In 2011 MicroStrategy first launched its Cloud offering, initially built on its own data center capabilities in partnership with other technology vendors. That put MicroStrategy among the few BI vendors with both on-premise and cloud offerings. In 2015 MicroStrategy launched a reworked cloud offering, MicroStrategy Secure Cloud, which makes the latest version of the MicroStrategy enterprise software (version 10) available on AWS infrastructure.
One of the major concerns customers have when they move to the cloud is security. MicroStrategy Secure Cloud has several provisions to address these concerns, and one of them is SSO for MicroStrategy Web. Because MicroStrategy Web is reachable over the open internet, customers invariably want it integrated with their on-premise authentication provider, so that user passwords are presented only to the customer's own identity provider and never to the cloud-hosted application.
In this post we look at how the SSO configuration for a MicroStrategy Cloud environment works.
Before going into the authentication workflow in detail, here are definitions of the components and terminology involved. Further reading on each of these topics is readily available online.
SAML - SAML stands for Security Assertion Markup Language. It is an XML-based open standard for exchanging authentication and authorization information. The standard was developed to implement web-based SSO and is the protocol used to exchange information between the Service Provider and the Identity Provider. MicroStrategy supports the SAML 1.x and 2.0 standards; SAML 2.0 is the version in current use and the one a new integration should target.
Federation Service Provider - The Service Provider (SP) is the partner (represented by the MicroStrategy Federated Cloud SSO Service Provider in the diagram below) that provides the service requiring authentication to the end user. The SP receives a request for access to the service from a user and directs it to the Identity Provider (IdP) for validation of the user. The IdP receives the request, validates the user, and passes an assertion back to the SP. When the SP receives a valid assertion, it allows the user access to the service. "Valid" here means the SP has verified the assertion's signature against the certificate it received in the IdP metadata and checked that the assertion is addressed to this SP and is still within its validity window; an SP that skips these checks will accept an assertion forged or replayed by anyone who can reach its endpoint.
Federation Identity Provider - The Identity Provider (IdP) is the partner (in this case the customer's federated identity service, such as PingFederate) that is responsible for validating and authenticating the user. The IdP receives a request from a Service Provider to validate a user; once it has validated the user's identity, it provides the assertion to the SP. The IdP handles the management of user identities.
For SSO to be configured, metadata needs to be exchanged between the Service Provider (hosted on the MicroStrategy side) and the Identity Provider (hosted on the customer side). The metadata carries each party's entity ID, its endpoint URLs and the certificate it signs with. Generally all Identity Providers can produce a metadata file that can be exchanged directly; if a metadata file cannot be exchanged, the same information has to be communicated and configured manually. Because the IdP metadata carries the certificate the SP will use to verify every assertion, it must be obtained over a trusted channel or its certificate fingerprint confirmed out of band: a swapped certificate would let whoever holds the matching private key mint assertions the SP accepts.
The following diagram depicts the SSO authentication workflow:
Step 1: The end user accesses MicroStrategy Web through the browser.
Step 2: MicroStrategy Web redirects the access request to the MicroStrategy Cloud Federation Service Provider.
Step 3: The MicroStrategy Cloud SP generates a SAML authentication request and redirects the browser to the Federation Identity Provider's SSO screen, where the user is asked to enter SSO credentials.
Step 4: The IdP validates the credentials provided by the user against its identity store and looks up any additional attributes that were agreed when metadata was exchanged between the IdP and the SP.
Step 5: Once the user is authenticated, the IdP returns to the browser a signed SAML assertion containing the required attributes.
Step 6: The browser posts the assertion to the Service Provider's assertion consumer endpoint.
Step 7: The Service Provider validates the assertion (signature, issuer, audience, recipient and validity window) and asserts to MicroStrategy Web that the user is valid.
Step 8: MicroStrategy Web grants the user access to the application.
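The checks that turn the metadata exchange and steps 3 to 7 into something enforceable are easy to state and easy to skip. The following is an added example, not MicroStrategy's or PingFederate's code: it parses a constructed IdP metadata document, records the ID of the SP's authentication request, and then applies the SP-side checks to a constructed IdP response (destination, status, InResponseTo, issuer, signing certificate, validity window, audience, bearer confirmation, single use). The SP entity ID and ACS URL, the IdP entity ID and SSO URL, the certificates and the user attributes are all assumed values. The XML signature itself is checked only for using the certificate pinned from metadata; cryptographic verification of the signature is left to an XML-DSig library and is deliberately not re-implemented here.

```python
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
FMT = "%Y-%m-%dT%H:%M:%SZ"
SKEW = timedelta(minutes=3)  # clock drift tolerated between IdP and SP

# Assumed SP identity: what the MicroStrategy-side SP would publish in its own metadata.
SP = {"entity_id": "https://mstr.example.net/sp", "acs_url": "https://mstr.example.net/sp/acs"}

# Constructed IdP metadata, standing in for the file the customer's IdP exports.
IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}" entityID="https://idp.example.com/saml">
  <md:IDPSSODescriptor><md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>Q09OU1RSVUNURUQtQ0VSVA==</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleSignOnService Binding="{REDIRECT}" Location="https://idp.example.com/saml/sso"/>
  </md:IDPSSODescriptor></md:EntityDescriptor>"""


def parse_idp_metadata(xml_text):
    """Pin the three things the SP needs from IdP metadata: entityID, SSO endpoint, signing cert."""
    root = ET.fromstring(xml_text)  # production code should parse untrusted XML with defusedxml
    sso = [s.get("Location") for s in root.iterfind(".//md:SingleSignOnService", NS) if s.get("Binding") == REDIRECT]
    cert = root.find(".//md:KeyDescriptor[@use='signing']//ds:X509Certificate", NS)
    if not sso or cert is None:
        raise ValueError("metadata lacks a redirect SSO endpoint or a signing certificate")
    return {"entity_id": root.get("entityID"), "sso_url": sso[0], "signing_cert": "".join(cert.text.split())}


def make_response(idp, req_id, now, audience=None, cert=None):
    """Constructed stand-in for the IdP's step-5 response; the signature value is a placeholder."""
    nb, na = (now - timedelta(minutes=1)).strftime(FMT), (now + timedelta(minutes=5)).strftime(FMT)
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}" ID="_{uuid.uuid4().hex}"
  Version="2.0" IssueInstant="{now.strftime(FMT)}" InResponseTo="{req_id}" Destination="{SP['acs_url']}">
  <saml:Issuer>{idp['entity_id']}</saml:Issuer><samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_{uuid.uuid4().hex}" Version="2.0" IssueInstant="{now.strftime(FMT)}">
    <saml:Issuer>{idp['entity_id']}</saml:Issuer>
    <ds:Signature><ds:SignatureValue>c3R1Yg==</ds:SignatureValue><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{cert or idp['signing_cert']}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID><saml:SubjectConfirmation Method="{BEARER}">
      <saml:SubjectConfirmationData Recipient="{SP['acs_url']}" InResponseTo="{req_id}" NotOnOrAfter="{na}"/>
    </saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions NotBefore="{nb}" NotOnOrAfter="{na}"><saml:AudienceRestriction>
      <saml:Audience>{audience or SP['entity_id']}</saml:Audience></saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement><saml:Attribute Name="mstr_group"><saml:AttributeValue>Finance</saml:AttributeValue>
    </saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>"""


def validate_response(xml_text, idp, outstanding, now):
    """Steps 6-7: what the SP must check before it vouches for the user to MicroStrategy Web."""
    ts = lambda s: datetime.strptime(s, FMT).replace(tzinfo=timezone.utc)
    r = ET.fromstring(xml_text)
    status = r.find("samlp:Status/samlp:StatusCode", NS)
    if r.get("Destination") != SP["acs_url"] or status is None or status.get("Value") != SUCCESS:
        raise ValueError("response not addressed to our ACS URL, or IdP did not report Success")
    req_id = r.get("InResponseTo")
    if req_id not in outstanding:  # unknown or already-consumed request ID
        raise ValueError("unsolicited or replayed response")
    a = r.find("saml:Assertion", NS)
    if a is None or any(i is None or i.text.strip() != idp["entity_id"]
                        for i in (r.find("saml:Issuer", NS), a.find("saml:Issuer", NS))):
        raise ValueError("missing assertion, or issuer is not the pinned IdP entityID")
    cert = a.find("ds:Signature//ds:X509Certificate", NS)
    if cert is None or "".join(cert.text.split()) != idp["signing_cert"]:
        raise ValueError("assertion signature does not use the certificate from IdP metadata")
    # The XML-DSig check itself (canonicalisation + verify against that cert) is left to an xmlsec library.
    cond = a.find("saml:Conditions", NS)
    if cond is None or not (ts(cond.get("NotBefore")) - SKEW <= now < ts(cond.get("NotOnOrAfter")) + SKEW):
        raise ValueError("assertion outside its validity window")
    if SP["entity_id"] not in [x.text.strip() for x in cond.iterfind("saml:AudienceRestriction/saml:Audience", NS)]:
        raise ValueError("assertion issued for a different audience")
    scds = [sc.find("saml:SubjectConfirmationData", NS)
            for sc in a.iterfind("saml:Subject/saml:SubjectConfirmation", NS) if sc.get("Method") == BEARER]
    if not any(d is not None and d.get("Recipient") == SP["acs_url"] and d.get("InResponseTo") == req_id
               and now < ts(d.get("NotOnOrAfter")) + SKEW for d in scds):
        raise ValueError("no bearer confirmation bound to this SP and this request")
    del outstanding[req_id]  # single use: presenting the same response again now fails the InResponseTo check
    attrs = {at.get("Name"): [v.text for v in at.iterfind("saml:AttributeValue", NS)]
             for at in a.iterfind("saml:AttributeStatement/saml:Attribute", NS)}
    return {"name_id": a.find("saml:Subject/saml:NameID", NS).text.strip(), "attributes": attrs}


def demo():
    """One good login, then a replay, a wrong-audience assertion and a foreign-certificate assertion."""
    now = datetime.now(timezone.utc).replace(microsecond=0)
    idp = parse_idp_metadata(IDP_METADATA)
    req_id = "_" + uuid.uuid4().hex  # step 3: ID of the AuthnRequest the SP sent, remembered until answered
    outstanding = {req_id: now}
    good = make_response(idp, req_id, now)
    user = validate_response(good, idp, outstanding, now)
    cases = {"replay": (good, outstanding),
             "wrong_audience": (make_response(idp, req_id, now, audience="https://other.example/sp"), {req_id: now}),
             "foreign_cert": (make_response(idp, req_id, now, cert="QVRUQUNLRVItQ0VSVA=="), {req_id: now})}
    rejected = {}
    for label, (xml, pending) in cases.items():
        try:
            validate_response(xml, idp, pending, now)
            rejected[label] = False
        except ValueError:
            rejected[label] = True
    return {"user": user, "rejected": rejected}
```

Each rejected case maps to a real failure mode: a replayed response is caught because the request ID was consumed on first use, an assertion minted for another SP is caught by the audience check even though everything else about it is well-formed, and an assertion carrying a certificate other than the one pinned from metadata is refused before the signature is even looked at. In a deployment the `outstanding` dictionary would be a short-lived store keyed by request ID, and the signature would be verified with an XML-DSig implementation against the pinned certificate.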
As you can see, in a MicroStrategy Secure Cloud environment most of the components of this SSO setup are owned either by MicroStrategy Inc. or by the customer's infrastructure team. A system integrator generally has little to do in the integration itself beyond coordinating the two parties and confirming that the exchanged metadata (entity IDs, endpoints and certificates) matches on both sides.