Page History
...
Yellowfin's Administration Service allows for integrating Yellowfin with essentially all third-party authentication processes. Primarily an authentication bridge will be used when implementing Yellowfin as a standalone application or when even a tightly integrated application, where required.To . But to integrate with a third-party authentication process, a custom bridge needs to be created. This bridge will take a username and password from one system and match the details to a user match a user's credentials from a third-party source with those in the Yellowfin system. Usually the third-party authentication source will provide a username, and sometimes but at times a password and other user attributes, to authenticate the user.
The purpose of the bridge is to match this username Once a match is made with an existing user in Yellowfin and Yellowfin user, the bridge will perform a Single Sign-On (SSO) of that user into Yellowfin as that user. Very rarely will there be a password available from the third-party source. The LOGINUSERNOPASSWORD web service will allow for . This can be done using either the LOGINUSER web service (which requires a password for the user to log in), or the LOGINUSERNOPASSWORD service, which allows the bridge to log in a user in, using only their username. Alternatively, LOGINUSER can be used to log in the user with a passwordThis seems ideal, since very rarely will there be a password available from the third-party source.
The bridge is not necessarily used to determine whether or not the user is allowed to log in. The fact that the bridge receives the username, means that the user has already been validated. However, sometimes it will be responsible for “asking” the third-party if the user is valid.
Sometimes there will be a need to auto-create the users if they do not exist in Yellowfin. This might require using additional information to create the user, like their email address, first and last names, etc. which should be sourced from the third-party authentication sourceapplication. The bridge can use the GETUSER or VALIDATEUSER web service functions to determine if a user exists in Yellowfin or not and the ADDUSER web service call to create a user. If bulk user creation option is required, the ADDUSERS web service function can be called.
Part of the bridge process may also be to modify the user's Yellowfin role or group membership as part of the login process. If Yellowfin is integrated with a product where access to different content may change, it may be required to update this group membership during the login process. This would require sourcing information from the third-party source about what which groups a user should be added to/removed from. The UPDATEUSER web service call will allow a user’s role to be modified and the INCLUDEUSERINGROUP or EXCLUDEUSERFROMGROUP web service calls calls can be used to add or remove from groups that determine what which Yellowfin content they can access.
...
When implementing within the Yellowfin container, the various implementation methods will allow for different functionality to be included. JSPs and Servlets allow for implementing code when the user is directed to a particular URL, whereas Filters filters allow for checking authentication on any URL requested from the Yellowfin system.
Here is an image that describes the a basic process of what a Yellowfin authentication bridge needs to do:
...
- Get details via cookie, file, or network connection.
- Check if the user already exists?
- If user doesn't exist, then create user with the details provided.
- If required, update user's details (such as, role, group, etc.)
- Perform a SSO call to log the user in.
Note: If your authentication provider supports SAML, the Yellowfin SAML bridge can be used to SSO users.
...
Expand | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
This service connects to Yellowfin and retrieves a logon token for a given user. The user is specified using a user ID (such as an email address or another type of ID depending on the Logon ID method). When this token is passed with the Yellowfin Logon URL, it will disable the login screen for the authenticated users and their session will start immediately.
This function can also be used to pass different login session parameters in order to perform additional tasks, such as hide the Yellowfin header, or navigate to a specific report or dashboard directly after logging in. To learn more about these login session options, refer to this section. Request Request ElementsThe LOGINUSER function will Single Sign On a given user into Yellowfin. The following elements will be passed with this request: Note: The contents of the AdministrationPerson object will be used to define the user being logged in.
These are the main parameters that you need to set in the AdministrationPerson object for this function:
The following SOAP example shows the parameters that you can pass to this call:
Reponse ElementsThe response returned will contain these parameters:
The service will return the below response, according to our SOAP example:
InstructionsSee below for step-by-step instructions on how to perform this call, using a Java example:
Redirecting to Yellowfin with the Login TokenUsing the token received from the web service call (the contents of AdministrationResponse.LoginSessionId), you can forward the user to the URL:
This URL will bypass the authentication screen in Yellowfin and take the user directly into Yellowfin.
Using thetokenToken with the JavaScript APIThe SSO token can also be used with embedded JavaScript API widgets. The token is added to the scriptlet URL like this:
Login Session OptionsYou can pass variables/switches that toggle functionality only for the session created via this Single Sign On request. These options can be enabled by passing them via the Parameters attribute in the AdministrationRequest, or by appending them to the redirection URL. Click here to read more about this.
Complete ExampleYou can use the following LOGINUSER example. To try it out, follow these steps:
|
...
Expand | ||||||||
---|---|---|---|---|---|---|---|---|
| ||||||||
The LOGINUSERNOPASSWORD web service will allow to login a user using only their user name.
Enabling Functionality
This service is a drop in replacement for LOGINUSER, but the password for the user being logged in is not required. The user can log in using only their username. An extra parameter needs to be added to the Configuration table of the Yellowfin database to enable this functionality:
You will receive a web service error 26: UNSECURE_LOGIN_NOT_ENABLED if this configuration option is not added to the Yellowfin database.
Parameter options for this call are the same as LOGINUSER, except for:
|
Styleclass | ||
---|---|---|
| ||