XLCubed is now FluenceXL. The new wiki can be found here: https://help.fluencexl.com/
Difference between revisions of "Single sign-on"
(→XLCubedWeb Config) |
(→XLCubedWeb Config) |
||
Line 87: | Line 87: | ||
** ''Redirect'' - Identity provider initiated. This is the most common option. When XLCubedWeb is accessed directly users will be sent to the providers login page, they can optionally access XLCubedWeb directly from the providers portal. | ** ''Redirect'' - Identity provider initiated. This is the most common option. When XLCubedWeb is accessed directly users will be sent to the providers login page, they can optionally access XLCubedWeb directly from the providers portal. | ||
** ''Postback'' - Service provider initiated. XLCubedWeb must the first point of access and it will send an AuthN request to the identity provider. If encryption is required on this request you must download the signing certificate, import it and provide the password under the "Advanced" tab of the XLCubedWeb config tool. | ** ''Postback'' - Service provider initiated. XLCubedWeb must the first point of access and it will send an AuthN request to the identity provider. If encryption is required on this request you must download the signing certificate, import it and provide the password under the "Advanced" tab of the XLCubedWeb config tool. | ||
− | *'Custom auth procedure' see the next section | + | *''Custom auth procedure'' see the next section |
− | *' | + | *''Enable scheduler access'' see the specific section about scheduling |
==SQL-based user to role mapping== | ==SQL-based user to role mapping== |
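Review bot: the Postback context line in this hunk still reads "XLCubedWeb must the first point of access" (missing "be"), and it speaks of encryption while telling the reader to import the signing certificate. Since this revision is already touching the list, fix the verb and state whether the AuthN request is signed or encrypted. In the two changed bullets, put a separator between the italic option name and "see the next section" so the option name does not run into the cross-reference.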
Revision as of 16:52, 6 February 2019
From Version 9.2.29 you can set up XLCubedWeb to use a SAML 2.0-compliant identity provider service to handle user authentication.
Requirements
You will need the following:
- Enterprise XLCubedWeb
- A SQL-based Repository in "Role" mode
- An identity provider service that supports SAML 2.0 (for example, Okta, PingIdentity etc.)
- Some identity providers will require that the XLCubedWeb website runs over HTTPS
- Contact support@xlcubed.com to enable the feature
Setup
Provider setup
You will need to create a new application or service provider. Use the following details, where:
servername = Your XLCubedWeb server address, for example http://someserver/xlcubedweb. This needs to match what the users would type into a web browser or the Excel publication screen
xlcubedurl = servername/webform/auth.aspx, for example http://someserver/xlcubedweb/webform/auth.aspx
The following is a list of possible information you will need to provide:
Field | Value |
---|---|
Single sign On URL | xlcubedurl |
Recipient URL | xlcubedurl |
Destination URL | xlcubedurl |
SP Entity ID | XLCubedWeb |
Audience URI | XLCubedWeb |
Audience Restriction | XLCubedWeb |
Attributes
The NameID attribute will be used as the key for users to store user-specific information such as "My Reports", recent reports, bookmarks, workbook aspects etc. Any format should be fine.
The following optional attributes can also be included:
Attribute | Description | Example |
---|---|---|
DisplayName | The text to display when the user is listed | Joe Bloggs |
 | The email address of the user; used when emailing alerts, for example | joe.bloggs@xlcubed.com |
EffectiveUser | User-id for connections that support this option. See "Datasources" section for more information | cubeuser |
EffectiveRole | Comma-delimited list of Cube Roles to use for this user. See "Datasources" section for more information | Accounts, Management |
MemberOf | Comma-delimited list of SIDs or active-directory group paths the user belongs to, this is used to determine which XLCubed Roles the user belongs to | S-1-5-21-1085031214 |
Roles | Comma-delimited list of XLCubedWeb Roles the user belongs to, this controls which folders and reports they can see and what level of access they have | Authenticated Users, Upper Management |
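An added example, not part of the original page or of XLCubed's code: a pre-go-live check that a test SAML response captured from your identity provider carries the Destination, Recipient and Audience values from the provider setup table and the attributes listed above. The sample response, the NameID value and the `check_response` helper are constructed for illustration, and the mapping of the provider fields onto these SAML elements is an assumption about your identity provider.

```python
import xml.etree.ElementTree as ET

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: an unsigned test response trimmed to the checked fields.
SAMPLE = """<p:Response xmlns:p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:a="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="http://someserver/xlcubedweb/webform/auth.aspx">
  <a:Assertion>
    <a:Subject><a:NameID>joe.bloggs</a:NameID><a:SubjectConfirmation>
      <a:SubjectConfirmationData Recipient="http://someserver/xlcubedweb/webform/auth.aspx"/>
    </a:SubjectConfirmation></a:Subject>
    <a:Conditions><a:AudienceRestriction><a:Audience>XLCubedWeb</a:Audience></a:AudienceRestriction></a:Conditions>
    <a:AttributeStatement>
      <a:Attribute Name="DisplayName"><a:AttributeValue>Joe Bloggs</a:AttributeValue></a:Attribute>
      <a:Attribute Name="Roles"><a:AttributeValue>Authenticated Users, Upper Management</a:AttributeValue></a:Attribute>
    </a:AttributeStatement>
  </a:Assertion>
</p:Response>"""

LIST_ATTRS = {"EffectiveRole", "MemberOf", "Roles"}  # comma-delimited per the table

def check_response(xml_text, servername, entity_id="XLCubedWeb"):
    """Return (problems, nameid, attributes) for a captured test response."""
    # Configuration check only: this does not verify the response signature.
    xlcubedurl = servername.rstrip("/") + "/webform/auth.aspx"
    root = ET.fromstring(xml_text)
    problems = []
    if root.get("Destination") != xlcubedurl:
        problems.append(f"Destination is {root.get('Destination')!r}, expected {xlcubedurl!r}")
    recipients = [e.get("Recipient") for e in root.iterfind(".//a:SubjectConfirmationData", NS)]
    if xlcubedurl not in recipients:
        problems.append(f"Recipient {recipients} does not include {xlcubedurl!r}")
    audiences = [e.text.strip() for e in root.iterfind(".//a:Audience", NS) if e.text]
    if entity_id not in audiences:
        problems.append(f"Audience {audiences} does not include {entity_id!r}")
    nameid = root.findtext(".//a:Subject/a:NameID", default="", namespaces=NS).strip()
    if not nameid:
        problems.append("NameID is missing or empty")
    attrs = {}
    for attr in root.iterfind(".//a:Attribute", NS):
        name = attr.get("Name")
        value = ",".join((v.text or "") for v in attr.iterfind("a:AttributeValue", NS))
        attrs[name] = ([s.strip() for s in value.split(",") if s.strip()]
                       if name in LIST_ATTRS else value.strip())
    return problems, nameid, attrs
```

A scheme mismatch such as http versus https in `servername` shows up as both a Destination and a Recipient problem, which is the usual symptom of the server address not matching what users type.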
XLCubedWeb Setup
This guide assumes you already have XLCubedWeb running with a SQL-based repository using the "Role" model. The authentication method currently in use doesn't matter at this stage.
Provider metadata
You will first need to export the Application/Service metadata from the provider service. This includes information such as the URLs XLCubedWeb will access to authenticate, as well as any signing certificates needed for the request.
XLCubedWeb Config
Switch the authentication type to "Customer provider":
Click configure:
Browse to and import the Provider Metadata XML file.
You then have some other options to consider:
- Redirect vs Postback - this is provider specific; the most common is "Redirect".
  - Redirect - Identity provider initiated. This is the most common option. When XLCubedWeb is accessed directly, users will be sent to the provider's login page; they can optionally access XLCubedWeb directly from the provider's portal.
  - Postback - Service provider initiated. XLCubedWeb must be the first point of access and it will send an AuthN request to the identity provider. If encryption is required on this request, you must download the signing certificate, import it and provide the password under the "Advanced" tab of the XLCubedWeb config tool.
- Custom auth procedure - see the next section
- Enable scheduler access - see the specific section about scheduling