You can configure WebFOCUS Business User Edition to authenticate users against your corporate Active Directory. The WebFOCUS Business User Edition Client passes user sign-in credentials to the WebFOCUS Business User Edition Reporting Server, which, in turn, validates them against an external source. WebFOCUS Business User Edition can authenticate users against external Active Directory or LDAP directories. Users are externally authenticated whenever they access WebFOCUS Business User Edition and when they access the Reporting Server Console.
The benefits of authenticating users to the Active Directory include:
To convert to external Active Directory or LDAP authentication, you must override the default setting of internal authentication in both the WebFOCUS Business User Edition Client and the Reporting Server, and establish a connection between the Reporting Server and LDAP provider that will support authentication activities.
Here is an overview of the configuration steps:
Since the default Manager account, manager, generally does not exist in the external source, it cannot be authenticated once external authentication has been successfully configured. The new Manager account that you create will exist both in WebFOCUS Business User Edition and in Active Directory, so that you can use it to access WebFOCUS Business User Edition once you have restarted it in its new authentication configuration.
In the steps that follow, you will be required to provide credentials for two service accounts. The first is a WebFOCUS Business User Edition Reporting Server account, PTH\srvadmin, that is used by WebFOCUS Business User Edition to delegate authentication to the Reporting Server. The password for this account is pre-configured during installation to be the same as the password you supplied for the Manager account.
The second is an Active Directory account of your choice that is used by the Reporting Server to authenticate users and retrieve their full description and email information, which in turn is passed back to WebFOCUS Business User Edition to update the user account. This service account simply needs read access to Active Directory. Generally, any Active Directory account can be used for this purpose, but you must make sure its password is set to never expire.
You do not need to enter a description or email address because this information will be automatically updated during sign in based on information retrieved from Active Directory.
An icon for the new user appears under Users and under Users in Group, when you click the Managers group.
The Navigation pane displays an expandable LDAP folder.
In some cases, you can also enter the domain name of your organization, for example: ibi.com.
Most installations use the default port number, 389.
The section expands and displays the fields ldap_principal and ldap_credentials.
It is important that this account has a non-expiring password to avoid future disruptions.
If you receive a message that the Discover LDAP server attributes failed, click OK, and then review and update the settings you entered up to this point.
If all settings are correct, the page refreshes and displays additional headings. Fields in the User Search section contain values populated directly from the Reporting Server.
If you receive a message that the connection or password failed, review and update your settings if necessary, and try again.
If the password succeeded, continue with the next step.
The Status of the LDAP entry changes to Primary, and the Status of the PTH<internal> Security provider entry changes to Secondary automatically.
The screen refreshes and displays the Change Effective Security Provider page.
When the confirmation dialog box opens, click OK.
The Reporting Server Console refreshes and displays the Applications tab.
The External page displays the settings currently assigned to the Reporting Server.
This is a Reporting Server administrator account that was installed automatically during the installation.
The password was assigned during installation, and is initially set to the same value that you entered for the Manager account during installation.
Note: The placement of this ID and its associated Password in the Server Administrator ID field enables the Client to present them to the Reporting Server when sending User authentication requests.
When the confirmation dialog box opens, click OK.
If this installation is based on the Windows operating system, stop and restart the WebFOCUS Business User Edition Application Server service in the Services Window.
If this installation is based on the Linux operating system, navigate to the tomcat/bin directory and run the shutdown.sh and startup.sh utilities.
The user description on the Menu bar in the portal, and the Email Address of this account now reflect the values retrieved from the Active Directory.
Now that you have configured WebFOCUS Business User Edition to authenticate users to Active Directory, you can create user accounts and assign them to the appropriate groups. This can be done in two ways:
Security Center. To use the Security Center to create and assign accounts to groups, create accounts the normal way and assign them to the desired groups. However, since you are configured for Active Directory authentication, you do not need to assign passwords for these users, and you do not need to populate the Description and Email fields for them. As you have seen, this information will be automatically retrieved from Active Directory as each user signs in.
Import Users. To use the Import Users feature, simply define a CSV file containing one row for each user account. You can use the getting_started_sample_users.csv file located in the installation directory as a template. You can leave the password, user description and email values blank, but you need to preserve the same number of commas in the file to properly delimit all the required fields. You can adjust the group membership data in the CSV for each user account to suit your requirements, or you can leave it blank and assign users in the Security Center. The file should contain only data rows with the required number of commas on each row and contain no blank lines. For example:
user1, , , ,ACTIVE,
user2, , , ,ACTIVE,Getting_Started/Developers;Retail_Samples/AdvancedUsers
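A pre-import check for such a file, given here as an added example and not as part of the product or its documentation. It assumes the column order user ID, password, description, email, status, groups, with groups separated by semicolons, as inferred from the two sample rows above. The function name and the third through fifth sample rows are constructed for illustration.

```python
import csv
import io

# Assumed column order, inferred from the two sample rows on this page:
# user ID, password, description, email, status, groups (";"-separated).
FIELDS = ("userid", "password", "description", "email", "status", "groups")

def check_import_csv(text):
    """Return (users, problems) for the text of an Import Users CSV file."""
    users, problems = [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            problems.append((lineno, "blank line"))
            continue
        row = next(csv.reader(io.StringIO(line)))
        if len(row) != len(FIELDS):
            problems.append(
                (lineno, f"expected {len(FIELDS) - 1} commas, found {len(row) - 1}"))
            continue
        rec = {name: value.strip() for name, value in zip(FIELDS, row)}
        if not rec["userid"]:
            problems.append((lineno, "missing user ID"))
            continue
        if rec["password"]:
            # With Active Directory authentication the directory holds the
            # password, so a value here is an unneeded cleartext secret on disk.
            problems.append((lineno, "password field is not blank"))
        rec["groups"] = [g for g in rec["groups"].split(";") if g]
        users.append(rec)
    return users, problems

# Constructed sample: rows 1-2 are the page's examples, the rest are
# deliberately malformed to exercise each check.
SAMPLE = (
    "user1, , , ,ACTIVE,\n"
    "user2, , , ,ACTIVE,Getting_Started/Developers;Retail_Samples/AdvancedUsers\n"
    "\n"
    "user3, , ,ACTIVE,\n"
    "user4,ChangeMe1, , ,ACTIVE,\n"
)

if __name__ == "__main__":
    users, problems = check_import_csv(SAMPLE)
    for lineno, msg in problems:
        print(f"line {lineno}: {msg}")
    print([u["userid"] for u in users])
```

Rows with a non-blank password are still returned so the reviewer can decide whether to clear the field before import.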