Authenticating Users to Your Active Directory

You can configure WebFOCUS BUE to authenticate users against your corporate Active Directory. The WebFOCUS BUE Client passes user sign-in credentials to the WebFOCUS BUE Reporting Server, which in turn validates them against an external source. WebFOCUS BUE can authenticate users against external Active Directory or LDAP directories. Users are externally authenticated whenever they access WebFOCUS BUE and whenever they access the Reporting Server Console.

The benefits of authenticating users to the Active Directory include:

Configuring Active Directory/LDAP Authentication

To convert to external Active Directory or LDAP authentication, you must override the default setting of internal authentication in both the BUE Client and the Reporting Server, and establish a connection between the Reporting Server and an LDAP provider that will carry out the authentication.

Here is an overview of the configuration steps:

  1. Create a new WebFOCUS BUE Manager account whose name matches an account in Active Directory.

    Since the default Manager account, manager, generally does not exist in the external source, it can no longer be authenticated once external authentication has been configured. The new Manager account that you create exists in both WebFOCUS and Active Directory, so you can use it to access the BUE after WebFOCUS has been restarted in its new authentication configuration.

  2. Configure the BUE LDAP provider to authenticate users to Active Directory.
  3. Configure BUE to use the LDAP provider and restart the BUE services.

In the steps which follow, you will be required to provide credentials for two service accounts. The first is a BUE Reporting Server account, PTH\srvadmin, that is used by WebFOCUS BUE to delegate authentication to the Reporting Server. The password for this account is pre-configured during BUE installation to be the same as the password you supplied for the BUE Manager account.

The second is an Active Directory account of your choice that the Reporting Server uses to authenticate users and to retrieve their full description and email address, which it passes back to the BUE to update the user account. This service account needs only read access to Active Directory. Generally, any Active Directory account can be used for this purpose, but its password must be set to never expire: the Reporting Server stores these credentials, and an expired or changed password breaks sign-in for every user. Because the password is stored in the provider configuration, use a dedicated account that holds no privileges beyond that read access.

Procedure: How to Create the Externally Authenticated Manager Account

  1. Sign in to WebFOCUS BUE as a Manager.
  2. In the BUE Portal, on the Menu bar, click Administration, and then click Security Center.
  3. In the Security Center, under Users, click New User.
  4. In the User Name field, type the Active Directory ID of the person who will be the new Manager for the BUE after Active Directory authentication is established.

    You do not need to enter a description or email address because this information will be automatically updated during sign in based on information retrieved by the BUE from Active Directory.

  5. Click Managers in the Create in Groups list.
  6. Click OK.

    An icon for the new user appears under Users and under Users in Group, when you click the Managers group.

Procedure: How to Establish LDAP as the Primary Security Provider on the Reporting Server

  1. Sign in to WebFOCUS BUE as a Manager.
  2. In the BUE Portal, on the Menu bar, click Administration, and then click Reporting Server Console.
  3. In the Reporting Server Console, click the Access Control tab.

    The Navigation pane displays an expandable LDAP folder.

  4. Right-click the LDAP folder, and then click New.
  5. In the LDAP Security Provider Configuration page, accept the default name, LDAP01, or type a new descriptive name for the LDAP security provider in the LDAP_PROVIDER field.
  6. In the Connection Section, type the host name of your Active Directory server in the ldap_host field.

    In some cases, you can also enter the domain name of your organization, for example: ibi.com.

  7. Change the value in the LDAP port field only if your installation uses a different port number.

    Most installations use the default port number, 389. Note that the ldap_principal and ldap_credentials of an Explicit bind (step 8) are sent to the directory in cleartext over port 389 unless the connection is protected by TLS; check whether your directory requires LDAPS (port 636) or StartTLS and set the port accordingly.

  8. Click Explicit in the security list.

    The section expands and displays the fields, ldap_principal, and ldap_credentials.

  9. In the ldap_principal field, type the name of a service account that has read access to the Active Directory.

    It is important that this account has a non-expiring password to avoid disruption to the BUE.

  10. Type the password of the Service Account in the ldap_credentials field.
  11. Click Next.

    If you receive a message that the Discover LDAP server attributes failed, click OK, and then review and update the settings you entered up to this point.

    If all settings are correct, the page refreshes and displays additional headings. Fields in the User Search section contain values populated directly from the Reporting Server.

  12. Click the Trusted Connection section heading.
  13. In the Trusted Connection section, click y in the trust_ext list.
  14. Click Test User Authentication.
  15. Type the Active Directory User ID and Password of the person that you previously identified as the new BUE Manager, and then click Continue.

    If you receive a message that the connection or password failed, review and update your settings if necessary, and try again.

    If authentication succeeded, continue with the next step.

  16. Click Save.
  17. In the Activate Providers page, in the LDAP entry that is identified by LDAP01, or by the descriptive name you typed in the LDAP_PROVIDER field, click Primary in the Status list.

    The Status of the LDAP entry changes to Primary, and the Status of the PTH<internal> Security provider entry changes to Secondary automatically.

  18. Click Save Provider's Status.

    The screen refreshes and displays the Change Effective Security Provider page.

  19. Click Apply and Restart Server.

    When the confirmation dialog box opens, click OK.

    The Reporting Server Console refreshes and displays the Applications tab.

  20. Click the Access Control tab.
  21. Review the new LDAP Security Provider and its Primary status.
  22. Close the Reporting Server Console.
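The procedure above, and the service-account paragraph before it, require that the ldap_principal account is enabled, has a non-expiring password, and holds nothing beyond read access. The following Python is an added example (not WebFOCUS code) of a pre-flight check you can run on that account before saving the provider. It decodes the Active Directory userAccountControl flags and looks for membership in privileged groups; the attribute entries here are constructed samples of what an LDAP search (for example via ldap3, or Get-ADUser on Windows) would return, and the list of privileged group names is an assumption you should adjust for your domain.

```python
"""Pre-flight audit of the AD service account used for the Reporting Server's
Explicit LDAP bind.  Added example; not part of WebFOCUS BUE."""
from __future__ import annotations

# userAccountControl bit flags (Microsoft-documented values).
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000
PASSWORD_EXPIRED = 0x800000

UAC_FLAGS = [
    ("ACCOUNTDISABLE", ACCOUNTDISABLE),
    ("NORMAL_ACCOUNT", NORMAL_ACCOUNT),
    ("DONT_EXPIRE_PASSWORD", DONT_EXPIRE_PASSWORD),
    ("PASSWORD_EXPIRED", PASSWORD_EXPIRED),
]

# Groups that grant far more than the read access the provider needs.
# Assumption: extend this with your domain's own privileged groups.
PRIVILEGED_GROUPS = {
    "Domain Admins", "Enterprise Admins", "Schema Admins",
    "Administrators", "Account Operators",
}


def decode_uac(uac: int) -> list[str]:
    """Names of the flags we care about that are set in a userAccountControl value."""
    return [name for name, bit in UAC_FLAGS if uac & bit]


def _cn(dn: str) -> str:
    """CN of a DN such as 'CN=Domain Admins,CN=Users,DC=ibi,DC=com'."""
    first = dn.split(",", 1)[0]
    return first.split("=", 1)[1] if "=" in first else first


def audit_service_account(entry: dict) -> list[str]:
    """Return findings for one account; an empty list means it is fit to be
    ldap_principal.  `entry` maps attribute names to values as an LDAP search
    returns them (userAccountControl as a decimal string, memberOf as DNs)."""
    findings = []
    uac = int(entry.get("userAccountControl", 0))
    if uac & ACCOUNTDISABLE:
        findings.append("account is disabled")
    if not uac & NORMAL_ACCOUNT:
        findings.append("not a normal user account")
    if not uac & DONT_EXPIRE_PASSWORD:
        findings.append("password is not set to never expire")
    if uac & PASSWORD_EXPIRED:
        findings.append("password has already expired")
    for dn in entry.get("memberOf", []):
        group = _cn(dn)
        if group in PRIVILEGED_GROUPS:
            findings.append(f"member of privileged group {group}")
    return findings


# Constructed sample entries (not real accounts).  66048 = 0x10200 =
# NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD; 512 = NORMAL_ACCOUNT only;
# 66050 = 0x10202 adds ACCOUNTDISABLE.
SAMPLE_ENTRIES = {
    "svc-bue-ldap": {"sAMAccountName": "svc-bue-ldap", "userAccountControl": "66048",
                     "memberOf": ["CN=BUE Readers,OU=Groups,DC=ibi,DC=com"]},
    "svc-expiring": {"sAMAccountName": "svc-expiring", "userAccountControl": "512",
                     "memberOf": []},
    "svc-admin": {"sAMAccountName": "svc-admin", "userAccountControl": "66048",
                  "memberOf": ["CN=Domain Admins,CN=Users,DC=ibi,DC=com"]},
    "svc-disabled": {"sAMAccountName": "svc-disabled", "userAccountControl": "66050",
                     "memberOf": []},
}

if __name__ == "__main__":
    for name, entry in SAMPLE_ENTRIES.items():
        flags = decode_uac(int(entry["userAccountControl"]))
        problems = audit_service_account(entry) or ["OK"]
        print(f"{name}: flags={flags}; {'; '.join(problems)}")
```

Only the first sample account passes; the others show the three failure modes worth catching before the password is saved into the provider: an expiring password (which the page warns will disrupt the BUE), a disabled account, and an over-privileged account whose credentials would then sit in the Reporting Server configuration.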

Procedure: How to Enable External Security in the WebFOCUS Client

  1. Sign in to WebFOCUS BUE as a Manager.
  2. In the BUE Portal, on the Menu bar, click Administration, and then click Administration Console.
  3. In the Administration Console, click the Security tab.
  4. Under the Security Configuration folder, click External.
  5. On the External page, select the Enable External Security check box.

    The External page displays the settings currently assigned to the Reporting Server.

  6. Type PTH\srvadmin in the Server Administrator ID field.

    This is a Reporting Server administrator account that was installed automatically during the BUE installation.

  7. Type the password for this account in the Password field.

    The password was assigned during BUE installation, and is initially set to the same value that you entered for the manager account during installation.

    Note: The placement of this ID and its associated Password in the Server Administrator ID field enables the Client to present them to the Reporting Server when sending User authentication requests.

  8. Click Connect to verify the credentials you provided.
  9. Leave User Authorization set to Internal and ignore the Account Creation on Sign In settings. The BUE does not support changes to these options.
  10. Select the Synchronize User Information with Authentication Provider check box.
  11. Click Save.

    When the confirmation dialog box opens, click OK.

  12. In the Administration Console menu, click Close.
  13. Sign out of WebFOCUS BUE.
  14. Stop and restart the Web Application to make these changes take effect. To do so:

    If this installation of the BUE is based on the Windows operating system, stop and restart the WebFOCUS BUE 82 Application Server service in the Services Window.

    If this installation of the BUE is based on the Linux operating system, navigate to drive/ibi/WebFOCUS_BUE82/tomcat/bin and run the shutdown.sh and startup.sh utilities.

  15. When the Web Application restarts, sign in again using the Active Directory User ID and Password of the new BUE Manager that you identified at the beginning of the configuration.

    The user description on the Menu Bar in the BUE Portal, and the Email Address of this account now reflect the values retrieved by the BUE from the Active Directory.

Creating BUE User Accounts When Configured for Active Directory Authentication

Now that you have configured BUE to authenticate users to Active Directory, you can create BUE accounts and assign them to the appropriate groups. This can be done in two ways:

Security Center. To use the Security Center to create and assign accounts to groups, create accounts the normal way including assigning them to the desired groups. However, since you are configured for Active Directory authentication you do not need to assign passwords for these users and you do not need to populate the Description and Email fields for them. As you have seen, this information will be automatically retrieved from Active Directory as each user signs in.

Import Users. To use the Import Users feature, define a CSV file containing one row for each user account. You can use the file getting_started_sample_users.csv, located in your BUE installation directory, as a template. You can leave the password, user description and email values blank, but you must preserve the same number of commas on each row so that all the required fields are properly delimited. You can adjust the group membership data in the CSV for each user account to suit your requirements, or leave it blank and assign users in the Security Center. The file should contain only data rows, each with the required number of commas, and no blank lines. Here is an example:

user1, , , ,ACTIVE,

user2, , , ,ACTIVE,Getting_Started/Developers;Retail_Samples/AdvancedUsers
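Because a row with a missing comma or a stray blank line shifts every later field, it is worth generating and checking the import file rather than editing it by hand. The Python below is an added example (not WebFOCUS code) that builds rows in the format of the two sample lines above and validates an existing file against that format. The field order it uses (user name, password, description, email, status, groups) is inferred from the sample rows and the blank values the text lists, and is an assumption; the bad-file sample is constructed for illustration.

```python
"""Build and validate the Import Users CSV for a BUE configured for Active
Directory authentication.  Added example; not part of WebFOCUS BUE."""
from __future__ import annotations

import re

FIELD_COUNT = 6                      # six fields, so five commas on every row
# Assumed field order, inferred from the page's sample rows.
FIELDS = ("user", "password", "description", "email", "status", "groups")
GROUP_RE = re.compile(r"^[^/;,]+/[^/;,]+$")   # Folder/Group, as in the sample


def build_rows(users) -> list[list[str]]:
    """users: iterable of (ad_username, [group paths]).  Password, description
    and email are left as single spaces, matching the sample on the page; AD
    supplies the latter two at sign-in."""
    return [[name, " ", " ", " ", "ACTIVE", ";".join(groups)] for name, groups in users]


def render(rows) -> str:
    """Join fields with plain commas (no quoting), one row per line, no blank lines."""
    lines = []
    for row in rows:
        if any("," in field for field in row):
            raise ValueError(f"field contains a comma, which would shift columns: {row}")
        lines.append(",".join(row))
    return "\n".join(lines) + "\n"


def validate(text: str) -> list[tuple[int, str]]:
    """Return (line number, problem) pairs; an empty list means the file is
    well-formed.  Checks comma count, blank lines, empty or duplicate user
    names, the ACTIVE status, and the Folder/Group form of each group entry."""
    problems = []
    seen = set()
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            problems.append((lineno, "blank line"))
            continue
        fields = line.split(",")
        if len(fields) != FIELD_COUNT:
            problems.append((lineno, f"expected {FIELD_COUNT} fields "
                                     f"({FIELD_COUNT - 1} commas), found {len(fields)}"))
            continue
        row = dict(zip(FIELDS, fields))
        name = row["user"].strip()
        if not name:
            problems.append((lineno, "empty user name"))
        elif name in seen:
            problems.append((lineno, f"duplicate user name {name}"))
        seen.add(name)
        if row["status"].strip() != "ACTIVE":
            problems.append((lineno, f"status must be ACTIVE, found {row['status']!r}"))
        groups = row["groups"].strip()
        for group in (groups.split(";") if groups else []):
            if not GROUP_RE.match(group):
                problems.append((lineno, f"group {group!r} is not in Folder/Group form"))
    return problems


# The two sample rows from the page, as the expected output of build_rows/render.
SAMPLE_OK = (
    "user1, , , ,ACTIVE,\n"
    "user2, , , ,ACTIVE,Getting_Started/Developers;Retail_Samples/AdvancedUsers\n"
)

# Constructed bad file: a row missing a comma, a blank line, a group without
# its folder, and a duplicated user name.
SAMPLE_BAD = (
    "user3, , ,ACTIVE,\n"
    "\n"
    "user4, , , ,ACTIVE,Developers\n"
    "user4, , , ,ACTIVE,\n"
)

if __name__ == "__main__":
    rows = build_rows([
        ("user1", []),
        ("user2", ["Getting_Started/Developers", "Retail_Samples/AdvancedUsers"]),
    ])
    print(render(rows), end="")
    for lineno, problem in validate(SAMPLE_BAD):
        print(f"line {lineno}: {problem}")
```

Run validate over the file you intend to import and fix every reported line first; the import itself gives you far less precise feedback about which row shifted the columns.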
