How to enable Kerberos authentication with the TIBCO Spotfire for Apple iOS app
Article ID: KB0082250
Updated On:
| Products | Versions |
|---|---|
| Spotfire for iOS | 2.9.x |
Description
This article provides the steps necessary to allow the TIBCO Spotfire for Apple iOS app to access to the Library using Kerberos authentication with Constrained Delegation.
Issue/Introduction
How to enable Kerberos authentication with the TIBCO Spotfire for iOS app, using Constrained Delegation
Environment
Product: TIBCO Spotfire for Apple iOS
Version: 2.5.x and higher
OS: iOS 10.0 and higher
Authentication: Kerberos with Constrained Delegation
Resolution
In order for the TIBCO Spotfire for Apple iOS app to properly negotiate Kerberos authentication, you need to configure your mobile device to use Kerberos. This can be done using a configuration file. Attached is an example of a configuration file (Filename: "sso.mobileconfig") that can be edited to fit your environment.
1) Edit the attached configuration file (Filename: "sso.mobileconfig") on your local computer:
- Change 'Name' from "CONFIGURATION NAME" to whatever name you want to give the configuration.
<key>Name</key>
<string>CONFIGURATION NAME</string>
- Change 'PrincipalName' from "USERNAME" to the username that is to be used when logging in.
<key>PrincipalName</key>
<string>USERNAME</string>
- Change 'Realm' from "REALM" to the domain realm specified when setting up Kerberos on the Web Player (make sure the REALM is in upper case. Example: REALM.SAMPLE1.COM).
<key>Realm</key>
<string>REALM</string>
- Change 'URLPrefixMatches' from "URL" to the URL of the Spotfire Server the iPad Analytics app is connecting to. This is case-sensitive, should be in all lower-case.
Multiple URLs can be specified by adding a separate line for each new "<string>URL</string>" entry.
This should be the Spotfire Server URL, in the format of http://spotfireserver:port/spotfire
<key>URLPrefixMatches</key>
<array>
<string>URL</string>
</array>
- Change 'PayloadOrganization' from "ORGANISATION" to the name you want to use.
<key>PayloadOrganization</key>
<string>ORGANISATION</string>
Optional:
If you want to be able to access your Web Player through the Safari browser on your iPad them make the following change:
- Add a second line to the 'AppIdentifierMatches' section as shown below:
Original:
<key>AppIdentifierMatches</key>
<array>
<string>com.tibco.spotfire.SpotfireForIPad</string>
</array>
Modified:
<key>AppIdentifierMatches</key>
<array>
<string>com.tibco.spotfire.SpotfireForIPad</string>
<string>com.apple.mobilesafari</string>
</array>
- Save the edited configuration file.
2) Install this edited mobileconfig profile on your iPad device. This is most easily done by attaching the sso.mobileconfig file to an e-mail and sending it to an account that can be accessed from the iPad. When the attachment is opened on the iPad, you will be prompted to install the configuration profile.
3) Open the iPad Analytics app and tap on "+Add Library" in the main menu, if you have not already done so. Add the URL to your Spotfire Server as it appears in the sso.mobileconfig file. It does not matter what you specify in the Username and Password fields, as these values will not be used when using SSO.
4) If you wish to modify/update the profile on the iPad device, tap on Settings, then go into General and scroll down to Profiles. You can then select this profile and delete it. Once it has been deleted, you can install a new .mobileconfig file with updated configuration settings.
Once these steps have been completed, you should be able to use your iPad Analytics app to access your Web Player server using Kerberos with Constrained Delegation.
If you are unable to install the sso.mobileconfig file as a profile on your mobile device it is recommended that you contact Apple Support for more information:
https://support.apple.com/
1) Edit the attached configuration file (Filename: "sso.mobileconfig") on your local computer:
- Change 'Name' from "CONFIGURATION NAME" to whatever name you want to give the configuration.
<key>Name</key>
<string>CONFIGURATION NAME</string>
- Change 'PrincipalName' from "USERNAME" to the username that is to be used when logging in.
<key>PrincipalName</key>
<string>USERNAME</string>
- Change 'Realm' from "REALM" to the domain realm specified when setting up Kerberos on the Web Player (make sure the REALM is in upper case. Example: REALM.SAMPLE1.COM).
<key>Realm</key>
<string>REALM</string>
- Change 'URLPrefixMatches' from "URL" to the URL of the Spotfire Server the iPad Analytics app is connecting to. This is case-sensitive, should be in all lower-case.
Multiple URLs can be specified by adding a separate line for each new "<string>URL</string>" entry.
This should be the Spotfire Server URL, in the format of http://spotfireserver:port/spotfire
<key>URLPrefixMatches</key>
<array>
<string>URL</string>
</array>
- Change 'PayloadOrganization' from "ORGANISATION" to the name you want to use.
<key>PayloadOrganization</key>
<string>ORGANISATION</string>
Optional:
If you want to be able to access your Web Player through the Safari browser on your iPad them make the following change:
- Add a second line to the 'AppIdentifierMatches' section as shown below:
Original:
<key>AppIdentifierMatches</key>
<array>
<string>com.tibco.spotfire.SpotfireForIPad</string>
</array>
Modified:
<key>AppIdentifierMatches</key>
<array>
<string>com.tibco.spotfire.SpotfireForIPad</string>
<string>com.apple.mobilesafari</string>
</array>
- Save the edited configuration file.
2) Install this edited mobileconfig profile on your iPad device. This is most easily done by attaching the sso.mobileconfig file to an e-mail and sending it to an account that can be accessed from the iPad. When the attachment is opened on the iPad, you will be prompted to install the configuration profile.
3) Open the iPad Analytics app and tap on "+Add Library" in the main menu, if you have not already done so. Add the URL to your Spotfire Server as it appears in the sso.mobileconfig file. It does not matter what you specify in the Username and Password fields, as these values will not be used when using SSO.
4) If you wish to modify/update the profile on the iPad device, tap on Settings, then go into General and scroll down to Profiles. You can then select this profile and delete it. Once it has been deleted, you can install a new .mobileconfig file with updated configuration settings.
Once these steps have been completed, you should be able to use your iPad Analytics app to access your Web Player server using Kerberos with Constrained Delegation.
If you are unable to install the sso.mobileconfig file as a profile on your mobile device it is recommended that you contact Apple Support for more information:
https://support.apple.com/
Additional Information
Apple developers page: https://developer.apple.com/library/ios/featuredarticles/iphoneconfigurationprofileref/introduction/introduction.html
Attachments
Feedback
Yes
No
Powered by
