STS Consumer service
In Danish municipalities, the organizational structure, including organizational units (OU) and their hierarchy, as well as employee information (such as name, phone, email), is managed in the supporting system named Fælleskommunalt Organisationssystem. WorkZone uses the data from Organisationssystem to maintain organizational and employee data in WorkZone. The STS Consumer service is a WorkZone integration that retrieves data from Organisationssystem via a KMD service called STS-Bridge and creates or updates OUs and the OU hierarchy in WorkZone. The integration does not include maintenance of employee data.
The integration consists of a cron job that runs every 24 hours and performs two key operations:
- Retrieves organizational units (OU) from STS-Bridge, including their parent-child relationships, and updates the SourceOU table in the WorkZone database.
- Retrieves employees' organizational unit details from STS-Bridge and updates the SourceEmployee table in the WorkZone database accordingly.
Multitenant app registration
- Follow steps 1 and 2 in Set up third-party integrations in Azure.
- Give your application a meaningful name, as it will be linked to a system user in WorkZone (see step 7).
- Make sure to note the Directory (Tenant) ID, Application (Client) ID and Client Secret from the previous step.
- Go to Entra ID > App Registration and select your app.
- Click the app name/link next to Managed Application in local directory.
- Copy the Object ID (Enterprise Application Object ID) and note it down for later use.
- Update the WorkZone system user in the database with the corresponding Object ID using the following command:

```sql
update users set oid='{Object ID}' where user_name ='STSORGUSER';
```
Adding secrets
You need to create secrets using the values that you noted down in step 3 of the Multitenant app registration process. The secrets must be assigned to a predefined secret key. Below is the mapping of secret keys to their corresponding required values:
| Secret key | Secret value |
|---|---|
| WORKZONE-AZURE-SYS-TENANTID | The Directory (Tenant) ID corresponding to the STS Consumer service, see Multitenant app registration (step 3). |
| WORKZONE-AZURE-SYS-STSORGUSER-CLIENTID | The Application (Client) ID for the STS Consumer service, see Multitenant app registration (step 3). |
| WORKZONE-AZURE-SYS-STSORGUSER-CLIENTSECRET | The Client Secret for the STS Consumer service, see Multitenant app registration (step 3). |
Customer specific secrets (azure-aks-key-vault)
The STS Consumer service requires access to external services for synchronizing organizational units and employees' organizational units. The necessary access information is customer-specific and must be provided by the customer. The customer needs to provide a Client ID and a Client Secret to access STS-Bridge. The Client ID and Client Secret must be assigned to the following predefined secret keys:
- WORKZONE-KOMSERVICE-STSBRIDGE-CLIENTID
- WORKZONE-KOMSERVICE-STSBRIDGE-CLIENTSECRET
Environment variables and Helm chart variables
The table below lists the variables and corresponding values that are specific to the STS Consumer service.
| Variable | Test value | Production value |
|---|---|---|
| sts_identity_url | https://identity.kmd.dk/adfs/oauth2/token/ | https://identity.kmd.dk/adfs/oauth2/token/ |
| sts_issuer | b2clogin.com | b2clogin.com |
| sts_scope | urn:sts-bridge-api.test/Access | urn:sts-bridge-api.prod/Access |
| sts_base_url | https://kmd-stsbridge-test2-webapp.azurewebsites.net/ | https://kmd-stsbridge-prod2-webapp.azurewebsites.net/ |
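The secret keys and Helm variables above are easy to mix up between the test and production environments, or to leak a secret into a plain value. The following pre-deployment check is an added example, not WorkZone's or KMD's code; the key names and values come from the tables on this page, and the sample secret values are constructed placeholders.

```python
"""Pre-deployment consistency check for the STS Consumer configuration.
Added example, not WorkZone's or KMD's code; key names and values come from
the tables on this page, sample secret values are constructed placeholders."""
from urllib.parse import urlparse

REQUIRED_SECRETS = (
    "WORKZONE-AZURE-SYS-TENANTID",
    "WORKZONE-AZURE-SYS-STSORGUSER-CLIENTID",
    "WORKZONE-AZURE-SYS-STSORGUSER-CLIENTSECRET",
    "WORKZONE-KOMSERVICE-STSBRIDGE-CLIENTID",
    "WORKZONE-KOMSERVICE-STSBRIDGE-CLIENTSECRET",
)
REQUIRED_VARS = ("sts_identity_url", "sts_issuer", "sts_scope", "sts_base_url")
IDENTITY_URL = "https://identity.kmd.dk/adfs/oauth2/token/"
# sts_scope and sts_base_url must belong to the same environment.
ENVIRONMENTS = {
    "test": ("urn:sts-bridge-api.test/Access",
             "https://kmd-stsbridge-test2-webapp.azurewebsites.net/"),
    "prod": ("urn:sts-bridge-api.prod/Access",
             "https://kmd-stsbridge-prod2-webapp.azurewebsites.net/"),
}

def validate(env, variables, secrets):
    """Return a list of findings; an empty list means the config is consistent."""
    findings = [f"secret {k} is missing or empty" for k in REQUIRED_SECRETS if not secrets.get(k)]
    findings += [f"variable {v} is missing or empty" for v in REQUIRED_VARS if not variables.get(v)]
    # A client secret must never be copied into a plain Helm value.
    findings += [f"variable {n} holds a secret value"
                 for n, val in variables.items() if val and val in secrets.values()]
    # Token and API endpoints must use TLS.
    findings += [f"variable {n} is not https" for n in ("sts_identity_url", "sts_base_url")
                 if variables.get(n) and urlparse(variables[n]).scheme != "https"]
    if variables.get("sts_identity_url") != IDENTITY_URL:
        findings.append("sts_identity_url is not the KMD token endpoint")
    scope, base_url = ENVIRONMENTS[env]
    if variables.get("sts_scope") != scope:
        findings.append(f"sts_scope does not match the {env} environment")
    if variables.get("sts_base_url") != base_url:
        findings.append(f"sts_base_url does not match the {env} environment")
    return findings

# Constructed sample: Helm values for the test environment plus placeholder secrets.
SAMPLE_VARIABLES = {
    "sts_identity_url": IDENTITY_URL,
    "sts_issuer": "b2clogin.com",
    "sts_scope": "urn:sts-bridge-api.test/Access",
    "sts_base_url": "https://kmd-stsbridge-test2-webapp.azurewebsites.net/",
}
SAMPLE_SECRETS = {k: f"placeholder-{k}" for k in REQUIRED_SECRETS}
```

Run `validate("prod", ...)` against values copied from a test deployment and both the scope and base URL mismatches are reported before the cron job ever requests a token.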
Configure CVR number
You need to set up the CVR number of the specific municipality in WorkZone Configurator:
- In WorkZone Configurator, go to Organization > System owner.
- Enter the CVR number of the specific municipality and the corresponding municipality code.

See System owner.
Required endpoint access
The following endpoints must be accessible from the deployment environment to access external services:
- https://identity.kmd.dk/adfs/oauth2/token
- https://kmd-stsbridge-prod2-webapp.azurewebsites.net (Production environment)
- https://kmd-stsbridge-test1-webapp.azurewebsites.net (Test environment)