MicroStrategy ONE

Terms and Concepts

Before you begin to customize authentication and create a single sign-on environment for a MicroStrategy Web product, you should be familiar with the general terms and concepts below. You should also be familiar with how sessions are created, managed, and used for authentication in MicroStrategy Web.

A brief description of each of these terms and concepts is provided below.  

Authentication is any process that verifies that users are who they claim to be. Within a technology identity management system, this usually involves a user name and a password, but it can also include many other methods of demonstrating identity, such as a smart card, a retina scan, voice recognition, or fingerprints.

When a user connects to MicroStrategy Web, the MicroStrategy application either authenticates the user internally or delegates the user authentication to an external user repository and authentication mechanism to validate that the user is who he or she claims to be.

  • See Authentication Modes for details and a diagram depicting authentication options supported by MicroStrategy.  

  • See Authentication Workflow for a description of the general process flow that occurs during authentication.  

Authorization is the process of determining whether a user, once identified (that is, authenticated), is permitted to have the requested resource. Typically, the MicroStrategy application performs the job of authorizing an authenticated user (that is, determining the specific features within MicroStrategy to which a user has access). Once a user has been authenticated, the MicroStrategy application then authorizes the user to access whatever features in MicroStrategy he or she has permission to use. This authorization is accomplished using the information in the MicroStrategy user repository.  

An Identity Management system is a custom or third-party authentication application that centralizes security management for all of a company's applications. This authentication approach provides a centralized mechanism and place for controlling security and tracking which applications are being accessed by users. An identity management application validates a user's identity, determines which company applications that user has permission to access, and then passes the authentication information on to the requested application, which uses it to establish a session for the user.  

Portal Server applications are enterprise management tools that provide the ability to visually consolidate pertinent information on one portal page. MicroStrategy Web authentication is generally integrated with portal authentication so that users log in only once, to the portal server, and are then able to access authorized MicroStrategy content without having to log in again.

Single sign-on (SSO) is an authentication process that allows a user to log in to a system or application only once, and then be able to access other applications without being prompted to log in for each subsequent application. The initial application to which the user logs in is often a portal application or an identity management system.

A token, in a MicroStrategy environment, is an ID code that can be assigned to a user and used to log in to a system. A user token is passed from an application to a trusted external mechanism that provides validation of the token and then passes that validation back to the application. Tokens provide another way for users to be authenticated to MicroStrategy, and thus provided with a single sign-on experience in MicroStrategy Web.

User mapping involves creating a relationship between two sets of user credentials (for example, between a userID/profile stored in a database and a userID/profile within MicroStrategy) so that one set of credentials can be used to retrieve or generate another set of credentials. User mapping is useful in situations in which you want a user to connect to MicroStrategy Web with a userID that is different from the one by which he is recognized in your external user repository. This can occur when MicroStrategy has been in place for some time before an external user repository is established. In this situation, a mapping must occur between the userID given by the user logging into the system and the different userID being used within the MicroStrategy context.

Validation is a process in which a token or session ID offered by a user (that is, information that proves previous authentication of the user) is confirmed to be valid. An already-authenticated user is sometimes called a trusted user. Validation is performed by MicroStrategy on a user who is connecting to MicroStrategy and who has already been authenticated by an external authentication mechanism.