Spotfire Server: How to manage User Licenses and Group memberships when using OpenID Connect authentication

Product: Spotfire Server
Versions: 7.8 and higher

Summary:
This article explains how to assign users to groups using custom PostAuthenticationFilters in order to manage user licenses in Spotfire Server.

Details:
When using OpenID Connect authentication, there is no easy way to create/manage Groups or Users and their licenses like it is normally done with LDAP authentication. When OpenID users login, they are added to the Everyone group by default and, thus, they end up without any pre-defined licenses assigned. To set user licenses and permissions, new users need to be manually added to required groups by Administrator.

Resolution:
For this purpose, one can develop a Custom PostAuthenticationFilter to set up group memberships using the Spotfire UserDirectory API. The Post Authentication filter is called each time a user is logged in, so in your Custom PostAuthenticationFilter code you can check if the user is part of respective groups and add them if they are not already added.

For an example implementation of a Custom PostAuthenticationFilter, see the following Wiki post in the Spotfire Community:

• Configure Custom PostAuthentication Filter in TIBCO Spotfire® Server