Implications of SIMPLE_AUTHENTICATION

Bogdan Kiselitsa shared this question 1 year ago
Answered

Hi,


We are investigating using SSO with Yellowfin, and it seems that this option needs to be set to enable logon with no password.


My question is what other consequences does this setting have? Are we able to continue using LDAP authentication with full security and allow for SSO as well?


Regards,

Bogdan.

Best Answer

Hello Bogdan,


Thanks for reaching out with your question. I'd like to start by stating that the integration of Yellowfin and the implementation of integration such as SSO is highly customizable, so there is no cookie-cutter answer for this question.


You are correct that in order to use the LOGINUSERNOPASSWORD web service, this needs to be enabled. This configuration essentially allows you to pass this web service call, which logs in a user even if a blank password is supplied.


It's important to note that the LOGINUSER is the typically used web service call when dealing with SSO, which doesn't require the SIMPLE_AUTHENTICATION option be enabled. By this I mean that you can use this web service call without enabling SIMPLE_AUTHENTICATION and have a mechanism which supplies the password to the system during the web service call.


If you're using LDAP Authentication at present, the web service will call to Yellowfin, which in turn will search your LDAP directory to authenticate the user.


In short, enabling SIMPLE_AUTHENTICATION for the use of LOGINUSERNOPASSWORD will allow you to issue web service calls to Yellowfin that will log the user in question into Yellowfin without validating their password. As far as implications, this is highly dependent on your configuration, your integration, and your network map. Ultimately, it leaves a potential opening for anyone who discovers the web service calls being used and knows the username scheme in place.


It may be worth reviewing our Wiki for more information on integration and SSO. This page is a good starting point, if you haven't seen it already.


Does this information help?


Thanks,

Ryan
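As an added illustration of the monitoring Ryan's answer points toward (example code, not from this thread or from Yellowfin): a small Python detector over constructed web-service log lines that reports successful LOGINUSERNOPASSWORD calls from any host other than the SSO integration server, since with SIMPLE_AUTHENTICATION on, that call is the one that skips password validation. The log line layout, the 10.0.5.20 allowlist and every address and user in the sample are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log. The layout below is an assumption for this
# example, not Yellowfin's actual log format:
# "<timestamp> <client-ip> <web-service-function> <target-user> <result>"
SAMPLE_LOG = """\
2024-03-01T09:00:01Z 10.0.5.20 LOGINUSER alice@example.com OK
2024-03-01T09:00:07Z 10.0.5.20 LOGINUSERNOPASSWORD bob@example.com OK
2024-03-01T09:01:13Z 10.0.5.20 LOGINUSERNOPASSWORD carol@example.com OK
2024-03-01T09:02:44Z 203.0.113.9 LOGINUSERNOPASSWORD alice@example.com OK
2024-03-01T09:03:10Z 203.0.113.9 LOGINUSERNOPASSWORD dave@example.com OK
2024-03-01T09:03:12Z 203.0.113.9 LOGINUSERNOPASSWORD erin@example.com OK
2024-03-01T09:04:00Z 203.0.113.9 LOGINUSERNOPASSWORD frank@example.com FAIL
"""

# Only the SSO integration host (assumed address) should ever issue the
# no-password login; the web service call itself carries no secret.
SSO_CALLERS = ["10.0.5.20/32"]

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


def parse(log_text):
    """Yield one dict per well-formed log line; skip anything else."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, ip, func, user, result = m.groups()
            yield {"ts": ts, "ip": ip, "func": func, "user": user, "result": result}


def flag_unexpected_nopassword_logins(log_text, allowed=SSO_CALLERS):
    """Return successful LOGINUSERNOPASSWORD calls from non-allowlisted hosts,
    plus how many distinct users each such host logged in as."""
    nets = [ipaddress.ip_network(c) for c in allowed]
    unexpected = []
    users_per_ip = {}
    for rec in parse(log_text):
        if rec["func"] != "LOGINUSERNOPASSWORD" or rec["result"] != "OK":
            continue
        src = ipaddress.ip_address(rec["ip"])
        if any(src in net for net in nets):
            continue  # the integration server is expected to do this
        unexpected.append((rec["ip"], rec["user"]))
        users_per_ip.setdefault(rec["ip"], set()).add(rec["user"])
    return {
        "unexpected_calls": unexpected,
        "users_per_unexpected_ip": {ip: len(u) for ip, u in users_per_ip.items()},
    }
```

A single foreign host logging in as several different users with no password is the pattern the answer warns about, and it is invisible to LDAP because the password check never runs.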

Comments (3)


It does, thank you. I wanted to check that this would only affect the web service call.


Regards,

Bogdan.


Hi Bogdan,


Thanks for the reply. I'm glad that this information was helpful. As always, if you have further questions or issues don't hesitate to contact us.


Thanks,

Ryan