Spotfire® Server and Environment - Installation and Administration

Configuring OpenID Connect

You can configure a default OpenID Connect web authentication provider using the configuration tool.

Before you begin

  • You have configured a public address URL. To do this, go to the Public Address page in the Spotfire Server configuration tool and enable the public address URL, http[s]://<spotfire server>[:<port>]/. The return endpoint URL that you register at the provider is derived from this address.
  • You have registered a client at the OpenID provider with a return endpoint URL, and received a client ID and a client secret from the provider.
    Note: If the OpenID provider that you want to use supports OpenID Connect Dynamic Registration, you can register the client using the register-oidc-client command-line command. To use this option, perform the rest of the configuration first, because the metadata sent in the registration request depends on the configuration. See register-oidc-client for more information.
    • The registered client must support the Authorization Code Grant.
    • The registered client must have permission to request the scopes that the server is configured to request. By default, these scopes are openid, profile, and email, but the latter two can be removed and other scopes can be added.
For the default OpenID Connect web authentication provider, register the following return endpoint URL (redirect URI) at the provider. It starts with the configured public address URL:
http[s]://<spotfire server>[:<port>]/spotfire/auth/oidc/authenticate
Note: Use HTTPS for web authentication. The provider returns the authorization code to this endpoint through the user's browser, so a plain HTTP address exposes the code in transit, and providers commonly refuse to register a non-HTTPS redirect URI.
Note: It is recommended to use the Auto-create option for the post-authentication filter.

Procedure

  1. Open the Spotfire Server configuration tool. For information on launching the configuration tool, see Opening the configuration tool.
  2. In the configuration tool, select the Configuration tab.
  3. On the Configuration Start page, select the authentication method Web authentication.
    Note: If you want to combine web authentication with username and password authentication (for example, for backward compatibility with older Spotfire clients), you should select the BASIC authentication method.
  4. On the OpenID Connect page, next to Enable OpenID Connect, select Yes.
  5. Determine whether to Enable Third-Party Login Initiation.
  6. Determine whether to enable single logout (SLO) by changing Enable RP-Initiated Logout, Enable Back-Channel Logout and/or Enable Front-Channel Logout to Yes.
    See Single logout (SLO) for more information about the different options.

    When SLO is enabled, the following read-only fields are shown so that you can copy the URIs and register them with the provider:

    • End-Session Post Logout Redirect URI. This will be included as a parameter when redirecting to the provider when using RP-Initiated Logout. Must be registered with the provider to use the feature.
    • Back-Channel Logout URI. The URI to which the provider should send its logout request. Must be registered with the provider to use the feature.
    • Front-Channel Logout URI. The URI to which the provider should send the user's browser after logging out. Must be registered with the provider to use the feature.
  7. If Enable Front-Channel Logout is set to Yes, determine whether to enable Front-Channel Logout Session Required.
  8. To add and configure a new provider, click Add new provider.
  9. For each added provider, select Yes to enable the provider, and specify the Provider name (displayed to users when they select a provider).
  10. For each provider, specify the Discovery document URL, the Client ID and the Client secret, as received when registering a client at the provider.
  11. Save the configuration and restart the Spotfire Server.
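Before you save the configuration and restart the server, it is worth checking that the provider actually advertises what the settings above rely on: the Authorization Code Grant, the requested scopes, and, if you enabled them, the RP-Initiated, Back-Channel and Front-Channel Logout features. The script below is an added example, not part of the Spotfire documentation or product. It reads an OpenID Connect discovery document (the one you enter as Discovery document URL), compares it with the prerequisites and the SLO options listed on this page, and builds the return endpoint URL from the public address URL. The provider hostname, the sample discovery document and the function names are constructed for the example.

```python
"""Pre-flight check of an OpenID provider's discovery document against the
requirements listed for a Spotfire Server OIDC provider.

Added example; not part of the Spotfire documentation or product. The sample
discovery document and hostnames below are constructed, not a real provider.
"""
import json
import urllib.request

# Scopes the server requests by default (profile and email may be removed).
DEFAULT_SCOPES = frozenset({"openid", "profile", "email"})

# Return endpoint path that must be registered at the provider, appended to
# the configured public address URL.
RETURN_PATH = "/spotfire/auth/oidc/authenticate"


def redirect_uri(public_address):
    """Build the return endpoint URL (redirect URI) from the public address URL."""
    return public_address.rstrip("/") + RETURN_PATH


def fetch_discovery_document(url, timeout=10):
    """Fetch and parse the provider's discovery document (needs network access)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


def check_provider(doc, scopes=DEFAULT_SCOPES, rp_initiated_logout=False,
                   back_channel_logout=False, front_channel_logout=False,
                   front_channel_session_required=False):
    """Compare a discovery document with what the chosen configuration needs.

    Returns a list of human-readable problems; an empty list means the provider
    advertises everything the configuration relies on.
    """
    problems = []

    # Fields that OpenID Connect Discovery 1.0 requires in every document.
    for key in ("issuer", "authorization_endpoint", "token_endpoint",
                "jwks_uri", "response_types_supported"):
        if key not in doc:
            problems.append(f"missing required field: {key}")

    # The authorization code and tokens travel to and from these endpoints,
    # so insist on HTTPS regardless of what the provider would accept.
    for key in ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri"):
        value = doc.get(key, "")
        if value and not value.startswith("https://"):
            problems.append(f"{key} is not an https URL: {value}")

    # Authorization Code Grant: the 'code' response type plus the grant type.
    # When grant_types_supported is absent, Discovery defines the default as
    # ["authorization_code", "implicit"].
    if "code" not in doc.get("response_types_supported", []):
        problems.append("provider does not advertise the 'code' response type")
    grants = doc.get("grant_types_supported", ["authorization_code", "implicit"])
    if "authorization_code" not in grants:
        problems.append("provider does not advertise the authorization_code grant")

    # Requested scopes. scopes_supported is optional, so only check when present.
    if "scopes_supported" in doc:
        missing = sorted(set(scopes) - set(doc["scopes_supported"]))
        if missing:
            problems.append("scopes not advertised by provider: " + ", ".join(missing))

    # Single logout options that can be enabled in the configuration tool.
    if rp_initiated_logout and "end_session_endpoint" not in doc:
        problems.append("RP-Initiated Logout enabled but provider has no end_session_endpoint")
    if back_channel_logout and not doc.get("backchannel_logout_supported", False):
        problems.append("Back-Channel Logout enabled but provider does not support it")
    if front_channel_logout and not doc.get("frontchannel_logout_supported", False):
        problems.append("Front-Channel Logout enabled but provider does not support it")
    if (front_channel_logout and front_channel_session_required
            and not doc.get("frontchannel_logout_session_supported", False)):
        problems.append("Front-Channel Logout Session Required enabled but provider "
                        "does not pass iss/sid to the front-channel logout URI")

    return problems


# Constructed sample discovery document for offline use (not a real provider).
SAMPLE_DISCOVERY = {
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/oauth2/authorize",
    "token_endpoint": "https://idp.example.com/oauth2/token",
    "jwks_uri": "https://idp.example.com/oauth2/keys",
    "response_types_supported": ["code", "id_token", "code id_token"],
    "grant_types_supported": ["authorization_code", "refresh_token"],
    "scopes_supported": ["openid", "profile", "email", "offline_access"],
    "end_session_endpoint": "https://idp.example.com/oauth2/logout",
    "backchannel_logout_supported": True,
}


if __name__ == "__main__":
    # Replace SAMPLE_DISCOVERY with fetch_discovery_document("<Discovery document URL>")
    # to check a real provider.
    print("Register this return endpoint URL at the provider:",
          redirect_uri("https://spotfire.example.com:8443/"))
    for problem in check_provider(SAMPLE_DISCOVERY, rp_initiated_logout=True,
                                  back_channel_logout=True, front_channel_logout=True):
        print("PROBLEM:", problem)
```

With the sample document, the script reports a single problem: Front-Channel Logout is enabled but the provider does not advertise frontchannel_logout_supported, which is exactly the mismatch that would otherwise only surface when a user logs out. Run it with the provider's real Discovery document URL and the same SLO choices you made in the configuration tool before step 11.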