External authentication
Spotfire clients may access Spotfire Server through an external authentication mechanism, usually a proxy or a load balancer.
When using an external authentication mechanism, Spotfire Server gets the external user name from an HTTP header or a cookie. Because the server trusts that header or cookie as the user's identity, this feature is a potential security risk; it is strongly recommended that you restrict which clients are permitted to use it, and that you use the external authentication method only behind a load balancer or proxy.
- You can configure Spotfire Server to allow external authentication only when using a secure (TLS) connection.
- You can specify allowed hostnames and/or IP addresses of the client computers that are permitted to log in using external authentication. You can list allowed IP addresses and/or write regular expressions; if you specify both, Spotfire Server first checks the list and then the regular expressions.
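As an added illustration of the trust check these two settings describe (example code, not Spotfire Server's own implementation): the identity header is honoured only over TLS and only from an allow-listed source, and the explicit list is consulted before the regular expressions. The header name `X-Remote-User`, the policy class and the sample addresses are constructed placeholders.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

@dataclass
class ExternalAuthPolicy:
    """Constructed model of the documented settings (names are hypothetical)."""
    require_tls: bool = True
    allowed_ips: set[str] = field(default_factory=set)        # exact client addresses
    allowed_patterns: list[str] = field(default_factory=list) # regexes on IP or hostname
    identity_header: str = "X-Remote-User"                    # placeholder header name

    def client_allowed(self, remote_addr: str, remote_host: str | None = None) -> bool:
        """Documented order: the explicit list first, then the regular expressions."""
        if remote_addr in self.allowed_ips:
            return True
        candidates = [remote_addr] + ([remote_host] if remote_host else [])
        return any(re.fullmatch(p, c) for p in self.allowed_patterns for c in candidates)

def resolve_external_user(policy: ExternalAuthPolicy, headers: dict[str, str],
                          remote_addr: str, is_tls: bool,
                          remote_host: str | None = None) -> str | None:
    """Return the external user name only when the request may use external auth.

    The header is ignored entirely (not merely failed) when the source is untrusted,
    so a client that reaches the server directly cannot inject an identity."""
    if policy.require_tls and not is_tls:
        return None
    if not policy.client_allowed(remote_addr, remote_host):
        return None
    user = headers.get(policy.identity_header, "").strip()
    return user or None

# Constructed policy: one exact proxy address plus two patterns.
POLICY = ExternalAuthPolicy(
    allowed_ips={"10.0.0.5"},
    allowed_patterns=[r"10\.0\.1\.\d+", r"lb-\d+\.corp\.example"],
)

if __name__ == "__main__":
    hdr = {"X-Remote-User": "alice"}
    print(resolve_external_user(POLICY, hdr, "10.0.0.5", True))      # alice (listed)
    print(resolve_external_user(POLICY, hdr, "10.0.1.23", True))     # alice (regex)
    print(resolve_external_user(POLICY, hdr, "203.0.113.7", True))   # None (untrusted)
    print(resolve_external_user(POLICY, hdr, "10.0.0.5", False))     # None (no TLS)
```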
In some cases, the proxy or load balancer has already forced the client to authenticate itself. Some proxies and load balancers are capable of forwarding the name of the authenticated user to Spotfire Server. By enabling external authentication on Spotfire Server, the server can extract the identity of the client so that the client does not have to authenticate twice. Any proxy or load balancer that can propagate the user name so that it is available in the HTTP request to the server as a request attribute is compatible. Typical setups include the following:
- When both the Spotfire Server cluster and its load balancer are configured for NTLM authentication.
- When the load balancer is configured for X.509 client certificate authentication and propagates the user names extracted from the certificates.
- When the load balancer is configured to use Security Assertion Markup Language, or SAML, through the use of a service provider (SP) such as Shibboleth. See Setting up an authenticating proxy in front of the Spotfire Server.
- When the load balancer requires the user to authenticate with username and password in a web form (for example SiteMinder). In this case, you must configure the load balancer to intercept and authenticate requests to, and only to, the path /spotfire/sf_security_check_external_auth.
- If clients are to always go through a load balancer to reach Spotfire Server, configure external as the main authentication method in the Authentication panel. In this case it is not possible to access a Spotfire Server directly. You must also specify a declared authentication method in the External Authentication panel.
- Even if a load balancer is used in front of a set of Spotfire Servers, accessing the server directly may be desired. If this is the case, configure another authentication mechanism (any mechanism is allowed) as the main authentication method, and configure external as a supplementary authentication method.
See Configuring external authentication for more information.
- Configuring external authentication
  You can configure external authentication by using the configuration tool or the command line.
- Setting up an authenticating proxy in front of the Spotfire Server
  It is possible to use an authenticating reverse proxy (for example, an agent of some sort on the end-user computer, a Java servlet filter added to Tomcat, or something similar) in front of the Spotfire Server. A typical use case for this is to add support for Security Assertion Markup Language, or SAML, through the use of a service provider (SP) such as Shibboleth, usually running in an Apache web server.