In this article:

Password Authentication

Integrated Domain Authentication

Domain Authentication

Two-Factor Authentication

Integrated Authentication

External Services

Guest Login

Foresight Analytics Platform Authentication

Foresight Analytics Platform provides several authentication methods. The method is selected during repository access setup, depending on the required security measures.

User credentials can be checked on the DBMS server and/or in Foresight Analytics Platform.

The following basic authentication types are available:

Availability of basic authentication types depends on the DBMS in use:

DBMS type \ Authentication type Password Integrated domain Domain
Oracle
Microsoft SQL Server 2008
Microsoft SQL Server 2012\2014\2016
Microsoft SQL Server (ODBC)
Teradata
PostgreSQL
SQLite
WEB Service

Designations:

- authentication type is available in Linux OS and Windows OS.

- authentication type is available only in Windows OS.

- authentication type is available.

There are additional authentication types besides the mentioned ones:

The following authentication types are available in the web application besides the basic ones:

Password Authentication

The user is authenticated by explicitly entering a user name and password.

  1. The user enters user name and password in the login dialog box of Foresight Analytics Platform:

  2. Foresight Analytics Platform addresses the DBMS by means of the given user name and password.

To use password authentication, set up a password policy in the security manager.

Integrated Domain Authentication

Integrated domain authentication is similar to standard domain authentication, except that the domain user logged in to the operating system is used for authorization.

When working with Teradata DBMS, integrated domain authentication is always executed using Kerberos authentication. When working with PostgreSQL DBMS, this mechanism can be activated optionally in the additional parameters of the repository connection.

To use the Kerberos protocol, install MIT Kerberos on the client computer (it is not included in the Foresight Analytics Platform software package).

  1. The user enters the domain user name and password at operating system login.

  2. The operating system addresses the domain controller, the domain controller checks correctness of the specified data and returns the temporary ticket to the operating system.

  3. The operating system sends the specified credentials and the temporary ticket to Foresight Analytics Platform. The login dialog box does not display the User Name and Password boxes:

  4. Foresight Analytics Platform sends the specified credentials and the temporary ticket to the DBMS server.

  5. DBMS addresses the domain controller, the domain controller checks correctness of the specified data and grants Foresight Analytics Platform permission to connect under the domain user by means of a temporary ticket.

To use integrated domain authentication, one should add domain users or groups in the security manager. When working in the web application, set up integrated domain authentication depending on the web server:

Domain Authentication

The user is authenticated by means of specifying domain, user name and password explicitly. The following directory services are supported: Active Directory, OpenLDAP. For details about interaction between Foresight Analytics Platform and domain directory services, see the Working with Directory Services section. Domain authentication is always executed using Kerberos authentication on DBMS side.

Domain authentication is similar to password authentication for the end user, but it simplifies user administration when domain controllers are used.

  1. The user enters the domain user name in the domain\name format and the password in the login dialog box of Foresight Analytics Platform:

  2. Foresight Analytics Platform sends the specified credentials to the operating system.

  3. The operating system addresses the domain controller, the domain controller checks correctness of the specified data and returns the temporary ticket to the operating system.

  4. The operating system returns the temporary ticket to Foresight Analytics Platform.

  5. Foresight Analytics Platform sends the specified credentials and the temporary ticket to the DBMS server.

  6. DBMS addresses the domain controller, the domain controller checks correctness of the specified data and grants Foresight Analytics Platform permission to connect under the domain user by means of a temporary ticket.

To use domain authentication, one should add domain users or groups in the security manager. When working in the web application, set up domain authentication depending on the web server:

Two-Factor Authentication

The user is authenticated using any basic authentication type or user certificate.

  1. The user executes basic authentication in Foresight Analytics Platform.

  2. Foresight Analytics Platform addresses DBMS by means of the given user name and password.

  3. The user provides the certificate to Foresight Analytics Platform after executing a query and gets access to the repository if the certificates match.

To use two-factor authentication, see the Setting Up Two-Factor Authentication section.

Integrated Authentication

User authentication and access to DBMS data are executed under the built-in administrator; this type is used together with the password authentication type. User permissions are checked at the level of Foresight Analytics Platform. Administrator credentials are stored in encrypted form.

  1. The user enters login and password to Foresight Analytics Platform.

  2. Foresight Analytics Platform checks user permissions and addresses the DBMS by means of the built-in administrator user credentials.

To use built-in authentication, select the Use Built-in Authorization checkbox in the security manager and save the built-in administrator credentials using the PP.Util utility.

External Services

NOTE. It is available only in the web application.

The user is authenticated by means of specifying an account of the services that support the OAuth 2.0 or OpenID Connect protocol. The OpenID Connect protocol is supported only by Google services.

The DBMS connection is made using a technological account.

A technological account is an account used for communication with the DBMS. For this account, create a corresponding user in the security manager with the following privileges: System Login, Changing User Permissions, Distributing Roles, Changing Policy, Changing Security Label and Access Control List of Any Object, Browsing All Objects in the Navigator, Read and Write Permission for All Objects, Browse Access Protocol, Creating and Deleting Users, Applying User Permissions at DBMS Level, Login to Object Navigator. User credentials should be saved using the PP.Util utility.

  1. The user selects the repository configured to work with an external service:

  2. The user is redirected to an external authorization service where the user enters login and password.

  3. The BI server is authorized on the external service and gets required information about the user.

  4. The BI server addresses the DBMS by means of the previously saved technological account.

To use external services that support the OAuth or OpenID Connect protocol, see the Setting Up Authentication via External Services section.
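
Integrated authentication and external services both reach the DBMS through one shared account (the built-in administrator or the technological account), so the DBMS cannot tell end users apart. The following added example, which is not Foresight Analytics Platform code, models that pattern to show that the platform-level permission check is the only per-user control and that the end user must be recorded on the platform side. All names (SharedAccountBroker, FakeDbms, the ACL layout, the sample users) are hypothetical.

```python
# Added illustration: a model of the shared-DBMS-account pattern, not product code.
# All class names, account names and the ACL layout are hypothetical.
from dataclasses import dataclass, field


@dataclass
class FakeDbms:
    """Stands in for the DBMS: it only ever sees the shared account."""
    seen: list = field(default_factory=list)

    def run(self, db_account, statement):
        self.seen.append((db_account, statement))
        return f"ok:{statement}"


@dataclass
class SharedAccountBroker:
    dbms: FakeDbms
    db_account: str   # built-in administrator or technological account
    acl: dict         # platform user -> set of (object, action)
    audit: list = field(default_factory=list)

    def execute(self, user, obj, action, statement):
        # The platform-level check is the only per-user control: once the
        # shared account is used, the DBMS cannot tell end users apart.
        allowed = (obj, action) in self.acl.get(user, set())
        # Record the end user next to the shared account so DBMS-side logs,
        # which show only db_account, can be correlated later.
        self.audit.append({"user": user, "db_account": self.db_account,
                           "object": obj, "action": action, "allowed": allowed})
        if not allowed:
            raise PermissionError(f"{user} may not {action} {obj}")
        return self.dbms.run(self.db_account, statement)


def demo():
    # Constructed sample data.
    dbms = FakeDbms()
    broker = SharedAccountBroker(
        dbms, "tech_account",
        acl={"alice": {("sales_cube", "read")}, "guest": set()})
    results = [broker.execute("alice", "sales_cube", "read", "SELECT 1")]
    try:
        broker.execute("guest", "sales_cube", "read", "SELECT 1")
    except PermissionError:
        results.append("denied")
    return results, dbms.seen, broker.audit
```

The denied request never reaches the DBMS, and the only place the end user's name appears is the platform-side audit record.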

Guest Login

NOTE. It is available only in the web application.

To get familiar with the web application, one can set up guest login. The user can log in without entering user credentials, using a previously created guest account. If the guest login is used, it is recommended to limit guest account permissions.

  1. The user opens the guest link.

  2. The BI server addresses the DBMS by means of the previously entered guest account user name and password.

To use guest login, see the Setting Up Guest Login section.

See also:

Installing and Setting Up Foresight Analytics Platform