Focal Point Banner


As of December 1, 2020, Focal Point is retired and repurposed as a reference repository. We value the wealth of knowledge that's been shared here over the years. You'll continue to have access to this treasure trove of knowledge, for search purposes only. Moving forward, myibi is our community platform to learn, share, and collaborate. We have the same Focal Point forum categories in myibi, so you can continue to have all new conversations there. If you need access to myibi, contact us at myibi@ibi.com and provide your corporate email address, company, and name.


Connect to myibi
Focal Point    Focal Point Forums  Hop To Forum Categories  WebFOCUS/FOCUS Forum on Focal Point     Trusted Authentication with ASP

Read-Only Read-Only Topic
Go
Search
Notify
Tools
Trusted Authentication with ASP
 Login/Join
 
Silver Member
posted
I am trying to implement single sign-on from an ASP application. The users inside the company can log in successfully, the problem is with remote users (outside of our domain). I tried using REMOTE_USER variable, but the remote users do not log in to their systems using our domain credentials. I need to somehow be able to pass the user's domain information from my ASP app to WebFOCUS (getting user's information with my ASP app is not the problem). I am using IIS with Jakarta. The ASP app and WebFOCUS client are on separate Windows boxes.

WebFOCUS version 762.

Hopefully someone has been successful at this approach.

Thanks in advance,
Josh


WebFOCUS 8.0.09
Windows, DB2 iSeries, ODBC
Output: Excel, HTML, PDF, AHTML
 
Posts: 37 | Registered: October 26, 2007Report This Post
Master
posted Hide Post
jelli4908

Security is a very complicated subject because any recommendations may lead to potential overlooked issues, and what may work now may not work later. I would suggest that you contact IB for help, this way they can guide you in the right direction for success.

Tex




Scott

 
Posts: 865 | Registered: May 24, 2004Report This Post
Silver Member
posted Hide Post
The funny thing is that IB asked me to look around the forum while they researched the issue.


WebFOCUS 8.0.09
Windows, DB2 iSeries, ODBC
Output: Excel, HTML, PDF, AHTML
 
Posts: 37 | Registered: October 26, 2007Report This Post
Virtuoso
posted Hide Post
Josh

As Tex said, this is v. complicated.

Do you mean running WebFOCUS with TRUSTED security on Windows? If so this is not supported inbound to a Windows Reporting Server. It may appear to work at times, but doesn't, as I found out Eeker .

There may well be other options open to you, but it does require a lot more information.

Is the information you require in the HTTP HEADER?
Are you using MRE, that may have different issues?
What are you trying to achieve from having the userid and domain?

IB are your best source of info, but you have to be very clear as to what you are trying to achieve to ensure the best solution.


Alan.
WF 7.705/8.007
 
Posts: 1451 | Location: Portugal | Registered: February 07, 2007Report This Post
Silver Member
posted Hide Post
My reporting server is actually DB2 iSeries, not Windows.

The issue is that when my users go to a report (ran through a direct url) they received the windows login prompt screen. The users can enter domain\User and password to access the reports, but most of them do not know how to do this and are not willing to do this every time they run a report. However, the users are logging in to an ASP application that captures their domain login and password. I am hoping there is a some way I can pass this on to WebFOCUS to avoid the login prompt.

I'm not that familiar with the internal processing of ASP and WebFOCUS, so I do not know if the information I require is in the HTTP HEADER. For my internal users I am using the REMOTE_USER variable (which is their domain login), but this is not an option with my remote users as their REMOTE_USER variable is likely their computer user name (like Mark instead of mar1234, which is in Active Directory).

We are not currently using MRE for these users, but it is a possibility in the future.

Thanks for you help!

Josh


WebFOCUS 8.0.09
Windows, DB2 iSeries, ODBC
Output: Excel, HTML, PDF, AHTML
 
Posts: 37 | Registered: October 26, 2007Report This Post
Guru
posted Hide Post
Josh,

If the remote users aren't in the same domain and you are running the reporting server in OPSYS mode, then you will need to decide how to translate the external users into internal users.

When the server is in OPSYS mode it is expecting the user to have an account on the operating system that the reporting server is running on. This will most probably not be the case in your situation. You could create a report user on the Reporting Server and translate that from the external REMOTE_USER value, but if there is no trust between the domains (if you are using Windows) then you may be better off looking at one of the other security modes - LDAP or RDBMS.

If you haven't already you should read through the Security Manual (DN4500790.1107) to get a better idea of how the pieces fit together.

Cheers

Stuart


WebFOCUS 8.2.03 (8.2.06 in testing)
 
Posts: 253 | Location: Melbourne, Australia | Registered: February 07, 2007Report This Post
Silver Member
posted Hide Post
Luckily we are not running the reporting server in OPSYS mode.

I'm assuming when you say that there is no trust between the domains you mean between our company domain and the outside users domain?

What do you guys think about reading a cookie value into the site.wfs file? I'm not sure how the client server security works. When a user navigates to a WebFOCUS url, does site.wfs get read before the server security is checked? If so then maybe I can get the user credentials some way and set the REMOTE_USER variable in the custom settings.

I will look in to LDAP and see if that is an option for us.

Thanks for the suggestion.
Josh


WebFOCUS 8.0.09
Windows, DB2 iSeries, ODBC
Output: Excel, HTML, PDF, AHTML
 
Posts: 37 | Registered: October 26, 2007Report This Post
Virtuoso
posted Hide Post
quote:
Originally posted by jelli4908:
What do you guys think about reading a cookie value into the site.wfs file? I'm not sure how the client server security works. When a user navigates to a WebFOCUS url, does site.wfs get read before the server security is checked? If so then maybe I can get the user credentials some way and set the REMOTE_USER variable in the custom settings.


Probably not the best approach. You cannot affect the value of REMOTE_USER in a positive way in the site.wfs. That is to say you can change the value, but it will not do you any good. If you wish to use a cookie to become the value for REMOTE_USER, then you can construct something in java called a HttpServletRequestWrapper, where you can override the getRemoteUser() method to do what ever you like. However, I would not hang my hat on a cookie unless I had a second way (factor) of verifying the validity of that cookie.

Could you please explain why IWA will not work? That would be your easiest solution here.


"There is no limit to what you can achieve ... if you don’t care who gets the credit." Roger Abbott
 
Posts: 1102 | Location: Toronto, Ontario | Registered: May 26, 2004Report This Post
  Powered by Social Strata  

Read-Only Read-Only Topic

Focal Point    Focal Point Forums  Hop To Forum Categories  WebFOCUS/FOCUS Forum on Focal Point     Trusted Authentication with ASP

Copyright © 1996-2020 Information Builders