External directories and domains

You can configure Spotfire Server to integrate with external directories such as LDAP directories or Windows domains.

Spotfire Server keeps track of which domain every user belongs to. Users who are created by an administrator directly within Spotfire Server belong to the SPOTFIRE domain. When the user directory is configured for Database, this is the domain being used.

External users keep their domain name from the external directory, and the domain name appears as part of their user name throughout the Spotfire interface.

The supported external directories can have domain names in two forms:
  • DNS domain names, for example "research.example.com". A complete user name looks like this: someone@research.example.com.
  • NetBIOS domain names, for example "RESEARCH". A complete user name looks like this: RESEARCH\someone.
When configuring Spotfire Server, the desired domain name style must be set before the server is started for the first time. The domain name style to use is dependent on the combination of authentication method and user directory of your Spotfire implementation.
Note: Be careful when selecting a domain name style for your system; it will affect what information Spotfire Server stores within the Spotfire database. The domain name style can be changed using the switch-domain-name-style command if the user directory is in LDAP mode and is synchronizing with an Active Directory Server. For other user directory modes, there are no tools to alter that information if the domain name style later needs to be changed.

Below is a matrix showing which domain name style to use for different combinations of authentication method and user directory. Combinations that are not supported are marked " — ".

Spotfire Server will warn and even refuse to start if you try to set up an authentication method and a user directory with incompatible domain name styles. If you for some reason need to go ahead with an officially incompatible configuration, you will need to set the allow incompatible domain name styles configuration property to make the server start at all. One way to handle this could be a custom post-authentication filter that creates a bridge between the two originally incompatible domain name styles. (The allow incompatible domain name styles option can be set using the config‐userdir command. For information about custom post-authentication filters, see Post-authentication filter.)

Collapse Domains Configuration Property Enabled
User directory type
Authentication method Database LPAD/AD LDAP/other Windows NT
Basic database NetBIOS(DNS)
Basic/LDAP/AD NetBIOS(DNS) NetBIOS(DNS) NetBIOS(DNS)
Basic/LDAP/other NetBIOS(DNS) NetBIOS(DNS) NetBIOS(DNS)
Basic/Windows NT NetBIOS(DNS)
NTLM NetBIOS(DNS) NetBIOS(DNS) NetBIOS(DNS)
Kerberos NetBIOS(DNS) NetBIOS(DNS) NetBIOS(DNS)
X.509 Client Certs. NetBIOS(DNS) NetBIOS(DNS) NetBIOS(DNS)

— Unsupported combination of authentication method and user directory.

Collapse Domains Configuration Property Not Enabled
User directory type
Authentication method Database LPAD/AD LDAP/other Windows NT
Basic database NetBIOS, DNS
Basic/LDAP/AD NetBIOS, DNS NetBIOS, DNS #
Basic/LDAP/other NetBIOS, DNS # DNS
Basic/Windows NT NetBIOS, DNS
NTLM NetBIOS, DNS NetBIOS, DNS #
Kerberos NetBIOS, DNS NetBIOS, DNS DNS
X.509 Client Certs. NetBIOS, DNS NetBIOS, DNS DNS
Note: NetBIOS is the recommended domain name style, but DNS will also work.

— Unsupported combination of authentication method and user directory.

# For this combination of authentication method and user directory, enable the collapse domains option.

A consequence of the new domain tracking is that users may have to provide the domain names as part of their user names when logging in to Spotfire Server. For the Basic/LDAP and Basic/Windows NT authentication methods, the setting of the wildcard domain configuration property decides how the server maps a user to a domain during authentication. When the wildcard domain configuration property is enabled (this is the default), Spotfire Server checks whether the user name contains a domain name, and if it does, that domain name is used. If not, the server attempts to authenticate the user with the provided user name and password in every domain it knows about, until the combination of domain name, user name, and password results in a successful authentication, or until there are no more domain names to try. If the wildcard domain configuration property is turned off, the domain name must be specified by the user unless it belongs to the configured default domain. This can be configured in the configuration tool.
Note: If the wildcard domain configuration property is enabled and two identically named users in different domains have the same password, there is a risk that the wrong account will be selected when one of these users logs in. Thus, if security has a higher priority than user convenience, make sure to turn off the wildcard domain configuration property. There is also the risk that multiple authentication attempts will lock out the "correct" user.

Spotfire Server provides a configuration property that reverts to the behavior from previous releases. The configuration property is called collapse-domains and enabling this means that the external domain of a user is essentially ignored, and that different users with the same user name, but in different domains, will share an account on Spotfire Server. When the collapse domains configuration property is enabled, all external users and groups will be associated with the SPOTFIRE domain, regardless of which domain they belong to in the external directory.

If you want to keep running Spotfire Server without ever caring about domain names, enable both the collapse-domains and wildcard-domain configuration properties. Doing so will ensure that all users belong to the internal SPOTFIRE domain, and no users will have to enter a domain name when logging in. (The collapse-domains configuration property can be set in the configuration tool or by using the config‐userdir command).
Note: All users will belong to one domain when the collapse-domains configuration property is enabled. If there are multiple users with the same account name in different external domains, they will now effectively share the same account within Spotfire Server. If security has a higher priority than user convenience, make sure not to enable the collapse domain configuration property.
Note: It is not recommended to change the collapse-domains configuration property after once having synchronized Spotfire Server with an external directory. This creates double accounts with different domain names for every synchronized user and group in the user directory. The new accounts do not inherit the permissions of the old accounts.