Focal Point Banner


As of December 1, 2020, Focal Point is retired and repurposed as a reference repository. We value the wealth of knowledge that's been shared here over the years. You'll continue to have access to this treasure trove of knowledge, for search purposes only.

Join the TIBCO Community
TIBCO Community is a collaborative space for users to share knowledge and support one another in making the best use of TIBCO products and services. There are several TIBCO WebFOCUS resources in the community.

  • From the Home page, select Predict: WebFOCUS to view articles, questions, and trending articles.
  • Select Products from the top navigation bar, scroll, and then select the TIBCO WebFOCUS product page to view product overview, articles, and discussions.
  • Request access to the private WebFOCUS User Group (login required) to network with fellow members.

Former myibi community members should have received an email on 8/3/22 to activate their user accounts to join the community. Check your Spam folder for the email. Please get in touch with us at community@tibco.com for further assistance. Reference the community FAQ to learn more about the community.


Focal Point    Focal Point Forums  Hop To Forum Categories  WebFOCUS/FOCUS Forum on Focal Point     [SOLVED] IWA single sign on

Read-Only Read-Only Topic
Go
Search
Notify
Tools
[SOLVED] IWA single sign on
 Login/Join
 
Gold member
posted
Hi,

We are using DEFAULT connection with ConnectionID in Reporting server settings for a client to communicate to server. The purpose it was set up this way was to allow multiple service accounts for each domain on whose profiles the adapters are defined.

Now we are planning to move to IWA SSO model -
1) Changing to Trusted with pass UserID/Group option , I was able to use _site_profile variable in site.wfs in client to dynamically handle adapter connections based on the &IBIMR_domain folder name. For caster we still have the Execution ID profiles.

2) Question is will the external URL call still work when changed to IWA SSO. We have the external user ID's which are mapped internally to ldap AD accounts in company before the URL call comes to reporting server. So will the user just being member of an ldap group work?
The external reports are in Reporting Server and not content tree so guess if IWA SSO enabled and if reporting server fex will a URL to just execute with node name and fex name work?

Thanks,
Rajna

This message has been edited. Last edited by: FP Mod Chuck,


WebFOCUS 8.1.05
Windows
Excel, PDF, HTML
 
Posts: 72 | Location: Flowood , MS | Registered: May 11, 2011Report This Post
Master
posted Hide Post
What may be a better / easier way is to setup multiple data services on the reporting server say 1 per domain. and each data services has it own profile with only the connections that it needs in its profile. Then add the data services to the client admin console as a remote server and set the class to the data service, then you can assign the domain to that remote server. You can also set the path in the profile as well and any other setting you need for that data service. By doing this you can also control each application setting on the reporting server independantly give one application more or less agents, resources, etc...




Scott

 
Posts: 865 | Registered: May 24, 2004Report This Post
Gold member
posted Hide Post
Hi Scott,

We do have that kind of set up here, where for each Domain we have seperate Reporting server node with security setting as Service Account UserID/Password.

When changing to Trusted, the connectionID /Service account will no longer get passed . The Security center USERID/GROUP will get passed. Hence my question on what is the impacts on IWA SSO with Trusted mode on External user access. First question is Will IWA SSO need security in RS to be changed to Trusted OR will it work under Security as Service Account itself.

I agree we can put APP PATH on these service account profiles but currently the security center group profiles are not getting passed to Reporting server which allows more granular metadata management for eg: for InfoAssist we may need new security center group for a department where we may need to grant access for this group to a particular APP PATH in RS server.

Thanks,
Rajna


WebFOCUS 8.1.05
Windows
Excel, PDF, HTML
 
Posts: 72 | Location: Flowood , MS | Registered: May 11, 2011Report This Post
Gold member
posted Hide Post
Primary question from me - Will IWA SSO need security in RS to be changed to Trusted OR will it work under Security as Service Account itself

This message has been edited. Last edited by: Rajna Nannat,


WebFOCUS 8.1.05
Windows
Excel, PDF, HTML
 
Posts: 72 | Location: Flowood , MS | Registered: May 11, 2011Report This Post
Silver Member
posted Hide Post
You'll need to set the Reporting Server itself to Trusted if it isn't already (trust_ext=y in the Access Control settings tab). You can then set up your Service Accounts as the explicit ID's to use when making a connection to the data sources. This way, there's no need to add any other ID's to the reporting server for SSO. With your reporting server set to LDAP security, the client will pass the user ID over to the reporting server so it can authenticate users via an LDPA lookup to your AD groups. If you're mapping your internal WF groups to your external AD groups, then you've not only got authentication but authorization as well.


