Spotfire® Server and Environment - Installation and Administration

External directories and domains

You can configure Spotfire Server to integrate with external directories such as LDAP directories or Windows domains.

Spotfire Server keeps track of which domain every user belongs to. Users who are created by an administrator directly within Spotfire Server belong to the SPOTFIRE domain. When the user directory is configured in Database mode, SPOTFIRE is the only domain in use.

External users keep their domain name from the external directory, and the domain name is included as part of their user name throughout the Spotfire interface.

The supported external directories can have domain names in two forms:
  • DNS domain names, for example "research.example.com". A complete user name looks like this: someone@research.example.com.
  • NetBIOS domain names, for example "RESEARCH". A complete user name looks like this: RESEARCH\someone.
When configuring Spotfire Server, the desired domain name style must be set before the server is started for the first time. Which domain name style to use depends on the combination of authentication method and user directory in your Spotfire implementation.
Note: Be careful when selecting a domain name style for your system; it will affect the information Spotfire Server stores within the Spotfire database. The domain name style can be changed using the switch-domain-name-style command if the user directory is in LDAP mode and is synchronizing with an Active Directory Server. For other user directory modes, there are no tools to alter that information if the domain name style later needs to be changed.

Below is a matrix showing which domain name style to use for different combinations of authentication method and user directory. Combinations that are not supported are marked " — ".

Spotfire Server warns, and refuses to start, if you try to set up an authentication method and a user directory with incompatible domain name styles. If you for some reason must go ahead with an officially incompatible configuration, you must set the allow incompatible domain name styles configuration property for the server to start at all. One way to handle such a setup is a custom post-authentication filter that bridges the two originally incompatible domain name styles. (The allow incompatible domain name styles option can be set using the config-userdir command. For information about custom post-authentication filters, see Post-authentication filter.)

Table 1. Collapse domains configuration property enabled
User directory type
Authentication method Database LDAP/AD LDAP/other Windows NT
Username/Password - database NetBIOS(DNS)
Username/Password - LDAP/AD NetBIOS(DNS) NetBIOS(DNS) NetBIOS(DNS)
Username/Password - LDAP/other NetBIOS(DNS) NetBIOS(DNS) NetBIOS(DNS)
Username/Password - Windows NT NetBIOS(DNS)
NTLM NetBIOS(DNS) NetBIOS(DNS) NetBIOS(DNS)
Kerberos NetBIOS(DNS) NetBIOS(DNS) NetBIOS(DNS)
X.509 Client Certs. NetBIOS(DNS) NetBIOS(DNS) NetBIOS(DNS)

Unsupported combinations of authentication method and user directory are marked with "—" in the table.

Table 2. Collapse domains configuration property not enabled
User directory type
Authentication method Database LDAP/AD LDAP/other Windows NT
Username/Password - database NetBIOS, DNS
Username/Password - LDAP/AD NetBIOS, DNS NetBIOS, DNS #
Username/Password - LDAP/other NetBIOS, DNS # DNS
Username/Password - Windows NT NetBIOS, DNS
NTLM NetBIOS, DNS NetBIOS, DNS #
Kerberos NetBIOS, DNS NetBIOS, DNS DNS
X.509 Client Certs. NetBIOS, DNS NetBIOS, DNS DNS

Unsupported combinations of authentication method and user directory are marked with "—" in the table.

Combinations of authentication method and user directory marked with "#" in the table are not supported when the collapse domains option is disabled.
Note: NetBIOS is the recommended domain name style, but DNS will also work.
Because Spotfire Server tracks domains, users might need to provide the domain name as part of their user name when logging in to Spotfire Server. For the Username/Password LDAP and Username/Password Windows NT authentication methods, the setting of the wildcard domain configuration property decides how the server maps a user to a domain during authentication. This can be configured in the configuration tool.
  • When the wildcard domain configuration property is enabled (default), Spotfire Server checks whether the user name contains a domain name, and if it does, that domain name is used.
  • If the wildcard domain property is enabled but the user name does not contain a domain name, the server attempts to authenticate the user with the provided user name and password in every domain it knows about, until a combination of domain name, user name, and password results in a successful authentication, or until there are no more domain names to try.
  • If the wildcard domain property is turned off, the domain name must be specified by the user unless it belongs to the configured default domain.
Note: If the wildcard domain configuration property is enabled and two identically named users in different domains have the same password, there is a risk that the wrong account will be selected when one of these users logs in.

Thus, if security has a higher priority than user convenience, make sure to turn off the wildcard domain configuration property. There is also a risk that the repeated authentication attempts across domains will lock out the account of the "correct" user.

Spotfire Server provides a configuration property, collapse-domains, that reverts to the behavior from previous releases. Enabling this means that the external domain of a user is essentially ignored. When the collapse domains configuration property is enabled, all external users and groups will be associated with the SPOTFIRE domain, regardless of which domain they belong to in the external directory. The collapse-domains configuration property can be set in the configuration tool or by using the config-userdir command.

It is also possible to enable both the collapse-domains and wildcard-domain configuration properties simultaneously. Doing so will make all users belong to the internal SPOTFIRE domain, and no users will need to enter a domain name when logging in.
Note: If the collapse-domains configuration property is enabled, all users will belong to a single domain in Spotfire. If there are multiple users with the same account name in different external domains, they will effectively share the same account within Spotfire Server when the property is enabled.
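The following Python model is an added illustration, not Spotfire Server code, of the behavior described above: it parses both domain name styles (DOMAIN\user and user@dns.domain), resolves a user to a domain the way the wildcard domain property dictates, and shows the two side effects the notes warn about (the wrong same-named account being selected, and the "correct" user's account in another domain accumulating failed attempts), as well as how collapse-domains folds same-named accounts from different external domains into one SPOTFIRE account. All account names, passwords, the domain order, the DNS-to-NetBIOS mapping and the lockout threshold are constructed sample values.

```python
"""Toy model of how Spotfire-style domain tracking interacts with the
wildcard-domain and collapse-domains settings. Added illustration, not
Spotfire Server code: every value below is a constructed sample."""
from dataclasses import dataclass

INTERNAL_DOMAIN = "SPOTFIRE"      # domain of users created directly in the server
LOCKOUT_THRESHOLD = 3             # assumed external-directory lockout policy
DNS_TO_NETBIOS = {                # constructed mapping between the two name styles
    "research.example.com": "RESEARCH",
    "sales.example.com": "SALES",
}
DOMAIN_ORDER = [INTERNAL_DOMAIN, "RESEARCH", "SALES"]   # order tried by the wildcard


@dataclass
class Account:
    domain: str
    name: str
    password: str                 # plaintext only because this is a toy model
    failed_attempts: int = 0
    locked: bool = False


def sample_directory():
    """Constructed directory: 'alice' exists in two external domains with the
    same password, 'bob' exists in two domains with different passwords."""
    return [
        Account(INTERNAL_DOMAIN, "admin", "adm1n-pw"),
        Account("RESEARCH", "alice", "hunter2"),
        Account("SALES", "alice", "hunter2"),
        Account("RESEARCH", "bob", "research-pw"),
        Account("SALES", "bob", "sales-pw"),
    ]


def split_user_name(user_name):
    """Split 'DOMAIN\\user' (NetBIOS style) or 'user@dns.domain' (DNS style)
    into (domain, user); a bare user name gives (None, user)."""
    if "\\" in user_name:
        domain, _, user = user_name.partition("\\")
        return domain, user
    if "@" in user_name:
        user, _, domain = user_name.rpartition("@")
        return domain, user
    return None, user_name


def canonical_domain(domain):
    """Normalise a domain written in either style to the NetBIOS form used here."""
    if domain is None:
        return None
    return DNS_TO_NETBIOS.get(domain.lower(), domain.upper())


def find_account(directory, domain, name):
    return next((a for a in directory if a.domain == domain and a.name == name), None)


def try_domain(directory, domain, user, password):
    """A single authentication attempt against one domain. A wrong password
    counts as a failed attempt for that domain's account and may lock it."""
    acct = find_account(directory, domain, user)
    if acct is None or acct.locked:
        return None
    if acct.password == password:
        return acct
    acct.failed_attempts += 1
    if acct.failed_attempts >= LOCKOUT_THRESHOLD:
        acct.locked = True
    return None


def authenticate(directory, user_name, password, wildcard_domain=True,
                 default_domain=INTERNAL_DOMAIN):
    """Resolve the user's domain as the text describes, then authenticate."""
    domain, user = split_user_name(user_name)
    domain = canonical_domain(domain)
    if domain is not None:                       # explicit domain: use it
        return try_domain(directory, domain, user, password)
    if not wildcard_domain:                      # no wildcard: default domain only
        return try_domain(directory, default_domain, user, password)
    for candidate in DOMAIN_ORDER:               # wildcard: first domain that accepts wins
        acct = try_domain(directory, candidate, user, password)
        if acct is not None:
            return acct
    return None


def collapse_domains(directory):
    """Effect of collapse-domains: every account is filed under SPOTFIRE, so
    identically named accounts from different external domains become one."""
    collapsed = {}
    for acct in directory:
        key = f"{INTERNAL_DOMAIN}\\{acct.name}"
        collapsed.setdefault(key, []).append(f"{acct.domain}\\{acct.name}")
    return collapsed


if __name__ == "__main__":
    d = sample_directory()
    hit = authenticate(d, "alice", "hunter2")      # SALES\alice intended, RESEARCH\alice chosen
    print("wildcard picked:", f"{hit.domain}\\{hit.name}")
    for _ in range(LOCKOUT_THRESHOLD):             # SALES\bob logs in without a domain
        authenticate(d, "bob", "sales-pw")
    print("RESEARCH\\bob locked:", find_account(d, "RESEARCH", "bob").locked)
    print("collapsed:", collapse_domains(sample_directory())["SPOTFIRE\\alice"])
```

Running the block shows the wildcard returning RESEARCH\alice for a bare "alice" login even when SALES\alice was the intended user, RESEARCH\bob being locked after three of SALES\bob's logins because each one is first tried against RESEARCH, and collapse-domains mapping both alice accounts to the single SPOTFIRE\alice. With `wildcard_domain=False` the same bare "alice" login fails because alice is not in the default domain, which is the trade-off the text describes between security and user convenience.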

If security has a higher priority than user convenience, do not enable the collapse-domains configuration property.

Note: It is not recommended to change the collapse-domains configuration property after Spotfire Server has been synchronized with an external directory. Doing so creates duplicate accounts with different domain names for every synchronized user and group in the user directory, and the new accounts do not inherit the permissions of the old accounts.