MicroStrategy ONE

Enable OIDC Authentication for MicroStrategy Library

This topic details how to enable OIDC authentication for MicroStrategy Library.

Configure OIDC Authentication

  1. Open Workstation and connect to the Library environment using standard authentication with an admin privilege user.
  2. Right-click on the connected environment and select Configure OIDC under Configure Enterprise Security.
  3. In step 1, select an identity provider from the drop-down.

  4. In step 2, click View configuration instruction to view a step-by-step configuration guide. Use the instructions to complete steps 2 and 3.

    If you need assistance from your administrator that is in charge of enterprise Identity and Access Management (IAM), click Request access from your administrator.

  5. In step 4, configure User Claim Mapping to identify the IAM user identity and information.

    Primary User Identifier: Enter the OIDC claim used to identify users. By default, the OIDC claim is email.

    Login Name: Enter the OIDC claim used for the login name. By default, the OIDC claim is email.

    Full Name: Enter the OIDC claim used to display users' full names in MicroStrategy. By default, the OIDC claim attribute is name.

    Email: Enter the OIDC claim used as the user's email in MicroStrategy. By default, the OIDC claim attribute is email.

    Select Import User at Login to allow all users in your AD to use their credentials to log in to MicroStrategy.

  6. In step 5, click Test Configuration to test with the credentials that you provided above.

    Test configuration step is only available for OKTA and PingOne identity providers.

  7. Click Save. In 2021 Update 2 or later, you see the message shown below. Workstation automatically creates a trusted relationship and enables OIDC authentication, along with standard authentication.

    If you are using an older build then you may need to manually create the trusted relationship and enable OIDC authentication mode on the Library admin page.

    http://<FQDN>:<port>/MicroStrategyLibrary/admin

Library Admin Page Authentication

In 2021 Update 2 or newer, the Library admin pages support basic and OIDC authentication when only OIDC authentication is enabled. The admin pages authentication is governed by the auth.admin.authMethod parameter in the WEB-INF/classes/config/configOverride.properties file. If the parameter is not mentioned in the file, you can add it as shown below.

There are two possible values for the auth.admin.authMethod parameter:

  • auth.admin.authMethod = 1 (Default)

    The default value of the auth.admin.authMethod parameter is 1. This means the Library admin pages are protected by basic authentication.

  • auth.admin.authMethod = 2

    The Library admin pages are protected by the OIDC admin groups specified in the OIDC configuration form. These admin groups are linked to groups on the Identity Provider (IDP) side. Only members of the IDP admin groups can access the admin pages; users who do not belong to an admin group receive a 403 Forbidden error.

The administrator can change the parameter value as per the requirements. A Web application server restart is required for the changes to take effect.

The Library admin pages cannot be protected by the OIDC admin groups when multiple authentication modes are enabled.

Enable OIDC Logging

  1. Access the machine in which MicroStrategy Library is installed/deployed and browse to <Library Folder Path>/WEB-INF/classes.

  2. Locate and edit logback.xml.

  3. Locate <logger name="org.springframework" level="ERROR"> and <logger name="com.microstrategy" level="ERROR">. Remove any comment tags from both and change the value of level to "DEBUG".

    <logger name="org.springframework" additivity="false" level="DEBUG">
        <appender-ref ref="SIFT" />
    </logger>

    <logger name="com.microstrategy" additivity="false" level="DEBUG">
        <appender-ref ref="SIFT" />
    </logger>
  4. Locate <filter class="ch.qos.logback.classic.filter.ThresholdFilter"> and change the level to "DEBUG".

    <filter class="ch.qos.logback.classic.filter.ThresholdFilter">
        <level>DEBUG</level>
    </filter>
  5. Save and close logback.xml.

  6. Restart the application server.

    Additional logging is added to MicroStrategyLibrary-{appName}.log. By default, this is named MicroStrategyLibrary-MicroStrategyLibrary.log. You can expect the log file to appear in a folder specified under the LOG_HOME property of logback.xml. For example, <property name="LOG_HOME" value="C:/Program Files (x86)/Common Files/MicroStrategy/Log" />.

  7. Once the behavior you are investigating has been reproduced, edit logback.xml once again and change level="DEBUG" back to level="ERROR".
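The following script is an added example, not part of MicroStrategy's documentation or product: it audits the two settings discussed above, reading auth.admin.authMethod from configOverride.properties (defaulting to 1 when the key is absent, as the page states) and flagging any org.springframework / com.microstrategy logger or ThresholdFilter in logback.xml still left at DEBUG after step 7. The logback fragment below is constructed sample input; the property names and logger names are the ones from this page.

```python
import xml.etree.ElementTree as ET

# Constructed sample logback.xml, as it might look when step 7 (revert to ERROR) was skipped.
SAMPLE_LOGBACK = """<configuration>
  <appender name="SIFT" class="ch.qos.logback.classic.sift.SiftingAppender">
    <filter class="ch.qos.logback.classic.filter.ThresholdFilter">
      <level>DEBUG</level>
    </filter>
  </appender>
  <!-- commented-out loggers are inactive and must not be reported -->
  <!-- <logger name="org.springframework" additivity="false" level="DEBUG"></logger> -->
  <logger name="org.springframework" additivity="false" level="DEBUG">
    <appender-ref ref="SIFT" />
  </logger>
  <logger name="com.microstrategy" additivity="false" level="ERROR">
    <appender-ref ref="SIFT" />
  </logger>
</configuration>
"""

# Loggers the page tells you to raise to DEBUG for troubleshooting (and to revert afterwards).
WATCHED_LOGGERS = ("org.springframework", "com.microstrategy")
THRESHOLD_FILTER = "ch.qos.logback.classic.filter.ThresholdFilter"


def debug_leftovers(logback_xml: str) -> list:
    """Return human-readable findings for anything still at DEBUG in logback.xml."""
    # ElementTree drops XML comments, so a commented-out <logger> is correctly ignored.
    root = ET.fromstring(logback_xml)
    findings = []
    for logger in root.iter("logger"):
        name = logger.get("name", "")
        if name in WATCHED_LOGGERS and logger.get("level", "").upper() == "DEBUG":
            findings.append(f"logger {name} still at DEBUG")
    for flt in root.iter("filter"):
        if flt.get("class") == THRESHOLD_FILTER:
            if flt.findtext("level", "").strip().upper() == "DEBUG":
                findings.append("ThresholdFilter still at DEBUG")
    return findings


def admin_auth_method(properties_text: str) -> int:
    """Parse auth.admin.authMethod from configOverride.properties text; 1 (basic) when absent."""
    for line in properties_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):   # .properties comment lines
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == "auth.admin.authMethod":
            return int(value.strip())   # 1 = basic auth, 2 = OIDC admin groups
    return 1
```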