BI Office. Web Authentication Model Guide Version 6

Similar documents
Webthority can provide single sign-on to web applications using one of the following authentication methods:

with Access Manager 51.1 What is Supported in This Release?

TIBCO LiveView Web Getting Started Guide

SAML-Based SSO Solution

Single Sign-On Showdown

Cloud Help for Community Managers...3. Release Notes System Requirements Administering Jive for Office... 6

Microsoft OWA 2007 IIS Integration

How to Configure Authentication and Access Control (AAA)

8.0 Help for Community Managers Release Notes System Requirements Administering Jive for Office... 6

BI Office. Kerberos and Delegation Version 6.5

AD FS v3. Deployment Guide

Click Studios. Passwordstate. Remote Session Launcher. Installation Instructions

Minimum requirements for Portal (on-premise version):

Phase I. Initialization. Research. Code Review. Troubleshooting. Login.aspx. M3THOD, LLC Project Documentation

Microsoft OWA 2013 IIS Integration

Table of Contents. Installing the AD FS Running the PowerShell Script 16. Troubleshooting log in issues 19

VMware Identity Manager Connector Installation and Configuration (Legacy Mode)

TTerm Connect Installation Guide

BUSINESS DEVELOPMENT SUITE MOBILE INSTALLATION GUIDE. Version 14R2

Kyubit Business Intelligence Installation and administration Kyubit, All rights reserved.

.NET SAML Consumer Value-Added (VAM) Deployment Guide

Clientless SSL VPN Remote Users

Microsoft Windows Server 2003 or Microsoft Windows Server 2008 Windows SharePoint Services 3.0 or Microsoft Office SharePoint Server 2007

ArcGIS Enterprise Administration

Setting Up Resources in VMware Identity Manager (SaaS) Modified 15 SEP 2017 VMware Identity Manager

Deploying VMware Identity Manager in the DMZ. JULY 2018 VMware Identity Manager 3.2

Sophos UTM Web Application Firewall For: Microsoft Exchange Services

How to Configure SSL VPN Portal for Forcepoint NGFW TECHNICAL DOCUMENT

Setup Guide for AD FS 3.0 on the Apprenda Platform

integreat4tfs Installation Guide

Early Data Analyzer Web User Guide

CONFIGURING SQL SERVER 2008 REPORTING SERVICES FOR REDHORSE CRM

Report Exec Dispatch System Specifications

VII. Corente Services SSL Client

Click Studios. Passwordstate. Installation Instructions

TIBCO LiveView Web Getting Started Guide

Guide to Deploying NetScaler as an Active Directory Federation Services Proxy

Microsoft Unified Access Gateway 2010

V4.1. CtxUniverse INSTALLATION GUIDE BY ADRIAN TURCAS. INFRALOGIC INC. #412c-1255 Phillips Square, H3B 3G1 MONTREAL, CANADA

Colectica Workflow Deployment

Identity Provider for SAP Single Sign-On and SAP Identity Management

Five9 Plus Adapter for Agent Desktop Toolkit

Kerio VPN Client. User Guide. Kerio Technologies

New World ERP-eSuite

GroupWise Architecture and Best Practices. WebAccess. Kiran Palagiri Team Lead GroupWise WebAccess

Cloud Access Manager Configuration Guide

Installing and Configuring VMware Identity Manager Connector (Windows) OCT 2018 VMware Identity Manager VMware Identity Manager 3.

BI Office. Release Notes 6.40

Sage 200c Professional. System Requirements and Prerequisites

Sage 200c Professional. System Requirements and Prerequisites

January 12, Prepared by Dina Borisov, Product manager Jetro Platforms. All rights reserved.

