Article ID: KB0075046
Description
This article describes the steps to configure OpenID Connect authentication with Azure on the TIBCO Spotfire Server.
Issue/Introduction
Configuring OpenID Connect authentication with Azure
Resolution
1) Log on to https://portal.azure.com with your individual account and register an application by navigating to the "Azure Active Directory" section of the portal (found in the left navigation bar).
2) Click "App registrations" -> "New application registration". On the page that opens, enter a name (your choice), the application type (Web app/API) and the "Redirect URI". For the "Redirect URI", copy and paste the return endpoint URL from the TIBCO Spotfire Server Configuration Tool, as set in step 4. Azure only redirects back to a URI registered here, so the value must match the Spotfire return endpoint exactly (scheme, host, port and path).
3) Enable a custom public address in the TIBCO Spotfire Server configuration. In the "TIBCO Spotfire Server Configuration Tool", "Configuration" tab, select "Public Address". Set "Enable custom public address" to "Yes" and enter the public address URL in the form http[s]://<spotfire server>[:<port>]/ (Note: the port can be omitted if it is the default for the scheme, i.e. 80 for HTTP or 443 for HTTPS). Use HTTPS wherever possible: the authorization code that Azure sends back to this address is a credential, and the public address is also the prefix of the return endpoint that Azure validates.
4) Enable OpenID Connect authentication in the TIBCO Spotfire Server configuration. In the "TIBCO Spotfire Server Configuration Tool", "Configuration" tab, select the "OpenID Connect" page, set "Enable OpenID Connect" to "Yes", and enter the return endpoint, which is the public address configured in step 3 followed by the OIDC path:
Return endpoint URL: http[s]://<spotfire server>[:<port>]/spotfire/auth/oidc/authenticate
5) Go back to the Azure portal and click the registered application. You should see the Home Page URL (your return endpoint URL from the TIBCO Spotfire Server Configuration Tool), the Application ID, the Tenant ID and the Object ID.
6) To obtain the client secret, click "Certificates & secrets". On the page that opens, click "New client secret", enter a description (example: Test) and a duration (your choice), and save. A key is generated in the Value field; copy it before navigating away, because the portal shows the value only once and hides the values of existing secrets afterwards. If you need a new secret later (for example when the current one expires or is rotated), create one following the same procedure and update the Spotfire configuration with it.
7) Go back to the "TIBCO Spotfire Server Configuration Tool", "Configuration" tab, select the "Authentication" page and, in the drop-down menu, choose "Web Authentication (e.g. OpenID Connect)".
If you would like to enable forms authentication in addition to OpenID Connect authentication, please see the following KB article:
8) For the "User Directory" you can use either "Database" or "LDAP". If you use "Database" as the user directory, it is recommended to use the "Auto-create" option for the post-authentication filter (so that successfully authenticated users are automatically created in the user directory database), as set here:
TIBCO Spotfire Server Configuration Tool > Configuration > Post Authentication Filter > Default filter mode: Auto-create
9) Go to "OpenID Connect" page, and click the "Add new provider" button. Specify a name and click OK. For each provider, specify the Discovery document URL, the Client ID and the Client secret as described below:
a) Discovery Document URL: https://login.microsoftonline.com/{tenant}/.well-known/openid-configuration, where {tenant} is the ID of your Azure Active Directory tenant. You can find the tenant ID directly from the app you created: go to "Azure Active Directory" >> "App registrations" >> select the app (for example "Test"); the Tenant ID is displayed there (see step 5).
- (or)
- Log in to the Azure Portal with your individual account.
- Navigate to the "Azure Active Directory" section of the portal (found in the left navigation bar).
- Click "Properties"; you should automatically be signed in to the "Default Directory".
- On the same page you should see the "Directory ID", which is the {tenant} value in the Discovery Document URL.
- Copy the "Directory ID" and paste it in place of {tenant}.
Example: https://login.microsoftonline.com/55e98fdf-9ac4-42f6-a35d-6bcb4d9b4bc7/.well-known/openid-configuration
b) Client ID is the "Application ID" of the registered app (step 5).
c) Client Secret is the secret value generated by Microsoft Azure for the app in step 6.
10) Save the TIBCO Spotfire Server configuration to the database and restart the Spotfire Server.
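The values entered in steps 2, 3, 4 and 9 have to agree with each other and with what Azure publishes, and a mismatch usually only shows up as a failed login after the restart. The script below is an added example (not TIBCO or Microsoft code) that checks those values offline: it derives the return endpoint from the custom public address, derives the discovery URL from the tenant ID, validates the shape of a discovery document, and compares the Azure redirect URI with the Spotfire return endpoint. The discovery document in it is a constructed sample in the shape of the v1 Azure AD document, using the tenant ID from the example above; the hostname spotfire.example.com is an assumption.

```python
"""Sanity checks for the OIDC values entered in the Spotfire Server Configuration Tool.

Added example, not TIBCO or Microsoft code. Builds the return endpoint from the
custom public address (steps 3-4), the discovery URL from the tenant ID (step 9a),
checks a discovery document offline, and compares the Azure redirect URI with the
Spotfire return endpoint (step 2). SAMPLE_DISCOVERY is constructed for this example.
"""
import re
from urllib.parse import urlparse

OIDC_RETURN_PATH = "/spotfire/auth/oidc/authenticate"
DEFAULT_PORTS = {"http": 80, "https": 443}
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def normalize_origin(url: str) -> str:
    """Return scheme://host[:port] with the host lower-cased and the default port dropped."""
    p = urlparse(url)
    if p.scheme not in DEFAULT_PORTS or not p.hostname:
        raise ValueError(f"not an http(s) URL with a host: {url!r}")
    port = p.port  # None when omitted; raises ValueError if the port is not numeric
    if port is None or port == DEFAULT_PORTS[p.scheme]:
        return f"{p.scheme}://{p.hostname}"
    return f"{p.scheme}://{p.hostname}:{port}"


def return_endpoint(public_address: str) -> str:
    """Step 4: the return endpoint is the public address plus the fixed OIDC path."""
    return normalize_origin(public_address) + OIDC_RETURN_PATH


def discovery_url(tenant: str) -> str:
    """Step 9a: discovery document URL for an Azure AD tenant (directory) ID."""
    if not GUID_RE.match(tenant):
        raise ValueError(f"tenant must be the directory (tenant) ID GUID, got {tenant!r}")
    return f"https://login.microsoftonline.com/{tenant}/.well-known/openid-configuration"


def check_discovery(doc: dict, tenant: str) -> list:
    """Return the problems found in a discovery document; an empty list means it looks usable.

    Checks the fields needed for the authorization-code flow, that every endpoint is
    served over HTTPS, and that the document belongs to the expected tenant (the
    issuer carries the tenant ID), so a copy-paste of the wrong tenant is caught.
    """
    problems = []
    for key in ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri"):
        if not doc.get(key):
            problems.append(f"missing {key}")
        elif key != "issuer" and not doc[key].startswith("https://"):
            problems.append(f"{key} is not https")
    if tenant.lower() not in doc.get("issuer", "").lower():
        problems.append("issuer does not contain the expected tenant ID")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow not advertised")
    if "RS256" not in doc.get("id_token_signing_alg_values_supported", []):
        problems.append("RS256 ID token signing not advertised")
    return problems


def redirect_uri_matches(registered_redirect_uri: str, spotfire_return_endpoint: str) -> bool:
    """Step 2: Azure only redirects to a registered URI, so both must agree after
    normalizing scheme, host and default port. The path is compared exactly
    (assumption: treat it as case-sensitive, which is the safe side)."""
    same_origin = normalize_origin(registered_redirect_uri) == normalize_origin(spotfire_return_endpoint)
    return same_origin and urlparse(registered_redirect_uri).path == urlparse(spotfire_return_endpoint).path


# Constructed sample in the shape of the v1 discovery document for the tenant ID used
# in this article (the v1 endpoint reports its issuer as https://sts.windows.net/{tenant}/).
TENANT = "55e98fdf-9ac4-42f6-a35d-6bcb4d9b4bc7"
SAMPLE_DISCOVERY = {
    "issuer": f"https://sts.windows.net/{TENANT}/",
    "authorization_endpoint": f"https://login.microsoftonline.com/{TENANT}/oauth2/authorize",
    "token_endpoint": f"https://login.microsoftonline.com/{TENANT}/oauth2/token",
    "jwks_uri": "https://login.microsoftonline.com/common/discovery/keys",
    "response_types_supported": ["code", "id_token", "code id_token", "token id_token", "token"],
    "id_token_signing_alg_values_supported": ["RS256"],
}

if __name__ == "__main__":
    public_address = "https://spotfire.example.com:443/"  # assumed host for the example
    endpoint = return_endpoint(public_address)
    print("Return endpoint:", endpoint)
    print("Discovery URL:  ", discovery_url(TENANT))
    print("Discovery check:", check_discovery(SAMPLE_DISCOVERY, TENANT) or "OK")
    print("Redirect match: ", redirect_uri_matches(
        "https://spotfire.example.com/spotfire/auth/oidc/authenticate", endpoint))
```

To use it against a live tenant, fetch the discovery URL with any HTTP client and pass the parsed JSON to check_discovery together with the tenant ID you entered in step 9a; a non-empty result means the provider page, not the Azure side, needs correcting.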
Note: If you have issues logging in after these steps, please see the following related KB Article for a common issue:
Additional Information
External: How to get an Azure Active Directory tenant
Doc: Configuring openID connect:
KB: 000035211 Users are not able to login to TIBCO Spotfire Server or Web Player when using Open ID Authentication with Azure Identity provider
KB: 000042227 OpenID Connect authentication on TIBCO Spotfire server fails with the error "Signed JWT rejected: Another algorithm expected, or no matching key(s) found"