As of December 1, 2020, Focal Point is retired and repurposed as a reference repository. We value the wealth of knowledge that's been shared here over the years. You'll continue to have access to this treasure trove of knowledge, for search purposes only.
Join the TIBCO Community TIBCO Community is a collaborative space for users to share knowledge and support one another in making the best use of TIBCO products and services. There are several TIBCO WebFOCUS resources in the community.
From the Home page, select Predict: WebFOCUS to view articles, questions, and trending articles.
Select Products from the top navigation bar, scroll, and then select the TIBCO WebFOCUS product page to view product overview, articles, and discussions.
Request access to the private WebFOCUS User Group (login required) to network with fellow members.
Former myibi community members should have received an email on 8/3/22 to activate their user accounts to join the community. Check your Spam folder for the email. Please get in touch with us at community@tibco.com for further assistance. Reference the community FAQ to learn more about the community.
I am trying to implement single sign-on from an ASP application. The users inside the company can log in successfully, the problem is with remote users (outside of our domain). I tried using REMOTE_USER variable, but the remote users do not log in to their systems using our domain credentials. I need to somehow be able to pass the user's domain information from my ASP app to WebFOCUS (getting user's information with my ASP app is not the problem). I am using IIS with Jakarta. The ASP app and WebFOCUS client are on separate Windows boxes.
WebFOCUS version 762.
Hopefully someone has been successful at this approach.
Security is a very complicated subject because any recommendations may lead to potential overlooked issues, and what may work now may not work later. I would suggest that you contact IB for help, this way they can guide you in the right direction for success.
Do you mean running WebFOCUS with TRUSTED security on Windows? If so this is not supported inbound to a Windows Reporting Server. It may appear to work at times, but doesn't, as I found out .
There may well be other options open to you, but it does require a lot more information.
Is the information you require in the HTTP HEADER? Are you using MRE, that may have different issues? What are you trying to achieve from having the userid and domain?
IB are your best source of info, but you have to be very clear as to what you are trying to achieve to ensure the best solution.
Alan. WF 7.705/8.007
Posts: 1451 | Location: Portugal | Registered: February 07, 2007
My reporting server is actually DB2 iSeries, not Windows.
The issue is that when my users go to a report (ran through a direct url) they received the windows login prompt screen. The users can enter domain\User and password to access the reports, but most of them do not know how to do this and are not willing to do this every time they run a report. However, the users are logging in to an ASP application that captures their domain login and password. I am hoping there is a some way I can pass this on to WebFOCUS to avoid the login prompt.
I'm not that familiar with the internal processing of ASP and WebFOCUS, so I do not know if the information I require is in the HTTP HEADER. For my internal users I am using the REMOTE_USER variable (which is their domain login), but this is not an option with my remote users as their REMOTE_USER variable is likely their computer user name (like Mark instead of mar1234, which is in Active Directory).
We are not currently using MRE for these users, but it is a possibility in the future.
If the remote users aren't in the same domain and you are running the reporting server in OPSYS mode, then you will need to decide how to translate the external users into internal users.
When the server is in OPSYS mode it is expecting the user to have an account on the operating system that the reporting server is running on. This will most probably not be the case in your situation. You could create a report user on the Reporting Server and translate that from the external REMOTE_USER value, but if there is no trust between the domains (if you are using Windows) then you may be better off looking at one of the other security modes - LDAP or RDBMS.
If you haven't already you should read through the Security Manual (DN4500790.1107) to get a better idea of how the pieces fit together.
Cheers
Stuart
WebFOCUS 8.2.03 (8.2.06 in testing)
Posts: 253 | Location: Melbourne, Australia | Registered: February 07, 2007
Luckily we are not running the reporting server in OPSYS mode.
I'm assuming when you say that there is no trust between the domains you mean between our company domain and the outside users domain?
What do you guys think about reading a cookie value into the site.wfs file? I'm not sure how the client server security works. When a user navigates to a WebFOCUS url, does site.wfs get read before the server security is checked? If so then maybe I can get the user credentials some way and set the REMOTE_USER variable in the custom settings.
I will look in to LDAP and see if that is an option for us.
Originally posted by jelli4908: What do you guys think about reading a cookie value into the site.wfs file? I'm not sure how the client server security works. When a user navigates to a WebFOCUS url, does site.wfs get read before the server security is checked? If so then maybe I can get the user credentials some way and set the REMOTE_USER variable in the custom settings.
Probably not the best approach. You cannot affect the value of REMOTE_USER in a positive way in the site.wfs. That is to say you can change the value, but it will not do you any good. If you wish to use a cookie to become the value for REMOTE_USER, then you can construct something in java called a HttpServletRequestWrapper, where you can override the getRemoteUser() method to do what ever you like. However, I would not hang my hat on a cookie unless I had a second way (factor) of verifying the validity of that cookie.
Could you please explain why IWA will not work? That would be your easiest solution here.
"There is no limit to what you can achieve ... if you don’t care who gets the credit." Roger Abbott