KB30292: How to setup Trusted Authentication (Single Sign On) for MicroStrategy Web

To set up Trusted Authentication (Single Sign-On) for a Strategy 2021 environment, follow the steps provided below. For SiteMinder users, refer to section (A), while Tivoli users should follow section (B). All users should proceed with section (C) to configure trusted authentication for Strategy Web.

• Configuring Netegrity SiteMinder
  
1. Configure Netegrity SiteMinder Policy Server:
   
1. Install the server as described in the documentation and complete any additional required installations and or configuration.
   
2. Open the SiteMinder administrative tool and login as the user that can create objects.
   
3. Create the objects listed as below:
   
1. Under the "Host Conf Object" system configuration settings - create a host configuration object
   
2. Edit the newly created host configuration object and set the IP address for the Policy Server and the three policy server ports under the "PolicyServer" parameter.
   
3. Under the "Agents" system configuration settings, create a new agent.
   
4. Ensure that the correct IP address or DNS address for the remote agent (Strategy Web) is specified for the agent.
   
5. Other settings such as User Directories, Policy Domains etc should be set up as required by the siteminder administrator.
   
2. Configure Netegrity SiteMinder Web Agent:
   
1. Install the SiteMinder Web Agent on the same machine as the Web Server.
   
2. When setup is complete users may be prompted to complete the Web Agent Configuration Wizard. To run this Wizard at a different time, the utility may be located in the Start -> Programs -> SiteMinder -> Web Agent Configuration Wizard menu.
   
3. Follow the steps in the Wizard. Input the agent and policy server name and IP address as specified in the steps above.
   
4. The Web Agent does not provide self registration and this option should be set to "No".
   
5. After the Wizard is complete, go to the webagent.conf file, and edit it and set the parameter "EnableWebAgent" to "yes".
   
3. Reboot the Strategy Web Server and the SiteMinder Policy Server before proceeding.
   
• Configuring Tivoli Access Manager (Web Seal):
  
1. Install and configure all the Tivoli software and any required additional components set up the users and complete any other configuration required.
   
2. In the Tivoli Access manager, create a Web Seal Junction for the Strategy Web Server.
   
1. 'Junction Point' should be set to the name used to access this resource (e.g. /MSTRWebSSO - the forward slash at the beginning of the name is required)
   
2. 'Target Host' should be set to the DNS / IP address for the Strategy Web Server.
   
3. 'TCP Port' - Port used by the Web Server (example - port 80 for IIS and 8080 for Apache Tomcat or whatever the default Web Application Server is configured to use).
   
4. Select the 'URLs case insensitive' option.
   
5. Enable the 'Win32 file system support' option if required.
   
6. Under 'Client Identity headers' select 'User name (short)' (required) and 'User Name (Full DN)' if LDAP integration is to be used.
   
• Setting up the Strategy Environment:
  
• The first step in the process is to create a trusted relationship between the Strategy Intelligence Server and the Strategy Web Server. Strategy Web must be connected to Strategy Intelligence Server as normally from the Web Administration page.
  NOTE: For Tivoli Access Manager, access to the Web administration page should be done directly (i.e. not using Tivoli junction name or another method) because it cannot handle multiple tokens.
  
• From the Strategy Web administration page, click on the "Modify" button to change the Web connection properties. This action will only be possible when the Web Server is currently connected to the Intelligence Server. In the Intelligence Server properties screen, click on the "Setup" button to define  the trust relationship between the Strategy Intelligence Server and the Web Server.
  

• In the next prompted page, provide the Strategy credentials of an administrative user to verify the trust relationship, as well as a Name (any name can be used) for the trust relationship as shown below (In the example below the name is the URL to access the trusted Strategy Web environment).
  

• Once this is completed, the trusted connection will show with a check mark next to it as shown below.
  

• Now users should log into the Strategy Intelligence Server directly and edit the Intelligence Server configuration -> Web SSO settings . The new trusted connection will be listed there showing either a "Disabled" or "Enabled" status. If the status is "Disabled", to enable this trusted connection, users must change the drop down box to say "Enabled" and save the Intelligence Server configuration.
  

• Go back to the Strategy Web Administrator page. Edit the Intelligence Server connection properties, enable Trusted Authentication Request as a Login Mode and make it the default authentication method (If this is required only - trusted authentication could be used without making it the default authentication mechanism):
  

• Users should now be able to use the trusted authentication mode to access Strategy. The URL to be used will differ depending on the SSO server being used. For example for Tivoli, the URL will include the Tivoli SSO server and the junction name followed by the Strategy path on the web server.
  For example: http://Tivoli1/Junction1/Strategy/servlet/mstrWeb
  Users should contact their system administrators for the details.
  

NOTE:
Users can find additional information about trusted authentication here: Enable Single Sign-on to Web, Mobile, and Office with Third-Party Authentication
 
Third Party Software Installation:
WARNING:
The third-party product(s) discussed in this technical note is manufactured by vendors independent of Strategy. Strategy makes no warranty, express, implied or otherwise, regarding this product, including its performance or reliability.