This article describes how to configure TIBCO Spotfire to work with an Azure OpenID provider.
Create an app registration in Azure
The first step is to create an app registration in Azure for Spotfire. Assistance with this is beyond the scope of PerkinElmer Informatics support; however, as a general guide, this is done from the Azure Active Directory admin center (https://aad.portal.azure.com).
A client credential (client secret) for the application needs to be created.
The web redirect URL also needs to be added. This is based on the URL that clients use to access the Spotfire application.
Configure Spotfire server OpenID Connect authentication
Once this has been completed, the relevant details can be added to the Spotfire OpenID configuration page. First, add a new provider and fill in the Discovery document, Client ID and Client secret.
Choosing sensible values for user and domain
By default the username claim is set to sub, which is not a useful human-readable value. To counter this, an optional claim known as upn can be added to the app registration in Azure; it contains the user principal name in the format user@domain.
This is done from the Token configuration page in Azure: click to add an optional claim, choose the ID token type, and select upn as the claim.
The upn claim can then be set as the username claim in Spotfire under the advanced properties.
There are three options for setting the user's domain: it can originate from a claim, which is the default (using the iss claim from Azure); be a hard-coded static value; or be parsed from the username.
Which one to choose depends on the User Directory configuration in Spotfire.
Setting the User Directory
There are two options for the user directory in Spotfire, using the database or integrating with an existing LDAP structure. The latter is preferable for the following reasons.
- There is a centralised system for user accounts; user data is stored in LDAP
- Groups can be synchronised and managed from LDAP, rather than creating them manually in Spotfire
- If a user retires or their account is locked in LDAP, this will be reflected in Spotfire. This will not happen with the user directory set to database.
Using the database for the User Directory
Under the Post-Authentication Filter setting in Spotfire, set the default filter mode to Auto-create. This means that new users that have not been seen before by Spotfire will be created in the Spotfire database.
Groups must be manually created, and account management, including disabling accounts, is done from Spotfire.
Using LDAP for the User Directory
The default filter mode for the Post-Authentication filter must be set to Block. This means that any user not found in LDAP is rejected and their login fails.
For a user to log in successfully with LDAP as the User Directory, the username obtained from the Azure OpenID claim must exactly match the Username attribute in LDAP.
So, as described in the earlier section, this is where choosing a sensible username claim becomes more relevant. It may need to be combined with the domain setting to obtain the desired result.
Example 1
The username claim obtained from Azure is "jsmith", and the username attribute in the LDAP configuration is upn which gives a value of "jsmith@mycompany.corp".
In this situation, set a static domain name (option 2) of "mycompany.corp" in the OpenID configuration. The username claim plus the domain gives a composite name of "jsmith@mycompany.corp", which matches the username attribute in LDAP.
Example 2
The username claim from Azure contains "jsmith@mycompany.corp". Select option 3 (parse username and domain) to obtain the domain. LDAP would use samAccountName as the username attribute, which combined with the LDAP domain creates a composite name of "jsmith@mycompany.corp".
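The following Python script is an added example, not Spotfire or TIBCO code, that models the username and domain options described above (the three domain modes and the two Post-Authentication Filter modes) against a constructed ID token and a constructed LDAP directory, and replays Example 1, Example 2 and the unhelpful default (sub plus iss). The token builder, the decoding helper, the claim values and the LDAP entries are all constructed for illustration; the helper decodes the payload only so an administrator can inspect which claims Azure actually issued, and does not replace the signature validation Spotfire performs against the discovery document.

```python
"""Model Spotfire's composite username resolution from Azure ID-token claims.

Added example (not Spotfire/TIBCO code). Everything here is a constructed model
of the behaviour the article describes, intended for checking a configuration
on paper before changing the server.
"""
import base64
import json


def _b64url(obj) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def make_unsigned_token(claims: dict) -> str:
    """Constructed JWT with an empty signature: test data only, never a real token."""
    return f"{_b64url({'alg': 'none', 'typ': 'JWT'})}.{_b64url(claims)}."


def decode_jwt_payload(token: str) -> dict:
    """Decode (not verify) the payload so the issued claims can be inspected."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(padded))


def composite_username(claims, username_claim="sub", domain_mode="claim",
                       domain_claim="iss", static_domain=None) -> str:
    """Return user@domain per the article's three domain options.

    "claim"  (option 1, default): domain taken from a claim (Spotfire default: iss)
    "static" (option 2): a hard-coded domain
    "parse"  (option 3): split user@domain out of the username claim itself
    """
    if username_claim not in claims:
        raise KeyError(f"username claim '{username_claim}' missing from ID token")
    name = claims[username_claim]
    if domain_mode == "claim":
        domain = claims[domain_claim]
    elif domain_mode == "static":
        if not static_domain:
            raise ValueError("static domain mode requires a domain")
        domain = static_domain
    elif domain_mode == "parse":
        name, _, domain = name.partition("@")
        if not domain:
            raise ValueError(f"cannot parse a domain from '{claims[username_claim]}'")
    else:
        raise ValueError(f"unknown domain mode '{domain_mode}'")
    return f"{name}@{domain}"


# Constructed LDAP directory: attribute values only, no real accounts.
LDAP_DOMAIN = "mycompany.corp"
LDAP_ENTRIES = [
    {"samAccountName": "jsmith", "upn": "jsmith@mycompany.corp"},
    {"samAccountName": "adoe", "upn": "adoe@mycompany.corp"},
]


def ldap_composite_names(entries, username_attribute, ldap_domain) -> set:
    """Model of how the LDAP username attribute plus the LDAP domain form a composite name."""
    names = set()
    for entry in entries:
        value = entry[username_attribute]
        names.add(value if "@" in value else f"{value}@{ldap_domain}")
    return names


def post_auth_filter(composite, directory_names, mode) -> str:
    """Model the Post-Authentication Filter: 'block' for LDAP, 'auto-create' for database."""
    if composite in directory_names:
        return "allowed"
    if mode == "auto-create":
        return "created"
    if mode == "block":
        return "rejected"
    raise ValueError(f"unknown filter mode '{mode}'")


def run_examples() -> dict:
    """Replay the article's two examples plus the default sub/iss combination."""
    issuer = "https://login.microsoftonline.com/CONSTRUCTED-TENANT-ID/v2.0"  # constructed
    token = make_unsigned_token({"sub": "jsmith", "upn": "jsmith@mycompany.corp", "iss": issuer})
    claims = decode_jwt_payload(token)
    results = {}
    # Example 1: sub gives "jsmith"; static domain; LDAP attribute is upn.
    name1 = composite_username(claims, "sub", "static", static_domain="mycompany.corp")
    results["example1"] = (name1, post_auth_filter(name1, ldap_composite_names(LDAP_ENTRIES, "upn", LDAP_DOMAIN), "block"))
    # Example 2: upn gives user@domain; parse it; LDAP attribute is samAccountName + LDAP domain.
    name2 = composite_username(claims, "upn", "parse")
    results["example2"] = (name2, post_auth_filter(name2, ldap_composite_names(LDAP_ENTRIES, "samAccountName", LDAP_DOMAIN), "block"))
    # Default: sub plus the iss claim, which is an issuer URL rather than a DNS domain.
    name3 = composite_username(claims)
    results["default"] = (name3, post_auth_filter(name3, ldap_composite_names(LDAP_ENTRIES, "upn", LDAP_DOMAIN), "block"))
    return results


if __name__ == "__main__":
    for label, (name, outcome) in run_examples().items():
        print(f"{label}: {name} -> {outcome}")
```

Running it shows both article examples resolving to jsmith@mycompany.corp and being allowed under Block mode, while the default combination of sub and iss yields a name containing the issuer URL that no LDAP attribute will match, which is exactly why the article recommends switching the username claim to upn before enabling LDAP as the User Directory.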