This article describes how to configure TIBCO Spotfire to work with Microsoft Entra ID or Azure OpenID provider.
Create an app registration in Azure
The first step is to create a Spotfire "app registration" in Microsoft Entra ID or Azure AD. Assistance with this is beyond the scope of Revvity Signals support; as a general guide, however, this is done in the Entra ID / Azure Active Directory admin center (https://aad.portal.azure.com).
A client credential for the application needs to be created.
A "web" redirect URL also needs to be created. This is based on the URL that end users use to access the Spotfire application.
Configure Spotfire Server OpenID Connect authentication
Once the above steps have been completed, the relevant details can be added on the OpenID Connect configuration page in Spotfire Server Configuration Tool. First, add a new provider and fill out the details for Discovery document URL, Client ID and Client secret.
Choosing sensible values for user and domain
By default, the Username claim is set to sub, which is not a useful, human-readable value. To counter this, an optional claim, upn, can be added to the Spotfire app in Entra ID / Azure AD; it contains the user principal name in the format "user@domain.com".
This is done on the Token configuration page in Entra / Azure. Click the "Add optional claim" link for the ID token and select upn as the claim.
The upn claim can then be configured in Spotfire Server Configuration Tool, on the OpenID Connect tab, under Advanced properties.
Next, the user's "Domain" property needs to be set. There are three options available:
1. Use a value from the Domain claim, which is the default option (for Entra ID / Azure, the default claim is iss).
2. Use a static domain name value.
3. Parse the domain from the Username claim.
Which one is chosen depends on the User Directory configuration in Spotfire (see below).
Setting the User Directory
The Spotfire user directory can be managed in two ways - using Spotfire Server's metadata database or integrating with an existing LDAP infrastructure. The latter is preferable for the following reasons:
- User accounts are managed in one place only, since all user account data is stored in LDAP directory.
- Groups can be synchronized and managed from LDAP directory, rather than created manually in Spotfire Server.
- If a user leaves the company, or their account is locked in LDAP, this is reflected in Spotfire. This does not happen when the user directory is set to the Spotfire Server database.
Using Spotfire Server's database for User Directory
In Spotfire Server Configuration Tool, under Post-Authentication Filter, set Default filter mode to "Auto-create". This means that newly authenticated users who have not been seen before by Spotfire Server are added to the Spotfire Server user directory (in its database).
Groups must be created manually, and all user account management, including disabling accounts, is done in Spotfire Server.
Using LDAP for User Directory
In Spotfire Server Configuration Tool, under Post-Authentication Filter, set Default filter mode to "Block". This means that any user not found in LDAP is rejected and their login fails.
When LDAP is used as the User Directory, a login succeeds only when the username obtained from the Entra ID / Azure OpenID claim exactly matches the Username attribute configured for LDAP.
So, as described in the earlier section, this is where choosing a sensible Username claim becomes more relevant. It may need to be combined with the Domain setting in the Spotfire configuration to obtain the desired result:
Example 1
The Username claim obtained from Entra ID / Azure AD is "jsmith", and the Username attribute in the LDAP configuration is upn, which gives a value of "jsmith@mycompany.corp".
In this situation, select the "use a static domain name" option (Option 2) in the OpenID configuration and set it to "mycompany.corp". The Username claim plus this static domain value gives a composite name of "jsmith@mycompany.corp", which matches the Username attribute in the LDAP directory.
Example 2
The Username claim obtained from Entra ID / Azure AD is "jsmith@mycompany.corp".
Select the "parse the username claim" option (Option 3) in the OpenID configuration to obtain the domain. If the LDAP configuration uses samAccountName as the Username attribute, combining it with the domain setting (from the Domain configuration tab) creates a composite name of "jsmith@mycompany.corp", which matches the parsed claim.
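The two examples above, and the Username claim and Domain options from the earlier section, can be traced through with a small added model (illustration only, not Spotfire's own code). It assumes a hypothetical claim "short_name" as the source of the bare "jsmith" value in Example 1, a placeholder tenant in the iss value, and a constructed LDAP entry:

```python
# Added illustration (not Spotfire's own code): a simplified model of how the
# Username claim and the Domain option combine into the identity that the
# post-authentication filter matches against the user directory.

def identity_from_claims(claims, username_claim, domain_option,
                         static_domain="", domain_claim="iss"):
    """Return (user, domain) derived from the ID token claims. domain_option is
    "claim" (Option 1, iss by default), "static" (Option 2) or "parse" (Option 3)."""
    user = claims[username_claim]
    if domain_option == "parse":
        if "@" not in user:
            raise ValueError(f"cannot parse a domain from {user!r}")
        return tuple(user.split("@", 1))
    if domain_option == "static":
        return user, static_domain
    return user, claims[domain_claim]


def identity_from_ldap(entry, username_attribute, ldap_domain):
    """Return (user, domain) for an LDAP entry under the configured Username attribute."""
    value = entry[username_attribute]
    if "@" in value:                      # e.g. upn = jsmith@mycompany.corp
        return tuple(value.split("@", 1))
    return value, ldap_domain             # e.g. samAccountName = jsmith


def post_auth_filter(identity, directory, mode):
    """'Block' rejects unknown identities; 'Auto-create' adds them to the
    directory (which is then Spotfire's own database rather than LDAP)."""
    if identity in directory:
        return "allowed"
    if mode == "Auto-create":
        directory.add(identity)
        return "created"
    return "rejected"


# Constructed sample data: one LDAP account and the claims of one ID token.
LDAP_ENTRY = {"upn": "jsmith@mycompany.corp", "samAccountName": "jsmith"}
CLAIMS = {"sub": "AAAAAAAA-opaque-subject-id", "upn": "jsmith@mycompany.corp",
          "short_name": "jsmith",  # hypothetical claim standing in for Example 1
          "iss": "https://login.microsoftonline.com/<TENANT-ID>/v2.0"}


def login(username_claim, domain_option, ldap_attribute, static_domain="", mode="Block"):
    """Run one login through the model and return the filter outcome."""
    directory = {identity_from_ldap(LDAP_ENTRY, ldap_attribute, "mycompany.corp")}
    identity = identity_from_claims(CLAIMS, username_claim, domain_option, static_domain)
    return post_auth_filter(identity, directory, mode)
```

With the default sub claim and iss domain, the identity never matches an LDAP account, so "Block" mode rejects every login, while "Auto-create" silently creates a second, opaque account in the Spotfire database.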