TIBCO Spotfire® Server and Environment - Installation and Administration

Setting up an authenticating proxy in front of the Spotfire Server

It is possible to use an authenticating reverse proxy (for example, an agent of some sort on the end-user computer, a Java servlet filter added to Tomcat, or something similar) in front of the Spotfire Server. A typical use case for this is to add support for Security Assertion Markup Language, or SAML, through the use of a service provider (SP) such as Shibboleth, usually running in an Apache web server.

The proxy can be configured to intercept and authenticate requests to /spotfire/sf_security_check_external_auth. It can do so by returning a login page or by redirecting to some other location. However, once the user is authenticated, the proxy must redirect back to /spotfire/sf_security_check_external_auth and let the request go through to the Spotfire Server. All other requests must be allowed to pass to the Spotfire Server, even if they are unauthenticated. If authentication is needed, the Spotfire Server itself redirects the client to /spotfire/sf_security_check_external_auth in a way that is compatible with all types of clients.
The established user identity may be transferred to the Spotfire Server in an HTTP request header or a similar mechanism.
Note: It is important that the reverse proxy ensures that any such headers sent by clients are either rejected or validated; otherwise a client could supply the header itself and assert an arbitrary identity.

For this to work, the Spotfire Server must be configured to use External Authentication with Web Authentication as the declared authentication method. The header (or similar mechanism) that the Spotfire Server reads the identity from must match the one the reverse proxy is configured to set. A PostAuthenticationFilter can be implemented if further processing is required. See Configuring external authentication for more information.
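The following Apache httpd 2.4 configuration is an added example of the proxy behaviour described above; it is not taken from the TIBCO documentation or from Shibboleth. It assumes mod_proxy, mod_headers and the Shibboleth SP module (mod_shib) are loaded, and the header name X-Spotfire-User and the backend address spotfire-server.example are placeholders.

```apache
# Added example (not part of the TIBCO documentation). Assumptions:
# mod_proxy, mod_headers and mod_shib are loaded; the identity header name
# X-Spotfire-User and the backend host spotfire-server.example are placeholders.

# Strip any client-supplied copy of the identity header before the request is
# processed, so an unauthenticated caller cannot forge an identity. "early" mode
# is only valid in server or virtual-host scope.
RequestHeader unset X-Spotfire-User early

# Only this path is intercepted and authenticated by the Shibboleth SP. An
# unauthenticated request here is redirected to the IdP; after the SAML login the
# SP returns the browser to this same URL and the request is let through.
<Location /spotfire/sf_security_check_external_auth>
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    Require valid-user
    # Once the SP has authenticated the user, REMOTE_USER holds the established
    # identity. Forward it to the Spotfire Server in the agreed header; this runs
    # after authentication, so it is never set for an unauthenticated request.
    RequestHeader set X-Spotfire-User "expr=%{REMOTE_USER}"
</Location>

# Every other request passes through to the Spotfire Server even when it is
# unauthenticated; the Spotfire Server decides when to redirect the client to
# /spotfire/sf_security_check_external_auth.
ProxyPreserveHost On
ProxyPass        /spotfire/ http://spotfire-server.example/spotfire/
ProxyPassReverse /spotfire/ http://spotfire-server.example/spotfire/
```

On the Spotfire Server side, the External Authentication configuration must name the same header (X-Spotfire-User in this example) as the source of the user identity, and the Spotfire Server should only be reachable through this proxy so the header cannot be supplied directly.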