Post-authentication filter
After a user's identity is validated, Spotfire Server performs an additional check using the post-authentication filter.
- Block. When the post-authentication filter is set to Block, it blocks all users who are not already present in the Spotfire Server user directory. This is the default mode, and the appropriate mode to use with an LDAP user directory.
- Auto-create. When the post-authentication filter is set to Auto-create, it automatically creates new accounts for any user who logs in to the server for the first time. This mode is valid only when the user directory mode is set to Database.
The blocking mode is the default mode. When it is used with a user directory in LDAP/Active Directory mode, it automatically transforms to the domain name of the authenticated user to match the configured domain name style.
The auto-creating mode is typically applied when using an LDAP directory or X.509 certificates for authentication together with the User Directory set up in database mode. The Post-authentication filter will create users with their external domain names, even though the user directory is in database mode, unless the collapse domains configuration property is enabled. This makes it possible to later switch to LDAP or Windows NT mode. If the collapse domains configuration property is enabled, the users will be created within the internal SPOTFIRE domain and it will not be possible to later switch to LDAP or Windows NT mode.
It is also possible to use the Spotfire Server API to create a custom post-authentication filter to perform additional validation. This filter must be installed in the <server installation dir>/tomcat/custom-ext directory on all servers. It is enabled using the config-post-auth-filter command. If a custom filter is used, it will be combined with the built-in filter, meaning that the filters will work together.