Support for custom login page

Bogdan Kiselitsa shared this question 1 year ago
Answered

Hi,


We are currently in the process of integrating Yellowfin with SSO via SAML for one of our clients. I'm using the SAML Bridge from the marketplace, and it works well when using dologin.jsp as a custom SSO login portal.


However, there is one user workflow that's not possible at the moment, and that is the following:

1. User clicks bookmark for specific report.

2. User is not logged in currently.

3. User is redirected to standard login portal instead of the custom SSO login portal.

4. User must go to SSO login portal manually, then later return to the original link.


What we need is some way to configure the user to redirect to the SSO auth page automatically in case they are not logged in, and also to preserve the query string so that they can be redirected back to their original destination.


This presents some design difficulties given a multi-tenant (client org) deployment because:

1. One SSO Auth page (i.e. SAML bridge) will be deployed per tenant.

2. User must be redirected to the SSO Auth page relevant to their tenant, or to the regular login page if no SSO page is set.


Those are the basic requirements, but obviously there may be a more integrated way to implement it.


Clearly this will require some additional development, but I think it would really complete the SSO (SAML) integration story for Yellowfin, which can be a real selling point.


Please let me know what can be done here.


Regards,

Bogdan.

Lead Developer

LivePerson Engage

Comments (12)

1

Hi Bogdan,


Thanks for getting in touch about this, as well as for your detailed workflow replication instructions. I have one quick question though. When you say 'bookmark', you are referring to a browser bookmark, and not Yellowfin's built-in bookmark feature, correct? And just to further clarify, here is where things currently stand:

  1. User is already logged in to your larger tool.
  2. User opens a browser bookmarked link to a certain report.
  3. User is not authenticated via your SSO integration using the SAML bridge and brought to their report, but is instead directed to the 'standard' Yellowfin login page despite being logged in to your larger tool already.
  4. User then has to go the long way and access the SSO portal, then go hit the initial link to bring them to their desired report.

Is my interpretation here correct?


This is one of those tricky scenarios that toes the line between new development on the SAML bridge vs. patching up a feature that should already be in there. If you could let me know if I've understood things correctly, that would be great. Thanks in advance!


-Conner

1

Hi Conner,


Thanks for the reply.


To answer your question, yes I'm referring to external bookmarks or links generated by Yellowfin's 'Share' functionality.


Otherwise, yes, you have it right.


Regards,

Bogdan.

1

Hi Bogdan,


Apologies for my delayed reply on this one, it looks like I goofed and set this to the incorrect status on my system. Thanks for confirming my questions. As I mentioned in my initial reply, this one is a bit tricky to classify between new development and 'preexisting' dev. I'm going to reach out to the rest of my team for a second opinion on how this should be classified in our internal system, and then we can go from there. Stay tuned for an update, and thank you for your patience here!


Best,

-Conner

1

Hi Bogdan,

I haven't tried the following using the SAML bridge, however, I know that it works with a standard custom login page, so because of that I'm asking that you try it out:

Set the following element in <Yellowfin home>\appserver\webapps\ROOT\WEB-INF\web.xml:


<welcome-file-list>
    <welcome-file>dologin.jsp</welcome-file>
</welcome-file-list>

Make sure your custom login page is residing in the ROOT folder.


And you will also have to change the following line in your custom login page:


<input type="hidden" name="<%=Const.INDEX_PAGE%>" value="/dologin.jsp" />


Please let us know if that helps or not.

regards,

David

1

Hi Dave,


Thanks for the idea, but unfortunately that wouldn't work with a multi-tenant configuration. There really needs to be a per-user (or per tenant?) setting that determines which auth page that user will be sent to, as they may be different for each tenant.


Regards,

Bogdan.

1

Hi Bogdan,


I'm not a developer obviously, but couldn't you do something like create a filter that determines which tenant requires logging into:


http://localhost:7373/RunReport.i4?reportUUID=0603c784-ee14-460a-b42d-4fe4208b40d9&primaryOrg=1&clientOrg=12001&filterUUIDbf112013-b657-4614-8b12-b41c37deaeef=3


and then redirect from dologin.jsp to that particular tenant's auth page (after checking whether the user is already logged in or not of course)


regards,

David
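
The routing decision suggested above, as an added example that is not part of the original thread and is not Yellowfin or SAML Bridge code: it picks the tenant's auth page from the `clientOrg` parameter and carries the original destination along. The class, the tenant-to-page map, the `returnTo` parameter name and the `/standard-login` placeholder are all assumptions made for illustration; a real filter would call `loginRedirect` with the request's path and query string.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Map;

public class TenantLoginRouter {
    // Constructed sample data: clientOrg id -> that tenant's SSO entry page (hypothetical URLs).
    static final Map<String, String> SSO_PAGES = Map.of(
        "12001", "https://sso.tenant-a.example/saml/login",
        "12002", "https://sso.tenant-b.example/saml/login");
    static final String DEFAULT_LOGIN = "/standard-login"; // placeholder for the regular login page

    // Returns the raw value of one query parameter, or null if absent.
    static String param(String query, String name) {
        if (query == null) return null;
        for (String pair : query.split("&")) {
            int eq = pair.indexOf('=');
            if (eq > 0 && pair.substring(0, eq).equals(name)) return pair.substring(eq + 1);
        }
        return null;
    }

    // Only same-application paths may be carried as the return target (no scheme, no //host).
    static boolean isLocalPath(String path) {
        return path != null && path.startsWith("/") && !path.startsWith("//")
            && !path.contains("\\") && !path.contains("\r") && !path.contains("\n");
    }

    // Returns where to send the browser, or null when the user is already logged in.
    static String loginRedirect(boolean loggedIn, String path, String query) {
        if (loggedIn) return null;
        String original = isLocalPath(path) ? path + (query == null ? "" : "?" + query) : "/";
        // clientOrg is untrusted input: it only selects a configured page, it never supplies a URL.
        String org = param(query, "clientOrg");
        String sso = (org == null) ? null : SSO_PAGES.get(org);
        String target = (sso != null) ? sso : DEFAULT_LOGIN;
        return target + "?returnTo=" + URLEncoder.encode(original, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        String q = "reportUUID=0603c784-ee14-460a-b42d-4fe4208b40d9&primaryOrg=1&clientOrg=12001";
        System.out.println(loginRedirect(false, "/RunReport.i4", q));              // tenant SSO page
        System.out.println(loginRedirect(false, "/RunReport.i4", "reportUUID=x")); // regular login
        System.out.println(loginRedirect(false, "//other-host.example/x", q));     // target reset to "/"
        System.out.println(loginRedirect(true, "/RunReport.i4", q));               // null: no redirect
    }
}
```

The page that completes the login should apply the same local-path check to `returnTo` before redirecting back, since that value travels through the browser.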

1

Hi Dave,


That's quite a good idea! I started prototyping with it, but found that trying to load a report when not logged in will redirect straight to MIRequireLogin.i4 instead of the welcome page, which defeats the point. Is there a way to change this behaviour?


Regards,

Bogdan.

1

Hi Bogdan,


I guess that's why I'm not a developer! :-(

Luckily, I found an old forum post that addresses this issue:


https://www.yellowfinbi.com/resources/forum/YFForum-Can-we-make-a-custom-MIRequireLogin-i4-or-point-at-the-login-page-thread-156288


Unfortunately it looks as though the original code example in it is lost, but if you would really like to see it then please let me know and I'll try and get someone here to retrieve it, but hopefully the info that is there will be enough to get your prototype happening.


regards,

David

1

Hi Dave,


Thanks, that might work!


I'll have to do some prototyping, but will post an update when I've had a chance to try it.


Regards,

Bogdan.

1

Hi Bogdan,


That sounds exciting!

Yes please do let us know how the prototyping goes.

Do you mind if I close this Question for the moment? When you post the update the status will automatically go back to "In Progress" and it will reappear in my work list.


regards,

David

1

Sure, no problem.

1

Thanks!