Create, deploy, and maintain analytic applications that engage users and drive revenue. See a Logi demo

Tips + Tricks

Integrating Adaptive Security in a Standalone Enterprise Application

By Noah Mashni | March 1, 2017
Share on LinkedIn Tweet about this on Twitter Share on Facebook

Logi’s approach to adaptive security means we integrate with whatever security model our customers already have. In our experience, we typically see three distinct use cases for integrating new analytics capabilities with a preexisting security model

1. Setting up a standalone analytics solution in an enterprise

2. Setting up a standalone enterprise solution with database integration

3. Embedded in an existing application

In this post, we’ll focus on the first instance: How to configure your web server with Logi applications when providing analytics in a separate enterprise application (instead of embedded in an existing application).

>> Time to Enhance Your Embedded Analytics? Get a Blueprint to Modern Analytics <<

This scenario is predicated on the installation of related Internet Information Services (IIS) web server features. It’s ideal in intranet/extranet environments where web server or domain administrators can easily maintain the list of valid users.

The Security Element

Logi’s adaptive security model is built around the Security element (below), which is added into a Logi application’s _Settings definition. It’s the container element for all other globally configured security elements and handles both authentication and authorization.

The Security element has a Security Enabled attribute, which enables and disables Logi Security. One of the element’s other attributes, Authentication Source, specifies how the Logi Server gets its authentication information.

Logi's security element for Logi Info applicationsBasic and Digest Authentication

This scenario simply configures the web server, IIS 7.5, to require valid credentials before allowing any access to the Logi application.

When using Basic Authentication, user login credentials are sent to the web server in plain text, without any encryption. Anyone attempting to compromise your system security could intercept network messages and examine the unencrypted credentials. This security method is not recommended for use on public networks. Digest Authentication, on the other hand, improves on this by sending hashed credentials.

To configure your Logi Application for either type of authentication:

Example of security authentication in Logi Analytics1. Using the IIS Manager utility, select your Logi application, and then select the Authentication feature.

2. Disable the Anonymous Authentication option, as shown above.

3. Enable the Basic Authentication or Digest Authentication option, as shown above.

4. Exit the feature and restart the appropriate Application Pool.

How security credentials work in Logi Analytics

Now, when your Logi application is browsed, users will see the dialog box shown above and will have to provide valid credentials for your network domain before seeing the Logi application.

Windows Authentication

In this scenario, shown with IIS 7.5, the name of a user who has already been authenticated by Windows domain or network security is supplied to the Logi application. This is a very secure form of authentication. It’s especially convenient for users because they do not have to log in twice.

To configure your Logi Application for this type of authentication:

1. Using the IIS Manager utility, select your Logi application, and then select the Authentication feature.

2. Disable the Anonymous Authentication option, as shown above.

3. Enable the Windows Authentication option, as shown above.

4. Exit the feature and restart the appropriate Application Pool.

Now, when the URL for your Logi application is browsed, authorized domain users will not see a login dialog box at all. Instead they’ll proceed directly into the Logi application. Users who are not authorized will be redirected to an error page.

ASP.NET Impersonation

This scenario, shown with IIS 7.5, lets you run your Logi application under a different security context. This is a required configuration when using Logi OLAP to connect to Microsoft SQL Server Analysis Services cubes via the MSOLAP provider.

To configure your Logi Application for this type of authentication:

How to configure a Logi Application for authentication

  1. Using the IIS Manager utility, select your Logi application, and then select the Authentication feature.
  2. Disable the Anonymous Authentication option, as shown above.
  3. Enable the ASP.NET Impersonation option, as shown above.
  4. Right-click the option and select Edit, then enter credentials for the account you want to impersonate in the resulting dialog box.
  5. Enable the Windows Authentication option, as shown above.
  6. Exit the feature and restart the appropriate Application Pool.

Now, when the URL for your Logi application is browsed, authorized domain users will proceed directly into the Logi application and the appropriate impersonated credentials will be used for connection to other services.

Next Step: Authorization

Once a user is authenticated using one of the above methods, the Logi application has access to an internal username that uniquely identifies the current user and drives the authorization process.

 

About the Author

Noah Mashni is a Solutions Engineer at Logi Analytics, where he acts as the key technical adviser and product advocate.

Subscribe to the latest articles, videos, and webinars from Logi.