Configure OpenId Connect with LDAP user directory


Mallikarjun H


We are currently trying to configure Open Id Connect and use the LDAP user directory instead of the Database.

We wanted to know if this is a workable option to configure.

We also do not have a username claim coming from the Open Id, so we wanted to use the email as the user name claim. We modified the username attribute in the Ldap user directory configuration to use "userPrincipalName" as the attribute.

We updated the domain configuration to Collapse Domains as true, and Parse user and domain name option to false.

However we were not able to get the user login working.

As per the documentation it is preferred to use database as the user directory and select the auto-create option on the post authentication filter. Any specific reason on why it should be Database and not LDAP user directory?

Wanted to know if we are missing something or trying the wrong way. Also, if we want to configure Open Id Connect and use the LDAP user directory instead of the Database, what all configuration changes have to be done?


It is possible to configure OpenId Authentication with LDAP. The LDAP configuration part seems to be okay. Can you enable debug logging on Spotfire and check the server.log; this might provide us some information on why the user cannot login.

Here is an article on how to enable both Forms Authentication along with OpenId, this might be helpful while testing.

https://support.tibco.com/s/article/How-to-enable-forms-authentication-in-addition-to-Web-authentication-OpenID-Connect-in-TIBCO-Spotfire-Server

Also check if you are able to login to Spotfire using the Forms authentication with email id as the username.


  • 3 years later...

I have successfully configured an OpenId vs LDAP with Post-Authentication set to Block.
In the LDAP configuration under Advanced you can see there is an Authentication attribute right below the username attribute.


When a user logs in with a upn or preferred_username claim from the OpenId token (someone.lastname@company.tld) it can be parsed.

For this to work we must make a few changes.

Configuration settings:
Domain settings "Parse user and domain name" must be set to NO

OpenId connect settings under advanced should either have Option 2 or option 3 selected. This will be your domain part.
guess: since you have set the parse user and domain name to No it will parse whatever is filled into username against the username field in the Spotfire System Database.

LDAP Advanced settings must be set with the attribute that can represent the upn or preferred_username (someone.lastname@company.tld), which is usually the userPrincipalName.


This way you can still keep your LDAP set-up.

The username field is the one that will be validated, so you will end up having someone.lastname@company.tld@ParsedOrSetDomainName.

🤓Pro-tip: while at it, make sure your LDAP is set up for ldaps. An easy way to do so is using the keytool command to fetch the SSL certificate from the machine that hosts the certificate.

<spotfire_install_dir\version>\jdk\bin\keytool -printcert -sslserver yourADserver:636 -rfc | <spotfire_install_dir\version>\jdk\bin\keytool -importcert -noprompt -alias <ldapname>-ldaps -keystore "<spotfire_install_dir\version>\tomcat\certs\<yourDomain-ldaps>.jks" -storetype jks -storepass changeit

Other methods

Current versions of Spotfire support SCIM, however, which requires a token for the inbound connection, and you can provision your users this way. This becomes especially handy when you don't have LDAP availability. It solves the issue where an end-user first must sign in before you can add this user to groups. Pre-provisioning like this is oftentimes more desirable.

Another option is to make use of the Custom Post Authentication Filter one can build with Java and create your own login context to match your set-up.

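The keytool pro-tip in the post above pipes whatever certificate the LDAPS port presents straight into the Tomcat trust store with -noprompt. As an added example (not from the original post or from Spotfire), the same import split into steps so the certificate's SHA-256 fingerprint is compared against a value obtained out of band before anything is trusted; SPOTFIRE_HOME standing for <spotfire_install_dir>/<version>, the alias and the keystore name are assumptions.

```sh
#!/bin/sh
# Added example, not part of the original post: import the LDAPS certificate into
# the Spotfire trust store only after its SHA-256 fingerprint matches a value you
# received out of band (e.g. from the AD team), instead of trusting the network.
# Assumed: SPOTFIRE_HOME is <spotfire_install_dir>/<version> and has jdk/bin/keytool.
KEYTOOL="${SPOTFIRE_HOME:-/opt/tibco/tss/current}/jdk/bin/keytool"

# normalize_fp "aa:bb:cc" -> "AABBCC", so colons and case from different tools compare equal
normalize_fp() {
  printf '%s' "$1" | tr -d ':' | tr '[:lower:]' '[:upper:]'
}

# fetch_ldaps_cert HOST PORT OUTFILE : save the certificate(s) the server presents as PEM
fetch_ldaps_cert() {
  "$KEYTOOL" -printcert -sslserver "$1:$2" -rfc > "$3"
}

# cert_sha256 PEMFILE : SHA-256 fingerprint keytool reports for the first (leaf) certificate
cert_sha256() {
  "$KEYTOOL" -printcert -file "$1" | sed -n 's/^[[:space:]]*SHA256:[[:space:]]*//p' | head -n 1
}

# import_pinned_cert PEMFILE EXPECTED_FP ALIAS KEYSTORE STOREPASS
# Imports nothing and returns 1 when the fingerprint does not match the expected one.
import_pinned_cert() {
  actual=$(cert_sha256 "$1")
  if [ "$(normalize_fp "$actual")" != "$(normalize_fp "$2")" ]; then
    echo "refusing to import $1: fingerprint $actual does not match expected $2" >&2
    return 1
  fi
  "$KEYTOOL" -importcert -noprompt -alias "$3" -file "$1" \
    -keystore "$4" -storetype jks -storepass "$5"
}

# Usage (hostnames, alias, keystore name and EXPECTED_SHA256 are placeholders):
#   fetch_ldaps_cert yourADserver 636 /tmp/ad-ldaps.pem
#   import_pinned_cert /tmp/ad-ldaps.pem "$EXPECTED_SHA256" yourDomain-ldaps \
#       "$SPOTFIRE_HOME/tomcat/certs/yourDomain-ldaps.jks" changeit
```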