Integrating IBM Security Privileged Identity Manager with ObserveIT Enterprise Session Recording

Windows Authentication for Velocity Web service Client

Setting Up Resources in VMware Identity Manager (On Premises) Modified on 30 AUG 2017 VMware AirWatch 9.1.1

Installation and Upgrade Guide. Front Office v9.0

Office 365 and Azure Active Directory Identities In-depth

Version Installation Guide. 1 Bocada Installation Guide

CaseMap Server Installation Guide

CONFIGURING AD FS AS A THIRD-PARTY IDP IN VMWARE IDENTITY MANAGER: VMWARE WORKSPACE ONE OPERATIONAL TUTORIAL VMware Workspace ONE

SAML-Based SSO Solution

Workspace ONE UEM Certificate Authentication for EAS with ADCS. VMware Workspace ONE UEM 1902

CA SiteMinder Federation

NotifySCM Integration Overview

Module 3 Remote Desktop Gateway Estimated Time: 90 minutes

Authlogics Forefront TMG and UAG Agent Integration Guide

Load Balancing VMware Workspace Portal/Identity Manager

VMware Identity Manager Cloud Deployment. Modified on 01 OCT 2017 VMware Identity Manager

VMware Identity Manager Cloud Deployment. DEC 2017 VMware AirWatch 9.2 VMware Identity Manager

Deploying VMware Identity Manager in the DMZ. SEPT 2018 VMware Identity Manager 3.3

IBM InfoSphere Information Server Single Sign-On (SSO) by using SAML 2.0 and Tivoli Federated Identity Manager (TFIM)

Novell Access Manager

Okta Integration Guide for Web Access Management with F5 BIG-IP

VMware Enterprise Systems Connector Installation and Configuration. JULY 2018 VMware Identity Manager 3.2 VMware Identity Manager VMware AirWatch 9.

Pyramid 2018 Kerberos Guide Guidelines and best practices for how deploy Pyramid 2018 with Kerberos

UC for Enterprise (UCE) NEC Centralized Authentication Service (NEC CAS)

Important notice regarding accounts used for installation and configuration

WhosOn server help

Hypersocket SSO. Lee Painter HYPERSOCKET LIMITED Unit 1, Vision Business Centre, Firth Way, Nottingham, NG6 8GF, United Kingdom. Getting Started Guide

EMS FOR MICROSOFT OUTLOOK Installation Guide

Installation Guide for 3.1.x

Citrix XenApp / XenDesktop Setup Procedure For Q-Tel Workstation

Qualys SAML 2.0 Single Sign-On (SSO) Technical Brief

CYAN SECURE WEB Installing on Windows

Blue Coat Security First Steps. Solution for Integrating Authentication using IWA BCAAA

Clientless SSL VPN End User Set-up

Two factor authentication for Microsoft Remote Desktop Web Access

Identity Policies. Identity Policy Overview. Establishing User Identity through Active Authentication


ADFS integration with Ibistic Commerce Platform A walkthrough of the feature and basic configuration

Getting Started with. Management Portal. Version

Installing and Configuring vcloud Connector

vfire Officer App Server Installation Guide Version 1.3

Authentication via Active Directory and LDAP

This guide details the deployment and initial configuration necessary to maximize the value of JetAdvantage Insights.

ReportPlus Embedded Web SDK Guide

D9.2.2 AD FS via SAML2

Sage 200c Professional. System Requirements and Prerequisites

Installation Guide. Mobile Print for Business version 1.0. July 2014 Issue 1.0

Vodafone Secure Device Manager Administration User Guide

Microsoft IIS version 6 Integration

Transcription:

Web Authentication Model Guide Version 6 Copyright Pyramid Analytics 2010-2016

Contents 1. Web Authentication Model Overview... 3 A. Basic Authentication Models... 3 B. Windows Authentication Models... 4 C. Forms Authentication Models... 4 2. How Federated Forms Work... 5 D. Enabling Federated Forms Authentication... 5 E. Implementing Federated Forms Security... 6 3. Considerations for Load Balancers... 6 F. Persisting Cookies... 7 G. Processing SSL on Load Balancers with Federated Forms... 7 4. Installing Multiple Web Sites... 8 5. Manual Steps for Adding a Secondary Web Site... 8 2 Pyramid Analytics BI Office Version 6 Web Authentication Model Guide

