As of December 1, 2020, Focal Point is retired and repurposed as a reference repository. We value the wealth of knowledge that's been shared here over the years. You'll continue to have access to this treasure trove of knowledge, for search purposes only. Moving forward, myibi is our community platform to learn, share, and collaborate. We have the same Focal Point forum categories in myibi, so you can continue to have all new conversations there. If you need access to myibi, contact us at firstname.lastname@example.org and provide your corporate email address, company, and name.
I am trying to implement single sign-on from an ASP application. The users inside the company can log in successfully; the problem is with remote users (outside of our domain). I tried using the REMOTE_USER variable, but the remote users do not log in to their systems using our domain credentials. I need to somehow be able to pass the user's domain information from my ASP app to WebFOCUS (getting the user's information with my ASP app is not the problem). I am using IIS with Jakarta. The ASP app and WebFOCUS client are on separate Windows boxes.
WebFOCUS version 762.
Hopefully someone has been successful at this approach.
Security is a very complicated subject because any recommendations may lead to potential overlooked issues, and what may work now may not work later. I would suggest that you contact IB for help; this way they can guide you in the right direction for success.
My reporting server is actually DB2 iSeries, not Windows.
The issue is that when my users go to a report (run through a direct URL) they receive the Windows login prompt screen. The users can enter domain\User and password to access the reports, but most of them do not know how to do this and are not willing to do this every time they run a report. However, the users are logging in to an ASP application that captures their domain login and password. I am hoping there is some way I can pass this on to WebFOCUS to avoid the login prompt.
I'm not that familiar with the internal processing of ASP and WebFOCUS, so I do not know if the information I require is in the HTTP HEADER. For my internal users I am using the REMOTE_USER variable (which is their domain login), but this is not an option with my remote users as their REMOTE_USER variable is likely their computer user name (like Mark instead of mar1234, which is in Active Directory).
We are not currently using MRE for these users, but it is a possibility in the future.
If the remote users aren't in the same domain and you are running the reporting server in OPSYS mode, then you will need to decide how to translate the external users into internal users.
When the server is in OPSYS mode it is expecting the user to have an account on the operating system that the reporting server is running on. This will most probably not be the case in your situation. You could create a report user on the Reporting Server and translate that from the external REMOTE_USER value, but if there is no trust between the domains (if you are using Windows) then you may be better off looking at one of the other security modes - LDAP or RDBMS.
Luckily we are not running the reporting server in OPSYS mode.
I'm assuming when you say that there is no trust between the domains you mean between our company domain and the outside users' domain?
What do you guys think about reading a cookie value into the site.wfs file? I'm not sure how the client server security works. When a user navigates to a WebFOCUS url, does site.wfs get read before the server security is checked? If so then maybe I can get the user credentials some way and set the REMOTE_USER variable in the custom settings.
I will look into LDAP and see if that is an option for us.
Originally posted by jelli4908: What do you guys think about reading a cookie value into the site.wfs file? I'm not sure how the client server security works. When a user navigates to a WebFOCUS url, does site.wfs get read before the server security is checked? If so then maybe I can get the user credentials some way and set the REMOTE_USER variable in the custom settings.
Probably not the best approach. You cannot affect the value of REMOTE_USER in a positive way in the site.wfs. That is to say, you can change the value, but it will not do you any good. If you wish to use a cookie to become the value for REMOTE_USER, then you can construct something in Java called an HttpServletRequestWrapper, where you can override the getRemoteUser() method to do whatever you like. However, I would not hang my hat on a cookie unless I had a second way (factor) of verifying the validity of that cookie.
Could you please explain why IWA will not work? That would be your easiest solution here.
"There is no limit to what you can achieve ... if you don’t care who gets the credit." Roger Abbott