Single Sign-on (SSO) from IFS Enterprise Explorer to Reporting Services
IFS Applications can be configured to run using different authentication methods.
This document describes the concepts behind configuring Reporting Services to support SSO from IFS Enterprise Explorer to Reporting Services for the following IFS Applications authentication methods.
For Windows Integrated Authentication (WIA), the default SQL Server Reporting Services installation can be used. A default Reporting Services installation configures Reporting Services with WIA.
For the Oracle and LDAP authentication methods, SQL Server Reporting Services should be configured to use Custom (Forms) authentication using the IFS Provided SQL Server Reporting Services Extensions. This should be done using the IFSBI SQL Server Extensions Installer. When using the IFS Provided SQL Server Reporting Services Extensions, authentication is done via the IFS Applications extended server.
Note: Oracle data sources cannot be accessed directly without entering the credentials again. To use SSO, the connection should be made via the IFS Applications extended server using the IFS Provided Custom Data Source IFS Applications.
When accessing My Reports via IFS Enterprise Explorer, requests are handled in the following order.
- The end user accesses Reporting Services using the My Reports link or an IFS Enterprise Explorer window.
- Report Server authenticates the request using the registered Authentication Provider.
- If authentication is successful, the Authorization Provider checks the rights of the authenticated user.
- If the user is authorized for the requested resource, a successful response is sent back to IFS Enterprise Explorer.
Each authentication method can be described using the following diagrams.
WIA Authentication
End user clicks on My Reports link
- IFS Enterprise Explorer requests the My Reports page from the Report Manager with the Windows credentials.
- Report Server contacts Active Directory with the Windows credentials.
- Active Directory authenticates the Windows credentials. If successful, the SQL Server is contacted to authorize the requested resource access; else the login page is displayed.
- SQL Server sends the authorization result.
- If authorized, a response is sent to IFS Enterprise Explorer with the My Reports web page; else an error message is sent.
End user clicks on My Reports link
- IFS Enterprise Explorer creates and sends a web request with the IFS Enterprise Explorer authentication token to the report server to fetch the authentication cookie.
- Reporting Server sends the token to the Application Server.
- Application Server contacts the Oracle server to validate the token.
- Oracle server returns the validation result.
- If successful, the user is set to "Authenticated" in the report server; else a response with the Login Page is sent to IFS Enterprise Explorer.
- Report Server sends a request to the Application Server to fetch the domain account connected with the Oracle user.
- Application Server forwards the request to the Oracle server.
- Oracle server returns the domain user.
- Application Server forwards the domain user name to the report server, and the report server sets the current user name to the domain user name.
- Report Server sends the authentication cookie to IFS Enterprise Explorer.
- IFS Enterprise Explorer stores the authentication cookie for the current IFS Enterprise Explorer process.
- IFS Enterprise Explorer requests the My Reports page from the Report Manager with the authentication cookie.
- Report Server validates the cookie. If successful, it contacts the SQL Server to authorize the requested resource access.
- SQL Server sends the authorization result.
- If authorized, a response is sent to IFS Enterprise Explorer with the My Reports web page; else an error message is sent.
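The token-for-cookie exchange and the authorization step listed above, modelled as an added Python example (not IFS or Microsoft code) to show where each check sits and that each failure stops the flow. The token table, user mapping, permission table and HMAC-signed cookie format are constructed assumptions, as are refusing an Oracle user with no domain mapping and answering an invalid cookie with the login page.

```python
import hashlib
import hmac
import secrets

# Constructed sample data; every name and value below is hypothetical.
ORACLE_TOKENS = {"tok-alice": "ALICE", "tok-bob": "BOB"}  # token -> Oracle user
DOMAIN_MAP = {"ALICE": "CORP\\alice"}       # manual Oracle -> domain user mapping
PERMISSIONS = {"CORP\\alice": {"/My Reports"}}  # per-user rights, no groups
COOKIE_KEY = secrets.token_bytes(32)        # report server's cookie-signing key


def _sign(user):
    return hmac.new(COOKIE_KEY, user.encode(), hashlib.sha256).hexdigest()


def app_server_validate_token(token):
    """Application server checks the token with Oracle; None if invalid."""
    return ORACLE_TOKENS.get(token)


def app_server_domain_user(oracle_user):
    """Application server fetches the domain account mapped to the Oracle user."""
    return DOMAIN_MAP.get(oracle_user)


def fetch_auth_cookie(token):
    """Report server: exchange a client token for a cookie (None = login page)."""
    oracle_user = app_server_validate_token(token)
    if oracle_user is None:
        return None
    domain_user = app_server_domain_user(oracle_user)
    if domain_user is None:
        return None  # assumption: an unmapped user is refused (fail closed)
    return f"{domain_user}|{_sign(domain_user)}"


def validate_cookie(cookie):
    """Return the current user name carried by a genuine cookie, else None."""
    user, _, mac = (cookie or "").rpartition("|")
    ok = bool(user) and hmac.compare_digest(mac.encode(), _sign(user).encode())
    return user if ok else None


def request_resource(cookie, resource):
    """Report server: cookie validation first, then per-user authorization."""
    user = validate_cookie(cookie)
    if user is None:
        return "login page"
    if resource not in PERMISSIONS.get(user, set()):
        return "error message"
    return "resource sent"
```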
End user clicks on My Reports link
- IFS Enterprise Explorer creates and sends a web request with the IFS Enterprise Explorer authentication token to the report server to fetch the authentication cookie.
- Reporting Server sends the token to the Application Server.
- Application Server contacts the LDAP Directory after processing the token.
- LDAP returns the authentication result.
- If successful, the application server contacts the Oracle server to check the directory id.
- Oracle returns the validation result.
- If validation is successful, the application server returns a success message.
- If the validation is successful, the user is now authenticated.
- If the user authenticated successfully:
  - Report server sets the LDAP domain\username as the current user name in the report server.
  - The user is set to Authenticated in the report server.
  - An authentication cookie is sent to IFS Enterprise Explorer.
- If not authenticated successfully:
  - A response with the Login Page is sent to IFS Enterprise Explorer.
- IFS Enterprise Explorer stores the authentication cookie for the current IFS Enterprise Explorer process.
- IFS Enterprise Explorer requests the My Reports page from the Report Manager with the authentication cookie.
- Report Server validates the cookie. If successful, it contacts the SQL Server to authorize the requested resource access.
- SQL Server sends the authorization result.
- If authorized, a response is sent to IFS Enterprise Explorer with the My Reports web page; else an error message is sent.
When accessing Report Server via IFS Enterprise Explorer, requests are handled in the following order.
- Report Viewer sends the request to Reporting Services.
- Report Server authenticates the request using the registered Authentication Provider.
- If authentication is successful, the Authorization Provider checks the rights of the authenticated user.
- If the user is authorized for the requested resource, a successful response is sent back to IFS Enterprise Explorer.
Each authentication method can be described using the following diagrams.
End user opens the report
- The IFS Enterprise Explorer report viewer sends a request with the Windows credentials.
- Report Server contacts Active Directory with the Windows credentials.
- Active Directory authenticates the Windows credentials. If successful, the SQL Server is contacted to authorize the requested resource access; else the login page is displayed.
- SQL Server sends the authorization result.
- If authorized, the report is sent to the IFS Enterprise Explorer report viewer.
End user opens the report
- The IFS Enterprise Explorer report viewer sends a request with the IFS Enterprise Explorer authentication token to the report server.
- Reporting Server sends the token to the Application Server.
- Application Server contacts the Oracle server to validate the token.
- Oracle server returns the validation result.
- If successful, the user is set to Authenticated in the report server; else an error is raised.
- Report Server sends a request to the Application Server to fetch the domain account connected with the Oracle user.
- Application Server forwards the request to the Oracle server.
- Oracle server returns the domain user.
- Application Server forwards the domain user name to the report server, and the report server sets the current user name to the domain user name.
- Report Server contacts the SQL Server to authorize the requested resource access.
- SQL Server sends the authorization result.
- If authorized, the report is sent to the IFS Enterprise Explorer report viewer; else an error message is sent.
End user opens the report
- The IFS Enterprise Explorer report viewer sends a request with the IFS Enterprise Explorer authentication token to the report server.
- Reporting Server sends the token to the Application Server.
- Application Server contacts the LDAP Directory after processing the token.
- LDAP returns the authentication result.
- If successful, the application server contacts the Oracle server to check the directory id.
- Oracle returns the validation result.
- If validation is successful, the application server returns a success message.
- If the validation is successful, the user is now authenticated.
- If authenticated successfully:
  - Report server sets the LDAP domain\username as the current user name in the report server.
  - The user is set to Authenticated in the report server.
  - An authentication cookie is sent to IFS Enterprise Explorer.
- If not authenticated successfully:
  - A response with the Login Page is sent to IFS Enterprise Explorer.
- Report Server contacts the SQL Server to authorize the requested resource access.
- SQL Server sends the authorization result.
- If authorized, the report is sent to the IFS Enterprise Explorer report viewer; else an error message is sent.
- Windows user groups cannot be used when LDAP or Database authentication is used. Permissions for each user should be defined separately.
- Microsoft SQL Server Analysis Services (SSAS) only supports Windows Integrated Authentication; therefore domain accounts should always be used to access SSAS. The SSAS data sources should be configured as follows.
- The user specified in username should be an administrator in the SSAS instance.
- For Oracle authentication, the mapping between the domain users and Oracle users should be made manually in the Oracle and Domain User mappings for Reporting Services window.