External Authentication

In external authentication, a sign-in page is presented to users, who then type a user ID and password. The WebFOCUS Client passes these credentials to the WebFOCUS Server, which in turn validates them with an external source, such as Active Directory, LDAP directories, information in a custom RDBMS table, and web services. Users are authenticated externally both when they access the WebFOCUS Client, and when they access the Server browser interface directly.

Note: WebFOCUS does not currently support user password change through the WebFOCUS Server. Clear the Enable Password Change check box, located on the Advanced page of the Security tab, when configuring external authentication.

Understanding Active Directory and LDAP Authentication

WebFOCUS can authenticate users to Active Directory and to LDAP directories by authenticating users to the WebFOCUS Server, and then using the WebFOCUS Server LDAP security provider to validate user credentials to the external directory.

Optionally, WebFOCUS can update the user account information in the WebFOCUS Repository with the email and description from the external directory.

Procedure: How to Configure Active Directory and LDAP Authentication

Before you begin, complete the prerequisites for External Authentication. For more information, see Configuring Pre-Authentication, External Authentication or External Authorization.

We also recommend that you use the Export command to save backup copies of the Security Settings configuration files before making changes to the Authentication page.

  1. On the WebFOCUS Server, configure LDAP as the primary security provider and PTH as a secondary security provider.
  2. Sign in as an administrator, and open the Administration Console.
  3. In the Administration Console, on the Security tab, under the Security Configuration folder, click External.
  4. Select the Enable External Security check box.

    The External page displays the settings currently assigned to the WebFOCUS Reporting Server.

  5. Type pth\srvadmin in the Server Administrator ID field.
  6. Type the password assigned to the Security User in the Password field.

    The password for this account is pre-configured during the installation process to be the same as the password you supplied for the original administrator account.

  7. Click Connect.

    When the confirmation dialog box opens, click OK.

  8. In the User Authorization Group, click the Internal option.
  9. In the Account Creation on Sign In list, click Off.
  10. To update WebFOCUS accounts with the AD or LDAP user description and email during authentication, select the Synchronize User Information with Authentication Provider check box.
    1. To retrieve updated user description and email information from the authentication provider, accept the default selection of the option, With Authentication Provider.
    2. To retrieve updated user description and email information from the authorization provider, click the option, With Authorization Provider.

    When your updates are complete, your page will resemble the following image.

    The External Security page configured for LDAP authentication.
  11. In the Administration Console Menu bar, click Close.
  12. In the Security Configuration section, click Save.
  13. When you receive the confirmation message, click OK.
  14. When you receive the message to reload the web application, click OK.
  15. Sign out of your current session.
  16. Stop and restart the WebFOCUS Reporting Server.
  17. Sign in as an administrator, and test the new configuration.

Configuring Authentication by Information in an RDBMS Table

WebFOCUS can authenticate users against data in an RDBMS table by using a CUSTOM security provider on the WebFOCUS Server. The CUSTOM provider uses a custom FOCUS procedure to perform the authentication. It is recommended that you store a hash of the user password in the RDBMS table and calculate the hash in your custom FOCUS procedure at run time before making the authentication comparison.

Optionally, user account information in the Repository can be updated with the email and description from the database.
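The store-a-hash-and-compare pattern recommended above, as an added Python illustration; it is not FOCUS procedure code and not part of the WebFOCUS product. The table name `wf_users`, its columns, the per-user salt, and the choice of PBKDF2-HMAC-SHA256 with 600,000 iterations are assumptions made for this example, and the sample user is constructed.

```python
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256

def hash_password(password: str, salt: bytes) -> bytes:
    """Derive the value stored in the table from the password and a per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

def create_user(db, user_id, password, email, description):
    """Store only the salt and the derived hash, never the password itself."""
    salt = os.urandom(16)
    db.execute("INSERT INTO wf_users VALUES (?, ?, ?, ?, ?)",
               (user_id, salt, hash_password(password, salt), email, description))

# Dummy record so an unknown user ID costs the same hashing work as a known one.
_DUMMY_SALT = b"\x00" * 16
_DUMMY_HASH = hash_password("not-a-real-password", _DUMMY_SALT)

def authenticate(db, user_id, password):
    """Return (email, description) on success, None on any failure."""
    row = db.execute(  # parameterized query: user input never reaches the SQL text
        "SELECT salt, pw_hash, email, description FROM wf_users WHERE user_id = ?",
        (user_id,)).fetchone()
    salt, stored = (row[0], row[1]) if row else (_DUMMY_SALT, _DUMMY_HASH)
    # Hash the submitted password at run time, then compare in constant time.
    matches = hmac.compare_digest(hash_password(password, salt), stored)
    if row is None or not matches:
        return None
    return row[2], row[3]  # values the synchronize option would copy

def demo_db():
    """Build an in-memory table holding one constructed sample user."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE wf_users (user_id TEXT PRIMARY KEY, salt BLOB, "
               "pw_hash BLOB, email TEXT, description TEXT)")
    create_user(db, "jdoe", "correct horse battery staple",
                "jdoe@example.com", "Constructed sample user")
    return db

if __name__ == "__main__":
    db = demo_db()
    print(authenticate(db, "jdoe", "correct horse battery staple"))
    print(authenticate(db, "jdoe", "wrong"))
    print(authenticate(db, "nobody", "anything"))
```

The email and description returned on success correspond to the fields that the Synchronize User Information with Authentication Provider option copies into the Repository.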

Procedure: How to Configure Authentication by Information in an RDBMS Table

Before you begin, complete the prerequisites for External Authentication. For more information, see Configuring Pre-Authentication, External Authentication or External Authorization.

We also recommend that you use the Export command to save backup copies of the Security Settings configuration files before making changes to the Authentication page.

  1. On the WebFOCUS Server, configure a custom security provider as the primary provider and PTH as a secondary provider.
  2. Sign in as an administrator, and open the Administration Console.
  3. Click the Security tab, and on the Security page, under the Security Configuration folder, click External.
  4. Select the Enable External Security check box.

    The External page displays the settings currently assigned to the WebFOCUS Reporting Server.

  5. Type a WebFOCUS Server Administrator account service user name in the Server Administrator ID field, using the format ProviderName/serviceUserName,

    where:

    ProviderName

    Is the name of the RDBMS.

    serviceUserName

    Is the UserID for the RDBMS.

  6. Type the password assigned to the Security User in the Password field.
  7. Click Connect.

    When the confirmation dialog box opens, click OK.

  8. In the User Authorization Group, click the Internal option.

    If you are using the RDBMS to override other authorization methods, such as AD or LDAP, click the Internal and External option, and click the name of the RDBMS provider that will deliver authorization in the Group provider Override list.

  9. In the Account Creation on Sign In list, click Off.
  10. To update WebFOCUS accounts with the RDBMS user description and email during authentication, select the Synchronize User Information with Authentication Provider check box.

    When your updates are complete, your page will resemble the following image.

    External security settings with the synchronize user authentication option selected.
  11. Sign out of your current session.
  12. Stop and restart the application server.
  13. Sign in again using an RDBMS User ID and Password.

    If you are able to sign in, the external authentication configuration was successful.