1. Web Authentication Model Overview Basic Authentication Windows Authentication Forms Authentication (which comes in 2 variations: Direct and Federated ) A. Basic Authentication Models The user is prompted to enter credentials when they browse to the BI Office URL address. The credential prompt is supplied by Windows IIS and is authenticated against the local OS security or the Active Directory (see figure 1 below). The resulting security token, returned to IIS, is then passed on from the web application to BI office which in turn uses is directly against cube data sources without any further translation. The user name and password are passed from the client web browser to the server in clear text so Basic Authentication models are usually deployed with SSL certificates to encrypt the data packets across the network. Basic Authentication works through firewalls (ports 80 or 443) and universally works on all browsers on both PC s and MAC s. It s a mature, efficient and incredibly fast authentication method and is highly recommended for extranet deployments. In the figure 1 example below, the users could be authenticated using an EXTERNAL Active Directory sitting in a DMZ. Often, this is convenient when trying to keep external end users separate from internal users. Figure 1 Basic and Windows Authentication 3 Pyramid Analytics BI Office Version 6 Web Authentication Model Guide

B. Windows Authentication Models Windows Authentication provides a single sign on model for users of PC s connecting to the BI Office application. The user is NOT prompted when they browse to the BI Office URL address; instead their workstation credentials are used to authenticate against the website automatically. Like Basic, the authentication is handled by Windows IIS and is credentialed against the local OS secu rity or the Active Directory (as per figure 1 above). The resulting security token can be used directly against cube data sources without any further translation. Windows Authentication generally does NOT work through firewalls and only works on Internet Explorer, Firefox and Chrome browsers on PC s only. Because of these limitations, it is used in limited circumstances. It s a mature, efficient and incredibly fast authentication method and is only recommended for intranet deployments. In the figure 1 example above, the users could be authenticated using an INTERNAL Active Directory sitting in a DMZ or any other network segment. Apart from the need to manually login, Windows Authentication acts very similarly to Basic Authentication. C. Forms Authentication Models Unlike Windows and Basic Authentication, Forms authentication provides a customized entry point for users to websites and web applications that are not inherently managed by IIS. Typically, the user is forwarded to a login page where they are prompted to enter credentials. The credential prompt is supplied by the application itself and is authenticated inside client defined code. The authentication can be against any type of credentialing engine selected by the developers - including against an Active Directory or SQL Server data store. The resulting forms security token is used by the custom application but is CANNOT be used directly against cube data sources and therefore usually requires some type of translation. Further, the user name and password are passed fro m the client web browser to the server in clear text so Forms Authentication models are usually deployed with SSL certificates to encrypt the data packets across the network. Forms Authentication works through firewalls and universally works on all browsers on both PC s and MAC s. Because it provides for customized authentication frameworks, it is often used when an Active Directory cannot be used directly (or at all). Since forms authentication, is by definition, a customized application, there are numerous techniques and technologies that can be demonstrated. To make sure BI Office facilitates as many of these variations, the application provides 2 methods for Forms Authentication. A simple, in-built forms authentication model called Direct Forms and more complex model for interfacing with existing forms solutions called Federated Forms. Direct Forms if deployed, users are redirected to an in-built BI Office login page where users can enter their details. The authentication is applied directly against the Active Directory itself. To consume direct forms, users are simply redirected to the login.aspx page in the BI Office Application, where they must login before proceeding. Federated Forms is an automated mechanism for clients to redirect users from an alternative login framework to the BI Office Suite. In doing so, clients provide the impersonated Windows account that will be used for the given user. BI Office in turn provides a framework for the end user to auto-login into its application, delivering a virtual single-sign-on facility. Forms Authentication can be deployed by selecting Forms Authentication during the installation of the BI Office application. Use of federated forms, however, also requires clients to add new code to their custom forms login process. The code provides a conduit for BI Office to issue a browser based cookie with encrypted tokens that will allow the user s browser session to use the application without further prompt. Figure 2 below illustrates an example of federated forms authentication. 5 4 Pyramid Analytics BI Office Version 6 Web Authentication Model Guide

