5.4. Authentication

5.4.1. LDAP Authentication

MQC authentication can be integrated with an existing LDAP directory; the actual authentication is delegated to the configured LDAP servers.

For more information on this topic please check: https://docs.tibco.com/pub/spotfire_server/10.4.0/doc/html/TIB_sfire_server_tsas_admin_help/GUID-88F57426-44C3-4FA5-BD49-ED8A849200E3.html

The best practice is to create two groups in the LDAP directory, one named “MQC Editor” and the other “MQC User”, and add the relevant users to them. As a result, only users with valid accounts in the LDAP directory can log in to MQC.

5.4.1.1. Configuring LDAP

If the LDAP directory server has been set up to communicate over TLS, it is strongly recommended to establish a secure connection between the MQC server and the LDAP directory. If the directory uses a self-signed certificate, configure the MQC server to trust it:

  • Export the certificate to a file and copy it to the MQC server in the path: <installation dir>\jdk\lib\security.

  • From an Administrator command prompt in that path, run: ....\bin\keytool -import -file certificate.crt -keystore cacerts -alias spotfire_ldaps

  • When prompted, enter changeit as password.

  • Verify that the certificate has been added successfully by running: ....\bin\keytool -list -keystore cacerts -alias spotfire_ldaps

  • When prompted, enter changeit as password.

Open the configuration tool on the Spotfire server and follow these steps to set up LDAP:

  1. On the Configuration tab, select BASIC LDAP in the Authentication field. The User directory field switches to LDAP as well.

    ../../_images/MQC_LDAPConfig_1.png

    Figure 5.1 Set up LDAP in configuration tool.

  2. In the left panel of the page, click Authentication: LDAP, then click New and enter a name for the configuration.

    ../../_images/MQC_LDAPConfig_2.png

    Figure 5.2 Create new LDAP configuration.

  3. Fill in the fields of the configuration as follows:

    • Next to Enable for, check both Authentication and User directory. With this setting, the MQC server stores the user accounts in its database and, at each login, verifies the password against the LDAP directory.

    • Fill in the LDAP username and LDAP password fields with the user name and password of an LDAP service account that has read access to Active Directory.

    • Click the LDAP Server URL text box and enter the URL in the form ldap://<server>:<port>, for example, ldap://myserver.example.com:389.

      If TLS is used to connect to the LDAP server, enter the URL in the form ldaps://<server>:<port>, for example, ldaps://myserver.example.com:636.

    • Click the Context names text box and enter the contexts you want to synchronize.

    • The Synchronization schedule field has default values that cause a synchronization between the MQC database and the LDAP directory once a day and at each restart of the MQC server. Press the Add button to add a further synchronization schedule.

    ../../_images/MQC_LDAPConfig_3.png

    Figure 5.3 Fill Basic Settings.

    • Perform this step if you have created specific group(s) in the LDAP directory for access to MQC:

      • Under Group Synchronization, select Yes for Group Synchronization and Filter Users by Groups fields.

      • Click the Groups text box and enter the groups that should have access to MQC, for example CN=MQC-Show-Access,OU=groups,DC=mesroot,DC=com.

    ../../_images/MQC_LDAPConfig_4.png

    Figure 5.4 Fill Group Synchronization.

  4. Click Test connection to verify your entries.

  5. Click Save configuration.

  6. Restart the Spotfire service.

  7. Log in to the MQC server as an admin user, open the Users & Groups menu and add users or groups from the LDAP directory to the MQC editor or MQC user group.

To reset to the default authentication type, open the configuration tool and select BASIC Database in the Authentication field. The User Directory field changes to Database as well. Save the changes and restart the Spotfire service.
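The following script is an added example and not part of MQC or Spotfire; it checks, offline, the two values from the procedure above that are easy to get subtly wrong: the LDAP Server URL (scheme, host, port, and the slip of writing the port as a path) and the group DNs entered under Group Synchronization. It assumes, as a labelled assumption, that members of a group are only synchronized when the group DN lies within one of the configured Context names; the DNs and host names used are constructed.

```python
"""Offline sanity checks for MQC LDAP settings (added example, not product code)."""
from __future__ import annotations
from urllib.parse import urlsplit

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def parse_ldap_url(url: str) -> dict:
    """Validate an LDAP Server URL of the form ldap[s]://<server>:<port>.

    Returns scheme, host, effective port and a list of warnings; raises
    ValueError when the URL cannot be used at all.
    """
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS:
        raise ValueError(f"scheme must be ldap or ldaps, got {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("missing server name")
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        # Catches 'ldap://server/389': the port belongs after a colon, not a slash.
        raise ValueError("URL must not carry a path; use ldap://server:389")
    port = parts.port if parts.port is not None else DEFAULT_PORTS[parts.scheme]
    warnings = []
    if parts.scheme == "ldap":
        warnings.append("plain ldap:// sends the service account password and "
                        "every user's password unencrypted; prefer ldaps://")
    return {"scheme": parts.scheme, "host": parts.hostname, "port": port,
            "warnings": warnings}


def split_dn(dn: str) -> list[tuple[str, str]]:
    """Split a distinguished name into (attribute, value) pairs.

    Handles backslash-escaped commas (CN=Smith\\, John,...) as in RFC 4514;
    multi-valued RDNs joined with '+' are not split, which is fine for group DNs.
    """
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf))
    pairs = []
    for rdn in rdns:
        attr, sep, value = rdn.strip().partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN {rdn!r} in {dn!r}")
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def dn_within(dn: str, context: str) -> bool:
    """True when dn equals or lies below context (case-insensitive RDN compare)."""
    d, c = split_dn(dn), split_dn(context)
    if len(c) > len(d):
        return False
    tail = d[len(d) - len(c):]
    return [(a, v.lower()) for a, v in tail] == [(a, v.lower()) for a, v in c]


def check_groups(groups: list[str], contexts: list[str]) -> list[str]:
    """Return the group DNs that fall outside every synchronized Context name.

    Assumption (not stated on the page): members of such groups are never
    found by the synchronization, so access filtering silently excludes them.
    """
    return [g for g in groups if not any(dn_within(g, c) for c in contexts)]


if __name__ == "__main__":
    # Constructed sample values, mirroring the examples in the procedure above.
    print(parse_ldap_url("ldaps://myserver.example.com:636"))
    print(check_groups(["CN=MQC-Show-Access,OU=groups,DC=mesroot,DC=com"],
                       ["OU=users,DC=mesroot,DC=com"]))
```

Run it before saving the configuration; an empty list from check_groups and no warnings from parse_ldap_url means the values match the conventions the procedure expects.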

5.4.2. OpenID Connect Authentication

OpenID Connect (OIDC) provides single sign-on (SSO) authentication of end users to the MQC server without having to add the users (and their credentials) to the server manually.

5.4.2.1. Enable OAuth provider

Use a third-party application such as GitLab as the OpenID Connect identity provider. Follow the instructions in the documentation of your chosen application to enable OpenID Connect.

As the Redirect URL, use the Return Endpoint URL, which can be copied from the OpenID Connect section of the server configuration tool (see Configure OpenID Connect on the MQC server). Typically, this URL starts with the configured public address URL of your MQC server:

http[s]://<mqc server>[:<port>]/spotfire/auth/oidc/authenticate

Additionally, add the following scopes to your provider application:

  • openid

  • profile

  • email

5.4.2.2. Configure OpenID Connect on the MQC server

Log in to the MQC server and open the configuration tool by double-clicking C:\MQC\Server14.0\tomcat\spotfire-bin\uiconfig.bat. You need the tool password, which was defined during the initial installation/configuration (see Bootstrap including database connection settings (Windows)).

../../_images/MQC_Server_Authentication_OpenIdConnectDialog.png

Figure 5.5 Add a new OpenID Connect provider via the Configuration Tool.

As shown in Figure 5.5, go to the Configuration tab and select the OpenID Connect section.

Here you can also find the Return Endpoint URL, which has to be added as Redirect URL in your OpenID Connect provider (see Enable OAuth provider).

Select Yes to enable OpenID Connect authentication. Then, click on Add new provider and choose a name for your OpenID Connect provider.

Specify the Discovery document URL, the Client ID and the Client secret, as received when registering a client at the provider.

The Discovery document URL returns a JSON document listing, for example, the OpenID/OAuth endpoints, the supported scopes, the public keys used to sign the tokens, and other details.

If you use GitLab as OpenID Connect provider, the correct settings can be fetched from https://gitlab.com/.well-known/openid-configuration.

Afterwards, save the configuration and restart the server.
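Before entering the Discovery document URL, Client ID and Client secret, it is worth checking the discovery document itself, and building the Return Endpoint URL from the public address so that the Redirect URL registered at the provider (see Enable OAuth provider) matches exactly. The script below is an added example, not part of MQC, Spotfire or GitLab: the discovery document it uses is a constructed, abbreviated sample in the shape of a real /.well-known/openid-configuration response, and idp.example.com and mqc.example.com are constructed host names. It checks that the issuer matches the URL the document was fetched from (the OIDC Discovery issuer rule), that the endpoints exist and use https, that the authorization code flow and the openid, profile and email scopes are advertised, and that unsigned ID tokens are not offered.

```python
"""Checks on an OpenID Connect discovery document (added example, not product code)."""
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"
REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint",
                      "jwks_uri", "userinfo_endpoint")
REQUIRED_SCOPES = {"openid", "profile", "email"}   # the scopes added at the provider

# Constructed sample; a real provider publishes many more fields.
SAMPLE_DISCOVERY = {
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/oauth/authorize",
    "token_endpoint": "https://idp.example.com/oauth/token",
    "userinfo_endpoint": "https://idp.example.com/oauth/userinfo",
    "jwks_uri": "https://idp.example.com/oauth/discovery/keys",
    "response_types_supported": ["code"],
    "scopes_supported": ["openid", "profile", "email", "read_user"],
    "id_token_signing_alg_values_supported": ["RS256"],
}


def expected_issuer(discovery_url: str) -> str:
    """The issuer must equal the discovery URL minus the well-known suffix."""
    if not discovery_url.endswith(WELL_KNOWN):
        raise ValueError(f"discovery URL should end with {WELL_KNOWN}")
    return discovery_url[: -len(WELL_KNOWN)].rstrip("/")


def check_discovery(doc: dict, discovery_url: str) -> list:
    """Return a list of problems; an empty list means the document is acceptable."""
    problems = []
    if doc.get("issuer") != expected_issuer(discovery_url):
        problems.append(f"issuer {doc.get('issuer')!r} does not match the discovery URL")
    for key in REQUIRED_ENDPOINTS:
        url = doc.get(key)
        if not url:
            problems.append(f"missing {key}")
        elif urlsplit(url).scheme != "https":
            problems.append(f"{key} is not https: {url}")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("provider does not advertise the authorization code flow")
    if "scopes_supported" in doc:   # optional field; only checked when published
        missing = REQUIRED_SCOPES - set(doc["scopes_supported"])
        if missing:
            problems.append(f"scopes not advertised: {sorted(missing)}")
    if "none" in doc.get("id_token_signing_alg_values_supported", []):
        problems.append("provider offers unsigned (alg=none) ID tokens")
    return problems


def redirect_url(public_address: str) -> str:
    """Build the Return Endpoint URL from the MQC public address.

    The path is the one given in the section above; http is accepted because
    the page allows it, but https is what the provider should normally see.
    """
    parts = urlsplit(public_address)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError("public address must be an http(s) URL with a host")
    return f"{parts.scheme}://{parts.netloc}/spotfire/auth/oidc/authenticate"


if __name__ == "__main__":
    url = "https://idp.example.com" + WELL_KNOWN
    print(check_discovery(SAMPLE_DISCOVERY, url))           # [] for the sample
    print(redirect_url("https://mqc.example.com:8443"))
```

To use it against a real provider, fetch the discovery URL with any HTTP client, parse the JSON and pass the resulting dict together with the URL you fetched to check_discovery(); for GitLab that URL is the one given above.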

5.4.2.3. Configure Post Authentication Filter

A user account is created on the MQC Server when a user logs in for the first time with OpenID.

For this to work, the Default filter mode has to be set to “Auto-create” in the Post Authentication Filter section.

For automatic role assignment, a custom filter is needed.

MQC provides a CustomPostAuthenticationFilter that assigns the “MQC Users” role to all new users. To configure this filter, enter “mes.mqc.server.CustomPostAuthenticationFilter” as the Custom filter class, then download the mqcCustomPostAuthenticationFilter.jar file and copy it to C:\MQC\Server14.0\tomcat\custom-ext.

../../_images/MQC_Server_Authentication_PostAuthentificationFilter.png

Figure 5.6 Post Configuration Filter with Auto-create and the MQC custom filter.

For more information on how to create your own custom post-authentication filter, see:

https://community.spotfire.com/articles/spotfire/configure-custom-postauthentication-filter-spotfire-server/