Spotfire® Server and Environment - Installation and Administration

Setting up an authenticating reverse proxy in front of the Spotfire Server

You can use an authenticating reverse proxy in front of the Spotfire Server. A typical use case for this is to add support for Security Assertion Markup Language, or SAML, through the use of a service provider (SP) such as Shibboleth, usually running in an Apache web server.

You can configure the proxy to intercept and authenticate requests to /spotfire/sf_security_check_external_auth. It can return a login page, or it can redirect to some other location. However, after the user is authenticated, the proxy must redirect back to /spotfire/sf_security_check_external_auth and let the request go through to the Spotfire Server. All other requests must be allowed to pass to the Spotfire Server, even if unauthenticated. If authentication is needed, then the Spotfire Server redirects to /spotfire/sf_security_check_external_auth in a way that is compatible with all types of clients.
The established user identity can be transferred to the Spotfire Server in an HTTP request header or similar.
Important: The reverse proxy must ensure that any such headers sent by clients are either rejected or validated.

For the reverse proxy to work, you must configure Spotfire Server to use External Authentication with Web Authentication as the declared authentication method. The header (or similar mechanism) that Spotfire Server reads the user identity from must match the one the reverse proxy is configured to set. You can implement a PostAuthenticationFilter if further processing is required. For more information, see Configuring external authentication.
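
The following Apache configuration is an added example, not part of the original Spotfire documentation. It sketches the proxy rules described above for a Shibboleth SP: authenticate only the external-auth path, pass everything else through, and discard any client-supplied copy of the identity header. The header name X-Spotfire-User, the backend address, and the use of REMOTE_USER as the established identity are assumptions chosen for illustration.

```apache
# Added example, not from the Spotfire documentation.
# Assumptions (hypothetical values, adjust to your environment):
#   - identity header name:  X-Spotfire-User
#   - Spotfire Server at:    http://spotfire-backend.example.internal:8080
#   - mod_shib populates REMOTE_USER for authenticated sessions
# Requires mod_proxy, mod_proxy_http, mod_headers and mod_shib.
# Place these directives in the virtual host that serves Spotfire.

# 1. Reject client-supplied identity headers.
#    "early" runs before any other request processing, on every path,
#    so a forged X-Spotfire-User header never reaches the Spotfire Server.
RequestHeader unset X-Spotfire-User early

# 2. Forward all /spotfire traffic, authenticated or not.
#    Spotfire Server itself redirects to the external-auth path
#    when a login is needed.
ProxyPreserveHost On
ProxyPass        /spotfire http://spotfire-backend.example.internal:8080/spotfire
ProxyPassReverse /spotfire http://spotfire-backend.example.internal:8080/spotfire

# 3. Authenticate only the external-auth check path.
#    Unauthenticated requests are sent to the IdP by the SP; after login
#    the SP returns the browser to this same URL and the request is then
#    allowed through to the Spotfire Server.
<Location "/spotfire/sf_security_check_external_auth">
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    Require valid-user

    # 4. Transfer the established identity in the request header.
    #    This runs after authentication, so the value comes from the SP
    #    session and not from anything the client sent.
    RequestHeader set X-Spotfire-User "expr=%{REMOTE_USER}"
</Location>
```

The header name used here must be the same one that Spotfire Server's External Authentication configuration is set to read.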