2. How Federated Forms Work Use the BI Office federated forms authentication solution when you want to enable users from outside of a domain to use BI Office web application without creating a unique Active Directory user for each user; or when you have an external users database that you want to authenticate against instead of using the Active Directory authentication. The solution requires very minimal development to integrate in to your own authentication process (see next section). Figure 2 Federated Forms Flow D. Enabling Federated Forms Authentication 1) The user logins into your application with your custom credentials. 2) Your forms will check the user against your user store (in this case a SQL database). 3) If the credentials pass, the system returns a mapped Active Directory user account proxy that will be impersonated for the original user account. a) You will need to map each external user account to an internal AD user account proxy. The proxy is used to authenticate against SSAS for querying, metadata and accessing BI Office content. b) In its simplest form, all users can be mapped using a single account effectively exposing cubes without security. At the other extreme, each external account can be mapped one-to-one with a proxy account to deploy fully secured cubes. And anything in between. 4) Your forms code then connects to the BI Office Service to generate the security token and cookie. (See next section for details on this coding exercise). The cookie generation requires user proxy details: a) Username b) Password c) Domain d) Cookie domain 5) The BI Office Service returns the encrypted cookie 6) The cookie is added to the end user s browser session cookie collection 7) When the user browses to the BI Office entry page, the cookie is retrieved and checked for a security token. If the token is missing, they are redirected to the base login page provided during product installation. 8) BI Office will now use the credentials in the cookie to query the system. 5 Pyramid Analytics BI Office Version 6 Web Authentication Model Guide

E. Implementing Federated Forms Security The installation of the BI Office federated forms solution involves using the BI Office Web Services. The Web Services are installed with the BI Office. Use the following code snippet in conjunction with the explanation below: 1 var binding = new BasicHttpBinding(BasicHttpSecurityMode.TransportCredentialOnly); 2 if (ishttps) binding.security.mode = BasicHttpSecurityMode.Transport; 3 binding.security.transport.clientcredentialtype = HttpClientCredentialType.Basic; 4 var url = "http://subdomain.mydomain.com/admin/extservices/pyramidservice.svc"; 5 var proxy = new PyramidServiceClient(binding, new EndpointAddress(url)); 6 proxy.clientcredentials.username.username = @"Domain\User"; 7 proxy.clientcredentials.username.password = "Password"; 8 var cookie = proxy.getcookie(userdomain, username, userpassword, webdomain,-1,customdata); 9 Response.Cookies.Add(cookie); 10 Response.Redirect("mypage.aspx", false); 1) Adding the External web services service reference to your "Visual Studio" forms project a) The external services are under the [Pyramid Website]/admin/ExtServices/PyramidService.svc b) In your code, add the following lines of code, once the user has been authenticated. You may also need to scope the external service reference in your code page (with using ). 2) Set up service BasicHttpBinding (lines 1 to 3) a) For HTTPS use : BasicHttpSecurityMode.Transport b) For HTTP use: BasicHttpSecurityMode.TransportCredentialOnly 3) Connect to BI Office services using the service URL../admin/ExtServices/PyramidService.svc (lines 4 and 5) 4) Provide credentials for an Active Directory account to connect to the service. The account must be a user that can login into the system. It is DOES NOT have to be the account that will be used for querying the cubes. (lines 6 and 7) 5) Next we generate the security token for a given user. The response is a cookie which must be added to the user s cookie collection. (line 8) a) To avoid cross-domain issues, the cookie must be added to the same web domain that houses both the main client application and the BI Office application. b) The function call requires the following details of the user that will be impersonated: domain, username and password. The prevailing web domain is also required. Currently, the expiration value is ignored, and should be set to -1. c) If the application is licensed for anonymous viewers the optional customdata field can be set to provide access to custom data switches in the data model queries and security settings. 6) Now add the cookie to the user's session and then redirect the forms as normal to the appropriate landing page. If using red irect, use the false flag to ensure the cookie is written to the user s browser. (lines 9 and 10) 3. Considerations for Load Balancers Load Balancers introduce more complexity to the web authentication setup. Below are some implementation guidelines There are few headaches for Basic and Windows Authentication - since most systems are able to bounce authentication tokens between web servers. o o Forms authentication relies on encrypted cookies which pose a challenge in certain load balanced web farms. If using either forms model (direct or federated), developers will typically need to persist cookies on the client, to ensure the cookie is able to move from one web server node to the next as the load balancers spread the web requests across multiple servers. This problem becomes even more acute if administrators have chosen to offload SSL processing from the web servers to the load balancing framework. This step can often be avoided if administrators have an alternative strategy for persistence implemented on the load balancing framework. (Techniques for persisting cookies is presented below). If cookies are persisted, developers should provide a mechanism for users to logout of the application. In doing so, they can then manually delete all persisted cookies maintaining authentication integrity. This is not an issue if cookies are NOT persisted (the default setting in the BI Office framework). 6 Pyramid Analytics BI Office Version 6 Web Authentication Model Guide

