Implementing Single Sign-On


An important developer consideration for an embedded BI application is how to implement single sign-on (SSO) between the embedded application and WebFOCUS so that the user is not required to provide credentials on multiple occasions. There are several options to consider, including:

  • Windows Authentication
  • SAML 2.0
  • Web SSO Products
  • Custom Solutions

In this content and the accompanying embedded BI demo application, you will learn how the Trusted Ticket Authentication feature in WebFOCUS can be used to implement SSO.

As shown in the following diagram, the embedded BI demo application authenticates the user (1) with a simple method, as described in Registering User Names, and then makes a trusted ticket request (2) to WebFOCUS. This is typically referred to as a back channel request because the connection is established directly between the server hosting the embedded application and the server hosting WebFOCUS, and is therefore not seen by the network where the web browser of the user is running.

WebFOCUS verifies that the trusted ticket request originates from a trusted host and returns a trusted authentication ticket. The application then presents this ticket in a trusted sign-on request (3), originating from the web browser of the user, in order to obtain a WebFOCUS session cookie. Moving forward from this point, the embedded BI demo application can request content from WebFOCUS using URL requests or the WebFOCUS RESTful Web Services API.

If the embedded application will be making POST requests that create or update WebFOCUS resources, then a Cross-Site Request Forgery (CSRF) token must be obtained from WebFOCUS and submitted with these requests. The trusted sign-on request can include an option to obtain a CSRF token. The embedded BI demo application receives a CSRF token, but does not use it.
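The three-step flow and the CSRF requirement described above can be modelled in memory. This is an added example, not WebFOCUS code or its API: the class and method names are hypothetical, and the host allow-list by address, the single-use tickets and the 30-second ticket lifetime are assumptions of this model rather than documented WebFOCUS behaviour.

```python
import secrets
import time

class TicketService:
    """Toy stand-in for the SSO server side; not the WebFOCUS API."""

    def __init__(self, trusted_hosts, ticket_ttl=30):
        self.trusted_hosts = set(trusted_hosts)   # back-channel allow-list
        self.ticket_ttl = ticket_ttl              # assumed lifetime, seconds
        self.tickets = {}                         # ticket -> (user, expiry)
        self.sessions = {}                        # session id -> (user, csrf)

    def request_ticket(self, source_host, user):
        # Step 2: back-channel request, accepted only from a trusted host.
        if source_host not in self.trusted_hosts:
            raise PermissionError("untrusted host: " + source_host)
        ticket = secrets.token_urlsafe(32)
        self.tickets[ticket] = (user, time.monotonic() + self.ticket_ttl)
        return ticket

    def sign_on(self, ticket, want_csrf=False):
        # Step 3: browser presents the ticket; pop() makes it single use.
        user, expiry = self.tickets.pop(ticket, (None, 0.0))
        if user is None or time.monotonic() > expiry:
            raise PermissionError("invalid or expired ticket")
        session_id = secrets.token_urlsafe(32)
        csrf = secrets.token_urlsafe(32)
        self.sessions[session_id] = (user, csrf)
        return session_id, (csrf if want_csrf else None)

    def post(self, session_id, csrf_token):
        # State-changing request: needs the session cookie and matching token.
        if session_id not in self.sessions:
            raise PermissionError("no session")
        user, expected = self.sessions[session_id]
        if csrf_token is None or not secrets.compare_digest(csrf_token, expected):
            raise PermissionError("CSRF token missing or wrong")
        return user

def demo():
    svc = TicketService(trusted_hosts={"10.0.0.5"})   # constructed app-server address
    ticket = svc.request_ticket("10.0.0.5", "alice")  # app has already authenticated alice
    session_id, csrf = svc.sign_on(ticket, want_csrf=True)
    return svc, ticket, session_id, csrf

if __name__ == "__main__":
    svc, ticket, session_id, csrf = demo()
    print("POST accepted for", svc.post(session_id, csrf))
```

In this model, the user's credentials never reach the ticket service, and the browser carries only the ticket. The trust decision rests entirely on which hosts may make the back channel request.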