Sometimes the Spotfire clients access the Spotfire Server through a proxy or a load balancer. In some cases, the proxy or load balancer has already forced the client to authenticate itself. Some proxies or load balancers are capable of forwarding the name of the authenticated user to the Spotfire Server. By enabling the Delegate authentication method on the Spotfire Server, it can automatically extract the identity of the client so that the client doesn't have to authenticate twice. Any proxy or load balancer that can propagate the username so that it is available as an HTTP request attribute on the Spotfire Server is compatible.
The Delegate authentication method is a supplementary authentication method that can be used together with the main authentication method, but it can also be used as the main and only authentication method. Typical scenarios are:
When both the Spotfire Server cluster and its load balancer are configured for NTLM authentication.
When a load balancer is configured for X.509 Client Certificate authentication and propagates the usernames extracted from the certificates.
Use the config-delegate-auth command (page 153) to set up and enable the Delegate authentication method:
Enable Load Balancer Authentication (required)
Specifies whether or not the Delegate authentication method should be enabled.
Request attribute name (required)
The name of the HTTP request attribute that contains the name of the authenticated user. The default value is REMOTE_USER.
Allowed hostnames (optional, but strongly recommended)
A comma-separated list of hostnames and/or IP addresses of the client computers that are permitted to log in already authenticated users by passing the usernames in the specified HTTP request attribute. If this argument is not specified, then all client computers are permitted to perform delegated authentication. As this is a potential security risk, it is strongly recommended to restrict the permission to use this feature. Typically, this feature is locked down so that only proxies or load balancers are permitted to use it. A scenario where all client computers can be allowed to use this feature is when a custom Post Authentication Filter is also in use. Then this filter would be responsible for performing the final authorization, for instance by validating additional HTTP headers.
Name filter expression (optional)
A regular expression that can be used to filter the username extracted from the specified request attribute. The value of the regular expression's first capturing group will be used as the new username. A typical scenario is to extract the username from a composite name containing both username and domain name. For instance, the regular expression \S\\(\S*) can be used to extract the username from a value in the format domain\username.
Lower case conversion (optional)
Specifies whether or not to convert the propagated username to lower case. The default is not to convert to lower case.
4.12 Impersonation
What Is Impersonation?
When the TIBCO Spotfire Servers are used in conjunction with one or more TIBCO Spotfire Web Player servers, which have been configured for certain authentication methods, for instance NTLM, impersonation also needs to be enabled on the TIBCO Spotfire Servers for seamless login.
Impersonation means that the TIBCO Spotfire Web Player is responsible for authenticating users. Calls from the TIBCO Spotfire Web Player to the TIBCO Spotfire Server cluster will be made on behalf of the person authenticated. For example, consider the case when the TIBCO Spotfire Web Player server is configured for certificate authentication. This authentication method is done on the HTTPS network level and there is no password or token which can be conveyed to the TIBCO Spotfire Server cluster for login. Instead the TIBCO Spotfire Web Player server is trusted for impersonation. The TIBCO Spotfire Web Player server is allowed to make calls on behalf of any user without the ordinary authentication mechanism. This means the user will see his/her specific files in the library, etc.
Enabling impersonation can pose a potential security issue, which is why this is disabled by default. To strengthen security there are a number of requirements that can be imposed on a call in order for it to be allowed to impersonate.
Enabling Impersonation
The call from a TIBCO Spotfire Web Player server to the TIBCO Spotfire Server cluster will always require authentication. This is done as a certain user which has been specified in the configuration of the TIBCO Spotfire Web Player server. The TIBCO Spotfire Server cluster can be configured to only allow certain users to be able to issue impersonation calls.
You can specify many users. If you do not specify any users, then any authenticated user can issue impersonate calls. The most common use is to specify the same user as configured on the TIBCO Spotfire Web Player server. See the TIBCO Spotfire Web Player: Installation and Configuration Manual for more information.
Specific requirements can also be made on the origin of an impersonate call. Typically, you would want to configure the TIBCO Spotfire Server cluster to only allow impersonation calls originating from the machines running a trusted TIBCO Spotfire Web Player server.
If one or more servers are listed in the Web Player Server field(s), then only calls originating from these machines are allowed. Allowed machines can be specified in two ways: originating IP number or originating name. The originating IP number should be the IP number of the machine, and a specified originating name is resolved to one (or more) IP numbers using DNS. Only calls originating from one of the mentioned machines are valid for impersonation. If no information is provided in the Web Player Server field, then calls originating from any machine are valid for impersonation.
You can also require HTTPS. All the requirements you decide to set up must be met for the impersonation call to be allowed.
To enable impersonation:
Use the command config-impersonation-auth (page 154) to enable impersonation.
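The trust decisions described in the two sections above, the delegated-login check (allowed hostnames, request attribute, name filter, lower case conversion) and the impersonation requirements (allowed users, Web Player Server origins, HTTPS), modelled in Python as an added example. This is not Spotfire Server code: the class and function names are this example's own, the name filter is assumed to be applied with search semantics, and the DNS resolver is injectable so the block runs offline.

```python
import ipaddress
import re
import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class DelegateAuthConfig:
    attribute_name: str = "REMOTE_USER"
    allowed_hosts: frozenset = frozenset()  # empty means ANY client may assert a username
    name_filter: str = ""                   # first capturing group becomes the username
    lower_case: bool = False


def delegated_username(cfg, request_attrs, client_ip):
    """Username to log in via delegation, or None to fall back to ordinary authentication."""
    if cfg.allowed_hosts and client_ip not in cfg.allowed_hosts:
        return None                         # not a trusted proxy/load balancer
    raw = request_attrs.get(cfg.attribute_name)
    if not raw:
        return None                         # upstream did not authenticate the client
    if cfg.name_filter:                     # search semantics assumed; group 1 is the result
        m = re.search(cfg.name_filter, raw)
        if not m or not m.group(1):
            return None
        raw = m.group(1)
    return raw.lower() if cfg.lower_case else raw


@dataclass(frozen=True)
class ImpersonationConfig:
    allowed_users: frozenset = frozenset()  # empty means any authenticated user may impersonate
    web_player_servers: tuple = ()          # IP numbers or hostnames; empty means any origin
    require_https: bool = False


def impersonation_allowed(cfg, caller_user, caller_ip, is_https,
                          resolve=socket.gethostbyname_ex):
    """True only if every configured requirement is met (resolve is injectable for offline tests)."""
    if cfg.allowed_users and caller_user not in cfg.allowed_users:
        return False
    if cfg.require_https and not is_https:
        return False
    if cfg.web_player_servers:
        permitted = set()
        for entry in cfg.web_player_servers:
            try:
                permitted.add(str(ipaddress.ip_address(entry)))
            except ValueError:              # a hostname: resolve to one or more IPs via DNS
                permitted.update(resolve(entry)[2])
        if caller_ip not in permitted:
            return False
    return True
```

Note that with both allow-lists left empty, the first check accepts any username a client puts in the attribute and the second accepts an impersonation call from any authenticated user on any machine, which is exactly the default the manual warns about.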