F. Persisting Cookies Direct Forms In the BI Office web.config file, set the value property for FormsPersistence to a value above 0. This is the amount of time to persist the cookie, in seconds. Federated Forms Add the following line of code after line 8 in the code snippet above (persisting the cookie by x minutes) cookie.expires = DateTime.Now.AddMinutes(x); G. Processing SSL on Load Balancers with Federated Forms This model is somewhat complex, as the external facing websites are processed via SSL / HTTPS, while the internal web framework continues to operate under HTTP. Since federated forms require a connection to BI Office s external services, there are several considerations to be made here: If the external forms application is OUTSIDE of the BI Office load balanced framework, the web service address supplied in line 4 above can, in most situations, continue to be addressed to an HTTPS address. If the external forms application is INSIDE the same framework as the BI Office application, we recommend setting up an internal URL address for the service that uses HTTP. This will prevent the call from leaving the framework, and re-entering via the HTTPS URL on the load balancers. In this scenario, the BI Office external services framework is addressed by the forms application without going through the load balancers. 7 Pyramid Analytics BI Office Version 6 Web Authentication Model Guide

4. Installing Multiple Web Sites The new BI Office has the ability to use multiple websites, each implementing its own authentication method. For example you can use one internal site with windows authentication and one external with basic or federated forms authentication. The following explains how to install multiple websites: Install BI Office Version 5, single or multi, for help with the installation you can go to Install guide, it has a detailed explanation for all the possible ways to install BI Office. When running a multi installation, make sure to install Web Site is on two different servers. Connect both sites to the same database. Following these steps will allow you to have multiple websites. 5. Manual Steps for Adding a Secondary Web Site 1) Create a copy of the website source folder (C:\Program Files\Pyramid Analytics\BI Office 5\websites\paBio and pabioadmin). 2) Manually create another web site in IIS referencing it to the copied folders C:\Program Files\Pyramid Analytics\BI Office 5\websites\pabio\ > for Client, and C:\Program Files\Pyramid Analytics\BI Office 5\websites\pabioAdmin\ > for Admin. 3) Set the appropriate authentication method for the new website in IIS (For an explanation on how to configure for each authentication type, go to Installation Guide > Authentication Issues. 4) Add DNS reference to the web site, or add it to the host file. 5) Go to BI Office Admin console > Click on Servers tab and then Add New Web Site. a) Select Service Type > Client or Admin. Fill the Required fields b) You will need to repeat the process twice, once for Client and once for Admin. c) Copy the Instance Name for the next step (See image below). 6) Then go to C:\Program Files\Pyramid Analytics\BI Office 5\websites\. Paste the copied Instance Name to the ServiceName value inside Web.config. 8 Pyramid Analytics BI Office Version 6 Web Authentication Model Guide

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback