External authentication with Windows logon user


Chuang Tse Wang

Hi Community,

Recently, I have an A/R to construct a confidential dashboard with Spotfire, but the users don't like to log in again while browsing the library. After some struggle, I found the document about configuring External authentication, but then I can find nothing more about how to do...

What do I need to do if I choose to enable external authentication with the header name REMOTE_USER in the Spotfire server config tool?

Some keywords (HTTP, Request and Header name) appear in the document; is there any scenario or hint for the workaround?


Hello Chuang,

Maybe there are some other easier and better options than External authentication. But this totally depends on "why" you are looking to set it up. May I understand your purpose in implementing External Authentication?

Are your Spotfire dashboards embedded into other external web applications and you are looking for seamless authentication? Or is it just that the users don't want to manually enter the login credentials in the Spotfire clients (Web Player/Analyst)?

thanks,


Anyway, I'll summarise External Authentication.

External auth is generally used when Spotfire dashboards are embedded into external web applications (to avoid logging in 2 times, once for the external website and then into Spotfire). But there are other ways as well that you could evaluate to see if they work for you before moving to External Auth.

Generally, the username supplied from the HTTP header/cookie is passed to the Spotfire server, which then validates it against the user_DB or the LDAP as per the selection on the server. If that specific principal name is a valid one, then it does a successful authentication.

The documentation on external authentication says almost all about what can be done in the Spotfire Configuration Tool.

You enable the cookie or header, restrict the hosts, and pass it to the Spotfire server for logging in; and, if you want, you can code a Custom Authenticator in Java if the out-of-the-box functionality isn't sufficient and for added security.

https://docs.tibco.com/pub/spotfire_server/11.4.1/doc/html/TIB_sfire_server_tsas_adm[…]ication.html?scroll=GUID-0E4154FC-97AE-43D4-8EBF-A9BD9380D83C

https://docs.tibco.com/pub/spotfire_server/11.4.1/doc/html/TIB_sfire_server_and_environment_security/servsecurity/topics/apis_and_extension_points.html

For testing, you can enable external authentication, provide a header name and make a request to Spotfire. Here is a link to a Chrome extension which you may use to test the workflow: https://chrome.google.com/webstore/detail/modheader/idgpnmonknjnojddfkpgkljpfnnfcklj?hl=en

Cookie Manager Firefox extension to test using a Cookie workflow.

https://addons.mozilla.org/en-US/firefox/addon/a-cookie-manager/

Hope this helps.

Hi Tejas,

Thanks for your comprehensive answers.

For low-code design, I choose to offer library browsing with LDAP authentication and grant the role to specific users this time. We've often implemented the Spotfire JS API to embed the library into mvc.asp, but it's too complex to sustain while troubleshooting.

As you explained, EXTERNAL authentication is only suitable for the embedded case. Got it, and I need to persuade my users and teach them how to keep their logon info on their client side. It might be the simplest way to cover this situation.

Best regards,

Chuang Tse.


Hello Chuang,

Thanks for elaborating. A few suggestions that I have for you.

If you have embedded the Spotfire site into some other web application and you want to avoid multiple login events, then you may evaluate some of the options below.

(If authentication is needed for the library/reports, then)

1>>If you have a Kerberized environment throughout your org then ideally it should be a seamless experience. You can set Kerberos auth at the Spotfire server too.

https://docs.tibco.com/pub/spotfire_server/latest/doc/html/TIB_sfire_server_tsas_admin_help/server/topics/kerberos_authentication.html 

2>>Second option would be if you are using OAuth2(OpenID) for authentication and if you have the same Identity Provider on both the apps (external web app and on the Spotfire server) then only logging into the external session should suffice.

https://docs.tibco.com/pub/spotfire_server/latest/doc/html/TIB_sfire_server_tsas_admin_help/server/topics/configuring_openid_connect.html

3>>Third option, you can make use of the "External Authentication" in Spotfire and store the username used to login to the web Portal in a cookie or header and pass it to the Spotfire server to authenticate against Spotfire and get a seamless experience.  

Optional: in the External Auth you may implement the CustomAuthenticator Spotfire Java server API; you can write the logic for more advanced security (custom authentications).

External Authentication :

https://docs.tibco.com/pub/spotfire_server/latest/doc/html/TIB_sfire_server_tsas_admin_help/server/topics/external_authentication.html 

Server API reference:

https://docs.tibco.com/pub/sfire_dev/area/doc/api/TIB_sfire_server_Server_Platform_API_Reference/com/spotfire/server/security/CustomAuthenticator.html 

You may use MOD_Header and Cookie manager browser extensions to test External Auths.

(Optional, however, recommended: You may implement CustomAuthenticator in Java and build a JAR file to deploy the code to the server, if it's required at all, for added security.)

If you decide to code your authenticator:

https://support.tibco.com/s/article/How-to-compile-Java-code-that-uses-the-Spotfire-server-API-com-spotfire-server

4>> You may also implement a "Custom Web Authenticator" if it's required (in case the auth mechanism could not be implemented by any of the built-in options in Spotfire to work seamlessly with your external app) according to your environment.

https://docs.tibco.com/pub/sfire_dev/area/doc/api/TIB_sfire_server_Server_API_Reference/com/spotfire/server/security/CustomWebAuthenticator.html

Note: The 3rd and the 4th options may need a development effort to write Java code to implement the Spotfire Server APIs.

Hope this helps.


Hi Tejas,

Thanks for your guidance omnibearing.

OK, I picked up the Mashup API again and encountered 2 issues.

1. Same site cookie

At the dev Spotfire server

1.1. There is no cookie tag in the configuration XML view tab;

only Firefox works. (Both GetJavaScriptApi.ashx & js-api/loader.js)

"Status not OK. ERROR: Third party cookies must be allowed for domain"

"http://hostname/spotfire/js-api/proxy.html?e816b10"

The above 2 related error messages are shown in the Chrome console.

1.2. With the cookie set to Lax, None or Unset, no browser worked. I got HTTP code 403.

X-XSS-Protection: 1; mode=block

At the prod Spotfire server

1.3. With the cookie set to Lax, all browsers show the login page, but it is not possible to log in.

I got the error message below in the Chrome console while pressing the login button:

Blocked autofocusing on a <input> element in a cross-origin subframe.

and this one when keying in the username & pwd:

Uncaught SyntaxError: "[object Object]" is not valid JSON

  at JSON.parse (<anonymous>)

  at ri (<anonymous>:1301:5555)

2. The logon page is still shown if I add the request & response headers on this embedded webpage. The details:

Server configuration:

External Authentication YES

Declared authentication method NTLM

Type Header

Header name REMOTE_USER

I add the header in C# ASP.NET the traditional way

(code-behind)

      Response.Headers.Add("REMOTE_USER", "xxxxxxx");

      Request.Headers.Add("REMOTE_USER", "xxxxxxxx");

Best Regards,

Chuang Tse.
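
Added example (not part of the original posts and not Spotfire's own code): the header-based flow discussed in this thread, modelled in Python. The username header must be on the request that reaches the server, set by a gateway the server is restricted to, never taken from the browser. The gateway address, function names and usernames are constructed for illustration; only the header name REMOTE_USER comes from the thread.

```python
import ipaddress
from typing import Optional

IDENTITY_HEADER = "REMOTE_USER"  # header name configured in the thread
# Constructed address: the only host allowed to assert an identity.
TRUSTED_GATEWAYS = [ipaddress.ip_network("10.0.5.10/32")]


def _canon(name: str) -> str:
    """Fold case and treat '-' and '_' alike, so Remote-User == REMOTE_USER."""
    return name.replace("-", "_").upper()


def build_upstream_headers(client_headers: dict, session_user: Optional[str]) -> dict:
    """Gateway side: headers to forward on the request sent to the server.

    Any identity header supplied by the browser is dropped; the value comes
    only from the user the gateway itself authenticated.
    """
    forwarded = {k: v for k, v in client_headers.items()
                 if _canon(k) != _canon(IDENTITY_HEADER)}
    if session_user:
        forwarded[IDENTITY_HEADER] = session_user
    return forwarded


def accept_identity(peer_ip: str, headers: dict) -> Optional[str]:
    """Server side: honour the header only when the TCP peer is the gateway."""
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in TRUSTED_GATEWAYS):
        return None
    values = [v for k, v in headers.items()
              if _canon(k) == _canon(IDENTITY_HEADER)]
    # Require exactly one non-empty value; duplicates are ambiguous.
    if len(values) != 1 or not values[0].strip():
        return None
    return values[0].strip()


if __name__ == "__main__":
    # Constructed request: the browser tries to assert its own identity.
    browser = {"Accept": "*/*", "Remote-User": "admin"}
    upstream = build_upstream_headers(browser, session_user="ctwang")
    print(upstream)                                # spoofed value replaced
    print(accept_identity("10.0.5.10", upstream))  # from gateway: accepted
    print(accept_identity("192.0.2.7", browser))   # direct client: rejected
```
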
