Single sign-on with an identity provider (OAuth2) for connectors

Note: The functionality described in this article is not available in TIBCO Cloud™ Spotfire environments.  

Some data connectors support using your own identity provider, such as Okta, Keycloak, or Google, for authentication. With such connectors you can provide a convenient log-in experience for users when they use a data connection or external library, without the hassle of having to remember separate database credentials. If you use the same identity provider for authentication in your Spotfire environment, you can even enable a full single sign-on experience.

This article explains how to configure your Spotfire environment so that users can log in with an identity provider when they access data with connectors.

Prerequisites

• The following connectors support single sign-on with an identity provider:

• Microsoft SQL Server

• TIBCO® Data Virtualization

• Your identity provider uses one of the following protocols:

• OAuth2

• OpenID Connect

• You have configured the external system that you want to access data from to use your identity provider for authentication.

• You have registered client applications for Spotfire with your identity provider, one confidential and one public. The public client application is required for the Spotfire installed client, and the confidential client is required for Spotfire Server and Spotfire web clients.

Is my identity provider supported?

Spotfire’s support for authentication with an identity provider is built to be generic, and it is not tailored to any specific identity provider solution. An important prerequisite is that the identity provider is supported by the external data source.

The following are details about the Spotfire implementation, to help you understand the requirements and limitations on your identity provider:

• The identity provider must expose an OAuth2 or OpenID Connect authorization server, and Spotfire uses the Authorization Code Grant Flow to get an access token from the authorization server.

• Spotfire does not support adding custom headers in the authorization request

• Spotfire does not support adding custom query parameters in the authorization request

Configuring Spotfire to use an identity provider for connectors

To be able to use an identity provider to log in to an external system from Spotfire, you must add the details about your identity provider.

There are 2 places in the Spotfire configuration where you must add your identity provider information; in the OpenID Connect settings on the Spotfire Server, where you use your confidential client application details, and in the preference OAuth2IdentityProviders in the Administration Manager, where you use your public client application details. For use with data connectors, it is important that you configure both, so that you can log in and access your data both in the Spotfire web client and in the Spotfire installed client.

In broad strokes, you must perform the following steps to complete the configuration:

1. Collect information about your identity provider, and your client applications for Spotfire.

2. Add your identity provider on your Spotfire Server, with your confidential client application details.

3. Add your identity provider to the OAuth2IdentityProviders preference, with the public client application details.

4. Use your identity provider for authentication in data connections and/or external libraries.

Collecting information about your identity provider

Before you start, collect the following information about your identity provider:

• What protocol does it use; OpenID Connect or OAuth2?

• The issuer identifier URL.

• Details about the client applications you have registered for Spotfire with your identity provider; client ID and client secret (if applicable).  

• The scopes for the permissions required for accessing data in the external system.

Depending on your identity provider, additional details might be required. For information about all the available settings, see the reference documentation about the OAuth2IdentityProviders preference in the Administration Manager User’s Guide.

Adding your identity provider on your Spotfire Server

To be able to use single sign-on, and also to be able to use your data connections in Spotfire web clients, you must add your identity provider and the confidential client application information to the Spotfire Server. Depending on your use case, you have two options:

• To use the identity provider for authentication on the Spotfire Server and for data access with connectors, add the identity provider to the OpenID Connect settings on the Spotfire Server. See Configuring OpenID Connect.

• To use the identity provider for authentication only for data access with connectors, add the identity provider on the Spotfire Server with the config-oauth-client command.

Adding your identity provider to the Oauth2IdentityProviders preference

1. Start Spotfire Analyst, and log in as a user with administrator privileges.

2. On the menu bar, select Tools > Administration manager….

3. In the Administration Manager dialog, on the Preferences tab, click to select the user group you want to edit preferences for.

4. On the Preferences tab, click Edit.

5. In the Edit Preferences dialog, navigate to the preference Application > OAuth2Preferences > OAuth2IdentityProviders.

6. To edit the OAuth2IdentityProviders preference, select the preference and click the edit button [...].

7. In the String Collection Editor dialog, add your identity provider and the public client details as a JSON object.
   Important: Only use the public client application from your identity provider here, and not the confidential client application.
   You can add your details to the sample below, which contains commonly used settings:

   [  
    {
       type: "<OAuth2 or OpenId>",
       displayName: "<My Identity Provider>",
       issuer: "<https:\\issuer1.example.com>",
       publicClient: {
         id: "<Client name or ID>",
        redirectUrl: "<redirect-url>",
        redirectPorts: "<port-number>"
         },
       defaultScope: "<myScope>"
     }
   ]

8. To save your changes, click OK.

Note: For more information about all the possible settings, see the reference documentation about the OAuth2IdentityProviders preference in the Administration Manager User’s Guide.

Using your identity provider in data connections and external libraries

Creating a data connection with your identity provider for authentication

To use your identity provider for authentication in a data connection, create a new data connection or connection data source and select the authentication method Identity provider (OAuth2). You can select your identity provider (listed with its display name from the OAuth2IdentityProviders preference) in the Identity providers drop-down menu.

Using your identity provider for authentication with an external library

Some connectors support both authentication with an identity provider and configuring an external library. In such cases, you can use identity providers that you have added to Spotfire for logging in to the external library.

When you set up an external library in the External library configurations, add the following settings:

authenticationMethod = “OAuth2”

issuer = “[Issuer URL of your Identity Provider]”

For more information, see Configuring the TIBCO Data Virtualization Integration.