' where user_name ='STSUSER';

Adding secrets (Hosting partner)

You need to create secrets using the values that you noted down in step 3 of Multitenant app registration (Customer). Each secret must be assigned to a predefined secret key. The table below maps each secret key to its required value:

Secret key                               Secret value                                                        Owner
WORKZONE-AZURESYS-TENANTID               The Directory (Tenant) ID corresponding to the STS Agent service.   Hosting partner
WORKZONE_AZURE_SYS_STSUSER_CLIENTID      The Application (Client) ID for the STS Agent service.              Hosting partner
WORKZONE_AZURE_SYS_STSUSER_CLIENTSECRET  The Client Secret for the STS Agent service.                        Hosting partner

Customer specific secrets (azure-aks-key-vault) (Customer and Hosting partner)

STS Consumer service requires access to external services for synchronizing organizational units and employees. The necessary access information is customer-specific and must be provided by the customer. The customer must provide a Client ID and Client Secret to access the STS-Bridge system. The Client ID and Client Secret must be assigned to the following predefined secret keys:

  • WORKZONE-KOMSERVICE-STSBRIDGE-CLIENTID

  • WORKZONE-KOMSERVICE-STSBRIDGE-CLIENTSECRET

Environment variables and Helm chart variables (Hosting partner)

The table below lists the variables, and their corresponding values, that are specific to the STS Agent service.

Variable          Test value                                              Production value
sts_identity_url  https://identity.kmd.dk/adfs/oauth2/token/              https://identity.kmd.dk/adfs/oauth2/token/
sts_issuer        b2clogin.com                                            b2clogin.com
sts_scope         urn:sts-bridge-api.test/Access                          urn:sts-bridge-api.prod/Access
sts_base_url      https://kmd-stsbridge-test2-webapp.azurewebsites.net/   https://kmd-stsbridge-prod2-webapp.azurewebsites.net/
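The following is an added example, not part of the WorkZone documentation or product: it assembles the STS Bridge token request from the variable table above and the customer-specific secret keys from the previous section, and checks the returned token's claims against the configured issuer and scope before the token is used. The OAuth2 client-credentials form fields, the claim names (iss, scp, exp) and the environment names "test" and "prod" are assumptions; no network call is made.

```python
import time
from urllib.parse import urlencode

# Values copied from the Helm chart variable table, keyed by environment.
STS_VARIABLES = {
    "test": {
        "sts_identity_url": "https://identity.kmd.dk/adfs/oauth2/token/",
        "sts_issuer": "b2clogin.com",
        "sts_scope": "urn:sts-bridge-api.test/Access",
        "sts_base_url": "https://kmd-stsbridge-test2-webapp.azurewebsites.net/",
    },
    "prod": {
        "sts_identity_url": "https://identity.kmd.dk/adfs/oauth2/token/",
        "sts_issuer": "b2clogin.com",
        "sts_scope": "urn:sts-bridge-api.prod/Access",
        "sts_base_url": "https://kmd-stsbridge-prod2-webapp.azurewebsites.net/",
    },
}


def build_token_request(env, secrets):
    """Return (url, form_body) for a client-credentials token request.
    `secrets` maps the key-vault secret keys from the page to their values.
    Standard OAuth2 form field names are assumed for the ADFS endpoint."""
    cfg = STS_VARIABLES[env]
    client_id = secrets.get("WORKZONE-KOMSERVICE-STSBRIDGE-CLIENTID", "")
    client_secret = secrets.get("WORKZONE-KOMSERVICE-STSBRIDGE-CLIENTSECRET", "")
    if not client_id or not client_secret:
        # Fail early: a missing secret should never reach the token endpoint.
        raise ValueError("STS Bridge client id/secret missing from key vault")
    if not cfg["sts_identity_url"].startswith("https://"):
        raise ValueError("token endpoint must use HTTPS; the secret is sent in the body")
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": cfg["sts_scope"],
    })
    return cfg["sts_identity_url"], body


def token_claims_ok(claims, env, now=None):
    """Reject a token whose issuer, scope or lifetime does not match the
    deployment, e.g. a test-scope token presented to production."""
    cfg = STS_VARIABLES[env]
    now = time.time() if now is None else now
    issuer_ok = cfg["sts_issuer"] in claims.get("iss", "")
    scope_ok = cfg["sts_scope"] in claims.get("scp", "").split()
    not_expired = claims.get("exp", 0) > now
    return issuer_ok and scope_ok and not_expired
```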

Configure CVR number (Customer)

You need to set up the CVR number of the specific municipality in WorkZone Configurator:

  1. In WorkZone Configurator, go to Organization > System owner.

  2. Enter the CVR number of the specific municipality and the corresponding municipality code.

See System owner.

Required endpoint access (Hosting partner)

The following endpoints must be reachable from the deployment environment so that the service can access the external services:

  • https://identity.kmd.dk/adfs/oauth2/token

  • https://kmd-stsbridge-prod2-webapp.azurewebsites.net - (Production environment)

  • https://kmd-stsbridge-test1-webapp.azurewebsites.net - (Test environment)