0 votes
Hi,

does anybody have experience with replacing the authentication and authorization of Knowage?

We use Keycloak with OpenID Connect for authentication and authorization in our application. Is there a way to get Knowage working together with an outside user management solution like Keycloak to achieve Single Sign-On?

Any hints or suggestions are appreciated.

Thanks in advance!

Kristina
asked Sep 29, 2017 in Single Sign-On by kheckelmann (220 points) | 1 view

2 Answers

0 votes
Dear Kristina

for the time being, the Knowage security system is very similar to SpagoBI's, therefore you can have a look at the SpagoBI documentation:

for authentication:

http://wiki.spagobi.org/xwiki/bin/view/spagobi_server/sso#HHowtoenableSSO

for authorization:

http://wiki.spagobi.org/xwiki/bin/view/spagobi_server/User+Management_v3

Summary: you have to implement some Java classes, deploy them (with their dependencies) into the Knowage WARs and configure them. SsoServiceInterface.readUserIdentifier is in charge of retrieving the user id from the SSO system, ISecurityServiceSupplier.createUserProfile is in charge of retrieving the roles and attributes of the user; the SsoServiceInterface.readTicket and SsoServiceInterface.validateTicket methods are in charge of securing the SOAP backend services.

Note: the Knowage security mechanism is going to change with the next release; the main change is that you'll need to protect with SSO only the Knowage core application, while at the moment you need to protect ALL Knowage applications (core + external engines).

Hope this helps

Cheers
answered Jan 16, 2018 by davide.zerbetto (2,260 points)

Hi,
I'm integrating Knowage into my Java application. I'm following the guide that you've linked on how to configure SSO using CAS. Knowage must represent a module of my application, so that by clicking on a link I can directly access it to use any functionality. My application already uses SSO (with CAS 3); it has SSL and HTTPS configured for the use of other modules.
Essentially I have 3 questions:
1.  I noticed that the guide is written considering SpagoBI as the original application, from which there is initially access. Instead, if I consider my application as a starting point, the configuration in Server.xml of the HTTPS connector under Tomcat should not be done (since it is already present on the Tomcat it runs on). Even if the two apps run on two different Tomcats, is that right?
2.  Do I not even need to consider implementing the interface to enable the SSO, because it is already present for the other modules used by the application; or do I have to develop a specific implementation of spagobi_sso_class, put it into a JAR file and put the JAR file into WEB-INF/lib of Knowage?
3.  Do I only have to add the changes to the Web.xml of Knowage? The changes to the Web.xml file and any other modification should be done only in the core of Knowage and not in the other engines, right?

I tried! Knowage is redirected to my application through the CAS, but when I enter with your credentials, I get this message:

javax.servlet.ServletException:javax.servlet.ServletException:org.jasig.cas.client.validation.TicketValidationException: The ticket does not match any available services.
it.eng.spagobi.commons.filters.SpagoBICoreCheckSessionFilter.doFilter(SpagoBICoreCheckSessionFilter.java:109)
it.eng.spagobi.utilities.filters.EncodingFilter.doFilter(EncodingFilter.java:54)

Please, help me! Thanks in advance.

Hi,
I'm integrating Knowage and my Java application, using SSO with CAS 3. I have followed every step of the procedure. I have created a link in the application that must let me directly access the BI platform.

When I run a test, the CAS server redirects me correctly to the application, but once I post the credentials (user credentials added to the web app's DB) it redirects me to the Knowage Login page. Why not inside the platform?
Thanks in advance

0 votes
I know this thread is a bit old, but I had the same requirement, to use Keycloak.

The OAuth2 config in Knowage was not compatible, so I created a more generic solution, based on the existing classes.  

Source code here -
https://github.com/savantly-net/Knowage-Server/tree/jb/oauth2/knowageoauth2

And example usage in this fork of the docker image -  
https://github.com/savantly-net/knowage-docker
answered Mar 15, 2021 by jdbranham (310 points)
edited Mar 20, 2021 by jdbranham