MicroStrategy ONE

Customizing Trusted Authentication

MicroStrategy Web provides out-of-the-box support for three identity management applications—CA SiteMinder, IBM Tivoli Access Manager, and Oracle Identity Manager—but you can use the Web Customization Editor to easily customize these trusted authentication providers. In addition, you can use the editor to add a new custom trusted authentication provider or to specify multiple header variables for any of these providers. You can also use PHP-based authentication for trusted authentication.

Regardless of whether you are using an out-of-the-box or custom trusted authentication provider, you must choose "Trusted authentication" as the only login mode to be used by MicroStrategy Web, and you must establish a trust relationship between MicroStrategy Web and Intelligence Server. In addition, if the trusted authentication provider uses an LDAP database for user authentication, you must configure Intelligence Server to synchronize MicroStrategy users with the LDAP user information.

 Setting up trusted authentication for SSO to MicroStrategy Web involves the following steps:

  1. Designating MicroStrategy Web as protected by a specific trusted authentication provider  

  2. Synchronizing MicroStrategy users with LDAP users if the trusted authentication provider uses an LDAP database  

  3. Configuring the HTTP server to authenticate MicroStrategy users via authentication by the trusted authentication provider  

  4. Establishing a trust relationship between MicroStrategy Web and Intelligence Server  

  5. Configuring MicroStrategy Web to use the trusted authentication provider  

For trusted authentication using a PHP-based authentication provider, there are some additional steps.

An explanation of each step is provided below. 

  1. Designating MicroStrategy Web as protected by a specific trusted authentication provider

    In order to redirect a user request for a MicroStrategy Web page to a trusted authentication provider, the HTTP server that receives the request must be aware that MicroStrategy Web is a protected application (that is, that access to MicroStrategy Web is protected by the trusted authentication provider, which acts as a gatekeeper to the MicroStrategy Web deployment). In an SSO environment, the HTTP server is configured so that it knows which applications are protected. The server checks each incoming request against this configuration information and diverts the request accordingly.
     

  2. Synchronizing MicroStrategy users with LDAP users if the trusted authentication provider uses an LDAP database

    If the trusted authentication provider uses an LDAP database for user authentication, you must configure the Intelligence Server as described below: 

    1. In MicroStrategy Desktop, log in to a project source as a user with administrative privileges. 

    2. From the Administration menu, select Server -> Configure MicroStrategy Intelligence Server.

    3. On the MicroStrategy Intelligence Server Configuration Editor, do the following: 

      1. Expand LDAP and select Server.  On the LDAP - Server Editor, enter the name of the LDAP host and provide the Distinguished Name and password for the administrative user that will be used to log in to the LDAP database by the trusted provider during user authentication. 

      2. Expand Import and select Import/Synchronize. On the LDAP - Import - Import/Synchronize Editor, make sure that all of the check boxes are selected. 

      3. With Import still expanded, select Options. On the LDAP - Import - Options Editor, select the Synchronize user/group information with LDAP during trusted authentication check box. 

      4. Click OK to accept your changes and close the Intelligence Server Configuration Editor. 

    4. Close MicroStrategy Desktop.

  3. Configuring the HTTP server to authenticate MicroStrategy users via authentication by the trusted authentication provider

    When a user sends a request to MicroStrategy Web from a client machine, there must be a mechanism for determining whether the user is a valid MicroStrategy user. In an SSO environment using trusted authentication, an identity management application outside of MicroStrategy—referred to as a trusted authentication provider—performs the initial authentication to determine whether the user has valid credentials for accessing the MicroStrategy Web deployment. The HTTP server diverts the user request to the trusted authentication provider before it reaches MicroStrategy Web. The trusted authentication provider authenticates the user against its user repository, such as an LDAP database. If authentication by the trusted authentication provider succeeds, a trust token is passed to MicroStrategy Web. The information in the trust token is used by MicroStrategy Intelligence Server to attempt to retrieve valid MicroStrategy credentials and create a session through MicroStrategy Web. If valid credentials are not found, login to a MicroStrategy project is denied.
     

  4. Establishing a trust relationship between MicroStrategy Web and Intelligence Server

    In order to use trusted authentication, you must choose “Trusted Authentication Request” as the only login mode for MicroStrategy Web and establish a trust relationship between MicroStrategy Web and MicroStrategy Intelligence Server. You do this using MicroStrategy Web Administration settings. To accomplish this, do the following: 

    1. Open the MicroStrategy Web Administration application. 

    2. In the left-hand pane, choose WEB SERVER -> Intelligence Servers -> Servers.

    3. In the right-hand pane, click the "Modify" icon under Properties for the Intelligence Server with which you want to establish the trust relationship.

    4. Under Connection Properties on the Server Properties tab, click the Setup button for “Trust relationship between Web Server and MicroStrategy Intelligence Server”. 

    5. On the setup page, enter the User name and Password that will be used for the trusted relationship and click the Create Trust Relationship button.

      A checkmark will now appear next to “Trust relationship between Web Server and MicroStrategy Intelligence Server”, indicating that the relationship has been established.

    6. Click Save.

    7. Close the MicroStrategy Web Administration application.
       

    You can confirm that the trust relationship has been established in MicroStrategy Desktop by doing the following:

    1. Navigate to Tools -> Project Source Manager and add a project source name for the Intelligence Server with which you established the trust relationship.

    2. Under Folder List, right-click the project source and choose Configure MicroStrategy Intelligence Server. (You must be connected to the project source for this context menu option to be active.)

    3. On the MicroStrategy Intelligence Server Configuration dialog, select Web Single Sign-on in the left-hand pane. Under “Trusted Web Application Registration” in the right-hand pane, confirm that the status of the Intelligence Server with which you established a trust relationship is “Enabled”.

  5. Configuring MicroStrategy Web to use the trusted authentication provider

    If you use CA SiteMinder, which is the default out-of-the-box trusted authentication provider, you don’t need to configure anything. However, if you use IBM Tivoli Access Manager or Oracle Identity Manager (other out-of-the-box trusted providers) or a custom trusted provider, you need to configure MicroStrategy Web so that it can use that provider for authentication, as described below. 

    1. Open the MicroStrategy Web Administration application and do the following: 

      1. In the left-hand pane, choose WEB SERVER -> Intelligence Server -> Default properties.

      2. In the right-hand pane, under Login, select “Trusted authentication request” to enable it. All other authentication modes must be disabled for this MicroStrategy Web deployment. 

      3. In the drop-down for Trusted Authentication Providers, do the following:

        • If you are using IBM Tivoli Access Manager or Oracle Identity Manager (the non-default out-of-the-box trusted authentication providers), choose Tivoli or Oblix as the trusted provider. 

        • If you are using a trusted authentication provider other than CA SiteMinder, IBM Tivoli Access Manager or Oracle Identity Manager (that is, a provider that is not supported out-of-the-box), choose Custom SSO as the trusted provider. 

      4. Click Save.
    2. Open the Web Customization Editor in Eclipse and specify the provider-specific header variable name that MicroStrategy Web will use to authenticate the user for login to a project. See Adding a New Trusted Authentication Provider for detailed instructions on how to do this.

The topics in this section provide a detailed description of how to perform each of these customizations.
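
Steps 3 and 5 depend on the HTTP server passing the authenticated identity to MicroStrategy Web in a provider-specific header variable, so that header must only ever be set by the protecting HTTP server. The following Python is an added example, not MicroStrategy or provider code, that models both sides of that hand-off; the header name `x-sso-user`, the proxy address and the `demo_provider` function are hypothetical placeholders.

```python
# Added illustration of the header hand-off described in steps 3 and 5.
# TRUST_HEADER and TRUSTED_PROXIES are hypothetical, not MicroStrategy settings.
from typing import Callable, Dict, Optional

TRUST_HEADER = "x-sso-user"       # placeholder for the provider-specific header variable
TRUSTED_PROXIES = {"10.0.0.5"}    # constructed address of the protecting HTTP server


def gateway_forward(client_headers: Dict[str, str],
                    authenticate: Callable[[Dict[str, str]], Optional[str]]
                    ) -> Optional[Dict[str, str]]:
    """HTTP-server side: build the headers forwarded to the protected application.

    Any client-supplied copy of the trust header is discarded first; the header
    is then set only from the provider's own authentication result.
    Returns None when the provider rejects the request.
    """
    forwarded = {k.lower(): v for k, v in client_headers.items()
                 if k.lower() != TRUST_HEADER}
    user = authenticate(forwarded)
    if user is None:
        return None
    forwarded[TRUST_HEADER] = user
    return forwarded


def resolve_user(headers: Dict[str, str], peer_ip: str) -> Optional[str]:
    """Application side: honour the trust header only on connections that come
    from the protecting HTTP server, and only when it is present and non-empty."""
    if peer_ip not in TRUSTED_PROXIES:
        return None
    user = headers.get(TRUST_HEADER, "").strip()
    return user or None


def demo_provider(headers: Dict[str, str]) -> Optional[str]:
    """Constructed stand-in for the identity provider: maps a session cookie to a user."""
    sessions = {"sess=abc123": "jdoe"}   # constructed sample data
    return sessions.get(headers.get("cookie", ""))
```

In a real deployment the same two properties are enforced by the HTTP server or provider agent configuration and by network controls that prevent clients from reaching MicroStrategy Web without passing through that server.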