
Kyvos Authentication

Applies to: Kyvos Enterprise, Kyvos Cloud (SaaS on AWS), Kyvos AWS Marketplace, Kyvos Azure Marketplace, Kyvos GCP Marketplace, Kyvos Single Node Installation (Kyvos SNI)


Note

From Kyvos 2023.3 onwards, you can see the details of the last Kyvos Authentication operation, including its progress status and start time, by clicking the i icon next to the Revert button. For more comprehensive details, click the View Details link to open the Operations page, where the operation information is shown in detail.

Use this page to configure the authentication type that governs user login for the Kyvos web portal.

  1. From the Authentication Type list, select the type you want to use.

    • KYVOS NATIVE: Select this option to have Kyvos itself authenticate the user login details.

    • REMOTE AUTHENTICATION SYSTEM: Select this option to use LDAP or Kerberos for authentication.
      NOTE: The fields shown in the following figure are displayed ONLY if you select the REMOTE AUTHENTICATION SYSTEM option with LDAP as the Authentication System.

  2. If you have selected the Kyvos Native option, specify the type of user that will be created on first-time login from the management portal using the Default Authentication Type for Newly Created User setting. You can choose from the LDAP and Kyvos Native options.

Important

If you are using Kerberos-configured Hadoop, the KYVOS NATIVE Authentication Type does not work for Kyvos Authentication.

In this case, you must edit the kyvosmanager\bin\env.sh file to set the HADOOP_SECURITY_TYPE=KERBEROS property.

You must also edit the krbToken.sh file at the kyvosmanager\bin\, olapengine\bin, and queryengine\bin locations to provide the Kerberos token generation command, such as kinit <%keytab_location\key_tab_filename%> <%principal_name%>, after the sample command provided in the krbToken.sh file. You MUST restart all components, including Kyvos Manager, after providing this information.

LDAP and Kerberos configuration

If you have selected the Remote Authentication System option, choose the Authentication System to use (LDAP or Kerberos) and enter the details described in the table below. The fields shown in the table vary according to the chosen Authentication System.
Settings | Parameter/Field | Comments/Description

LDAP Settings

Alias

Specify a unique alias name for the LDAP account.

Directory Type

Select the directory type from the list.

Referral Mode

Select how the LDAP service provider should handle referrals returned by the directory:

  • Ignore: Ignore referrals.

  • Follow: Automatically follow any referrals.

  • Throw: Throw a Referral Exception error for each referral.

Host Name

Enter the hostname or IP address of the authentication directory server.

Port

Enter the port on which the directory server is listening.

User DN

Enter the distinguished name (DN) of the user account that the application will use when binding to the directory server.
For example, cn=user,dc=domain,dc=name for user@domain.name.

Password

Enter the password for the user.
NOTE: If not specified, the last provided password will be used. To change, enter a new password.

Use Secure Layer

Select this check box if SSL is configured. You will have to upload the SSL certificate for this.

SSL Certificate

Upload the SSL certificate file for use with the authentication directory.

Schema Settings

Base DN

Enter the base DN, that is, the point in the directory tree from which the application searches for users and groups when connected to the directory server.

If you are searching for users in the Admin department of example.com, the Base DN would be dc=example,dc=com and the User DN would be cn=admin,dc=example,dc=com.

If the admin user sits within a group called ITadmin (an ou=ITadmin entry), the User DN would be cn=admin,ou=ITadmin,dc=example,dc=com.

Additional Group DN 

Enter the additional group DN details (if any).

Additional User DN

Enter the additional user DN details (if any).

Group Filter

Enter the details of group filters (if any).

User Filter

Enter the details of user filters (if any).

User Group Sync Level

Specify the sync level for the user group from:

  • Bootup: The system searches for changes at every bootup and syncs the users with the LDAP directory.

  • Incremental: The system searches for changes whenever new data comes in and syncs the users with the LDAP directory.

  • Never: The system does not sync user information from the LDAP directory.

NOTE: If User Group Sync Level is set to Incremental, changes to the LDAP Password, User Filter, and Group Filter do not require a BI Server restart.

Show sync and timeout settings

Click to specify the sync and timeout settings:

  • Import Users As: Select the default role for all users being imported from the LDAP.

  • Read Timeout: Specify the timeout interval (in seconds) for reading data from LDAP.

  • Search Timeout: Specify the timeout interval (in seconds) for searching new data from LDAP.

  • Connection Timeout: Specify the timeout interval (in seconds) for connecting to the LDAP directory.

  • Custom Attributes: If needed, add custom attributes for users being imported from LDAP.

Kerberos Settings

Server

Enter the hostname or IP address of the Kerberos server.

Realm

Enter the hostnames or IP addresses of the Kerberos realm nodes. A Kerberos realm is a set of managed nodes that share the same Kerberos database.

Mode

Select the login mode for Kerberos from:

  • Login Info: If selected, specify the Kerberos login string in the field below.

  • File Upload: If selected, upload the Kerberos configuration file (containing login credentials).

  1. You can also define multiple LDAP accounts. For this, click the add option on the left.

  2. You can also duplicate an existing LDAP configuration. For this, use the Duplicate option, as shown.

  3. Click the Validate button to authenticate and verify the LDAP configuration. For multiple LDAP accounts, you can also use the Validate All button from the three-dots menu to validate all the LDAP accounts at once.
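A local pre-check of the values from the table above, run before clicking Validate, catches the usual form mistakes early: a User DN that is not under the Base DN, Use Secure Layer ticked without an SSL certificate, or a User Filter or Group Filter with unbalanced parentheses. This is an added example and not Kyvos code; the dictionary keys are an assumed layout that mirrors the table's field names.

```python
import re

# Hypothetical dict layout mirroring the LDAP Settings and Schema Settings fields
# in the table above; Kyvos keeps these in its own form, not in this shape.
SYNC_LEVELS = {"Bootup", "Incremental", "Never"}


def parse_dn(dn):
    """Split a DN into lower-cased (attribute, value) RDNs; escaped commas are kept."""
    rdns = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, sep, value = rdn.strip().partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError("malformed RDN: %r" % rdn)
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns


def dn_under_base(user_dn, base_dn):
    """True if user_dn lies inside the subtree rooted at base_dn."""
    user, base = parse_dn(user_dn), parse_dn(base_dn)
    return len(user) >= len(base) and user[-len(base):] == base


def filter_is_balanced(ldap_filter):
    """RFC 4515 filters are one fully parenthesised expression; reject anything else."""
    depth = 0
    for i, ch in enumerate(ldap_filter):
        depth += (ch == "(") - (ch == ")")
        if depth < 0 or (depth == 0 and i != len(ldap_filter) - 1):
            return False
    return depth == 0 and ldap_filter.startswith("(")


def check_ldap_settings(cfg):
    """Return a list of problems; an empty list means the form is ready to Validate."""
    problems = []
    if not 1 <= int(cfg.get("port", 0)) <= 65535:
        problems.append("Port is out of range")
    if cfg.get("use_secure_layer") and not cfg.get("ssl_certificate"):
        problems.append("Use Secure Layer is set but no SSL certificate was uploaded")
    if not dn_under_base(cfg["user_dn"], cfg["base_dn"]):
        problems.append("User DN is outside Base DN")
    for key in ("user_filter", "group_filter"):
        if cfg.get(key) and not filter_is_balanced(cfg[key]):
            problems.append("%s is not a well-formed LDAP filter" % key)
    if cfg.get("user_group_sync_level") not in SYNC_LEVELS:
        problems.append("unknown User Group Sync Level")
    return problems
```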

Single Sign On configuration

  1. To enable Single Sign On, select the corresponding check box and define the Single Sign On Configuration as follows.

Parameter/Field | Comments/Description

Single Sign-On Provider

Select the provider to be used to perform SSO.

Bind Address

Enter the machine name where this computer account has been created.

DNS Servers IPs

Comma-separated list of DNS Server IPs.

Computer Account Name

JESPA, as the SSO provider, needs a computer account name to authenticate itself against Active Directory.

Computer Account Password

Enter the password for the computer account name mentioned above.

jespa jar

Upload the JESPA jar file. Kyvos uses this to perform SSO using JESPA. You can download the jar from https://www.ioplex.com/downloads.php

jcifs jar

Upload the JCIFS jar file. Kyvos uses this to perform SSO using JESPA. You can download the jar from https://jcifs.samba.org/src

  1. Click the Validate JESPA Configuration button to verify that the JESPA settings mentioned are correct.

Kerberos SSO configuration

  1. To enable Kerberos SSO, select the Enable Kerberos SSO check box and define the configuration as follows.

Parameter/Field | Comments/Description

Service Principal

A Kerberos principal is a unique identity to which Kerberos can assign tickets. It follows the primary/instance@REALM format.

Define it as:

  • Service: In the case of a user, enter your username. For a host, use the word host.

  • FQDN: Optional string qualifying the primary. For a host, use a fully qualified hostname, such as John.abc.com. For a user, the instance is usually null, but a user might also have an additional principal with an instance called admin, used to administer a database. The principal John@EXAMPLE.COM is separate from the principal john/admin@EXAMPLE.COM, with a different password and separate permissions.

  • Realm: Your Kerberos realm can be your domain name, in upper-case letters. For example, the machine abc.example.com would be in the realm EXAMPLE.COM.

KRB5 File

The krb5.conf file contains Kerberos configuration information, including Kerberos realms, defaults for the current realm and for Kerberos applications, and mappings of hostnames onto Kerberos realms.

Keytab

Select the Upload file or File path option.

Keytab File

Upload your Keytab file to be used for authentication or provide its path.


Copyright Kyvos, Inc. All rights reserved.