Setting up Trusted Authentication with Microstrategy

For quite some time we have been using our home grown SSO systems to authenticate users with Microstrategy. Lately, we wanted to move to a machine based trust Authentication, that is supposedly supported by Microstrategy. This article is about implementing the "Trusted Authentication" in a custom ESM plugin for Microstrategy.

If you are not familiar with writing an ESM for Microstrategy, I highly encourage you to read it from here. And to understand the basics of Trusted Authentication, do some reading from here.

This requires the following steps to be accomplished in the order they are mentioned below.

  1. Establish trust relationship between webserver and the i-server.
  2. Modify ESM plugin code to use Trusted Authentication.

Establish trust relationship between webserver and the i-server

To do this, you should know the admin credentials to login into the webserver admin console. Typically :8080/mstrAdmin

  1. Open the MicroStrategy Web Administration application.

  2. In the left-hand pane, choose WEB SERVER -> Intelligence Servers -> Servers.

  3. In the right-hand pane, click the "Modify" icon ( PI_IServer_ModifyIcon.gif ) under Properties for the Intelligence Server with which you want to establish the trust relationship.

  4. Under Connection Properties on the Server Properties tab, click the Setup button for “Trust relationship between Web Server and MicroStrategy Intelligence Server”.

  5. On the setup page, enter the User name and Password that will be used for the trusted relationship and click the Create Trust Relationship button.

Note: A checkmark will now appear next to “Trust relationship between Web Server and MicroStrategy Intelligence Server”, indicating that the relationship has been established.

  1. Click Save.

  2. Close the MicroStrategy Web Administration application.

Modify ESM plugin

There are 4 important places to modify the plugin

  1. Skip password
    In the function call handlesAuthenticationRequest(...) comment the line

  2. Set trust token
    In place of userSession.setPassword(password); this , substitute the following line.

  3. Set Authentication Mode
    In the function handlesAuthenticationRequest(...) add the following line after the setTrustToken() call.

  4. Update the trusted user name attribute of the Microstrategy user.
    Trusted authentication doesn't take the username into account. But it expects and identity which can be mapped against the trustedUserId attribute in the User Entity in Microstrategy. Because of this, even if you pass the userid value to create an I-Server session, it will still fail, siting that the user is not found. To fix this we have to update the "trustedUserId" column of the user row with the id of the user who is logging in. To achieve this you have to do the following inside handlesAuthenticationRequest(...)
    WebObjectSource wos = adminFactory.getObjectSource(); WebUser user = this.searchUser(wos,userId); user.getSimpleSecurityPluginLoginInfo().setUid(userId);