Focal Point
[CLOSED] Auto Add Users to Groups in SSO

This topic can be found at:

July 29, 2018, 06:36 AM
Rao D
[CLOSED] Auto Add Users to Groups in SSO
Hi All,

We are trying to configure Single Sign On using OpenID option under the security section in the WebFOCUS Client Administration (we are using WebFOCUS 8203). The authentication is working fine and able to login to the WebFOCUS client using the userid/password created in the OpenID server. But, by default everyuser is able to see only the Public folder upon initial login. How to auto add the users Groups?

Earlier in another project I have implemented External security which I have configured in the Reporting Server with external DB and in this case I was able to see the map the external groups with the WebFOCUS groups. But, currently for SSO using OpenID I did not make any changes to the Reporting server side. Do I have to setup an adapter connection in the WebFOCUS Reporting server to the database using by OpenID server in order to get the groups and map them in the security center on the client side?

Please share any ideas.


This message has been edited. Last edited by: FP Mod Chuck,

WebFOCUS - ver8201
[ReportingServers: Windows 64bit;
Client: tomcat and IIS on windows 2012

July 29, 2018, 02:23 PM
FP Mod Chuck

I found this case on techsupport that says OpenID is no longer supported in version 8.2 due to security vulnerabilities.


You can reach out to them to find out more.

Thank you for using Focal Point!

Chuck Wolff - Focal Point Moderator
WebFOCUS 7x and 8x, Windows, Linux All output Formats
July 30, 2018, 01:07 PM
Hi Subbu

It never hurts to double check by opening a case with techsupport regarding the use of OpenID.
I see it still clearly documented in the 8203 security manual for Authentication but I didn't see anything about Authorization.

Sounds like your question is based a lot around that Authorization part.

You didn't say where your external group membership list is stored. Is it in a SQL based table someplace? or is it maybe in LDAP?

If it's in LDAP, I think you'd be better off (and actually it may be required) that you use the LDAP/AD for authentication too. So you'd quit using OpenID in that case.

But- if you're groups are in a SQL based table, you can read up on making a Custom SQL provider (via 'tutorials' on the WF Reporting server). you can read about how to set up a Custom SQL provider by getting out the 8203 WF Server Administration manual around page 60. You could set up a secondary provider there and test to see that you can log on and retrieve a list of groups from that custom provider that you will build.

If your groups are coming back on the WFRS (thats the reporting server), then I bet you can get the client to ask the WFRS for that list by way of a service account. External Authorization is described in the WebFOCUS security manual for 8203 starting around page 243 in the PDF. Look for "understanding External Authorization".

Somewhere in here, you'll also find the rules for AUTOADD that says to only AUTOADD if a user is a member of a MAPPED group.

So - in summary, if you have your groups in a SQL table, make a custom provider by using the WFRS admin console first just to make sure you can hit it. Then if you can, configure the client to use the list.

There's a setting that you can turn on tracing for in log4j.xml (com.ibilog) so you can see more info about how the logon is working (Page 248 in the security manual for 8203). I find that useful to enable whenever I'm experimenting with external providers.

I'll try to check back in on you. If you get stuck, just open a case with all your release info and describe where you Authentication / Authorization should come from.

If it's too tricky, IBI professional services might be able to write a custom servlet for you to help with this stuff. Feel free to reach out to your local IBI branch to talk over the issue too.

Toby Mills, CISSP
August 01, 2018, 07:44 AM
Rao D
Hi Toby

Thanks for the details. Yes, I did go through the IBI documents and security manuals and I am on same page with you to create a custom provider for authorization alone as they have the userinfo in Postgresql and there is no LDAP setup they use a openid setup for their existing application.


WebFOCUS - ver8201
[ReportingServers: Windows 64bit;
Client: tomcat and IIS on windows 2012