For quite some time we have been using our home-grown SSO systems to authenticate users with MicroStrategy. Lately, we wanted to move to machine-based trust authentication, which is supposedly supported by MicroStrategy. This article is about implementing "Trusted Authentication" in a custom ESM plugin for MicroStrategy.
This requires the following steps, carried out in the order listed below.
- Establish trust relationship between webserver and the i-server.
- Modify ESM plugin code to use Trusted Authentication.
Establish trust relationship between webserver and the i-server
To do this, you should know the admin credentials to log in to the webserver admin console. Typically
Open the MicroStrategy Web Administration application.
In the left-hand pane, choose WEB SERVER -> Intelligence Servers -> Servers.
In the right-hand pane, click the "Modify" icon under Properties for the Intelligence Server with which you want to establish the trust relationship.
Under Connection Properties on the Server Properties tab, click the Setup button for “Trust relationship between Web Server and MicroStrategy Intelligence Server”.
On the setup page, enter the User name and Password that will be used for the trusted relationship and click the Create Trust Relationship button.
Note: A checkmark will now appear next to “Trust relationship between Web Server and MicroStrategy Intelligence Server”, indicating that the relationship has been established.
Close the MicroStrategy Web Administration application.
Modify ESM plugin
There are 4 important places to modify in the plugin.
In the function call handlesAuthenticationRequest(...) comment the line
Set trust token
In place of userSession.setPassword(password); substitute the following line.
Set Authentication Mode
In the function handlesAuthenticationRequest(...) add the following line after the
Update the trusted user name attribute of the Microstrategy user.
Trusted authentication doesn't take the username into account. Instead, it expects an identity which can be mapped against the trustedUserId attribute in the User Entity in MicroStrategy. Because of this, even if you pass the userid value to create an I-Server session, it will still fail, citing that the user is not found. To fix this we have to update the "trustedUserId" column of the user row with the id of the user who is logging in. To achieve this you have to do the following inside
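// adminFactory is assumed to be a factory created elsewhere in the plugin for an administrative session
WebObjectSource wos = adminFactory.getObjectSource();
// searchUser is the plugin's own helper; it looks up the user for the id that is logging in
WebUser user = this.searchUser(wos, userId);
// Store the id as the user's trusted user id so the trusted login can be mapped to this user
user.getSimpleSecurityPluginLoginInfo().setUid(userId);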
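
An added example, not part of the original article and not MicroStrategy code: a small audit over a user export that flags accounts whose trustedUserId is empty (the trusted login then fails with "user not found", as described above), differs from the login, or is shared by more than one account. The CSV layout, the column names and the case-sensitivity switch are assumptions, and the sample rows are constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export (not MicroStrategy output): one row per user,
# holding the login and the trustedUserId value stored on the user entity.
SAMPLE_EXPORT = """login,trusted_user_id
alice,alice
bob,
carol,carol
dave,alice
Erin,erin
"""

def audit_trusted_ids(export_text, case_sensitive=True):
    """Return findings keyed by kind: 'missing', 'duplicate', 'mismatch'."""
    # Whether the server compares ids case-sensitively is an assumption,
    # so the caller chooses the comparison.
    norm = (lambda s: s) if case_sensitive else str.lower
    findings = {"missing": [], "duplicate": [], "mismatch": []}
    owners = defaultdict(list)  # trusted id -> logins that carry it
    for row in csv.DictReader(io.StringIO(export_text)):
        login = (row.get("login") or "").strip()
        trusted = (row.get("trusted_user_id") or "").strip()
        if not login:
            continue
        if not trusted:
            # Nothing to map the asserted identity to: login fails.
            findings["missing"].append(login)
            continue
        owners[norm(trusted)].append(login)
        if norm(trusted) != norm(login):
            # Deviates from the article's approach of storing the user's own id.
            findings["mismatch"].append((login, trusted))
    for trusted, logins in sorted(owners.items()):
        if len(logins) > 1:
            # One asserted identity maps to several accounts: ambiguous.
            findings["duplicate"].append((trusted, logins))
    return findings

if __name__ == "__main__":
    for kind, items in audit_trusted_ids(SAMPLE_EXPORT).items():
        print(kind, items)
```

A mismatch such as dave carrying alice's id deserves review first, because the web server's asserted identity is the only thing the trusted login is checked against.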