Login fails when accessing the TIBCO Spotfire Server with a URL that isn't configured as the public address if OIDC is used.


Article ID: KB0071562

Updated On:

Products

Spotfire Server

Description

If users want to access the Spotfire Server through a URL containing its IP address or DNS name, especially when OpenID Connect is set, login fails with the error message "Could not log in. Verify the server address or contact your administrator. Go to login page". For example, you may have the following configured at the Spotfire Server end:

Public Address   : https://tibco.com/
Return Endpoint  : https://tibco.com/spotfire/auth/oidc/authenticate
DNS configured   : https://tb.com/
IP address       : https://12.10.18.24/

IdP end:

Configured Redirect/Reply URL:
  • https://tibco.com/spotfire/auth/oidc/authenticate
  • https://12.10.18.24/spotfire/auth/oidc/authenticate
  • https://tb.com/spotfire/auth/oidc/authenticate

Even though all the required endpoints are configured at the IdP end (Azure, Google, Okta, etc.), login still fails.

Issue/Introduction

This article describes how the Spotfire Server can be accessed with its IP address, its DNS name, or any URL that is not configured as the public address.

Resolution

This is expected behavior. To get it to work, set security.oidc.calculate-return-endpoint to true, and make sure that the Host header is set properly by the reverse proxy, if there is one.

If this configuration property is set to true, the Spotfire Server will, for the purpose of OIDC authentication at least, ignore the configured public address and instead try to determine it based on the request.

Here are the instructions:

1. Export the currently used configuration from the Spotfire database.
2. To export, either log in using the uiconfig.bat file (uiconfig.sh on Linux), which is located in the <Installation dir>\tomcat\spotfire-bin directory, OR execute the CLI command export-config.
3. Open the exported server configuration from the given location in a text or XML editor and search for the <oidc> tag.
4. Add the line <calculate-return-endpoint>true</calculate-return-endpoint> inside the <oidc> element, as below:
<configuration>
  ...
  <security>
    ...
    <oidc>
      <enabled>true</enabled>
      <calculate-return-endpoint>true</calculate-return-endpoint>
      <providers>
      ...
      </providers>
    </oidc>
    ...
  </security>
  ...
</configuration>
5. Save the changes and import the configuration back to the database, using either the uiconfig tool or the import-config command.
6. Restart the Spotfire Server.
7. After the successful server startup message appears in the catalina logs, try opening the Spotfire Server URL in a browser.
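
An added example (not TIBCO's code and not part of the original article): a Python check to run on the exported configuration before importing it, confirming the flag from step 4 is present and that every host users reach the server on has a matching redirect URL at the IdP. It assumes the exported file has the element layout shown in step 4 and that the server builds the return endpoint as https://<Host header> plus the return path shown in this article; the host internal.example is constructed.

```python
import xml.etree.ElementTree as ET

RETURN_PATH = "/spotfire/auth/oidc/authenticate"  # path shown in this article

# Constructed sample modelled on the snippet in step 4 (not a real export).
SAMPLE_CONFIG = """<configuration>
  <security>
    <oidc>
      <enabled>true</enabled>
      <calculate-return-endpoint>true</calculate-return-endpoint>
      <providers/>
    </oidc>
  </security>
</configuration>"""

# Redirect/reply URLs registered at the IdP (values from the article's example).
IDP_REDIRECT_URIS = {
    "https://tibco.com/spotfire/auth/oidc/authenticate",
    "https://12.10.18.24/spotfire/auth/oidc/authenticate",
    "https://tb.com/spotfire/auth/oidc/authenticate",
}

def oidc_flags(config_xml):
    """Return (enabled, calculate_return_endpoint) read from security/oidc."""
    oidc = ET.fromstring(config_xml).find("./security/oidc")
    if oidc is None:
        return (False, False)
    def flag(tag):
        return (oidc.findtext(tag) or "").strip().lower() == "true"
    return (flag("enabled"), flag("calculate-return-endpoint"))

def expected_return_endpoint(host_header):
    """Assumed derivation: https scheme + Host header + return path."""
    return "https://" + host_header.strip().lower() + RETURN_PATH

def unregistered_hosts(hosts, registered):
    """Hosts whose computed return endpoint is missing from the IdP list."""
    known = {uri.rstrip("/").lower() for uri in registered}
    return [h for h in hosts if expected_return_endpoint(h) not in known]

if __name__ == "__main__":
    print("enabled, calculate-return-endpoint:", oidc_flags(SAMPLE_CONFIG))
    # Host values the reverse proxy may pass through; the last one is constructed.
    hosts = ["tibco.com", "tb.com", "12.10.18.24", "internal.example"]
    for host in unregistered_hosts(hosts, IDP_REDIRECT_URIS):
        print("No IdP redirect URL registered for Host:", host)
```

Any host reported here would still fail login after the change, because the IdP rejects a return endpoint that is not in its registered list.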

Additional Information

Doc: export-config
Doc: import-config
Doc: Manually editing the server configuration in an XML or text editor