How to configure OpenID connect authentication with Azure on the TIBCO Spotfire Server

How to configure OpenID connect authentication with Azure on the TIBCO Spotfire Server

This article describes the steps to configure OpenID connect authentication with Azure on the TIBCO Spotfire Server.

 
1) Log onto https://portal.azure.com Portal with your individual account and register an application by navigating to “Azure Active Directory” section of the portal (found in the left navigation bar).


If you would like to enable forms authentication in addition to OpenID Connect authentication, please see the following KB article:

• KB 000043062 How to enable forms authentication in addition to Web authentication (OpenID Connect) in TIBCO Spotfire Server

8) For the "User Directory" you can either go with "Database" or "LDAP". If you are using "Database" as user directory then it is recommended to use the "Auto-create" option for the post-authentication filter (so that successfully authenticated users are automatically created in the user directory database), as set here:

TIBCO Spotfire Server Configuration Tool > Configuration > Post Authentication Filter > Default filter mode: Auto-create

9) Go to "OpenID Connect" page, and click the "Add new provider" button. Specify a name and click OK. For each provider, specify the Discovery document URL, the Client ID and the Client secret as described below:
a). For Discovery Document URL: https://login.microsoftonline.com/{tenant}/.well-known/openid-configuration
Steps to get an Azure Active directory tenant {tenant} in Discovery Document URL

• You can find the tenant ID directly from the App you created. Go to "Azure Active Directory" >> "App Registrations" >> Select the app "Test">> This will display the tenant Id.  Refer to step 5 for the screenshot reference. 
• (or)
• Log into the Azure Portal with your individual account.
• Navigate to the “Azure Active Directory” section of the portal (found in the left nav bar).
• Click on “Properties”, you should automatically be signed in to the "Default Directory".
• You should be able to see “Directory ID” in the same page, which is {tenant} value in Discovery Document URL.
• Copy “Directory ID”.
• Paste in {tenant}.

Example: https://login.microsoftonline.com/55e98fdf-9ac4-42f6-a35d-6bcb4d9b4bc7/.well-known/openid-configuration
b). Client Id is the “Application Id”.
c). Client Secret is the “Secret Key” generated by Microsoft Azure from the App.


10) Save the TIBCO Spotfire Server configuration to the database and restart the Spotfire Server.

Note: If you have issues logging in after these steps, please see the following related KB Article for a common issue:

• KB: 000035211 Users are not able to login to TIBCO Spotfire Server or Web Player when using Open ID Authentication with Azure Identity provider
• KB: 000042227 OpenID Connect authentication on TIBCO Spotfire server fails with the error "Signed JWT rejected: Another algorithm expected, or no matching key(s) found"

External: How to get an Azure Active Directory tenant

• https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-howto-tenant

Doc: Configuring openID connect:

• https://docs.tibco.com/pub/spotfire_server/10.3.4/doc/html/TIB_sfire_server_tsas_admin_help/GUID-74323530-6878-4741-A50E-22EDC233A2C0.html

KB: 000035211 Users are not able to login to TIBCO Spotfire Server or Web Player when using Open ID Authentication with Azure Identity provider

• https://support.tibco.com/s/article/Users-are-not-able-to-login-to-TIBCO-Spotfire-Server-or-Web-Player-when-using-Open-ID-Authentication-with-Azure-Identity-provider

KB : 000042227 OpenID Connect authentication on TIBCO Spotfire server fails with the error "Signed JWT rejected: Another algorithm expected, or no matching key(s) found"

• https://support.tibco.com/s/article/OpenID-Connect-authentication-on-TIBCO-Spotfire-server-fails-with-the-error-Signed-JWT-rejected-Another-algorithm-expected-or-no-matching-key-s-found