Tips + Tricks

Integrating Adaptive Security in Multi-Tenant Applications

By  |  April 11, 2017

As we’ve discussed in recent Tips & Tricks posts, Logi’s approach to security is based on what we call SecureKey, an adaptive security model that relies on our customers’ existing user management systems. This token-based API allows you to reuse your authentication and authorization mechanisms to control access to your Logi-powered analytics. At the same time, SecureKey allows for multi-tenancy.

>> Top Requirements for Business Intelligence Projects: Get the BI Buyer’s Guide <<

What Is Multi-Tenancy?

Multi-tenancy is about hosting multiple customers on a single application. For example, everyone logs into the same banking portal, but they are all different customers who need to see unique information. Because Logi Info and SecureKey support multi-tenancy, we are able to provide fine-grained user access control across every layer of the application.

Our customers can leverage their existing security models to control user access at the full page level, component level, or down to the row and column granularity of the data. Single sign-on integration is supported for any security framework or application, including LDAP, Windows Active Directory, and custom databases that store user profiles.

Configuring Applications for Multi-Tenancy

Because Logi Info is already built to support multi-tenancy, our customers do not need to take any special steps when configuring the Parent and Logi applications for SecureKey. You would simply follow the steps we previously discussed in Integrating Adaptive Security in Embedded Applications.

Working Within NAT or Proxy Environments

There is one exception: If your company has set up a firewall with a network proxy (such as Network Address Translation, or NAT) that sends all traffic to the Logi application through a single IP address (or a range), you’ll need to make a small modification when configuring the Parent application. In this case, the individual user locations will not be unique, so we need to suppress client IP address checking in SecureKey.

We do this by modifying the Parent application’s request to the Logi application so that it passes a Client Browser Address value of This is accomplished by creating your own custom query string variables. These extra values will be assigned to session variables in the Logi application and can be accessed using @Session tokens.

For example, your custom query string might look like this:

http://myServer/myLogiApp/rdTemplate/rdGetSecureKey.aspx?Username=bob&Roles=Worker,Manager &ClientBrowserAddress=

You can further enhance security by limiting requests to those from certain parts of the network by using an IP address mask in the web server’s security configuration. In Internet Information Server (IIS) environments, this is accomplished in the IIS Manager’s Directory Security tab; for Tomcat, this is accomplished by adjusting some of its XML configuration files.

Read the rest of the Logi Security Series: