If TIBCO Spotfire Server has been configured to work with Kerberos for single sign-on, Spotfire will ONLY allow Kerberos tokens as its authentication method (there is not a negotiate option). This is acceptable for internal client network traffic, since internal users are able to tap into an organization's Microsoft Active Directory (AD) environment, which is essential for generating the Integrated Windows sessions required for creating Kerberos tokens. This is NOT acceptable for mobile devices, since users would be required to be on the organization's internal network so that the mobile device may interact with AD to pass a Kerberos token, OR it would require the organization to externally expose its AD environment (which I've found to be undesirable due to security risks).
This leads me to 2 recommendations, which are focused on providing flexible options for organizations, and for promoting a quality user experience:
Option 1: To build Spotfire so that it is capable of "negotiating" inbound authentication requests, so that it will accept Kerberos, NTLM, Basic Auth, or other types of authentication simultaneously, not just a single authentication type at a time. This would allow Kerberos to work for internal client traffic, and the mobile application to pass basic authentication credentials from outside of the organization's network (preferably over SSL) to the Spotfire Servers, where they could then validate those credentials against an internal AD provider. The mobile device would not need direct access to an organization's internal AD network.
Option 2: **This option may not be required if Option 1 were made available**
The other recommendation is to make the mobile application capable of utilizing the custom/external authentication (per TIBCO Support, currently, Mobile is not capable of utilizing external authentication) that Spotfire allows other technologies to tap into. This option would be most useful in the scenario where an organization is leveraging Kerberos for SSO for internal users/devices, but would also like to enable the usage of Spotfire Mobile externally, without exposing its AD environment.
Link to External Authentication information for reference: https://docs.tibco.com/pub/spotfire_server/7.8.0/doc/html/TIB_sfire_server_tsas_admin_help/GUID-622BEAFC-C3BC-488E-9AC1-9D30B2349390.html?_ga=2.181304673.751451175.1497453788-1346728984.1494522721
In this option, the mobile application would point to an external authentication endpoint, where basic authentication credentials are passed (over SSL) and validated against an internal AD environment. Then, a header is passed from the external authentication endpoint to the Spotfire server containing a specified header type that includes the user's ID. (Spotfire would be configured to accept this header from only specific devices/IP addresses.)
Support: Please reference Case #: 01475071 for additional details
Thanks,
Richard Fair
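The header-forwarding flow described in Option 2 above, as an added example that is not part of the original post and not TIBCO's or Spotfire's own code. It models both sides of the exchange: the external authentication endpoint that checks Basic credentials (only over TLS) and asserts the user's identity in a header, and the Spotfire-side check that trusts that header only when the request arrives from a configured gateway address. The identity header name `X-Spotfire-User`, the trusted network `10.0.0.0/24`, and the in-memory user table standing in for the AD lookup are all assumptions for illustration; a real endpoint would perform an LDAP bind against AD instead of hashing against a local table.

```python
import base64
import hashlib
import hmac
import ipaddress

# Assumed header name; in a real deployment this is whatever name the
# Spotfire server's external-authentication configuration expects.
IDENTITY_HEADER = "X-Spotfire-User"

# Assumed address range of the external authentication endpoint(s).
TRUSTED_GATEWAYS = [ipaddress.ip_network("10.0.0.0/24")]

# Constructed stand-in for AD: username -> PBKDF2 hash of the password.
_SALT = b"constructed-example-salt"


def _hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), _SALT, 100_000)


USER_STORE = {"rfair": _hash("correct horse battery staple")}


class AuthError(Exception):
    """Raised for any authentication or trust failure."""


def basic_header(username, password):
    """Build an 'Authorization: Basic ...' value as a mobile client would send it."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")


def _lookup(headers, name):
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def verify_basic(authorization):
    """Validate a Basic credential against the user store; return the username."""
    if not authorization:
        raise AuthError("missing credentials")
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "basic":
        raise AuthError("unsupported authentication scheme")
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        raise AuthError("malformed credentials")
    username, sep, password = decoded.partition(":")
    if not sep or not username:
        raise AuthError("malformed credentials")
    expected = USER_STORE.get(username)
    # Constant-time comparison; compare even for unknown users to avoid a timing oracle.
    candidate = _hash(password)
    if expected is None or not hmac.compare_digest(expected, candidate):
        raise AuthError("invalid credentials")
    return username


def gateway_forward(client_headers, is_tls):
    """External authentication endpoint: authenticate, then build the upstream headers."""
    if not is_tls:
        # Basic credentials are cleartext; never accept them off TLS.
        raise AuthError("Basic credentials are only accepted over TLS")
    user = verify_basic(_lookup(client_headers, "Authorization"))
    # The identity header is the gateway's own assertion. Drop any copy the
    # client sent under that name (or it could spoof a user), and drop the
    # Basic credential so it never reaches Spotfire.
    blocked = {"authorization", IDENTITY_HEADER.lower()}
    upstream = {k: v for k, v in client_headers.items() if k.lower() not in blocked}
    upstream[IDENTITY_HEADER] = user
    return upstream


def spotfire_accept(upstream_headers, peer_ip):
    """Spotfire-side check: honour the identity header only from trusted gateway addresses."""
    addr = ipaddress.ip_address(peer_ip)
    if not any(addr in net for net in TRUSTED_GATEWAYS):
        raise AuthError("identity header from untrusted source")
    user = _lookup(upstream_headers, IDENTITY_HEADER)
    if not user:
        raise AuthError("no asserted identity")
    return user


if __name__ == "__main__":
    # Constructed request from a mobile client that also tries to spoof the identity header.
    request = {"Authorization": basic_header("rfair", "correct horse battery staple"),
               "X-Spotfire-User": "administrator"}
    forwarded = gateway_forward(request, is_tls=True)
    print("gateway asserts:", forwarded[IDENTITY_HEADER])
    print("spotfire accepts:", spotfire_accept(forwarded, "10.0.0.17"))
```

The two checks that matter for this design are in `gateway_forward` and `spotfire_accept`: the gateway must overwrite, not merge, the identity header, and Spotfire must reject the header from any peer other than the gateway. Without both, anyone who can reach the Spotfire server directly can log in as any user simply by setting the header.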
My comment seems to fit in here I think. We are currently in the process of setting up the mobile app, and I was asked to share information with Tibco about the AppConfig community: https://appconfig.org/ . This is supposed to ease the deployment of enterprise apps.
Very useful request. And the JavaScript API should adopt such modern SSO (such as Google, Azure, etc.).