
External Authentication Method

Spotfire clients may access Spotfire Server through an external authentication mechanism, a proxy or a load balancer.

When using an external authentication mechanism, Spotfire Server gets the external user name from an HTTP header or a cookie. Taking the user name from an HTTP header or a cookie is a potential security risk, so it is strongly recommended to restrict the permissions to use this feature, and to use the External Authentication Method only behind a load balancer or proxy.

When configuring the External Authentication Method, you can add several constraints:

It is possible to configure Spotfire Server to allow the External Authentication Method only when using a secure (SSL) connection.

It is possible to specify allowed hostnames and/or IP addresses of the client computers that are permitted to log in via the External Authentication Method.

You can list allowed IP addresses and/or write regular expressions. If you specify both, the Spotfire Server (TSS) first checks the list and then the regular expression.

In some cases, the proxy or load balancer has already forced the client to authenticate itself. Some proxies or load balancers are capable of forwarding the name of the authenticated user to Spotfire Server. With the External authentication method enabled, Spotfire Server can extract the identity of the client so that the client does not have to authenticate twice. Any proxy or load balancer that can propagate the user name, so that it is available in the HTTP request to the server as a request attribute, is compatible.

Typical scenarios are:

When both the Spotfire Server cluster and its load balancer are configured for NTLM authentication.

When a load balancer is configured for X.509 Client Certificate authentication and propagates the user names extracted from the certificates.

The External authentication method may be used as a supplementary authentication method alongside the main authentication method, or as the main and only authentication method.

If the external authentication method is to be used as the only authentication method, this must also be specified in the Authentication panel.

If clients are always supposed to go through a load balancer to reach Spotfire Server, configure external as the main authentication method. In this case it is not possible to access a Spotfire Server directly.

Even if a load balancer is used in front of a set of Spotfire Server instances, accessing the server directly may be desired. If this is the case, configure another authentication mechanism (any mechanism is allowed) as the main authentication method and external as a supplementary authentication method.

Use the Configuration Tool or the config-external-auth command (page 207) to set up and enable the External authentication method:

Note: In Spotfire Server 6.0, the config-delegate-auth command was replaced by the config-external-auth command. Old scripts using config-delegate-auth will still work.

Enable External Authentication (required): Specifies whether or not the External authentication method should be enabled.

Source Attribute: Enter the name of the HTTP request attribute that contains the name of the authenticated user.

Header: Enter the name of the HTTP request header that contains the name of the authenticated user.

Cookie: Enter the name of the HTTP request cookie that contains the name of the authenticated user.

Authentication Filter: Retrieves the user name from the getUserPrincipal() method of javax.servlet.http.HttpServletRequest.

Require SSL: Select yes for external authentication to be available only for SSL connections.

Allowed host (hostname or IP address): A list of hostnames and/or IP addresses of the client computers that are allowed to perform external authentication. If no allowed hosts are specified, all client computers are permitted to perform external authentication.

Allowed IPs (regular expression): Add a regular expression that should match the IP addresses of remote hosts that are permitted to perform External authentication. The regular expression must be written in the syntax supported by java.util.regex.Pattern.
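The admission checks described in this section, written out as an added Python example. This is not Spotfire's own code: the header name X-Authenticated-User, the field names, the sample addresses and the user names are constructed for the example, and Python's re module stands in for java.util.regex.Pattern. It also applies the Name filter expression and Lower case conversion options described on this page. The order of checks is the documented one: Require SSL, then the allowed host list, then the allowed IP regular expression, and only then is the propagated name read and filtered.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class ExternalAuthConfig:
    """Settings from the configuration table above (field names are assumptions)."""
    source_header: Optional[str] = None   # header the proxy sets, e.g. X-Authenticated-User
    source_cookie: Optional[str] = None   # alternatively, a cookie name
    require_ssl: bool = True
    allowed_hosts: List[str] = field(default_factory=list)  # host names and/or IP addresses
    allowed_ip_regex: Optional[str] = None                   # pattern matched against the client IP
    name_filter: Optional[str] = None                        # first capturing group becomes the name
    lower_case: bool = False


@dataclass
class Request:
    """The parts of an incoming HTTP request the checks look at."""
    remote_addr: str
    remote_host: str           # resolved client name, or the address again
    secure: bool               # True when the connection is SSL/TLS
    headers: Dict[str, str]
    cookies: Dict[str, str]


def origin_allowed(cfg: ExternalAuthConfig, req: Request) -> bool:
    """Allowed host list first, regular expression second, as documented."""
    # Nothing configured: every client may use the method (the documented default,
    # which is exactly the situation the warning above is about).
    if not cfg.allowed_hosts and cfg.allowed_ip_regex is None:
        return True
    if req.remote_addr in cfg.allowed_hosts or req.remote_host in cfg.allowed_hosts:
        return True
    # fullmatch, so that a pattern for 10.0.1.x does not also accept 10.0.10.x.
    if cfg.allowed_ip_regex is not None and re.fullmatch(cfg.allowed_ip_regex, req.remote_addr):
        return True
    return False


def external_user(cfg: ExternalAuthConfig, req: Request) -> Optional[str]:
    """Return the externally authenticated user name, or None when the request
    does not qualify and must fall back to the main authentication method."""
    if cfg.require_ssl and not req.secure:
        return None
    if not origin_allowed(cfg, req):
        return None
    raw: Optional[str] = None
    if cfg.source_header is not None:
        raw = req.headers.get(cfg.source_header)
    elif cfg.source_cookie is not None:
        raw = req.cookies.get(cfg.source_cookie)
    if not raw:
        return None
    if cfg.name_filter is not None:
        m = re.match(cfg.name_filter, raw)
        if m is None or m.lastindex is None:
            return None            # filter did not match: refuse rather than guess
        raw = m.group(1)
    return raw.lower() if cfg.lower_case else raw


# Constructed sample configuration: one proxy by address, one subnet by pattern.
SAMPLE_CONFIG = ExternalAuthConfig(
    source_header="X-Authenticated-User",
    require_ssl=True,
    allowed_hosts=["10.0.0.5"],
    allowed_ip_regex=r"10\.0\.1\.\d{1,3}",
    name_filter=r"user=([^;]+)",   # keeps the part after "user=" up to the first ";"
    lower_case=True,
)
SAMPLE_HEADERS = {"X-Authenticated-User": "user=Alice@CORP.EXAMPLE;session=42"}

if __name__ == "__main__":
    via_proxy = Request("10.0.0.5", "proxy.example.internal", True, SAMPLE_HEADERS, {})
    direct = Request("192.168.1.77", "192.168.1.77", True, SAMPLE_HEADERS, {})
    print("via proxy:", external_user(SAMPLE_CONFIG, via_proxy))
    print("direct:   ", external_user(SAMPLE_CONFIG, direct))
```

The direct request carries the very same header as the proxied one, yet yields no user: the origin check, not the header, is what makes the method safe, which is why the page ties the method to a proxy or load balancer.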

4.10 Impersonation

What Is Impersonation?

When Spotfire Servers are used in conjunction with one or more Spotfire Web Player servers that have been configured for certain authentication methods, for instance NTLM, impersonation also needs to be enabled on the Spotfire Servers for seamless login.

Impersonation means that the Spotfire Web Player is responsible for authenticating users. Calls from the Spotfire Web Player to the Spotfire Server cluster are made on behalf of the authenticated person. For example, consider the case where the Spotfire Web Player server is configured for certificate authentication. This authentication method is performed at the HTTPS network level, and there is no password or token that can be conveyed to the Spotfire Server cluster for login. Instead, the Spotfire Web Player server is trusted for impersonation: it is allowed to make calls on behalf of any user without the ordinary authentication mechanism. This means that the user sees his or her own files in the library, and so on.

Enabling impersonation is a potential security issue, which is why it is disabled by default. To strengthen security, a number of requirements can be imposed on a call in order for it to be allowed to impersonate.

Enabling Impersonation

The call from a Spotfire Web Player server to the Spotfire Server cluster will always require authentication. This is done as a certain user that has been specified in the configuration of the Spotfire Web Player server. Users that should be able to impersonate must be members of the Impersonator group. It is recommended that these users do not have additional privileges.

The Impersonator group can have many users; add the same user that is configured on the Spotfire Web Player server. See the TIBCO Spotfire Web Player: Installation and Configuration Manual for more information.

Specific requirements can also be made on the origin of an impersonate call. Typically, you would want to configure Spotfire Server cluster to only allow impersonation calls originating from the machines running a trusted Spotfire Web Player server.

Name filter expression (optional): A regular expression that can be used to filter the user name extracted from the specified request attribute. The value of the regular expression's first capturing group will be used as the new user name.

Note: In previous releases this option was typically used for extracting the user name from a composite name containing both user name and domain name. Since Spotfire Server now requires the domain name as part of the user name, old configured filter expressions must be updated.

Lower case conversion (optional): Specifies whether or not to convert the propagated user name to lower case. The default is not to convert to lower case.

If one or more servers are listed in the Allowed hosts fields, only calls originating from these machines are allowed. Allowed machines can be specified in two ways: by originating IP address or by originating name. The originating IP address should be the IP address of the machine, and a specified originating name is resolved to one (or more) IP addresses using DNS. Only calls originating from one of the listed machines are valid for impersonation. If no information is provided in the Web Player Server field, then calls originating from any machine are valid for impersonation.

You can also require HTTPS. All the requirements you decide to set up must be met for the impersonation call to be allowed.
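The impersonation requirements described in this section, combined into one decision, as an added Python example. This is not Spotfire's code: the group name Impersonator is the page's, while the field names, the service account svc-webplayer, the host names, the address table and the end-user names are constructed for the example. Names in the allowed-host list are expanded through DNS (socket.gethostbyname_ex in the real resolver; a constructed lookup table in the sample so it runs offline), so a name that maps to several addresses admits all of them, as the page states.

```python
import ipaddress
import socket
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set

IMPERSONATOR_GROUP = "Impersonator"       # the group named on this page

Resolver = Callable[[str], List[str]]      # name -> list of IP addresses


@dataclass
class ImpersonationConfig:
    """The optional requirements (field names are assumptions)."""
    allowed_hosts: List[str] = field(default_factory=list)  # IP addresses or DNS names of trusted Web Players
    require_https: bool = True


@dataclass
class ImpersonationCall:
    """A call from a Web Player server asking to act on behalf of an end user."""
    service_user: Optional[str]   # account the Web Player authenticated as (None = unauthenticated)
    service_groups: Set[str]      # groups that account belongs to
    remote_addr: str              # originating IP address of the call
    secure: bool                  # True when the call arrived over HTTPS
    impersonate_as: str           # the end user the Web Player vouches for


def dns_resolver(name: str) -> List[str]:
    """Real resolver: all IPv4 addresses of a name (a name may map to several)."""
    return socket.gethostbyname_ex(name)[2]


# Constructed address table standing in for DNS in the sample run and tests.
SAMPLE_DNS: Dict[str, List[str]] = {"webplayer.example.internal": ["10.1.2.10", "10.1.2.11"]}


def table_resolver(name: str) -> List[str]:
    return SAMPLE_DNS.get(name, [])


def allowed_addresses(cfg: ImpersonationConfig, resolve: Resolver) -> Set[str]:
    """Expand the configured hosts: literal addresses as-is, names via the resolver."""
    addrs: Set[str] = set()
    for entry in cfg.allowed_hosts:
        try:
            addrs.add(str(ipaddress.ip_address(entry)))
        except ValueError:
            addrs.update(resolve(entry))
    return addrs


def impersonated_user(cfg: ImpersonationConfig, call: ImpersonationCall,
                      resolve: Resolver = dns_resolver) -> Optional[str]:
    """Return the user the call may act as, or None when any requirement fails.
    All configured requirements must hold; there is no partial credit."""
    # 1. The calling Web Player must always be authenticated itself ...
    if not call.service_user:
        return None
    # 2. ... as a member of the Impersonator group.
    if IMPERSONATOR_GROUP not in call.service_groups:
        return None
    # 3. HTTPS, when required.
    if cfg.require_https and not call.secure:
        return None
    # 4. Origin, but only when at least one allowed host is configured;
    #    an empty list means calls from any machine are accepted.
    if cfg.allowed_hosts and call.remote_addr not in allowed_addresses(cfg, resolve):
        return None
    return call.impersonate_as


SAMPLE_CONFIG = ImpersonationConfig(allowed_hosts=["webplayer.example.internal", "10.1.2.3"])

if __name__ == "__main__":
    trusted = ImpersonationCall("svc-webplayer", {IMPERSONATOR_GROUP}, "10.1.2.11", True, "bob@corp.example")
    rogue = ImpersonationCall("svc-webplayer", {IMPERSONATOR_GROUP}, "10.9.9.9", True, "bob@corp.example")
    print("from trusted Web Player:", impersonated_user(SAMPLE_CONFIG, trusted, table_resolver))
    print("from elsewhere:         ", impersonated_user(SAMPLE_CONFIG, rogue, table_resolver))
```

The service account is deliberately the only thing that can impersonate, and the origin list restricts where it may do so from; keeping that account out of every other group, as the page recommends, limits what a stolen credential for it would be worth.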