Foresight Analytics Platform provides several authentication methods. The authentication method is selected during repository access setup, depending on the required security measures.
User credentials can be checked on the DBMS server and/or in Foresight Analytics Platform.
The following basic authentication types are available:
Password. Default value. The user is authenticated by means of specifying user name and password explicitly.
Integrated domain. The user is authenticated by means of specifying domain user name and password (the current OS account).
Domain. The user is authenticated by means of specifying domain, user name and password explicitly.
Availability of basic authentication types depends on the DBMS in use:
DBMS type \ Authentication type | Password | Integrated domain | Domain |
Oracle | ![]() | ![]() | ![]() |
Microsoft SQL Server | ![]() | ![]() | ![]() |
Microsoft SQL Server (ODBC) | ![]() | ![]() | ![]() |
PostgreSQL | ![]() | ![]() | ![]() |
SQLite | ![]() | ![]() | ![]() |
WEB Service | ![]() | ![]() | ![]() |
Designations:
- authentication type is available in Linux OS and Windows OS.
- authentication type is available only in Windows OS.
- authentication type is available.
There are additional authentication types besides the mentioned ones:
Two-factor authentication. It is used together with any basic authentication type.
Built-in authorization. It is used together with any basic authentication type. Simultaneous use of built-in authorization with domain or integrated domain authentication is available only when working with PostgreSQL DBMS.
The following authentication types are available in the web application besides the basic ones:
External services. The OAuth 2.0 and OpenID Connect protocols are supported.
Guest login. It is used to get familiar with web application work.
The user is authenticated using user name and password explicitly.
The user enters user name and password in the login dialog box of Foresight Analytics Platform:
Foresight Analytics Platform addresses DBMS by means of the given user name and password.
To use password authentication, set up password policy in the security manager.
Integrated domain authentication is similar to standard domain authentication, except that the domain user under which the operating system session is logged in is used for authorization.
When working with PostgreSQL DBMS, integrated domain authentication is executed using Kerberos authentication. This mechanism can be activated optionally in additional parameters of repository connection.
To work with the Kerberos protocol, install MIT Kerberos on the client computer (it is not included in the Foresight Analytics Platform software package).
The user enters domain user name and password on the operating system login.
The operating system addresses the domain controller, the domain controller checks correctness of the specified data and returns the temporary ticket to the operating system.
The operating system sends the specified credentials and the temporary ticket to Foresight Analytics Platform. The login dialog box does not display the User Name and Password boxes:
Foresight Analytics Platform sends the credentials and the temporary ticket to the DBMS server.
DBMS addresses the domain controller, the domain controller checks correctness of the specified data and grants Foresight Analytics Platform permission to connect under the domain user by means of a temporary ticket.
To use integrated domain authentication, one should add domain users or groups in the security manager. When working in the web application, set up integrated domain authentication depending on the web server:
If Apache2 web server is used, see the Setting Up Domain/Integrated Domain Authentication on Apache2 Web Server section.
If ASP.NET web server is used, see the Setting Up Domain/Integrated Domain Authentication on ASP.NET web server section.
If Java web server is used, see the Setting Up Domain/Integrated Domain Authentication on Java Web Server section.
The user is authenticated by means of specifying domain, user name and password explicitly. The following directory services are supported: Active Directory, OpenLDAP. For details about interaction between Foresight Analytics Platform and domain directory services, see the Working with Directory Services section. Domain authentication is always executed using Kerberos authentication on DBMS side.
Domain authentication is similar to password authentication for the end user, but it facilitates user administration when domain controllers are used.
The user enters the domain user name in the domain\name format and the password in the login dialog box of Foresight Analytics Platform:
Foresight Analytics Platform sends the specified credentials to the operating system.
The operating system addresses the domain controller, the domain controller checks correctness of the specified data and returns the temporary ticket to the operating system.
The operating system returns the temporary ticket to Foresight Analytics Platform.
Foresight Analytics Platform sends the specified credentials and the temporary ticket to the DBMS server.
DBMS addresses the domain controller, the domain controller checks correctness of the specified data and grants Foresight Analytics Platform permission to connect under the domain user by means of a temporary ticket.
To use domain authentication, one should add domain users or groups in the security manager. When working in the web application, set up domain authentication depending on the web server:
If Apache2 web server is used, see the Setting Up Domain/Integrated Domain Authentication on Apache2 Web Server section.
If ASP.NET web server is used, see the Setting Up Domain/Integrated Domain Authentication on ASP.NET web server section.
If Java web server is used, see the Setting Up Domain/Integrated Domain Authentication on Java Web Server section.
The user is authenticated using any basic authentication type or user certificate.
The user executes basic authentication in Foresight Analytics Platform.
Foresight Analytics Platform addresses DBMS by means of the given user name and password.
The user grants Foresight Analytics Platform the certificate after executing a query and gets access to repository if the certificates match.
To use two-factor authentication, see the Setting Up Two-Factor Authentication section.
User authentication and access to DBMS data are executed under the built-in administrator. By default, built-in authorization is used together with the password authentication type. User permissions are checked at the level of Foresight Analytics Platform. Administrator credentials are stored in encrypted form.
The user enters login and password to Foresight Analytics Platform.
Foresight Analytics Platform checks user permissions and addresses the DBMS by means of the built-in administrator user credentials.
Simultaneous use of built-in authorization with domain or integrated domain authentication is available when working with PostgreSQL DBMS. The scheme of interaction between built-in authorization elements is similar to the scheme of interaction between elements and an external service.
To use built-in authorization, see the Setting Up Built-In Authorization section.
The user is authenticated by means of specifying an account of the services that support the OAuth 2.0 or OpenID Connect protocol. The use of external services is available only in the web application.
The DBMS connection is established using a technological account. A technological account is an account used for communication with the DBMS during user authentication via external services. In the security manager, create one or several users to be used as technological accounts. The credentials of each technological account should be saved using the PP.Util utility.
The user selects the repository configured to work with an external service:
The user is redirected to an external authorization service where the user enters login and password.
The BI server is authorized on the external service and gets required information about the user.
The BI server addresses the DBMS by means of the previously saved technological account.
To use external services that support the OAuth or OpenID Connect protocol, see the Setting Up Authentication via External Services section.
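The external-service login steps above, modelled as an added example (not Foresight Analytics Platform code): a stand-in provider and BI server exchange a one-time authorization code, and the BI server rejects an unknown or replayed state before it connects to the DBMS under the technological account. The class names, URL, client_id and account names are assumptions made for the illustration.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Hypothetical model of the flow; every name and value here is constructed.
class ExternalService:
    """Stand-in for an OAuth 2.0 / OpenID Connect provider."""
    def __init__(self):
        self.codes = {}  # one-time authorization code -> authenticated login

    def authorize(self, url, login):
        # The user has entered login and password at the provider.
        query = parse_qs(urlparse(url).query)
        code = secrets.token_urlsafe(16)
        self.codes[code] = login
        # Parameters the browser carries back to the BI server.
        return {"code": code, "state": query["state"][0]}

    def redeem(self, code):
        # Stands in for the token request plus the user-info lookup.
        return {"sub": self.codes.pop(code)}  # pop: a code works only once


class BIServer:
    def __init__(self, provider, tech_accounts):
        self.provider = provider
        self.tech_accounts = tech_accounts  # repository -> technological account
        self.pending = {}                   # state -> repository being opened

    def start_login(self, repository):
        state = secrets.token_urlsafe(16)   # binds the callback to this request
        self.pending[state] = repository
        return "https://idp.example/authorize?" + urlencode(
            {"response_type": "code", "client_id": "bi-server", "state": state})

    def finish_login(self, callback):
        repository = self.pending.pop(callback.get("state"), None)
        if repository is None:
            raise PermissionError("unknown or replayed state")
        try:
            user = self.provider.redeem(callback["code"])["sub"]
        except KeyError:
            raise PermissionError("invalid or reused authorization code") from None
        # The DBMS is addressed with the saved technological account,
        # never with the end user's own credentials.
        return {"platform_user": user, "repository": repository,
                "dbms_login": self.tech_accounts[repository]}
```

In this model the DBMS sees only the technological account login, so per-user attribution depends on what the BI server records.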
Guest login is available only in the web application and is recommended:
To get familiar with the web application. The user can log in without entering user credentials, using a previously created guest account.
On integration with IDM (Identity Management) systems to ensure asynchronous messaging via HTTP:
If access control in Foresight Analytics Platform is executed by an external centralized system.
When integrating with a data bus (Enterprise Service Bus (ESB) class systems) when creating a highly loaded system architecture.
If guest login is used, it is recommended to limit guest account permissions. The web application should be started in an isolated environment.
The user opens the guest link.
The BI server addresses DBMS by means of the previously entered guest account user name and password.
To use guest login, see the Setting Up Guest Login section.