#1 2019-01-07 07:30:13

Nayana
Member
Registered: 2018-11-15
Posts: 62

Single Sign On with the application

We are going to implement SSO with the application. From the application, the user authentication process will be as below.
1.    Client Access the application (Zuul Gateway)
2.    Access request will then be sent via gateway to OAuth
3.    OAuth will communicate with Company Active Directory
     a.    If the user is in Active Directory,
              i.    If it is authenticated from AD, a JWT token will be generated
             ii.    If it is not authenticated from AD, the user will be notified
     b.    If the user is not in Active Directory
              i.    User will be checked in Application Database (Users who are not in AD will be routed to application database)
                     1.    Application Database maintains separate user list (who are not in AD) with username and password
                     2.    If it is authenticated from AD, a JWT token will be generated
                     3.    If it is not authenticated from AD, the user will be notified

For accessing reports from Application interface, we have planned to use URL and route to ReportServer. Currently we are using ReportServer Community Edition 3.0.5. Here we have planned to use Username and APIKey (Using URL) to authenticate. Is this the only way to achieve similar to SSO using community Edition or do we have any other options available.

If we have Enterprise edition, is there any way to reuse the generated JWT token and how we can do it?


Thanks & Regards
Nayana

Offline

#2 2019-01-07 13:30:04

eduardo
Administrator
Registered: 2016-11-01
Posts: 1,004
Website

Re: Single Sign On with the application

Hi Nayana,

for SSO you need PAMs, which are based on scripting. So you need Enterprise Edition for this. Please check here: https://forum.reportserver.net/viewtopi … 4036#p4036 for an example using CAS SSO. We also used KeyCloak successfully, if you prefer this.

If you have community edition, you can use APIKeys as you proposed. But APIKeys are just used for executing reports. Not for entirely signing in. So the only thing a user will be able to do with an APIKey is to execute given reports.

Regards,
Eduardo

Offline

#3 2019-01-08 04:26:35

Nayana
Member
Registered: 2018-11-15
Posts: 62

Re: Single Sign On with the application

If you have any guide for KeyCloak process, kindly share with us.

When using Community Edition,
for passing the APIKey, is there any recommended process to extract relevant KPIKey for the logged in User? Do we need to query ReportServer Metadata (From Application end) for getting relevant APIKey for the logged in User and then pass that value to URL?
Please assist.

If APIKey is used, hope still the user is able to do adhoc-analysis (Self service reports)


Thanks & Regards
Nayana

Offline

#4 2019-01-08 08:37:45

eduardo
Administrator
Registered: 2016-11-01
Posts: 1,004
Website

Re: Single Sign On with the application

Hi Nayana,

for KeyCloak, please check here: https://www.keycloak.org/docs/3.3/secur … apter.html
You need a PAM for using KeyCloak to get the authenticated user logged in in reportserver. Again, you need Enterprise Edition for this. You can also use the Enterprise Evaluation Edition, since (almost) all enterprise functionality works here. The PAM for using KeyCloak is the same as with CAS SSO:

import javax.inject.Provider;
import javax.naming.AuthenticationException
import javax.naming.Context
import javax.naming.InvalidNameException
import javax.naming.NamingException
import javax.naming.directory.InitialDirContext
import javax.persistence.NoResultException
import javax.servlet.http.HttpServletRequest;
  
import net.datenwerke.rs.authenticator.client.login.dto.UserPasswordAuthToken
import net.datenwerke.rs.authenticator.client.login.pam.UserPasswordClientPAM
import net.datenwerke.rs.utils.crypto.PasswordHasher;
import net.datenwerke.security.client.login.AuthToken
import net.datenwerke.security.service.authenticator.AuthenticationResult
import net.datenwerke.security.service.authenticator.ReportServerPAM
import net.datenwerke.security.service.authenticator.hooks.PAMHook
import net.datenwerke.security.service.usermanager.UserManagerService
import net.datenwerke.security.service.usermanager.entities.User
  
import com.google.inject.Inject
  
  
final CasPAM casPam = GLOBALS.injector.getInstance(CasPAM.class);
GLOBALS.services.callbackRegistry.attachHook("CAS_PAM", PAMHook.class, new PAMHook(){
      
    public void beforeStaticPamConfig(LinkedHashSet<ReportServerPAM> pams){
        pams.add(casPam);
    }
    public void afterStaticPamConfig(LinkedHashSet<ReportServerPAM> pams){
          
    }
      
});
  
  
public class CasPAM implements ReportServerPAM {
      
    private UserManagerService userManagerService;
    private Provider<HttpServletRequest> httpRequest;
      
    @Inject
    public LdapPAM(
        UserManagerService userManagerService,
        Provider<HttpServletRequest> httpRequest) {
          
        this.userManagerService = userManagerService;
        this.httpRequest = httpRequest;
    }
      
    public AuthenticationResult authenticate(AuthToken[] tokens) {
        String username = httpRequest.get().getRemoteUser();
      System.out.println("#### " + username);
        //System.out.println("1: ###### " + httpRequest.get().getUserPrincipal().getName());
        //System.out.println("2: ###### " + httpRequest.get().getRemoteUser());
          
        User u = userManagerService.getUserByName(username);
        if(null != u){
            return new AuthenticationResult(true, u);
        }
          
        return new AuthenticationResult(false, null, false);
    }
      
    public String getClientModuleName() {
        return "";
    }
  
}

As stated in the URL, you have to change the web.xml file in order to redirect to the KeyCloak login page. An example of this is:

<security-constraint>
        <web-resource-collection>
            <web-resource-name>Wildcard means whole app requires authentication</web-resource-name>
            <url-pattern>/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>*</role-name>
        </auth-constraint>
 
        <user-data-constraint>
            <!-- transport-guarantee can be CONFIDENTIAL, INTEGRAL, or NONE -->
            <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
     
    <login-config>
        <auth-method>KEYCLOAK</auth-method>
        <realm-name>KeyCloak</realm-name>
    </login-config>
     
    <security-role>
        <role-name>*</role-name>
    </security-role>

Also stated in the URL, you have to add a context.xml file e.g.:

<Context path="/your-context-path">
    <Valve className="org.keycloak.adapters.tomcat.KeycloakAuthenticatorValve"/>
</Context>

Your PAMS should be empty in the reportserver.properties configuration file, i.e. : rs.authenticator.pams =

Please check for more information here: https://forum.reportserver.net/viewtopi … 4036#p4036 and here: https://www.keycloak.org/docs/3.3/secur … apter.html

Regarding your second question:

for passing the APIKey, is there any recommended process to extract relevant KPIKey for the logged in User?

There is no logged in user! That's what you use the APIKey for: to "bypass" the logging process. So the APIKey should be a secure key. More information here: https://reportserver.net/en/guides/admi … a-the-URL/ , section "Embedding Reports Without Login". You have to save the APIKey for each user somewhere externally, and pass it to the URL when running a report. The user will be able to run/export a preconfigured report, e.g. to HTML, to PDF, to Excel, etc. But the report cannot be currently configured by this user without logging in.

Regards,
Eduardo

Offline

Board footer

Powered by FluxBB