Authenticating Users to Your Active Directory

You can configure WebFOCUS Business User Edition to authenticate users against your corporate Active Directory. The WebFOCUS Business User Edition Client passes user sign-in credentials to the WebFOCUS Business User Edition Reporting Server, which, in turn, validates them against an external source. WebFOCUS Business User Edition can authenticate users against external Active Directory or LDAP directories. Users are externally authenticated whenever they access WebFOCUS Business User Edition and when they access the Reporting Server Console.

The benefits of authenticating users to the Active Directory include:

Configuring Active Directory/LDAP Authentication

To convert to external Active Directory or LDAP authentication, you must override the default setting of internal authentication in both the WebFOCUS Business User Edition Client and the Reporting Server, and establish a connection between the Reporting Server and the LDAP provider that will support authentication activities.

Here is an overview of the configuration steps:

  1. Create a new WebFOCUS Business User Edition Manager account whose name matches an account in Active Directory.

    Since the default Manager account, manager, generally does not exist in the external source, it cannot be authenticated once external authentication has been successfully configured. The new Manager account that you create will exist both in WebFOCUS Business User Edition and in Active Directory, so that you can use it to access WebFOCUS Business User Edition once you have restarted it in its new authentication configuration.

  2. Configure the LDAP provider to authenticate users to Active Directory.
  3. Configure WebFOCUS Business User Edition to use the LDAP provider and restart the WebFOCUS Business User Edition services.

In the steps that follow, you will be required to provide credentials for two service accounts. The first is a WebFOCUS Business User Edition Reporting Server account, PTH\srvadmin, that is used by WebFOCUS Business User Edition to delegate authentication to the Reporting Server. The password for this account is pre-configured during installation to be the same as the password you supplied for the Manager account.

The second is an Active Directory account of your choice that is used by the Reporting Server to authenticate users and retrieve their full description and email information, which in turn is passed back to WebFOCUS Business User Edition to update the user account. This service account simply needs read access to Active Directory. Generally, any Active Directory account can be used for this purpose, but you must make sure its password is set to never expire.

Procedure: How to Create the Externally Authenticated Manager Account

  1. Sign in as a Manager.
  2. In the portal, on the Menu bar, click Administration, and then click Security Center.
  3. In the Security Center, under Users, click New User.
  4. In the User Name field, type the Active Directory ID of the person who will be the new Manager after Active Directory authentication is established.

    You do not need to enter a description or email address because this information will be automatically updated during sign in based on information retrieved from Active Directory.

  5. Click Managers in the Create in Groups list.
  6. Click OK.

    An icon for the new user appears under Users and under Users in Group, when you click the Managers group.

Procedure: How to Establish LDAP as the Primary Security Provider on the Reporting Server

  1. Sign in as a Manager.
  2. In the portal, on the Menu bar, click Administration, and then click Reporting Server Console.
  3. In the Reporting Server Console, click the Access Control tab.

    The Navigation pane displays an expandable LDAP folder.

  4. Right-click the LDAP folder, and then click New.
  5. In the LDAP Security Provider Configuration page, accept the default name, LDAP01, or type a new descriptive name for the LDAP security provider in the LDAP_PROVIDER field.
  6. In the Connection section, type the host name of your Active Directory server in the ldap_host field.

    In some cases, you can also enter the domain name of your organization, for example: ibi.com.

  7. Change the value in the LDAP port field only if your installation uses a different port number.

    Most installations use the default port number, 389.

  8. Click Explicit in the security list.

    The section expands and displays the ldap_principal and ldap_credentials fields.

  9. In the ldap_principal field, type the name of a service account that has read access to Active Directory.

    It is important that this account has a non-expiring password to avoid future disruptions.

  10. Type the password of the Service Account in the ldap_credentials field.
  11. Click Next.

    If you receive a message that discovery of the LDAP server attributes failed, click OK, and then review and update the settings you entered up to this point.

    If all settings are correct, the page refreshes and displays additional headings. Fields in the User Search section contain values populated directly from the Reporting Server.

  12. Click the Trusted Connection section heading.
  13. In the Trusted Connection section, click y in the trust_ext list.
  14. Click Test User Authentication.
  15. Type the Active Directory User ID and Password of the person whom you previously identified as the new Manager, and then click Continue.

    If you receive a message that the connection or password failed, review and update your settings if necessary, and try again.

    If authentication succeeded, continue with the next step.

  16. Click Save.
  17. In the Activate Providers page, in the LDAP entry that is identified by LDAP01, or by the descriptive name you typed in the LDAP_PROVIDER field, click Primary in the Status list.

    The Status of the LDAP entry changes to Primary, and the Status of the PTH<internal> Security provider entry changes to Secondary automatically.

  18. Click Save Provider's Status.

    The screen refreshes and displays the Change Effective Security Provider page.

  19. Click Apply and Restart Server.

    When the confirmation dialog box opens, click OK.

    The Reporting Server Console refreshes and displays the Applications tab.

  20. Click the Access Control tab.
  21. Review the new LDAP Security Provider and its Primary status.
  22. Close the Reporting Server Console.

Procedure: How to Enable External Security in the WebFOCUS Client

  1. Sign in as a Manager.
  2. In the portal, on the Menu bar, click Administration, and then click Administration Console.
  3. In the Administration Console, click the Security tab.
  4. Under the Security Configuration folder, click External.
  5. On the External page, select the Enable External Security check box.

    The External page displays the settings currently assigned to the Reporting Server.

  6. Type PTH\srvadmin in the Server Administrator ID field.

    This is a Reporting Server administrator account that was created automatically during installation.

  7. Type the password for this account in the Password field.

    The password was assigned during installation, and is initially set to the same value that you entered for the Manager account during installation.

    Note: The placement of this ID and its associated Password in the Server Administrator ID field enables the Client to present them to the Reporting Server when sending User authentication requests.

  8. Click Connect to verify the credentials you provided.
  9. Leave User Authorization set to Internal and ignore the Account Creation on Sign In settings. WebFOCUS Business User Edition does not support changes to these options.
  10. Select the Synchronize User Information with Authentication Provider check box.
  11. Click Save.

    When the confirmation dialog box opens, click OK.

  12. In the Administration Console menu, click Close.
  13. Sign out of WebFOCUS Business User Edition.
  14. Stop and restart the web application to make these changes take effect. To do so:

    If this installation is based on the Windows operating system, stop and restart the WebFOCUS Business User Edition Application Server service in the Services window.

    If this installation is based on the Linux operating system, navigate to the tomcat/bin directory and run the shutdown.sh and startup.sh utilities.

  15. When the Web Application restarts, sign in again using the Active Directory User ID and Password of the new Manager that you identified at the beginning of the configuration.

    The user description on the Menu bar in the portal and the Email Address of this account now reflect the values retrieved from Active Directory.

Creating User Accounts When WebFOCUS Business User Edition is Configured for Active Directory Authentication

Now that you have configured WebFOCUS Business User Edition to authenticate users to Active Directory, you can create user accounts and assign them to the appropriate groups. This can be done in two ways:

Security Center. To use the Security Center to create accounts and assign them to groups, create accounts the normal way and assign them to the desired groups. However, since WebFOCUS Business User Edition is now configured for Active Directory authentication, you do not need to assign passwords for these users, and you do not need to populate the Description and Email fields for them. As you have seen, this information will be automatically retrieved from Active Directory as each user signs in.

Import Users. To use the Import Users feature, define a CSV file containing one row for each user account. You can use the getting_started_sample_users.csv file located in the installation directory as a template. You can leave the password, user description and email values blank, but you must preserve the same number of commas in each row so that all the required fields are properly delimited. You can adjust the group membership data in the CSV for each user account to suit your requirements, or you can leave it blank and assign users in the Security Center. The file should contain only data rows, each with the required number of commas, and no blank lines. For example:

    user1, , , ,ACTIVE,
    user2, , , ,ACTIVE,Getting_Started/Developers;Retail_Samples/AdvancedUsers
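The two constraints above (every row delimited by the same number of commas, and no blank lines) are easy to break when the file is edited by hand, and a malformed row can silently create a wrongly named account or drop a group assignment. The following script is an added example, not part of the product or its documentation: it builds rows for AD-authenticated accounts and checks a file against those constraints before you import it. The six-column layout (user name, password, description, email, status, group paths separated by semicolons) is inferred from the sample rows on this page, not taken from a documented schema, and the sample input is constructed here.

```python
"""Build and validate an Import Users CSV for Active Directory-authenticated accounts.

Added example; the column layout is an assumption read off the sample rows
"user1, , , ,ACTIVE," and "user2, , , ,ACTIVE,<group>;<group>" on the page.
"""

# Assumed column order: user name, password, description, email, status, groups.
FIELD_COUNT = 6
COMMAS_PER_ROW = FIELD_COUNT - 1


def build_rows(users):
    """Return CSV text for an iterable of (ad_user_id, [group paths]).

    Password, description and email are left as single blanks because Active
    Directory supplies description and email at sign-in and no local password
    is needed; status is ACTIVE, the only value shown on the page.
    """
    lines = []
    for user_id, groups in users:
        user_id = user_id.strip()
        if not user_id or "," in user_id:
            raise ValueError(f"invalid user id: {user_id!r}")
        groups_field = ";".join(g.strip() for g in groups)
        lines.append(f"{user_id}, , , ,ACTIVE,{groups_field}")
    return "\n".join(lines) + "\n"


def validate_import_csv(text):
    """Return a list of problems found; an empty list means the file is acceptable.

    Checks: no blank lines, exactly five commas per row, a non-empty user name,
    and a non-empty status field. A single trailing newline is not a blank line.
    """
    problems = []
    seen = set()
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.strip() == "":
            problems.append(f"line {lineno}: blank line (remove it)")
            continue
        if line.count(",") != COMMAS_PER_ROW:
            problems.append(
                f"line {lineno}: expected {COMMAS_PER_ROW} commas, found {line.count(',')}"
            )
            continue
        fields = [f.strip() for f in line.split(",")]
        user_id, status = fields[0], fields[4]
        if not user_id:
            problems.append(f"line {lineno}: empty user name")
        elif user_id in seen:
            problems.append(f"line {lineno}: duplicate user name {user_id!r}")
        seen.add(user_id)
        if not status:
            problems.append(f"line {lineno}: empty status field")
    return problems


# Constructed sample matching the rows shown on the page.
SAMPLE_USERS = [
    ("user1", []),
    ("user2", ["Getting_Started/Developers", "Retail_Samples/AdvancedUsers"]),
]

if __name__ == "__main__":
    csv_text = build_rows(SAMPLE_USERS)
    print(csv_text, end="")
    for problem in validate_import_csv(csv_text):
        print("PROBLEM:", problem)
```

Run the validator over the finished file before importing it; if it reports anything, fix the file rather than relying on the import to reject it, since the page does not state how malformed rows are handled.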
