Focal Point
[SOLVED] IWA single sign on

This topic can be found at:
https://forums.informationbuilders.com/eve/forums/a/tpc/f/7971057331/m/3367084096

July 05, 2018, 09:43 AM
Rajna Nannat
[SOLVED] IWA single sign on
Hi,

We are using the DEFAULT connection with ConnectionID in the Reporting Server settings for a client to communicate with the server. It was set up this way to allow multiple service accounts for each domain, on whose profiles the adapters are defined.

Now we are planning to move to the IWA SSO model:
1) Changing to Trusted with the pass UserID/Group option, I was able to use the _site_profile variable in site.wfs in the client to dynamically handle adapter connections based on the &IBIMR_domain folder name. For Caster we still have the Execution ID profiles.

2) The question is: will the external URL call still work when changed to IWA SSO? We have external user IDs which are mapped internally to LDAP AD accounts in the company before the URL call comes to the reporting server. So will the user just being a member of an LDAP group work?
The external reports are in the Reporting Server and not the content tree, so I guess: if IWA SSO is enabled and it is a reporting server fex, will a URL to just execute with the node name and fex name work?

Thanks,
Rajna



WebFOCUS 8.1.05
Windows
Excel, PDF, HTML
July 05, 2018, 12:13 PM
TexasStingray
What may be a better / easier way is to set up multiple data services on the reporting server, say 1 per domain, where each data service has its own profile with only the connections that it needs in its profile. Then add the data services to the client admin console as a remote server and set the class to the data service; then you can assign the domain to that remote server. You can also set the path in the profile, as well as any other setting you need for that data service. By doing this you can also control each application setting on the reporting server independently: give one application more or less agents, resources, etc.




Scott

Hi Scott,

We do have that kind of setup here, where for each Domain we have a separate Reporting Server node with the security setting as Service Account UserID/Password.

When changing to Trusted, the ConnectionID/Service Account will no longer get passed. The Security Center USERID/GROUP will get passed. Hence my question on what the impacts are of IWA SSO with Trusted mode on external user access. The first question is: will IWA SSO need security in the RS to be changed to Trusted, or will it work under Security as Service Account itself?

I agree we can put APP PATH on these service account profiles, but currently the Security Center group profiles are not getting passed to the Reporting Server, which allows more granular metadata management. For example, for InfoAssist we may need a new Security Center group for a department, where we may need to grant this group access to a particular APP PATH in the RS.

Thanks,
Rajna


WebFOCUS 8.1.05
Windows
Excel, PDF, HTML
Primary question from me: will IWA SSO need security in the RS to be changed to Trusted, or will it work under Security as Service Account itself?



WebFOCUS 8.1.05
Windows
Excel, PDF, HTML
You'll need to set the Reporting Server itself to Trusted if it isn't already (trust_ext=y in the Access Control settings tab). You can then set up your Service Accounts as the explicit IDs to use when making a connection to the data sources. This way, there's no need to add any other IDs to the reporting server for SSO. With your reporting server set to LDAP security, the client will pass the user ID over to the reporting server so it can authenticate users via an LDAP lookup to your AD groups. If you're mapping your internal WF groups to your external AD groups, then you've not only got authentication but authorization as well.


8.8.09 - z/Linux (WF, Report Caster, Report Library).
Iway FFS on MVS (HFS)
Hi Craig,

Yes, the reporting server is already set with the Trusted ext=Y option.

When you say 'You can then set up your Service Accounts as the explicit ID's to use when making a connection to the data sources': yes, we are using service accounts to connect to data sources. In admin console > remote services we have different nodes for each domain. Will the SSO still work with security in remote services set to use explicit rather than trusted?
Do both the server and the remote service need to be set to Trusted, or is setting just the server to Trusted enough, so that the explicit IDs in admin console > remote service will work?
Is SSO only useful for internal domain users, and are you suggesting this method because we have external users also?

Thanks,
Rajna


WebFOCUS 8.1.05
Windows
Excel, PDF, HTML
I think part of it is clear to me now. We have one server and two client installations.

One client is for internal and the other for external.

The Tomcat installations are on the client machines. So the Server.XML and SecuritySettings.xml changes in the client installations can be done on the client box for internal, and we can leave the external client box nodes as they are to authenticate via service accounts.

Will have to trial this and see.

Thanks,
Rajna


WebFOCUS 8.1.05
Windows
Excel, PDF, HTML
My suggestion was to accommodate SSO for internal users (with the reporting server security set to LDAP). Like you said, you'll have to see if your current setup will do what you want. Good luck!


8.8.09 - z/Linux (WF, Report Caster, Report Library).
Iway FFS on MVS (HFS)
For external user reports, is the use of service accounts the only way to connect to the server, or are there any other recommended authentication methods? Currently all reports are in the reporting server and use service accounts in the RS to connect and execute reports. If we move to the content tree, what is the recommended way for external user authentication, and how will authentication differ?

Thanks,
Rajna



WebFOCUS 8.1.05
Windows
Excel, PDF, HTML
Rajna

I would recommend "Trusted"


Thank you for using Focal Point!

Chuck Wolff - Focal Point Moderator
WebFOCUS 7x and 8x, Windows, Linux All output Formats
Thank you Chuck!

Can you share any documentation, if available, on how to authenticate external users to reports in the content tree? Currently internal users have LDAP form-based authentication. For external users, how can we map them to LDAP as custom form-based authentication?

Thanks,
Rajna


WebFOCUS 8.1.05
Windows
Excel, PDF, HTML
Hi Chuck,

Can you please also share a few advantages of using Trusted authentication?

Thanks,
Rajna


WebFOCUS 8.1.05
Windows
Excel, PDF, HTML
I got the documentation from the site below:

https://techsupport.informatio...custom_provider.html

Thanks,
Rajna


WebFOCUS 8.1.05
Windows
Excel, PDF, HTML