When attempting to configure OpenID authentication with Spotfire, you may find that the browser is stuck in a loop and you are unable to log in to Spotfire. This issue may also show itself as the browser simply returning to the Spotfire login page.
These symptoms are especially common when LDAP is used for the User Directory.
To diagnose this issue, check the server.log for messages similar to this:
INFO 2024-04-11T17:14:23,508+0100 [unknown, #B-11, #202] server.security.PostAuthenticationFilterImpl: Denying access, the user principal 'john.smith@xyz.com' cannot be found in the User Directory
If a similar message is seen in the logs and you are using LDAP for the User Directory, the issue is that the usernames held in LDAP do not match the username being provided by OpenID.
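As an added example (not part of the original article or of Spotfire itself), the following script scans server.log text for the PostAuthenticationFilterImpl denial message quoted above and then separates the denied principals whose domain part differs from the LDAP root domain (the mismatch this article describes) from those that already carry the LDAP domain, which points to a different cause such as an account that is genuinely absent. The log excerpt is constructed sample data; the `some.other.Component` line is invented noise, and the `abc.com` root domain is the article's own example.

```python
import re
from typing import List, Tuple

# Pattern for the denial message written by PostAuthenticationFilterImpl, in the
# format of the server.log line quoted in the article. Timestamp and principal
# are captured; the bracketed thread/request fields are skipped.
DENIAL_RE = re.compile(
    r"^(?P<level>\w+)\s+(?P<ts>\S+)\s+\[[^\]]*\]\s+"
    r"server\.security\.PostAuthenticationFilterImpl:\s+Denying access, "
    r"the user principal '(?P<principal>[^']+)' cannot be found in the User Directory"
)


def find_denied_principals(log_text: str) -> List[Tuple[str, str]]:
    """Return (timestamp, principal) for every denial line in server.log text."""
    hits: List[Tuple[str, str]] = []
    for line in log_text.splitlines():
        # Some log viewers append a trailing ' |'; strip it before matching.
        m = DENIAL_RE.match(line.rstrip(" |"))
        if m:
            hits.append((m.group("ts"), m.group("principal")))
    return hits


def domain_mismatches(principals: List[Tuple[str, str]], ldap_root_domain: str) -> List[str]:
    """Principals whose domain part differs from the LDAP root domain.

    These are the signature of an OpenID username claim that does not match the
    composite <samAccountName>@<root domain> username held in LDAP. A denied
    principal that already carries the LDAP domain is left out: that denial has
    a different cause (for example, no such account in LDAP).
    """
    out: List[str] = []
    for _, principal in principals:
        domain = principal.rsplit("@", 1)[1] if "@" in principal else ""
        if domain.lower() != ldap_root_domain.lower():
            out.append(principal)
    return out


# Constructed sample server.log excerpt (not a real log). The second line is
# unrelated noise to show that only the denial message is picked up.
SAMPLE_LOG = """\
INFO 2024-04-11T17:14:23,508+0100 [unknown, #B-11, #202] server.security.PostAuthenticationFilterImpl: Denying access, the user principal 'john.smith@xyz.com' cannot be found in the User Directory |
INFO 2024-04-11T17:14:24,002+0100 [unknown, #B-11, #203] some.other.Component: request completed
INFO 2024-04-11T17:16:09,311+0100 [unknown, #B-12, #210] server.security.PostAuthenticationFilterImpl: Denying access, the user principal 'jsmith@abc.com' cannot be found in the User Directory
"""

if __name__ == "__main__":
    denied = find_denied_principals(SAMPLE_LOG)
    print("denied principals:", denied)
    print("domain mismatches vs abc.com:", domain_mismatches(denied, "abc.com"))
```

Run it against a real server.log by replacing `SAMPLE_LOG` with the file contents; a non-empty result from `domain_mismatches` confirms the username mismatch described in the rest of this article.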
For example, in a default LDAP configuration that uses Active Directory, samAccountName is used as the username attribute. Suppose the samAccountName is jsmith and the LDAP root domain is abc.com. This results in a composite username of jsmith@abc.com. Since this does not match the username provided by OpenID, john.smith@xyz.com, the error results because john.smith@xyz.com is not found in the User Directory. This does not mean that OpenID is incorrectly configured: OpenID is correctly providing the username claim specified in the Spotfire configuration.
To resolve this issue, the username derived from the OpenID claim must match the LDAP directory username.
1.) Most OpenID providers (e.g. Azure, Okta) allow custom claims to be mapped. It is therefore necessary to create a custom claim that contains the username in the same format as LDAP (e.g. jsmith). Once this claim has been created, it must be specified in the Spotfire configuration as the username claim. You may additionally need to add a custom scope for this to work.
It is beyond the scope of Revvity Signals support to assist with configuring custom claims. Please refer to your OpenID provider documentation.
2.) For the domain portion of the username, we need abc.com. The custom claim contains only jsmith, so the same domain name as LDAP must be appended. The domain portion can be set to a fixed value via the OpenID configuration in Spotfire. Selecting this option and using a fixed value of abc.com then results in a username of jsmith@abc.com, which is precisely what is needed.
3.) The Post Authentication filter must be set to Block when using LDAP as the User Directory: if a username is not found in LDAP, access should be blocked.
Important: If the User Directory is set to Database, the Post Authentication filter should not be set to Block. Doing so could result in the same browser looping issue. In this situation, since accounts are meant to be created in the database on the first successful login, the correct setting is Auto create.
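As an added example covering steps 1 to 3 together (not code from the original article or from Spotfire), the script below models how the composite LDAP username and the username Spotfire derives from the OpenID token line up, so you can see why the default claim fails, why the custom claim alone is still not enough, and why the custom claim plus a fixed domain value matches. The `LdapUser` type, the claim names (`email`, `spotfire_username`), and the `check_config` helper that encodes the Post Authentication filter rule from step 3 are illustrative assumptions, not Spotfire's own API; the sample users and claims are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class LdapUser:
    """Assumed shape of a directory entry; only the two attributes that matter here."""
    sam_account_name: str  # username attribute in a default Active Directory setup
    root_domain: str       # LDAP root domain, e.g. abc.com


def ldap_composite_username(user: LdapUser) -> str:
    """Composite username held in the User Directory: <samAccountName>@<root domain>."""
    return f"{user.sam_account_name}@{user.root_domain}"


def openid_username(claims: Dict[str, str], username_claim: str,
                    fixed_domain: Optional[str] = None) -> str:
    """Username derived from the token: the configured claim, optionally with the
    domain portion replaced by a fixed value (the option described in step 2)."""
    value = claims[username_claim]
    if fixed_domain is None:
        return value
    local_part = value.split("@", 1)[0]
    return f"{local_part}@{fixed_domain}"


def usernames_match(ldap_user: LdapUser, claims: Dict[str, str], username_claim: str,
                    fixed_domain: Optional[str] = None) -> bool:
    """True when the OpenID-derived username would be found in the User Directory."""
    return ldap_composite_username(ldap_user) == openid_username(claims, username_claim, fixed_domain)


# Step 3 as data: the Post Authentication filter setting each User Directory type needs.
RECOMMENDED_FILTER = {"ldap": "Block", "database": "Auto create"}


def check_config(user_directory: str, post_auth_filter: str) -> List[str]:
    """Return the misconfigurations described in step 3 (empty list when consistent).

    LDAP with anything other than Block lets unknown users through; Database with
    Block denies the first login that was meant to create the account, which also
    shows up as the browser looping back to the login page.
    """
    expected = RECOMMENDED_FILTER.get(user_directory.lower())
    if expected is None:
        return [f"unknown User Directory type {user_directory!r}"]
    if post_auth_filter != expected:
        return [f"User Directory {user_directory!r} requires Post Authentication filter "
                f"{expected!r}, got {post_auth_filter!r}"]
    return []


# Constructed sample data (not from a real tenant or directory).
JSMITH = LdapUser("jsmith", "abc.com")
DEFAULT_CLAIMS = {"email": "john.smith@xyz.com"}
CUSTOM_CLAIMS = {**DEFAULT_CLAIMS, "spotfire_username": "jsmith"}  # custom claim from step 1

if __name__ == "__main__":
    # Default claim: john.smith@xyz.com never equals jsmith@abc.com.
    print(usernames_match(JSMITH, DEFAULT_CLAIMS, "email"))
    # Fixed domain alone is not enough: john.smith@abc.com is still wrong.
    print(usernames_match(JSMITH, DEFAULT_CLAIMS, "email", "abc.com"))
    # Custom claim alone is not enough: bare jsmith has no domain portion.
    print(usernames_match(JSMITH, CUSTOM_CLAIMS, "spotfire_username"))
    # Custom claim plus fixed domain: jsmith@abc.com, which is what LDAP holds.
    print(usernames_match(JSMITH, CUSTOM_CLAIMS, "spotfire_username", "abc.com"))
    print(check_config("ldap", "Auto create"))
    print(check_config("database", "Block"))
```

The comparison is exact; if your directory and provider differ in letter case, check how Spotfire treats case for your User Directory type before relying on a match.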
Please refer to the following guide for more information on configuring OpenID.