
Our dashboard uses OpenID Connect to authenticate users. I h...


Robert Kottelenberg


Hi Rob

It's been a while since I looked at OpenID. I thought we still supported this, but found a note about us changing from OpenID to OpenID Connect in 8.2.02:

 

As of Release 8.2 Version 02, WebFOCUS discontinued support for the OpenID pre-authentication method, and replaced it with support for the newer version of this method, OpenID Connect. As a result of this change, we recommend that all customers who use OpenID pre-authentication replace it with OpenID Connect or another method of secure pre-authentication.

 

So I'd recommend reading in the security manual about Open ID Connect. Just search for "open id connect" in the security manual.

Configuring Pre-Authentication With OpenID Connect

I've not done this other than testing a few years ago in 8105m. I think we somehow used Gmail as our identity provider and authenticated that way.

I think we need to know more about your setup.

Sounds like you typically check a person's user ID and password using Open ID already. Where do you send those requests, like Gmail in my example, or do you have Open ID hooked up to ADFS or some other cloud provider?

Once you make sure a user ID and password is valid, how will you then decide about Authorization (which groups a user belongs to)? Will you do all the mapping inside of WebFOCUS, or is there an external source of this info you might use? For example, you could keep the user and group info in a SQL Server table. Very common is the Active Directory route also.

I use a custom written filter provided by IBI (written in Java) that authenticates by way of a Token. Then we use a Custom SQL Provider to map users to Groups to use in Rules (that's a set of SQL Server tables).

So where does your userid/pw check happen, and where do you get info about which groups a user belongs to?

Thanks!

Toby

Link to comment
Share on other sites

As an add on to this discussion for anybody else looking into understanding the flow of an Open ID request, I found this website to be interesting.

OpenID Connect Playground

I was able to step through the communication using their example and see how the process goes.

I found it handy just to know how it's supposed to go.

To use it, I hit the Start button and then chose to sign in using my Gmail ID. After authenticating using the Gmail app on my phone, it let me go on. I got a code, then turned the code into a token, then verified things (really I just followed along with their direction).

Might help if you want to understand the flow.

Link to comment
Share on other sites
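
The flow that post steps through (authorization request, code, code-to-token exchange, verification), as an added example that is not part of the thread and is not WebFOCUS or IBI code. It uses a toy in-memory provider and client with a constructed issuer, client ID and secret, and an HS256 ID token keyed by the client secret; a real deployment usually verifies an asymmetric signature against the provider's published keys instead.

```python
import base64, hashlib, hmac, json, secrets, time

# Constructed values for the example; not from the thread or any real provider.
ISSUER, CLIENT_ID, SECRET = "https://idp.example", "dashboard", b"constructed-secret"
_codes = {}  # toy provider state: one-time authorization code -> nonce

def b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _mac(signing_input):
    return hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()

def sign(claims):
    head = b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64(json.dumps(claims).encode())
    return f"{head}.{body}.{b64(_mac(head + '.' + body))}"

# Provider side (toy): issue a code, then swap it once for an ID token.
def authorize(state, nonce):
    code = secrets.token_urlsafe(16)
    _codes[code] = nonce
    return {"code": code, "state": state}  # parameters on the redirect back

def token(code, now=None):
    nonce = _codes.pop(code)  # single use: a replayed code raises KeyError
    now = int(time.time()) if now is None else now
    return sign({"iss": ISSUER, "aud": CLIENT_ID, "sub": "user-1",
                 "nonce": nonce, "iat": now, "exp": now + 300})

# Client side: the verification step at the end of the flow.
def verify_id_token(jwt, expected_nonce, now=None):
    head, body, sig = jwt.split(".")
    if json.loads(unb64(head)).get("alg") != "HS256":  # pin the algorithm
        raise ValueError("unexpected alg")
    if not hmac.compare_digest(_mac(head + "." + body), unb64(sig)):
        raise ValueError("bad signature")
    claims = json.loads(unb64(body))
    now = time.time() if now is None else now
    checks = {"iss": claims.get("iss") == ISSUER, "aud": claims.get("aud") == CLIENT_ID,
              "exp": claims.get("exp", 0) > now,
              "nonce": hmac.compare_digest(str(claims.get("nonce")), expected_nonce)}
    failed = [name for name, ok in checks.items() if not ok]
    if failed:
        raise ValueError("claim check failed: " + ", ".join(failed))
    return claims

def login():
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    redirect = authorize(state, nonce)
    if not hmac.compare_digest(redirect["state"], state):  # CSRF check on callback
        raise ValueError("state mismatch")
    return verify_id_token(token(redirect["code"]), nonce)
```

The state value ties the callback to the request the client started, and the nonce ties the ID token to that same login, so a token issued for a different session fails the last check even with a valid signature.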

WebFOCUS is set up to use OpenID Connect. We are using Azure Active Directory to authenticate users. We map roles from Azure AD to WebFOCUS groups in the Security Center.

This works fine when accessing the dashboard in a browser. The user is shown the login prompts as needed.

We have a custom .NET application that I am showing the dashboard in as well. It also uses Azure AD for authentication and authorization. When showing the dashboard, I would like to pass a token/cookie/whatever so that the user does not have to log in to the dashboard as well.

The wfsec_8207 doc says:


The best way to accomplish this sort of integration is through the deployment of a custom Java servlet filter inside the WebFOCUS web application. Information Builders Professional Services can develop a custom solution based on the IBIServletFilter. Alternatively, if your users access WebFOCUS through IIS, you can install an HTTP module using ASP.NET into IIS.

(We are using IIS on Windows Server, so the second option would work as well).

I was wondering if anyone had code or guidelines they can share so I could try writing it myself, before engaging with Professional Services.

Link to comment
Share on other sites

Thanks Robert - that helps.

Sounds like everything works like you want already, you just need a preauthentication of some sort to avoid the sign in. I appreciate all the extra info.

I think you should read up on examples of Trusted Ticket.

This works in the same way as the Token based approach you quoted, but it doesn't need custom support from Professional Services since it's now baked in as an offering from IBI. It's the next step for us. I haven't done it yet since I'm not a .NET guy, but I have read through the Java code IBI supplied to my current customer. And I've had to install / support that authentication as we're upgrading. It's kind of a hassle because it is a custom thing you have to mess with each time you move around.

So - the preference from a colleague who knows a lot about this (and is still at IBI), was for me to do Trusted Ticket to replace our custom java filter.

 

Besides what the security manual tells us about this, there are more details buried (embedded - pardon the pun) in another manual:

Embedded Business Intelligence Users Guide

See Implementing Single Sign-On on page 15

and

Visual Basic .NET Example on page 348.

I have not got my .NET guy to try this yet so I can't give you more help, but I think with the right manuals in hand, you'll likely be able to make progress.

Maybe someone else can help with more info, but at least you've got a starting point with this.

Hope that helps! Sorry I haven't done this yet to help you get through it with specifics.

Link to comment
Share on other sites

Our dashboard uses OpenID Connect to authenticate users.

I have a custom desktop application that authenticates with the same OpenID service. I am trying to implement single sign on so our users don't have to authenticate twice.

I am looking at the Configuring Pre-Authentication With Custom Single Sign On (SSO) Solutions in Chapter 4 of the wfsec doc. Has anyone got this working, and do you have code you could share on how you got the filter working? Or some guidelines I can use to implement the custom Java servlet to enable the single sign on?

Thanks,

Rob
