MicroStrategy ONE

Single Sign-On Implementation Considerations

There are a number of important considerations if you are planning to implement single sign-on for MicroStrategy Web users in your environment. Single sign-on (SSO) essentially involves the following:

  • Using an external user repository for authenticating users  

  • Using an external authority for performing authentication  (optional)  

  • Authenticating or validating a user against the MicroStrategy Web product without requiring that users manually provide log-in credentials  

  • Synchronizing any user changes between the external user repository and the MicroStrategy metadata

Before you implement single sign-on, you must analyze your environment. The following set of questions is designed to highlight areas and issues that you should look at when implementing single sign-on. You can use the list as a comprehensive questionnaire or simply as a summary of considerations. The questions are broken down into the following areas of consideration:

Entry points to MicroStrategy Web

There are a number of ways that users can connect to MicroStrategy Web. The method for achieving single sign-on in your environment will depend on how users connect to your MicroStrategy Web application.

  1. How many of the following ways will your users be able to access MicroStrategy Web content and functionality?

    • directly through a browser

    • through a portal:

      • using an out-of-the-box MicroStrategy portlet

      • using a custom MicroStrategy portlet

    • through an identity management application

    • through a data visualization implementation

    • through a custom Web application

    • through a custom desktop application

User repository

Businesses that use MicroStrategy Web typically have a centralized location in which they store all user information. Some or all of the users in this user repository are MicroStrategy users.

  1. Where is your user information stored?

    • Do you use MicroStrategy metadata as your user repository?   

    • If you do not use MicroStrategy metadata, which external source do you use as your user repository?

      • Windows domain

      • LDAP

      • Database

      • Flat file

      • Other

  2. What set of users in your current user repository should be given access to MicroStrategy Web?

  3. How are the user profiles for this set of users created within the MicroStrategy metadata?

  4. What access controls and privileges do these users have within MicroStrategy?

  5. When users connect to MicroStrategy Web, are they already authenticated or does MicroStrategy need to authenticate the user?

  6. When an already authenticated user connects to MicroStrategy Web, what does MicroStrategy need to do to validate that the user is authenticated?

  7. How can non-MicroStrategy users within the repository be prevented from getting access to MicroStrategy Web?

  8. Is there a one-to-one match between the MicroStrategy users in your repository and the users in your MicroStrategy Web application, or do you need to perform any user mapping?

Authentication

There are several mechanisms for programmatically passing the information needed to authenticate the user to MicroStrategy Web.  

  1. What mechanism will you use for providing SSO authentication?

    • Windows domain

    • Portal application

    • Identity management application

  2. How will you verify that users are who they say they are?

  3. Is there an external user repository where users are currently stored?

  4. What authority is currently being used to authenticate users?

    • Standard authentication

    • LDAP authentication

    • Database authentication

    • Windows NT authentication

    • Trusted authentication provider 

  5. Do you use an identity management application—such as CA SiteMinder, IBM Tivoli, or Oracle Oblix—in your environment? 

  6. Do you plan to implement custom authentication?

Authorization 

How will you determine whether a user, once identified, is permitted to access the requested resource?

  1. Is any authorization information stored in the external user repository? 

  2. Do you need to add additional authorization criteria?

User synchronization 

In order for single sign-on to work, users must be kept in synchronization. You must account for changes that occur over time as new users are added or existing users move from one department to another, receive more or fewer access privileges, or leave the company. How will you ensure that user profiles in MicroStrategy always match the user profiles stored in your user repository? 

  1. Will you manually synchronize user profiles? 

  2. Will you automatically synchronize user profiles? 

  3. Will you synchronize user profiles in batches?
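
The changes listed above (new users, users who move departments or change privileges, users who leave) can be worked out by comparing a snapshot of the external repository with the profiles in the metadata. The following is an added example, not MicroStrategy code: it only plans the changes, all function names and sample data are constructed, and it assumes the external repository is the source of truth.

```python
# Added example: constructed data and hypothetical names; not a MicroStrategy API.

def plan_sync(repository, metadata):
    """Return the ordered actions that make the metadata match the repository.

    Both arguments map login -> set of group names. The external
    repository is treated as the source of truth (assumption).
    """
    disable, update, create = [], [], []
    for login in sorted(metadata.keys() - repository.keys()):
        disable.append(("disable", login, {}))          # user left the company
    for login in sorted(repository.keys() & metadata.keys()):
        added = repository[login] - metadata[login]
        removed = metadata[login] - repository[login]
        if added or removed:                            # moved or privileges changed
            update.append(("update", login,
                           {"add": sorted(added), "remove": sorted(removed)}))
    for login in sorted(repository.keys() - metadata.keys()):
        create.append(("create", login, {"add": sorted(repository[login])}))
    # Design choice of this example: access removal is ordered before grants.
    return disable + update + create


def batches(actions, size):
    """Split the plan into fixed-size batches for batch synchronization."""
    return [actions[i:i + size] for i in range(0, len(actions), size)]


# Constructed sample snapshots.
REPOSITORY = {
    "asmith": {"Finance", "Reports"},
    "bjones": {"Sales", "Reports"},       # moved from Finance to Sales
    "dlee": {"Sales"},                    # newly added user
}
METADATA = {
    "asmith": {"Finance", "Reports"},
    "bjones": {"Finance", "Reports"},
    "cwong": {"Finance"},                 # no longer in the repository
}

if __name__ == "__main__":
    for n, batch in enumerate(batches(plan_sync(REPOSITORY, METADATA), 2), 1):
        print(f"batch {n}: {batch}")
```

Profiles that still exist in the metadata after the user has been removed from the repository are the case to watch, because single sign-on would continue to map an identity to them.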