Enabling Kerberos authentication

For a device running the mobile app to properly negotiate the SSO Kerberos authentication, you must configure your mobile device to use Kerberos. You can accomplish this task by creating and installing a configuration profile. You must edit the configuration profile to fit your environment.

The configuration profile for specifying Kerberos authentication is contained in an XML file that has the file extension .mobileconfig.

Prerequisites

  • TIBCO Spotfire® for Apple iOS version 2.5.x or higher.
  • TIBCO Spotfire® Web Player 5.0 or higher, or TIBCO Spotfire® Server 7.5 or higher, configured to use Kerberos with Delegation.
  • Apple iOS version 7.0 or higher.

Procedure

  1. Copy the XML in the sample sso.mobileconfig file and save it to a file on your local computer.
  2. Edit the file, changing the values in the tags as follows.
    Key Description
    Name Required. Change to the name of the configuration. The default is Kerberos Config.
    PrincipalName Change to the user name to use when logging in. The default is test_user.
    Realm Required. Change to the domain realm specified when you set up Kerberos on the Web Player service. The default is GSLAB.LOCAL.
    Note: The domain realm specified must be upper case.
    URLPrefixMatches Required. Change from the sample web addresses to the web address of the Web Player server the mobile app connects to. You can specify multiple web addresses by adding a separate line for each new web address entry. The web address should be the Web Player Server web address.
    Note: Do not add /SpotfireWeb or /spotfire (or your virtual directory name) to the end of the web address.
    PayloadOrganization Required. Change to the name of the organization you want to use. The default is ORGANIZATION.
  3. Optional: If you want to be able to access Spotfire analytics through the Safari browser on your iOS device, add the following string to the AppIdentifierMatches array.
    <string>com.apple.mobilesafari</string>

    The entire section should read as follows.

    <key>AppIdentifierMatches</key>  
               <array>
                 <!-- The line below allows the TIBCO Spotfire® for Apple iOS App to use the profile -->
                 <string>com.tibco.spotfire.SpotfireForIPad</string>
                <!-- Uncomment the line below if you want to allow Safari to also use the profile -->
                <!-- <string>com.apple.mobilesafari</string> -->
               </array>
  4. Saved the edited configuration file.
  5. Install this edited .mobileconfig profile file on your mobile device.
    This is most easily done by attaching the sso.mobileconfig file to an e-mail and sending it to an account that the mobile device user(s) can access. When you tap on the attachment in the email on the mobile device, you are prompted to install the configuration profile.
    Note: If you get an Invalid Profile error when you attempt to install the file, then the file contains a configuration error that you must fix. Confirm that all values your provided are properly filled in and formatted, and that you did not accidentally change, add, or delete any XML tags.

Result

The mobile device is now configured for single-sign on using Kerberos.

What to do next

To test the configuration, restart your device. Open the Analytics app on your mobile device. If you have not already done so, add the library server with the Kerberos authentication you configured. When you add the library server in the app, it does not matter what you specify for Username and Password, because these values are not used when your mobile device authenticates using Kerberos. You can leave these fields empty.