Version

Security

ReportPlus supports two types of authentication when embedding in a host application:

  • Windows Authentication, which is recommended when embedding ReportPlus into an internal application.

  • Token-based Single Sign On (SSO), which is the recommended approach for public-facing and extranet solutions.

Windows Authentication

This is the default authentication mode for embedding and should be used by internal applications. Both the host application and ReportPlus server must be configured to use Windows Authentication with anonymous authentication disabled. When a host application renders a dashboard, the browser will pass the end user’s windows credentials token to the server via CORS (Cross-Origin Resource Sharing).

Web-Security-Windows-Authentication
Note
Note

For browsers other than Internet Explorer, the users of the host application will be prompted to enter in their Windows Authentication credentials; these may be cached by their browser for later use until the user’s Windows password expires. Currently, Apple’s Safari browser does not support Windows Authentication over CORS. For applications that require Safari, the SSO token-based authentication is the recommend approach.

Dashboard Access Level

Once the end user has been authenticated, the ReportPlus server will verify if the end user has the necessary permissions to view the requested dashboard. To configure access, use the ReportPlus Server Repository screen to define what folders and dashboards the user can access. Once the permissions have been granted, the user will be able to view the dashboards using the standard ReportPlus Repository screen or from the host (embedding) application.

Data Access Level

Users must have the appropriate credentials to access the dashboard’s data sources. There are several ways for those credentials to be provided; in all cases, the authentication and authorization is delegated to the data sources themselves.

ReportPlus supports three security models when accessing data:

  • User Name/Password-based credentials. If by the time the dashboard is shown users have not defined the appropriate credentials for the dashboard’s data sources, they will be redirected to an HTTPS modal dialog where they can specify them. These credentials are then stored using a per-user basis encryption in a secure store.

  • OAuth based credentials. If by the time the dashboard is shown users have not defined the appropriate credentials for an OAuth-based data provider, they will be redirected to the data source (e.g. Google, Dropbox, etc.) authentication screen. Once ReportPlus has been granted access by the OAuth data provider, the access security token returned will be encrypted and stored in the secure store for later use.

  • Kerberos Delegation. Use Windows Single Sign-On authentication to access enterprise data sources that support it.

Note
Note

For additional information about the required security configuration for ReportPlus, see the Kerberos Sign-On Configuration and OAuth Configuration guides on this website.

Single Sign-On (SSO) Token Authentication

This is the authentication mode recommend for public-facing and extranet-based solutions that are not using Windows Authentication or host applications that want to manage users outside of the ReportPlus enterprise repository. When using SSO authentication, the ReportPlus Embed Server web application must be installed and configured in Internet Information Services (IIS) web server with Windows authentication disabled and anonymous authentication enabled. See the ReportPlus Server installation document for more details about installing ReportPlus for embedding.

The host application can be configured to use any authentication protocol they want and will be responsible for managing their users independently of ReportPlus Server. When displaying a dashboard, the host application must supply a SSO Token using the generated security key provided by ReportPlus server. The dashboard viewer will pass the SSO token to the ReportPlus server which will use the token to authenticate and authorize the application and which dashboards can be displayed.

Web-Security-SSO-Token
Note
Note

Currently ReportPlus uses JSON web tokens (https://jwt.io/introduction/) for SSO authentication. All browsers, including Apple’s Safari support this authentication approach and the end user will not be prompted when the dashboard viewer is displayed. It is up to the host application to manage end user authentication and map the users to one or more SSO tokens.

Creating an SSO Token

When using a SSO Token, ReportPlus will verify if the supplied token maps to a valid application user in the ReportPlus enterprise repository. Once the application has been authenticated, the ReportPlus server will verify if the application user has the necessary authorization to view the requested dashboard.

The administrator of ReportPlus or the developer of the host application will be responsible for generating a security key for an application user. To configure an application and grant access to one or more dashboards, the ReportPlus Permissions Dialog must be loaded from the root folder in the web repository screen.

Web-SSO-Token-ReportPlus-Permissions-Dialog

To authenticate using SSO, an application user must be granted access to ReportPlus, and one or more security token keys must be generated. The application user must exist as a standard Windows user in Active Directory before being added to ReportPlus through the Permissions Dialog.

To generate a security key, a description and host URL must be supplied. Multiple keys can be generated for the same application; the only requirement is that each URL must be unique. When the SSO token is sent to ReportPlus, it will verify the calling host URL matches the one associated with the security key.

Web-Security-Key-2

Dashboard Access and Managing Data Source Credentials

When using SSO authentication, dashboard security is independent from the normal repository folder and dashboard access. To grant an application user access to a dashboard, the ReportPlus administrator must configure both the dashboard and the necessary credentials for the application user through the Manage Dashboard Screens. This screen can be displayed by selecting an application user from the permissions dialog.

Using this screen, the administrator can configure any dashboards that require username/password or OAuth-based credentials. For dashboards that authenticate using Kerberos delegation, the configured user of the ReportPlus ASP.NET worker process will be used and must have the necessary access to retrieve data from the data source (e.g. read-only access to SQL Server or SQL Analysis Server - OLAP).

Web-Security-Configure-Dashboards