Security: Mobile Web Server Authentication using AD & LDAP+SSO - Visokio Forums
  •     Veaceslav May 23, 2014 6:49AM
    Mobile Web Server Authentication

    Mobile Server authentication has been redesigned to include LDAP/Active Directory (AD) authentication and a Single-Sign-On (SPNEGO) mechanism, while preserving the existing List Of Users (Omniscope Users) mechanism.

    A realm defines a protection space. Realms allow the protected resources on the server to be partitioned into a set of protection spaces, each with its own authentication and authorization settings.

    By default, all protected resources on the server are configured in the config.xml file. This is the (Home) realm. Specific folders may be manually configured to have their own set of permissions and authentication groups. For more information about folder permissions read this post.

    Server permissions may be configured for anonymous users and for authentication groups.

    A group may have a list of authentication mechanisms and server permissions.

    For instance, the server may be configured to have a group named 'Data Analysts' with permissions to:
    - List directory
    - View in mobile
    - Export view data
    and authenticate users through LDAP Query and List Of Users.


    Authentication mechanisms


    List Of Users

    The List Of Users mechanism lets you define custom Omniscope users that are stored and managed by the Omniscope Mobile server. No third-party servers or services are involved; users are added, edited and removed manually by an administrator of the server.

    A user name and a password have to be added for each individual user. Read this post for more information about configuring the List Of Users mechanism.

    LDAP Query

    The LDAP Query authentication mechanism lets you configure the Omniscope Mobile server to query an LDAP server to validate user credentials.

    • Users are stored and managed by an LDAP/AD server
    • Omniscope Mobile server is configured to query the LDAP/AD server

    To learn how to configure Omniscope server to use LDAP Query read this post.

    SPNEGO (Single-Sign-On) Mechanism

    The SPNEGO (Single-Sign-On) mechanism allows users to authenticate automatically with their LDAP/AD account without being asked for credentials. With a proper setup, authorized users never type their credentials into any dialog or form. Unauthorized users, however, are either prompted for credentials or denied server access.

    • Users are stored and managed by an LDAP/AD server
    • LDAP/AD user password is never sent to Omniscope server
    • Omniscope Mobile server is configured to ask the LDAP/AD server to validate user tokens

    How does SPNEGO work?

    The browser negotiates with the LDAP/AD server (in an AD domain, the Kerberos KDC on the domain controller) and obtains a temporary ticket, which it uses to generate temporary, unique tokens that are included in every client/browser request sent to the Omniscope Mobile server. The tokens carry no password or other sensitive data in a form Omniscope can read: they are opaque strings that can be verified only on the LDAP/AD side. Whenever Omniscope Mobile receives a request carrying a SPNEGO token, it asks LDAP/AD to validate the token; if the token is valid, LDAP/AD returns only the user name associated with it. The Omniscope server then checks whether that user is authorized to be served the requested resource and proceeds accordingly.

    To learn how to configure Omniscope server to use SPNEGO mechanism read this post.

    Authentication Groups

    A group may have multiple authentication mechanisms. During authentication they are tried in order until one of them authenticates the user. If no group authorizes the action the user has requested, access is denied.

    You may want to temporarily disable groups instead of deleting them and then adding them back later when needed. Disabled groups are disregarded during authentication.
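The realm, group and mechanism rules described above (folder realms falling back to the Home realm, anonymous permissions, ordered mechanisms per group, disabled groups ignored, denial when no group authorizes the action) as working code. This is an added example, not Omniscope's own code: the names Realm, Group, ListOfUsers, LdapQuery, resolve_realm and authorize, the PBKDF2 storage format for List Of Users accounts, and the in-memory bind callable standing in for the LDAP/AD server are all assumptions, and the directory contents are constructed sample data.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# ---- List Of Users: accounts held by the server itself ----
# (the on-disk format below is an assumption; the page does not describe it)

def make_record(password: str, iterations: int = 100_000) -> dict:
    """Store a salted PBKDF2-SHA256 hash instead of the clear-text password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}


class ListOfUsers:
    name = "List Of Users"

    def __init__(self, records: dict):
        self.records = records  # username -> make_record(...)

    def authenticate(self, username: str, password: str):
        rec = self.records.get(username)
        if rec is None:
            return None
        cand = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                   rec["salt"], rec["iterations"])
        # constant-time compare: a wrong password costs as much as a right one
        return username if hmac.compare_digest(cand, rec["hash"]) else None


class LdapQuery:
    """LDAP simple bind: the directory, not Omniscope, checks the password."""
    name = "LDAP Query"

    def __init__(self, bind, base_dn: str):
        self.bind = bind        # callable(dn, password) -> bool; stands in for LDAP/AD
        self.base_dn = base_dn

    def authenticate(self, username: str, password: str):
        if not password:
            # An empty password is an unauthenticated bind, which many directories
            # accept as anonymous; never let that count as a successful login.
            return None
        dn = f"uid={username},{self.base_dn}"
        return username if self.bind(dn, password) else None


@dataclass
class Group:
    name: str
    mechanisms: list      # tried in this order
    permissions: set      # e.g. {"List directory", "View in mobile", "Export view data"}
    enabled: bool = True


@dataclass
class Realm:
    name: str
    groups: list
    anonymous: set = field(default_factory=set)   # permissions without any login


def resolve_realm(realms: dict, path: str) -> Realm:
    """Most specific folder realm wins; "/" is the (Home) realm from config.xml."""
    best = "/"
    for folder in realms:
        if path.startswith(folder.rstrip("/") + "/") and len(folder) > len(best):
            best = folder
    return realms[best]


def authorize(realm: Realm, action: str, username=None, password=None):
    """Return (allowed, principal, group name) following the page's rules."""
    if username is None:
        return (action in realm.anonymous, None, None)
    for group in realm.groups:
        if not group.enabled:
            continue                           # disabled groups are disregarded
        principal = None
        for mech in group.mechanisms:          # until one authenticates the user
            principal = mech.authenticate(username, password)
            if principal is not None:
                break
        if principal is not None and action in group.permissions:
            return (True, principal, group.name)
    return (False, None, None)                 # no group authorized the action


def build_sample() -> dict:
    """Constructed sample configuration: one Home realm plus a folder realm."""
    directory = {"uid=bob,ou=people,dc=example,dc=com": "b0b-pass"}   # fake AD
    ldap = LdapQuery(lambda dn, pw: directory.get(dn) == pw,
                     "ou=people,dc=example,dc=com")
    analysts = ListOfUsers({"alice": make_record("correct horse")})
    home = Realm("Home", groups=[
        Group("Data Analysts", [analysts, ldap],
              {"List directory", "View in mobile", "Export view data"}),
        Group("Legacy", [ListOfUsers({"carol": make_record("old")})],
              {"Export view data"}, enabled=False),
    ], anonymous={"List directory"})
    reports = Realm("Reports", groups=[Group("Viewers", [ldap], {"View in mobile"})])
    return {"/": home, "/Reports": reports}
```

Note that a user who authenticates in a group lacking the requested permission is not denied immediately; the remaining groups are still consulted, and denial only follows when none of them authorizes the action.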

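The server side of the SPNEGO exchange described under "How does SPNEGO work?" above, as an added example that is not Omniscope's code: the 401 challenge with WWW-Authenticate: Negotiate, the Authorization: Negotiate token coming back, a check that the token really is a SPNEGO (or bare Kerberos) initial context token rather than an NTLM fallback or garbage, validation that yields only a user name, and the final authorization step. The OID prefixes and the NTLMSSP signature are real; the function names handle_request, classify_token and wrap_spnego, the directory_validate stand-in (a lookup table where the real server would hand the token to the LDAP/AD side), and the sample tokens are assumptions and constructed data.

```python
import base64
import binascii

# DER-encoded OIDs that open a GSS-API initial context token (RFC 2743, 3.1)
SPNEGO_OID = bytes.fromhex("2b0601050502")        # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")    # 1.2.840.113554.1.2.2
NTLMSSP = b"NTLMSSP\x00"                          # raw NTLM message signature
NEGOTIATE = "Negotiate "


def _der_len(buf: bytes, i: int):
    """Decode a DER length at buf[i]; return (length, index of first content byte)."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n


def classify_token(raw: bytes) -> str:
    """Say what arrived in an Authorization: Negotiate header."""
    if raw.startswith(NTLMSSP):
        return "ntlm"                     # Windows clients fall back to this
    if len(raw) < 2 or raw[0] != 0x60:    # [APPLICATION 0] wrapper is mandatory
        return "unknown"
    try:
        _, i = _der_len(raw, 1)
    except IndexError:
        return "unknown"
    if raw[i:i + 2 + len(SPNEGO_OID)] == b"\x06" + bytes([len(SPNEGO_OID)]) + SPNEGO_OID:
        return "spnego"
    if raw[i:i + 2 + len(KRB5_OID)] == b"\x06" + bytes([len(KRB5_OID)]) + KRB5_OID:
        return "kerberos"                 # bare Kerberos AP-REQ, no SPNEGO wrapper
    return "unknown"


def handle_request(headers: dict, validate, allowed_users: set) -> dict:
    """One server-side pass of the exchange.

    validate(token) stands for handing the token to the LDAP/AD side; it returns
    only the user name for a valid token, or None. The server never sees a password.
    """
    auth = headers.get("Authorization", "")
    if not auth.startswith(NEGOTIATE):
        # First request: tell the browser to negotiate.
        return {"status": 401, "headers": {"WWW-Authenticate": "Negotiate"}}
    try:
        raw = base64.b64decode(auth[len(NEGOTIATE):], validate=True)
    except (binascii.Error, ValueError):
        return {"status": 400, "reason": "malformed Negotiate token"}
    kind = classify_token(raw)
    if kind not in ("spnego", "kerberos"):
        # Re-challenge rather than guess at NTLM or garbage.
        return {"status": 401, "headers": {"WWW-Authenticate": "Negotiate"},
                "reason": f"unsupported token type: {kind}"}
    user = validate(raw)
    if user is None:
        return {"status": 401, "headers": {"WWW-Authenticate": "Negotiate"},
                "reason": "token rejected"}
    if user not in allowed_users:
        return {"status": 403, "user": user}      # authenticated, not authorized
    return {"status": 200, "user": user}


# ---- constructed sample material (a real browser gets tokens from the KDC) ----

def wrap_spnego(inner: bytes) -> bytes:
    """Wrap opaque bytes as a minimal SPNEGO initial context token (body < 128 bytes)."""
    body = b"\x06" + bytes([len(SPNEGO_OID)]) + SPNEGO_OID + inner
    return b"\x60" + bytes([len(body)]) + body


def negotiate_header(raw: bytes) -> str:
    return NEGOTIATE + base64.b64encode(raw).decode()


ALICE_TOKEN = wrap_spnego(b"\xa0\x08ticket42")
BOB_TOKEN = wrap_spnego(b"\xa0\x08ticket77")
NTLM_TOKEN = NTLMSSP + b"\x01\x00\x00\x00"
KNOWN = {ALICE_TOKEN: "alice", BOB_TOKEN: "bob"}


def directory_validate(token: bytes):
    """Stand-in for LDAP/AD validation: answers with a user name only."""
    return KNOWN.get(token)
```

The classification step is the practitioner's check worth keeping: a browser that cannot obtain a Kerberos ticket will often send an NTLM message inside the same Negotiate header, and a server that forwards whatever it receives ends up running an authentication it never configured.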