TIBCO Spotfire® Server and Environment - Installation and Administration

External authentication

Spotfire clients may access Spotfire Server through an external authentication mechanism, usually a proxy or a load balancer.

When using an external authentication mechanism, Spotfire Server gets the external user name from an HTTP header or a cookie. Because a header or a cookie can be set by whoever sends the request, taking the user name from it is potentially a security risk, and it is strongly recommended that you restrict the permissions to use this feature. It is also recommended that you use the external authentication method only when a load balancer or proxy sits in front of the server.

When configuring external authentication, you can add several constraints:
  • You can configure Spotfire Server to allow external authentication only when using a secure (TLS) connection.
  • You can specify allowed hostnames and/or IP addresses of the client computers that are permitted to log in using external authentication. You can list allowed IP addresses and/or write regular expressions; if you specify both, Spotfire Server first checks the list of IP addresses and then the regular expressions.
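The following added example models the constraints described above in plain Python. It is not Spotfire Server's code; the header name `X-Remote-User`, the cookie name, the `ExternalAuthConfig` and `Request` classes and all sample addresses are constructed for illustration. It shows the order of the checks (TLS first, then the IP list, then the regular expressions, and only then the header or cookie) and why a request from a client that is not on the allowlist must not have its user-name header honoured.

```python
"""Model of the external-authentication constraints: TLS required, client
allowlisted by IP list or regular expression, then user name read from a
header or cookie.  Constructed example, not Spotfire Server's code."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


def canonical_ip(text: str) -> str:
    """Normalise an IP literal so that '0:0:0:0:0:0:0:1' and '::1' compare
    equal; strings that are not IP addresses are returned unchanged."""
    try:
        return str(ipaddress.ip_address(text.strip()))
    except ValueError:
        return text.strip()


@dataclass
class ExternalAuthConfig:
    header_name: str = "X-Remote-User"   # hypothetical; set to what the proxy sends
    cookie_name: Optional[str] = None    # optional cookie fallback
    require_tls: bool = True             # accept external auth only over TLS
    allowed_ips: Set[str] = field(default_factory=set)        # checked first
    allowed_patterns: List[str] = field(default_factory=list)  # regexes, checked second

    def __post_init__(self) -> None:
        self.allowed_ips = {canonical_ip(ip) for ip in self.allowed_ips}


@dataclass
class Request:
    scheme: str                  # "http" or "https"
    remote_addr: str             # peer IP address as seen by the server
    remote_host: str             # peer host name as seen by the server
    headers: Dict[str, str] = field(default_factory=dict)
    cookies: Dict[str, str] = field(default_factory=dict)


def client_is_trusted(cfg: ExternalAuthConfig, req: Request) -> bool:
    """IP list first, then regular expressions against the address and the host name."""
    addr = canonical_ip(req.remote_addr)
    if addr in cfg.allowed_ips:
        return True
    for pattern in cfg.allowed_patterns:
        # fullmatch, not search: an unanchored "10.0.0.5" would also match "110.0.0.50"
        if re.fullmatch(pattern, addr) or re.fullmatch(pattern, req.remote_host):
            return True
    return False


def external_user(cfg: ExternalAuthConfig, req: Request) -> Optional[str]:
    """Return the externally authenticated user name, or None when any constraint
    fails, in which case the request falls back to the main authentication method."""
    if cfg.require_tls and req.scheme.lower() != "https":
        return None
    if not client_is_trusted(cfg, req):
        return None  # header or cookie from an untrusted client is ignored
    headers = {k.lower(): v for k, v in req.headers.items()}  # header names are case-insensitive
    name = headers.get(cfg.header_name.lower())
    if name is None and cfg.cookie_name:
        name = req.cookies.get(cfg.cookie_name)
    if name is None or not name.strip():
        return None
    return name.strip()


if __name__ == "__main__":
    cfg = ExternalAuthConfig(cookie_name="sf_ext_user",
                             allowed_ips={"10.0.0.5"},
                             allowed_patterns=[r"lb\d+\.corp\.example"])
    trusted = Request("https", "10.0.0.5", "lb01.corp.example", {"X-Remote-User": "alice"})
    spoofed = Request("https", "192.0.2.44", "desktop.example", {"X-Remote-User": "admin"})
    print(external_user(cfg, trusted), external_user(cfg, spoofed))
```

The regular expressions are matched with `fullmatch` rather than `search`; an unanchored pattern such as `10\.0\.0\.5` written for the allowlist would otherwise also accept `110.0.0.50`, so anchor any pattern you configure.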

In some cases, the proxy or load balancer has already forced the client to authenticate itself. Some proxies and load balancers are capable of forwarding the name of the authenticated user to Spotfire Server. By enabling external authentication on Spotfire Server, the server can extract the identity of the client so that the client does not have to authenticate twice. Any proxy or load balancer that can propagate the user name so that it is available in the HTTP request to the server as a request attribute is compatible.

Typical scenarios are:
  • When both the Spotfire Server cluster and its load balancer are configured for NTLM authentication.
  • When the load balancer is configured for X.509 client certificate authentication and propagates the user names extracted from the certificates.
  • When the load balancer requires the user to authenticate with username and password in a web form (for example SiteMinder). In this case, you must configure the load balancer to intercept and authenticate requests to, and only to, the path /spotfire/sf_security_check_external_auth.

External authentication may be used as a supplementary authentication method that can be used together with the main authentication method, but it can also be used as the main and only authentication method.
  • If clients are to always go through a load balancer to reach Spotfire Server, configure external as the main authentication method in the Authentication panel. In this case it is not possible to access a Spotfire Server directly. You must also specify a declared authentication method in the External Authentication panel.
  • Even if a load balancer is used in front of a set of Spotfire Servers, you may still want to access a server directly. If this is the case, configure another authentication mechanism (any mechanism is allowed) as the main authentication method, and configure external as a supplementary authentication method.

See Configuring external authentication for more information.