Jump to content
  • How to enable Kerberos authentication with the Spotfire® for Apple iPad


    Introduction

    Yes, you CAN configure TIBCO Spotfire® Analytics for Apple iOS to use Single Sign On (SSO) Kerberos authentication! This article walks you through the steps necessary to access Spotfire analytics through the app installed on your iPad or iPhone with a single-sign-on.

    Environment requirements

    • TIBCO Spotfire® Analytics for Apple iOS of latest version.
    • TIBCO Spotfire® Web Player 10.x or higher, configured to use Kerberos with Constrained Delegation.
    • Apple iOS version 10.0 or higher.

    Configuring the iPad/iPhone

    For Spotfire Analytics for Apple iOS to properly negotiate the SSO Kerberos authentication, you must configure your device to use Kerberos. You can accomplish this task by creating and installing a configuration profile. You must edit the configuration profile to fit your environment.

    The configuration profile is contained in an XML file that has the file extension .mobileconfig.  App developers might recognize the profile from the Apple developer documentation.  I have borrowed an example XML file, the contents of which you can find at the bottom of this post.

    1. Copy the XML at the end of this article and save it to a file on your local computer. 
    2. Edit the file, changing the value in the tag as follows:
       
      Key Default String Description
      Name Kerberos Config Required. Change to the name of the configuration.
      PrincipalName test_user Required. Change to the user name to use when logging in.
      Realm GSLAB.LOCAL Required. Change to the domain realm specified when you set up Kerberos on the Web Player service.

      Note Must be upper case.
      GUID (Sample GUID) You do not need to change the GUID field.
      URLPrefixMatches An array of sample URLs Required. Change from the sample URLs to the URL of the Web Player server the TIBCO Spotfire for Apple iPad connects to. You can specify multiple URLs by adding a separate line for each new URL entry. 

      The URL should be the Web Player Server URL. Do not add /SpotfireWeb (or your virtual directory name) to the end of the URL.
      PayloadOrganization ORGANIZATION Required. Change to the name of the organization you want to use.

       
    3. OPTIONAL SETTING. If you want to be able to access Spotfire analytics through the Safari browser on your device, add the following string to the AppIdentifierMatches array.
       com.apple.mobilesafari 
       

      The entire section should read as follows.

           AppIdentifierMatches
           com.tibco.spotfire.SpotfireForIPad
           com.apple.mobilesafari 
       
    4. Save the edited configuration file.
       
    5. Install this edited .mobileconfig profile file on your device. This is most easily done by attaching the sso.mobileconfig file to an e-mail and sending it to an account that the iPad/iPhone user(s) can access. When you tap on the attachment in the email on the device, you are prompted to install the configuration profile.

      Note  If you get an Invalid Profile error when you attempt to install the file, then the file contains a configuration error that you must fix. Confirm that all values your provided are properly filled in and formatted, and that you did not accidentally change, add, or delete any XML tags. 

    6. Open the App and select Add Library if you have not already done so. It does not matter what you specify in the Username and Password fields, because these values are not used when your device authenticates using SSO.
       
    7. To modify or update the profile, follow these steps on the device.
      1. Tap Settings, and then select General.
      2. Scroll down to Profiles
      3. Select this profile and delete it.
      4. After it has been deleted, you can install a new .mobileconfig file with updated configuration settings.

    After you have completed these steps, you should be able to use TIBCO Spotfire® Analytics for iOS to access your Spotfire analytics using Kerberos with Delegation.  A sample sso.mobileconfig file is attached as a file to this article.  It has a .txt extension so it will need to be edited and renamed.

    Sample sso.mobileconfig

          PayloadContent      
            
              PayloadDisplayName
                 SSO Settings
              PayloadType
                 com.apple.sso
              PayloadVersion
                 1
              PayloadUUID
                 9F7C78AC-41F6-4474-8608-1EC41B6551B1
              PayloadIdentifier
                 analytics.spotfire.sso
              Name
                 GSLAB IPAD SSO
              Kerberos
                 
                      PrincipalName
                       test_user
                    Realm
                       GSLAB.LOCAL
                    URLPrefixMatches
                      
                          https://kerbenabledapp.mycompany.com
                          http://nonstandardapp.mycompany.com:16089
                      
                   AppIdentifierMatches
                      
                        com.apple.mobilesafari
                          com.tibco.spotfire.SpotfireForIPad                                      
         
          PayloadDisplayName
             KerberosConfigProfile
          PayloadIdentifier
             local.TEST.ssoconfig
          PayloadOrganization
             ORGANIZATION
          PayloadRemovalDisallowed
             
          PayloadType
             Configuration
          PayloadUUID
             8C7EFCB0-B8C4-40EE-B3F6-CA1A8FZ83I457
          PayloadVersion
             1
     

    sso.mobileconfig.txt

     

     


    User Feedback

    Recommended Comments

    There are no comments to display.


×
×
  • Create New...