8.8.09 - z/Linux (WF, Report Caster, Report Library).
Iway FFS on MVS (HFS)
 
Posts: 36 | Location: Oklahoma City | Registered: December 05, 2006Report This Post
Gold member
posted Hide Post
Hi Craig,

Yes the reporting server is already set in Trusted ext=Y option.

When you say - 'You can then set up your Service Accounts as the explicit ID's to use when making a connection to the data sources' - yes we are using service accounts to connect to data sources. In admin console>remote services we have different nodes for each domains. Will the SSO still work with security in remote services set to use explicit rather than trusted?
Does both server and remote service need to be set to Trusted? or just server to trusted is enough and the explicit ID's in admin console > remote service will work?
Is SSO only useful for Internal Domain users and are you suggesting this method as we have external users also.

Thanks,
Rajna


WebFOCUS 8.1.05
Windows
Excel, PDF, HTML
 
Posts: 72 | Location: Flowood , MS | Registered: May 11, 2011Report This Post
Gold member
posted Hide Post
I think part of it is clear to me now. We have one server and Two client installations.

One client for Internal and other for external.

The Tomcat installations are in Client machines. So the Server.XML and SecuritySettings.xml changes in client installtions can be done in client box for internal and we can leave the external Client box nodes as it is to authenticate via Service accounts.

Will have to trail this and see.

Thanks,
Rajna


WebFOCUS 8.1.05
Windows
Excel, PDF, HTML
 
Posts: 72 | Location: Flowood , MS | Registered: May 11, 2011Report This Post
Silver Member
posted Hide Post
My suggestion was to accommodate SSO for internal users (with the reporting server security set to LDAP). Like you said, you'll have to see if your current setup will do what you want. Good luck!


8.8.09 - z/Linux (WF, Report Caster, Report Library).
Iway FFS on MVS (HFS)
 
Posts: 36 | Location: Oklahoma City | Registered: December 05, 2006Report This Post
Gold member
posted Hide Post
For external user reports , Is the use of service accounts only way to connect to server or is there any other recommended authentication methods. Currently all reports are in reporting server and using service accounts in RS to connect and execute reports. If we move to Content tree , what is the recommended way for external user authentication and how will authentication differ.

Thanks,
Rajna

This message has been edited. Last edited by: Rajna Nannat,


WebFOCUS 8.1.05
Windows
Excel, PDF, HTML
 
Posts: 72 | Location: Flowood , MS | Registered: May 11, 2011Report This Post
Virtuoso
posted Hide Post
Rajna

I would recommend "Trusted"


Thank you for using Focal Point!

Chuck Wolff - Focal Point Moderator
WebFOCUS 7x and 8x, Windows, Linux All output Formats
 
Posts: 2127 | Location: Customer Support | Registered: April 12, 2005Report This Post
Gold member
posted Hide Post
Thank you Chuck!

Can you share any doucmentation if available on how to authenticate external users to reports in content tree. Currently internal users are having LDAP form based authentication. For external users how can we map them to LDAP as custom form based authentication.

Thanks,
Rajna


WebFOCUS 8.1.05
Windows
Excel, PDF, HTML
 
Posts: 72 | Location: Flowood , MS | Registered: May 11, 2011Report This Post
Gold member
posted Hide Post
Hi Chuck,

Can you please also share few advantages of using Trusted authentication.

Thanks,
Rajna


WebFOCUS 8.1.05
Windows
Excel, PDF, HTML
 
Posts: 72 | Location: Flowood , MS | Registered: May 11, 2011Report This Post
Gold member
posted Hide Post
I got the documentation from below site,

https://techsupport.informatio...custom_provider.html

Thanks,
Rajna


WebFOCUS 8.1.05
Windows
Excel, PDF, HTML
 
Posts: 72 | Location: Flowood , MS | Registered: May 11, 2011Report This Post
  Powered by Social Strata  

Read-Only Read-Only Topic

Focal Point    Focal Point Forums  Hop To Forum Categories  WebFOCUS/FOCUS Forum on Focal Point     [SOLVED] IWA single sign on

Copyright © 1996-2020 Information Builders