IVAAP OSDU Prerequisite Checklist



IVAAP
Prerequisites for OSDU Deployments




IVAAP 2025.1

Checklist

This checklist lists the requirements for configuring an operational IVAAP instance connected to OSDU.

  • DNS
    IVAAP Host name must be properly configured in DNS.
  • HTTPS
    The IVAAP domain needs to have an HTTPS certificate or be otherwise terminated (e.g. load balancer + cloud vendor services). If available on the domain, IVAAP can be configured with a letsencrypt certificate in place of a static certificate from other providers.
  • OpenIDConnect (OIDC) Authentication (see details below)
    OSDU uses an OIDC WebApplication ‘authorization code flow’ compatible with the major cloud vendors and other third-party systems. When connected to OSDU, IVAAP supports only the OpenID Connect (OIDC) code flow; it does not support the OIDC implicit flow. IVAAP also does not support a mixture of authentication protocols. For example, IVAAP-OSDU does not support using OIDC to a Cognito pool of users who use ActiveDirectory / Entra ID.
    • client ID
      can be found in the web console for your Identity Provider System (e.g. Cognito, Azure Active Directory, etc.)
    • client secret
      can be found in the web console for your Identity Provider System (e.g. Cognito, Azure Active Directory, etc.)
    • allowlist IVAAP endpoints
      can be allowlisted in the web console for your Identity Provider System, sometimes under ‘app client settings’
      • v2 callback url: https://<IVAAP_URL>/IVAAPServer/api/v2/callback
      • callback url: https://<IVAAP_URL>/
      • admin signout url: https://<IVAAP_URL>/admin/
      • viewer signout url: https://<IVAAP_URL>/dashboard/standard/ivaap.html
    • scope
      can be found in the web console for your Identity Provider System (e.g. Cognito, Azure Active Directory, Entra ID, etc.). Typically we just need ‘openid’ and ‘email’, but please inform us if there are any additional or different scopes used.
    • OIDC discovery endpoint
      An essential piece of OIDC authentication. It can be found in the OSDU Postman collection for a given platform and is sometimes also called the discovery IP or URL; it returns a JSON response and usually has .well-known as part of its path.
    • list of designated superadmin user(s)
      Required. These users are limited to domain configuration and are unable to use viewers/dashboards. They cannot be the same as the regular domain admins.
    • list of designated admin user(s)
      list of users (sign-in IDs, typically emails) to be classified as Administrators in IVAAP. These users cannot be the same as the super admins.
    • test user details
      a user SLB can use to test authentication / endpoints
    • unique authentication requirements
      We recognize there are some cases where additional HTTP headers are required to successfully call OSDU APIs. If any are required, please describe them to SLB beforehand.
  • Base Url of OSDU Services
    The base URL that is used for all OSDU services. For instance, on AWS the search service is reached at <Base Url>/api/search/v2/query
  • Valid responses from IVAAP Validation Postman collection
    Use the following link to access the IVAAP Validation Postman collection
  • Milestone version of OSDU
    The milestone version of OSDU can be used to determine which OSDU services and features are available and what limitations are present.
  • Data partition Id(s)
    The data partition id(s) are used to isolate OSDU services and data. All access rights are determined by a data partition.
  • Azure Tenant Id(s) (If on Azure/ADME)
    If the discovery URL is generic/common (https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration), the tenant id will be needed because some of the authentication URLs that IVAAP uses require it. For non-generic discovery URLs, the tenant id is part of the discovery URL (https://login.microsoftonline.com/{tenant-id}/v2.0/.well-known/openid-configuration).

Detailed Explanations

OSDU Authentication

OSDU deployments use OpenID Connect (OIDC) authentication, and as such the following requirements must be met.

  • OIDC Client for IVAAP
    • Single Page Application (SPA)
    • Code Grant type Authorization Flow
  • Allowlisted HTTPS callback endpoints
    OIDC requires a valid HTTPS-backed endpoint for authentication callbacks. Therefore, the following child dependencies must be met:
    • domain assigned to a public IP
    • ports 80/443 open (port 80 can be closed after initial setup)
    • a method of terminating HTTPS at this domain
      • valid certificates granted by TLS authorities
      • domain able to get LetsEncrypt certificates
      • wide-open load balancer / reverse proxy in front of the instance that supports HTTPS (e.g. Route53 domain + Acme Certificate Manager cert + Elastic Load Balancer from AWS)
  • OIDC credentials provided from auth provider
    • discovery IP
    • client ID
    • client secret
    • scope
  • <IVAAP_URL> in the sections above refers to the DNS/URL used to access IVAAP from client browsers.
  • Test User Details
    • It’s best if SLB is given access to a test user in the OSDU platform’s identity provider (e.g. Cognito, Azure Active Directory (Entra ID), etc.). The test user must have access to some sample data in order to validate the deployment.
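
A pre-flight check for the OIDC items in the checklist and in the requirements above, as an added example (not SLB or IVAAP code): it builds the four allowlist URLs, decides whether an Azure discovery URL already carries the tenant id, and checks a discovery document for the authorization code flow, HTTPS endpoints and the ‘openid’/‘email’ scopes. The function names, the example.com hosts and the sample discovery document are constructed for illustration.

```python
from urllib.parse import urlparse

# Path suffixes copied from the checklist's allowlist entries.
ALLOWLIST_PATHS = ["/IVAAPServer/api/v2/callback", "/", "/admin/",
                   "/dashboard/standard/ivaap.html"]
AZURE_HOST = "login.microsoftonline.com"
# "common" is the generic case the checklist names; the other two are
# Azure's remaining tenant-independent endpoints.
GENERIC_SEGMENTS = {"common", "organizations", "consumers"}

# Constructed discovery document (placeholder host, not a real provider).
SAMPLE_DOC = {
    "issuer": "https://idp.example.com/",
    "authorization_endpoint": "https://idp.example.com/authorize",
    "token_endpoint": "http://idp.example.com/token",    # not HTTPS
    "response_types_supported": ["id_token", "token"],   # implicit flow only
    "scopes_supported": ["openid", "profile"],           # no "email"
}

def allowlist_urls(ivaap_host):
    """URLs to register with the identity provider for one IVAAP host."""
    return [f"https://{ivaap_host}{path}" for path in ALLOWLIST_PATHS]

def azure_tenant(discovery_url):
    """Return (tenant_id, must_be_supplied_separately)."""
    parts = urlparse(discovery_url)
    if parts.hostname != AZURE_HOST:
        return None, False           # not Azure: no tenant id involved
    first = parts.path.strip("/").split("/")[0]
    if first in GENERIC_SEGMENTS:
        return None, True            # generic URL carries no tenant id
    return first, False

def check_discovery(doc, scopes=("openid", "email")):
    """List the ways a discovery document falls short of the checklist."""
    problems = []
    for key in ("issuer", "authorization_endpoint", "token_endpoint"):
        if urlparse(doc.get(key, "")).scheme != "https":
            problems.append(f"{key} missing or not HTTPS")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow not advertised")
    # scopes_supported is optional in discovery; absence is flagged for review.
    missing = [s for s in scopes if s not in doc.get("scopes_supported", [])]
    if missing:
        problems.append("scopes not advertised: " + ", ".join(missing))
    return problems

if __name__ == "__main__":
    print(allowlist_urls("ivaap.example.com"))
    print(check_discovery(SAMPLE_DOC))
```

An empty list from `check_discovery` means the provider advertises everything the checklist asks for; the redirect allowlist itself still has to be confirmed in the identity provider's console.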

OSDU Services

Each IVAAP OSDU data node uses the following OSDU services:

  • Search
    • Service used to perform metadata searches
      • Used in the IVAAP map search
      • Used to display most of the information in the IVAAP data tree
  • Dataset (AWS, Azure) or File (Azure, GCP, or IBM). Note recent versions have been moving from File to Dataset.
    • Service used to download data files (for example well log LAS files)
    • These data files are used to display the raw data for well logs, trajectories, seismic datasets, etc
      • These data files are used to display the raw data in IVAAP (for example well log curve data)
  • Storage
    • Service used to retrieve the original metadata records
      • Some data is not available in the search results; in these cases the storage service is used to fetch the original metadata
  • Wellbore DDMS
    • Service used to retrieve bulk curve data associated with well logs and well trajectories
  • Seismic DDMS
    • Service used to retrieve seismic traces without needing access to the original seismic file