Single Sign-on (SSO) from IFS Enterprise Explorer to Reporting Services

IFS Applications can be configured to run using different authentication methods.
This document describes the concepts behind configuring Reporting Services to support SSO from IFS Enterprise Explorer to Reporting Services for the following IFS Applications authentication methods.

General

For WIA, the default SQL Server Reporting Services installation can be used. A default Reporting Services installation configures Reporting Services with WIA.

For Oracle and LDAP authentication methods, SQL Server Reporting Services should be configured to use Custom (Forms) authentication using the IFS-provided SQL Server Reporting Services extensions. This should be done using the IFSBI SQL Server Extensions Installer. When the IFS-provided SQL Server Reporting Services extensions are used, authentication is done via IFS Applications extended server.

Note: Oracle data sources cannot be accessed directly without entering the credentials again. To use SSO, the connection should be made via IFS Applications extended server using the IFS-provided Custom Data Source IFS Applications.

How a request to Reporting Services is processed when using SSO

 

My Reports

When accessing My Reports via IFS Enterprise Explorer, requests will be handled in the following order.

  1. End user accesses Reporting Services using the My Reports link or an IFS Enterprise Explorer window.
  2. Report Server authenticates the request using the registered Authentication Provider.
  3. If authentication is successful, the Authorization Provider checks the rights of the authenticated user.
  4. If the user is authorized for the requested resource, a successful response is sent back to IFS Enterprise Explorer.

Each authentication method can be described using the following diagrams.

WIA Authentication

End user clicks on My Reports link

  1. IFS Enterprise Explorer requests the My Reports page from the Report Manager with the Windows credentials
  2. Report Server contacts Active Directory with the Windows credentials
  3. Active Directory authenticates the Windows credentials. If successful, contacts the SQL server to authorize the requested resource access, else login page is displayed
  4. SQL Server sends the authorization result
  5. If authorized, response is sent to IFS Enterprise Explorer with the My Reports web page, else an error message is sent.
     

Oracle Database Authentication

End user clicks on My Reports link

  1. IFS Enterprise Explorer creates and sends a web request with the IFS Enterprise Explorer authentication token to the report server to fetch the Authentication Cookie.
  2. Reporting Server sends the token to Application Server.
  3. Application Server contacts Oracle server to validate the token
  4. Oracle server returns the validation result
  5. If successful, user is set to "Authenticated" in report server, else a response with Login Page is sent to IFS Enterprise Explorer.
  6. Report Server sends a request to Application server to fetch the domain account connected with the Oracle user
  7. Application server forwards the request to Oracle server
  8. Oracle server returns the domain user
  9. Application server forwards the domain user name to report server, report server sets the current user name to domain user name.
  10. Report Server sends the authentication cookie to IFS Enterprise Explorer
  11. IFS Enterprise Explorer stores the authentication cookie for the current IFS Enterprise Explorer process.
  12. IFS Enterprise Explorer requests the My Reports page from the Report Manager with the authentication cookie
  13. Report Server validates the cookie. If successful, it contacts the SQL server to authorize the requested resource access
  14. SQL Server sends the authorization result
  15. If authorized, response is sent to IFS Enterprise Explorer with the My Reports web page, else an error message is sent.
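
The Oracle Database Authentication sequence above, modelled from the report server's side as an added example (not IFS code). The HMAC-signed cookie format, the handling of a missing domain account or invalid cookie, and all names and sample data are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

COOKIE_KEY = secrets.token_bytes(32)  # assumption: cookie is HMAC-signed by the report server

# Constructed sample data standing in for the application server / Oracle lookups.
TOKENS = {"tok-1": "ALICE", "tok-2": "BOB"}      # Enterprise Explorer token -> Oracle user
DOMAIN_ACCOUNTS = {"ALICE": "CORP\\alice"}       # Oracle user -> domain account
ACL = {"CORP\\alice": {"/My Reports"}}           # SQL Server authorization data

def validate_token(token):
    """Steps 2-4: application server validates the token against Oracle."""
    return TOKENS.get(token)

def sign(user):
    return hmac.new(COOKIE_KEY, user.encode(), hashlib.sha256).hexdigest()

def fetch_cookie(token):
    """Steps 1-10: return the authentication cookie, or None (login page)."""
    oracle_user = validate_token(token)
    if oracle_user is None:
        return None                                  # step 5: not authenticated
    domain_user = DOMAIN_ACCOUNTS.get(oracle_user)   # steps 6-9
    if not domain_user:
        return None                                  # assumption: no mapping, no session
    return f"{domain_user}|{sign(domain_user)}"      # step 10

def my_reports(cookie, resource):
    """Steps 12-15: validate the cookie first, then authorize the resource."""
    user, _, mac = (cookie or "").rpartition("|")
    if not user or not hmac.compare_digest(mac.encode(), sign(user).encode()):
        return "login page"                          # assumption: invalid cookie re-prompts
    if resource not in ACL.get(user, set()):
        return "error"                               # step 15: not authorized
    return "My Reports page"

if __name__ == "__main__":
    cookie = fetch_cookie("tok-1")
    print(my_reports(cookie, "/My Reports"))
    print(my_reports(cookie, "/Finance"))
    print(fetch_cookie("tok-2"))
```

The identity carried in the cookie is the mapped domain account, not the Oracle user, so report server permissions have to be granted to the domain account.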
     

Simple LDAP Authentication

End user clicks on My Reports link

  1. IFS Enterprise Explorer creates and sends a web request with the IFS Enterprise Explorer authentication token to the report server to fetch the Authentication Cookie
  2. Reporting Server sends the token to Application Server
  3. Application Server contacts LDAP Directory after processing the token
  4. LDAP returns the authentication result
  5. If successful, application server contacts Oracle server to check the directory id
  6. Oracle returns the validation result
  7. If validation is successful application server returns a success message
  8. If the validation is successful, user is now authenticated
    1. If the user authenticated successfully
      1. Report server sets the LDAP domain\username as the current user name in report server.
      2. User is set to Authenticated in report server
      3. An authentication cookie is sent to IFS Enterprise Explorer
    2. If not authenticated successfully,
      1. A response with Login Page is sent to IFS Enterprise Explorer.
    3. IFS Enterprise Explorer stores the authentication cookie for the current IFS Enterprise Explorer process.
  9. IFS Enterprise Explorer requests the My Reports page from the Report Manager with the authentication cookie
  10. Report Server validates the cookie. If successful it contacts the SQL server to authorize the requested resource access.
  11. SQL Server sends the authorization result
  12. If authorized, response is sent to IFS Enterprise Explorer with the My Reports web page, else an error message is sent.
     

Dashboards and MS Reports (Report Viewer)

When accessing Report Server via IFS Enterprise Explorer, requests will be handled in the following order.

  1. Report Viewer will send the request to Reporting Services
  2. Report Server authenticates the request using the registered Authentication Provider
  3. If authentication is successful, authorization provider checks for rights for the authenticated user
  4. If the user is authorized for the requested resource, a successful response is sent back to IFS Enterprise Explorer.

 

Each authentication method can be described using the following diagrams.

WIA Authentication

End user opens the report

  1. IFS Enterprise Explorer report viewer sends a request with the Windows credentials
  2. Report Server contacts Active Directory with the Windows credentials
  3. Active Directory authenticates the Windows credentials. If successful, contacts the SQL server to authorize the requested resource access, else login page is displayed
  4. SQL Server sends the authorization result
  5. If authorized, report is sent to IFS Enterprise Explorer report viewer
     

 

Oracle Database Authentication

 

End user opens the report

  1. IFS Enterprise Explorer report viewer sends a request with the IFS Enterprise Explorer authentication token to the report server
  2. Reporting Server sends the token to Application Server
  3. Application Server contacts Oracle server to validate the token
  4. Oracle server returns the validation result
  5. If successful, user is set to Authenticated in report server, else an error will be raised.
  6. Report Server sends a request to Application Server to fetch the domain account connected with the Oracle user
  7. Application server forwards the request to Oracle server
  8. Oracle server returns the domain user
  9. Application server forwards the domain user name to report server, report server sets the current user name to domain user name.
  10. Report Server contacts the SQL server to authorize the requested resource access
  11. SQL Server sends the authorization result
  12. If authorized, report is sent to IFS Enterprise Explorer report viewer, else an error message is sent.

 

Simple LDAP Authentication

End user opens the report

  1. IFS Enterprise Explorer report viewer sends a request with the IFS Enterprise Explorer authentication token to the report server
  2. Reporting Server sends the token to Application Server
  3. Application Server contacts LDAP Directory after processing the token
  4. LDAP returns the authentication result
  5. If successful, application server contacts Oracle server to check the directory id
  6. Oracle returns the validation result
  7. If validation is successful application server returns a success message
  8. If the validation is successful, user is now authenticated
    1. If authenticated successfully
      1. Report server sets the LDAP domain\username as the current user name in report server.
      2. User is set to Authenticated in report server
      3. An authentication cookie is sent to IFS Enterprise Explorer
    2. If not authenticated successfully
      1. A response with Login Page is sent to IFS Enterprise Explorer.
  9. Report Server contacts the SQL server to authorize the requested resource access
  10. SQL Server sends the authorization result
  11. If authorized, report is sent to IFS Enterprise Explorer report viewer, else an error message is sent.
     

Limitations