Authentication

Managing Data Hub authentication

To deliver authentication, Data Hub supports various authentication providers:

  • Active Directory (Windows). By default, Data Hub is configured to use Windows authentication; no additional configuration is required. Windows authentication recognizes local system users and groups configured on the webserver computer, as well as Active Directory users and groups configured for the web server's domain. For more information, see Using Windows Authentication.

  • Azure Active Directory (Azure AD). Azure AD allows claims-based user and group management for Data Hub and other on-premises and cloud applications, such as Office 365 and Dynamics CRM Online. Once configured, users logging into Data Hub will be redirected to Azure AD to authenticate.

  • Active Directory Federation Services (ADFS). ADFS implements claims-based federated identity for Windows for Data Hub installations. ADFS enables single sign-on to authenticate users across security and enterprise boundaries.

  • Okta.

  • OpenID Connect.

Claims authentication

Claims-based authentication allows the entire authentication process to be handled by an external Security Token Service (STS), such as Active Directory Federation Services (ADFS), and other Security Assertion Markup Language (SAML) token-based systems.

This configuration enables Single Sign-on (SSO) where the authentication result is returned to Data Hub as a SAML token. The STS URL and associated security certificates can be specified when configuring Data Hub for claims-based authentication.

In practical terms, claims-based authentication may be used when an instance of Data Hub is installed in a different domain from the user’s domain (for example, on a cloud-based server). In this scenario, claims-based authentication allows the user to enter their existing domain credentials when logging on to Data Hub. This usage is often referred to as federation.

Note

This method is an alternative to creating a two-way Active Directory trust between the domains and using AGUDLP to implement role-based access control. If a two-way trust can be created, AGUDLP is likely simpler to configure than claims-based authentication.

In its simplest form, claims-based authentication works on a user-by-user basis: users from one domain may be individually assigned roles in Data Hub.

Alternatively, a form of AGUDLP-like, group-based role management is possible when using ADFS claims-based authentication with a federated trust.

Instead of using a universal group to transfer group memberships between domains or forests, transformation rules can be created on the ADFS server to convert users' group memberships in a source domain into memberships of appropriate groups in a target domain.

AGDLP can then be used in the target domain to assign roles in Data Hub to the groups, rather than individual users. See About Role-based Access Control and AGDLP for details of AGDLP.

Due to limitations with SQL Server Analysis Services, cube security cannot be implemented directly using claims-based authentication. Instead, user access to cube information is controlled by configuring model roles in Data Hub.

Configuring claims authentication

Two claims-based options are available:

  • Azure Active Directory (AzureAD) – allows claims-based authentication using Microsoft Azure AD.

  • Active Directory Federation Services (ADFS) – allows claims-based authentication using Microsoft ADFS.

Note

Once claims authentication is set up, you need to provide users with appropriate access to Data Hub. To do this, first, add them to global groups in the users' domain. A user with the appropriate group membership must then (unsuccessfully) attempt login in order for Data Hub to have access to the list of available groups. Once this occurs, a Data Hub system administrator may assign the groups to roles in the appropriate Data Hub policy.

Configure application authentication settings

Select your application authentication method by clicking Settings > Application Settings > Authentication.

Note

The options on this tab also appear during the initial installation of a new instance of Data Hub as described in Installing Data Hub (On-premises Installations). They may also appear during a Data Hub upgrade.

The following authentication methods and settings are available from the Authentication tab:

  • Default (User Invitation)

  • Active Directory Federation Services

  • Azure Active Directory

  • Okta

  • OpenID Connect

  • Anonymous Access

Note

The Allow Anonymous Viewers feature may require a specific license permission to use. Without permission, the check box may not be visible. Contact your account manager for assistance.

Only resources in the Public folder (and its subfolders) may be shared with this feature.

To share a resource or folder with anonymous viewers, its viewer access setting must be enabled. You may also need to override the inheritance of security permissions for the resource.

Active Directory Federation Services (ADFS)

ADFS implements claims-based federated identity for Windows for your Data Hub installation. ADFS enables single sign-on to authenticate users across security and enterprise boundaries. To use Data Hub with ADFS, a relying party trust must be configured in the ADFS Management console, and the Federation Metadata URL and Realm URI (the Data Hub application's web address) entered into the appropriate boxes in the Configure Security Settings screen. Click Save to finish.

For details on configuring a relying party trust and obtaining the Federation Metadata URL and Realm URI values, values, refer to the following Knowledge Base article:

https://zendesk.zaptechnology.com/hc/en-us/articles/207150197

Note

Accessing Knowledge Base articles may require that you log in to the ZAP Support website.

Azure Active Directory

Azure AD allows claims-based user and group management for Data Hub and other on-premises and cloud applications, such as Office 365 and Dynamics CRM Online. Once configured, users logging into Data Hub will be redirected to Azure AD to authenticate.

To use Data Hub with Azure AD, select Azure Active Directory (AzureAD) from the Configure Security Settings screen. Application registration for Data Hub must be completed in the Azure portal and the configuration values for Tenant, Client ID, Application Key obtained during the registration process must be pasted into the corresponding boxes in the Configure Security Settings screen. Click Save to finish.

For details on registering the Data Hub application and obtaining the Tenant, Client ID, and Application Key values, refer to the following Knowledge Base article:

https://zendesk.zaptechnology.com/hc/en-us/articles/207150197

Note

Accessing Knowledge Base articles may require that you log in to the Data Hub Support website.