Customizing Authentication

A custom implementation of the External Security Module (ESM) lets you customize the MicroStrategy Web authentication process without modifying original source code and in a manner that is not affected by software upgrades. Authentication, in this context, refers specifically to the process of identifying which Intelligence Server user or session should be used for a sequence of MicroStrategy Web requests. When the user first interacts with a MicroStrategy Web page, the authentication process—if successful—results in the establishment of an Intelligence Server session. During subsequent requests, this process—if successful—results in either the validation of an existing Intelligence Server session or the creation of a new one, if the original session has expired or timed out.

Customizing authentication in MicroStrategy Web involves the following:

• Creating a custom ESM  

• Telling MicroStrategy Web to use this custom ESM

In the default MicroStrategy Web authentication process, the application invokes the default ESM, which simply presents the default log-in page to collect the user's credentials. The application then uses these credentials to try to validate or authenticate a user and create a session on Intelligence Server. In a custom MicroStrategy Web authentication process, the application invokes a custom ESM, which can perform a range of activities. A custom ESM can perform only a minor action such as user mapping and relegate all other authentication and session creation activities to MicroStrategy Web, or it can perform all of the credential gathering, authentication, and session creation activities normally taken care of by the application, as well as additional custom actions. It can also do something in between these extremes.

Custom authentication provides great flexibility—for what and how information is gathered, what operations take place, how sessions are handled, and how log-in credentials are used for authentication—but this flexibility brings with it responsibility. When a custom ESM does not delegate authentication and session creation to MicroStrategy Web, it is entirely responsible for authenticating users and managing how sessions are created, persisted, reused, and closed on Intelligence Server—operations that MicroStrategy Web normally takes care of by default.

The benefits of custom authentication often outweigh the extra coding requirements. For example, a custom log-in page can have an entirely different look and feel that reflects the appearance and needs of your specific environment. It can collect credentials different from those needed to log into MicroStrategy Web, and it can map these user-supplied credentials to the proper MicroStrategy credentials. A custom ESM can customize session handling. For example, it can specify that an existing session should be shared, or, if an Intelligence Server session has already been established, it can specify that the session should be reused rather than closed when a user logs out. It can include a custom time-out or keep-alive function that ends an idle user session more quickly than the default setting does. A custom ESM can also enforce other authorization criteria, in addition to the authorization that MicroStrategy performs by default. For example, it can limit the amount of interaction a user can have in a single session based on the number of HTTP requests.

While authentication refers to the process of validating a user, authorization refers to the process of checking the validity of each individual request. In the context of the MicroStrategy Web application, authorization means checking whether a given user is allowed to proceed with a specific HTTP request. MicroStrategy always performs its own authorization check, using the properties of the user object in the metadata, but a custom ESM can include additional authorization criteria that are applied on top of the criteria that MicroStrategy uses by default.The most common uses for a custom External Security Module include:

• Presenting a custom log-in page  

• Authenticating a user with credentials passed in and creating a session  

• Validating a user with a token passed in and creating a session  

• Authenticating a user with a session ID passed in and restoring a session  

• Mapping one set of user credentials to another set of credentials

• Managing sessions in a non-standard way  

• Applying additional authorization criteria  

• Gathering information about which users are accessing MicroStrategy Web