Pentaho Documentation

SSO security


This section contains instructions for configuring the Pentaho Server to work with a single sign-on (SSO) framework. At this time, only Central Authentication Service (CAS) and Integrated Windows Authentication (IWA) are supported. Refer only to the instructions below that apply to the framework you are using.

Switch to Central Authentication Service (CAS)

You can integrate Pentaho with Central Authentication Service (CAS). You must have a CAS server installed and running before you continue.

Perform the following steps to integrate Pentaho with CAS.

Procedure

  1. Stop the Pentaho Server.

  2. Download the following files and copy them to the pentaho-server/tomcat/webapps/pentaho/WEB-INF/lib directory.

  3. Navigate to the pentaho-server/pentaho-solutions/system directory and open the pentaho-spring-beans.xml file with any text editor.

    1. Add <import resource="applicationContext-spring-security-cas.xml"/> to the list of imports, after all the other applicationContext*.xml files.

    2. Save and close the file.

  4. Navigate to the pentaho-server/pentaho-solutions/system directory and open the applicationContext-spring-security-cas.xml file with any text editor. Update the file as follows:

    Note: You must use the publicly available IP address for all URLs in this file.
    1. If you are using Pentaho with SSL, then update the references for https://localhost:8443/cas to your working CAS server URL. If you are not using Pentaho with SSL, then update the references for http://localhost:8080/pentaho to your working CAS server URL.

    2. Locate the bean containing the ID for casAuthenticationProvider.

      <bean id="casAuthenticationProvider"
      class="org.springframework.security.providers.cas.CasAuthenticationProvider">
      <property name="userDetailsService">
       <ref bean="userDetailsService" />
      </property>
    3. Change the bean ID based on your configuration to the applicable one as shown below.

      casAuthenticationProvider.MemoryUserDetailsService
      casAuthenticationProvider.hibernateUserDetailsService
      casAuthenticationProvider.jdbcUserDetailsService
      casAuthenticationProvider.ldapUserDetailsService
  5. Save and close the file.

  6. Navigate to the pentaho-server/tomcat/webapps/pentaho/WEB-INF directory and open the web.xml file.

    1. Add the following lines to their respective sections in the file:

      <servlet>
        <servlet-name>casFailed</servlet-name>
        <jsp-file>/jsp/casFailed.jsp</jsp-file>
      </servlet>
      <servlet-mapping>
        <servlet-name>casFailed</servlet-name>
        <url-pattern>/public/casFailed</url-pattern>
      </servlet-mapping>
      <listener>
          <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
      </listener>
    2. Save and close the file.

  7. If you are using a self-signed certificate, perform the following steps. If you are not using a self-signed certificate, start the Pentaho Server now.

    1. For CAS authentication providers using memory-based methods only, open the applicationContext-spring-security-memory.xml file with a text editor.

    2. Search for the DaoAuthenticationProvider bean and add the id="authenticationProvider" attribute to the bean, as follows:

      <bean class="org.springframework.security.authentication.dao.DaoAuthenticationProvider" id="authenticationProvider">
    3. Make sure that SSL is enabled on CAS.

  8. Start the Pentaho Server.

Results

The Pentaho Server is now configured to authenticate users against your central authentication server.
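
The following check is an added example, not part of the Pentaho documentation or product code. It verifies two points from the procedure above: that the CAS context is imported after all other applicationContext*.xml files, and that no URL in the CAS context still points at localhost. Both sample documents are constructed for illustration, and their bean and property names are hypothetical.

```python
import fnmatch
import re
import xml.etree.ElementTree as ET

CAS_IMPORT = "applicationContext-spring-security-cas.xml"

# Constructed sample of pentaho-spring-beans.xml (not a real Pentaho file).
SAMPLE_BEANS = """<beans xmlns="http://www.springframework.org/schema/beans">
  <import resource="applicationContext-spring-security.xml"/>
  <import resource="applicationContext-spring-security-cas.xml"/>
  <import resource="applicationContext-spring-security-memory.xml"/>
</beans>"""

# Constructed sample of the CAS context; bean and property names are hypothetical.
SAMPLE_CAS = """<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="exampleEntryPoint">
    <property name="loginUrl" value="https://localhost:8443/cas/login"/>
  </bean>
  <bean id="exampleValidator">
    <constructor-arg value="https://192.0.2.10:8443/cas"/>
  </bean>
</beans>"""

def local(tag):
    """Strip the XML namespace: '{ns}import' -> 'import'."""
    return tag.rsplit("}", 1)[-1]

def check_import_order(beans_xml):
    """Return problems with the CAS import in pentaho-spring-beans.xml."""
    root = ET.fromstring(beans_xml)
    imports = [e.get("resource", "") for e in root.iter() if local(e.tag) == "import"]
    if CAS_IMPORT not in imports:
        return [CAS_IMPORT + " is not imported"]
    later = imports[imports.index(CAS_IMPORT) + 1:]
    return [r + " is imported after the CAS context"
            for r in later if fnmatch.fnmatchcase(r, "applicationContext*.xml")]

def leftover_localhost_urls(cas_xml):
    """Return URLs in the CAS context that still point at the local host."""
    pattern = r"https?://(?:localhost|127\.0\.0\.1)(?=[:/\"'])[^\s\"'<]*"
    return sorted(set(re.findall(pattern, cas_xml)))
```

Run both functions against the contents of the edited files before starting the server; an empty list from each means the check passed.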

Configure session timeout

Connection timeout issues when using CAS with the Pentaho Server can leave you unable to log in or reload data in the web client page until you refresh the page. To avoid problems with the session timing out, perform the following steps to configure the session timeout:

Procedure

  1. Stop the Pentaho Server.

  2. Navigate to the pentaho-server/tomcat/webapps/pentaho/WEB-INF directory and open the web.xml file with any text editor.

    1. Find the session-config property and edit the session-timeout value (the default value is 120 minutes) to increase the period to a value that is greater than the setting used for your CAS server session timeout value:

      <session-config>
        <tracking-mode>COOKIE</tracking-mode>
        <session-timeout>120</session-timeout>
      </session-config>
      
    2. Locate the Pentaho Web Context Filter and add the following init-param:

      <init-param>
        <param-name>ssoEnabled</param-name>
        <param-value>true</param-value>
      </init-param>
      
    3. Save and close the file.

  3. Activate the session timeout dialog box:

    1. Navigate to the pentaho-server/pentaho-solutions/system directory and open the applicationContext-spring-security-cas.xml file, then locate the bean with the ID httpSessionPentahoSessionContextIntegrationFilter.

    2. Find the ssoEnabled property and change the value from true to false.

    3. Save and close the file.

  4. Restart the Pentaho Server.
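
The following check for the web.xml edits in step 2 is an added example, not part of the Pentaho documentation or product code. It confirms that session-timeout is greater than the CAS server timeout and that the ssoEnabled init-param is set on the web context filter. It assumes the CAS timeout is supplied in minutes and that the filter-name in web.xml matches the name used in the procedure; the sample web.xml is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml fragment; the filter-name value is an assumption.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <filter>
    <filter-name>Pentaho Web Context Filter</filter-name>
    <init-param>
      <param-name>ssoEnabled</param-name>
      <param-value>true</param-value>
    </init-param>
  </filter>
  <session-config>
    <tracking-mode>COOKIE</tracking-mode>
    <session-timeout>120</session-timeout>
  </session-config>
</web-app>"""

def child_text(elem, name):
    """Text of the first direct child named `name` (namespace ignored), or None."""
    for child in elem:
        if child.tag.rsplit("}", 1)[-1] == name:
            return (child.text or "").strip()
    return None

def check_session_settings(web_xml, cas_timeout_minutes,
                           filter_name="Pentaho Web Context Filter"):
    """Return a list of problems with session-timeout and ssoEnabled."""
    timeout = sso = None
    for elem in ET.fromstring(web_xml):
        if child_text(elem, "filter-name") == filter_name:
            for param in elem:
                if child_text(param, "param-name") == "ssoEnabled":
                    sso = child_text(param, "param-value")
        timeout = child_text(elem, "session-timeout") or timeout
    problems = []
    try:
        minutes = int(timeout)
    except (TypeError, ValueError):
        problems.append("session-timeout is missing or not an integer")
    else:
        if 0 < minutes <= cas_timeout_minutes:  # 0 or less: sessions never expire
            problems.append(f"session-timeout {minutes} does not exceed CAS timeout {cas_timeout_minutes}")
    if sso != "true":
        problems.append(f"ssoEnabled is not true on '{filter_name}'")
    return problems
```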

Switch to Integrated Windows Authentication (IWA)

You can configure your system to allow local users with account credentials to access the Pentaho Server using Integrated Windows Authentication (IWA). This authentication method requires Microsoft Windows Server 2012 R2, IIS 8.5, and Internet Explorer. If you are using different versions of any of this software, you may adjust the instructions to fit your needs.

You must download and install a patch JAR before you switch to IWA. If you want to use IWA in the Pentaho Server, please refer to the article on the Pentaho Customer Support Portal for more information.