We are going to use OKTA to authenticate but our Dashboards ...

[Debra Waybright]

We are going to use OKTA to authenticate but our Dashboards are still on the EDASERVE (WF 8203). OKTA wants users to authenticate in WebFocus BI Portal so links directly to those dashboards give an error if you dont authenticate first.

Im wondering if anyone else has moved to OKTA recently and figured out a clean way to still allow users who just go to a link for a dashboard to still do that without opening the BI Portal first. It might be a setting in OKTA or WebFocus that we just arent aware of.

Appreciate any help!

Thanks,

Deb

[Toby Mills]

Hi Deb

What does your URL look like when someone is trying to run a report off your EDASERVE reporting server Just wondering if you have a port number in there or anything.

Does the communication go from a webserver (lets say IIS) then to Tomcat (your application server) an then the client redirects the request to EDASERVE

Like this

Web Server

Web Application Server (the WF client runs here)

EDASERVE

If it works like that, seems like you could get IIS to do the authentication, then tell WebFOCUS (via securitysettings.xml) to know that the user is preauthenticated.

The last step of reaching the WFRS would need you to make sure your connection from the client to the WFRS is set for a Trusted connection.

Let us know the flow of communication to reach EDASERVE. A sample URL will tell me a lot.

Thanks

[Debra Waybright]

@toby.mills Thanks for reaching out! Our URL looks like this: https://webfocus.brotherhoodmutual.com/approot/enterprise/daily_overview.htm

I think you got the communication path correct. We do use Tomcat as our application server. I think the issue is that the link lives in Confluence so the user clicks on the link from a Confluence page to go directly there. If I open the WebFocus BI Portal and then go to where the link is and click on it, it works because Im already authenticated via the BI Portal.

Is there a setting on the webserver that could intercept and authenticate with OKTA when the dashboard link is clicked from Confluence

Thanks!

[Toby Mills]

Hi Deb

Its hard for me to answer directly without a lot more research. I did read that OKTA can use SAML or OAUTH Connect or Kerberos (NTLM) to authenticate with - and WebFOCUS can use all those.

At a very high level, your goal is to get your Web Server to do the Authentication using one of the methods above, and then you set up WebFOCUS to know that it trusts the Web Servers authentication (for WF, this would be preauthentication). So Authentication for your webserver, and then setup preauth on WebFOCUS.

I dont know if your users are entirely internal people who use Active Directory to authenticate or if you are exclusively using OKTA for the authentication / authorization.

I saw that I could make my own OKTA account and then I could build out a way to authenticate with that to show you, but thatd take me some time and I really cant do that work on my corporate machines that Im on right now.

You can PM me and I can see about getting more info from you.

Also - this would be a great question for Professional Services (I guess its TIBCO PS now). Theyre likely already are doing this for somebody. And it looks like it wont be too hard to do. No custom coding and so forth.

OKTA has some javascript libraries you can put in your launch page that let the user authenticate, but itll likely be smoother if we find a way to authenticate the user as soon as they hit the webapp (regardless of what page they start with).

Links I looked at so I dont lose them:

OKTA Integrated Windows Authentication Troubleshooting

Add OKTA Authentication to any Web Page in 10 minutes

Enabling Single Sign On with Okta using SAML

Authentication on IIS - okta Help Center

Im sure thats all clear as mud, but the general idea is to leverage the OpenID Connect or SAML to do your authentication (I think). Not sure about Authorization (what can a user do once they get in). Wed have to talk about that also.

[Debra Waybright]

Toby,

thank you so much for this. Im actually not the one setting this up, just the power user doing the testing. So I will pass all this along. I appreciate your willingness to work with me. Thank you for the reminder about Professional Services. I kinda forgot about them!

Again, thanks so much for your assistance. I will update this post when we figure out what we need to do.

[Debra Waybright]

Im going to close this post. After a discussion with Tibco support this morning on a tangential issue we have some more work to do on our security set up in general.

Thanks every one for the shared info!

Deb