Kyvos Authentication
Applies to: Kyvos Enterprise Kyvos Cloud (SaaS on AWS) Kyvos AWS Marketplace
Kyvos Azure Marketplace  Kyvos GCP Marketplace Kyvos Single Node Installation (Kyvos SNI)
Note
From Kyvos 2024.1 the process of configuring Kyvos security for LDAP, Active Directory integration, and Single Sign-On has been streamlined. Frequently modified fields will be updated seamlessly without restarting the BI server by choosing the Incremental option from the User Group Sync Level list. The BI Server restart will only be required when updating fields for the first time.
From Kyvos 2023.3 onwards, you can see the last performed Kyvos Authentication operation details, including progress status and start time, by clicking the i icon located next to the Revert button. To view more comprehensive details, simply click the View Details link, which will take you to the Operations page where you can view the operation information in detail.Â
Use this page to configure authentication type governing user login for the Kyvos web portal.
From the Authentication Type, select the one that you want to use.
KYVOS NATIVE:Â Select this option to authenticate only the User Login details by Kyvos.
REMOTE AUTHENTICATIONÂ SYSTEM:Â Select this option to choose LDAP or Kerberos for authentication.
NOTE: The fields shown in the following figure are displayed ONLY if you select the REMOTE AUTHENTICATION SYSTEM option with LDAP as Authentication Type.Â
If you have selected the Kyvos Native option, then specify the type of user that will be created on the first-time login from the management portal using the Default Authentication Type for Newly Created User. You can choose from LDAP and Kyvos Native options.
Important
If you are using Kerberos configured Hadoop, then KYVOS NATIVE Authentication Type does not work for Kyvos Authentication.
In this case, you must edit the kyvosmanager\bin\env.sh file to set the HADOOP_SECURITY_TYPE=KERBEROS property.
You must also edit the krbToken.sh file at kyvosmanager\bin\, olapengine\bin, and queryengine\bin locations to provide the Kerberos token generation command, such as kinit <%ketab_location\key_tab_filename%> <%principal_name%>, after the sample command provided in krbToken.sh file. You MUST restart all components including Kyvos Manager after providing this information.
LDAP and Kerberos configuration
If you have selected the Remote authentication system, specify the Authentication System to use from LDAP and Kerberos, and enter details as mentioned in the table below.
The fields mentioned in this table vary according to the chosen Authentication System.
The fields mentioned in this table vary according to the chosen Authentication System.
Settings | Parameter/Field | Comments/Description |
LDAP Settings     | Alias | Specify a unique alias name for the LDAP account. |
Directory Type | Select the directory type from the list. | |
Referral Mode | Select the mode for the service providers to indicate how to handle referrals.
| |
Host Name | Enter the hostname or IP address of the authentication directory server. | |
Port | Enter the port on which the directory server is listening. | |
User DN | Enter a unique name for the user that the application will use when connecting to the directory server. | |
Password | Enter the password for the user. | |
Use Secure Layer | Select this check box if SSL is configured. You will have to upload the SSL certificate for this. | |
SSL Certificate | Upload the SSL certificate file for use with the authentication directory. | |
Schema Settings           | Base DN | Enter the name that the application will use when connecting to the directory server. If you are searching for users in the Admin department of example.com, then the Base DN would be dc=example,dc=com, and the User DN would be cn=admin,dc=example,dc=com. If you have a group within in the admin called ITadmin, then the User DN would be cn=admin,ou=ITadmin,dc=example,dc=com. |
Additional Group DNÂ | Enter the additional group DN details (if any). | |
Additional User DN | Enter the additional user DN details (if any). | |
Group Filter | Enter the details of group filters (if any). | |
User Filter | Enter the details of user filters (if any). | |
User Group Sync Level | Specify the sync level for the user group from:
NOTE: If User Group Sync Level is set to Incremental, any changes to LDAP Password, User Filter, and Group Filter will not require BI Server restart. | |
Show sync and timeout settings | Click to specify the sync and timeout settings:
| |
Kerberos Settings    | Server | Enter the hostname or IP address of the Kerberos server. |
Realm | Enter the hostname or IP addresses of the Kerberos realm nodes. A Kerberos realm is a set of managed nodes that share the same Kerberos database | |
Mode | Select the login mode for Kerberos from:
|
You can also define multiple LDAP accounts. For this, click on the left.
You can also duplicate an existing LDAP configuration, for this use the Duplicate option, as shown.
Click the Validate button to authenticate and verify the LDAP configurations. For multiple LDAP accounts, you also use the Validate All button from the three-dots menu to validate all the LDAP accounts at once.
Settings | Parameter/Field | Comments/Description |
LDAP Settings     | Alias | Specify a unique alias name for the LDAP account. |
Directory Type | Select the directory type from the list. | |
Referral Mode | Select the mode for the service providers to indicate how to handle referrals.
| |
Host Name | Enter the hostname or IP address of the authentication directory server. | |
Port | Enter the port on which the directory server is listening. | |
User DN | Enter a unique name for the user that the application will use when connecting to the directory server. | |
Password | Enter the password for the user. | |
Use Secure Layer | Select this check box if SSL is configured. You will have to upload the SSL certificate for this. | |
SSL Certificate | Upload the SSL certificate file for use with the authentication directory. | |
Schema Settings           | Base DN | Enter the name that the application will use when connecting to the directory server. If you are searching for users in the Admin department of example.com, then the Base DN would be dc=example,dc=com, and the User DN would be cn=admin,dc=example,dc=com. If you have a group within in the admin called ITadmin, then the User DN would be cn=admin,ou=ITadmin,dc=example,dc=com. |
Additional Group DNÂ | Enter the additional group DN details (if any). | |
Additional User DN | Enter the additional user DN details (if any). | |
Group Filter | Enter the details of group filters (if any). | |
User Filter | Enter the details of user filters (if any). | |
User Group Sync Level | Specify the sync level for the user group from:
NOTE: If User Group Sync Level is set to Incremental, any changes to LDAP Password, User Filter, and Group Filter will not require BI Server restart. | |
Show sync and timeout settings | Click to specify the sync and timeout settings:
| |
Kerberos Settings    | Server | Enter the hostname or IP address of the Kerberos server. |
Realm | Enter the hostname or IP addresses of the Kerberos realm nodes. A Kerberos realm is a set of managed nodes that share the same Kerberos database | |
Mode | Select the login mode for Kerberos from:
|
Single Sign On configuration
To enable Single Sign On, select the corresponding check box; and define the Single Sign On Configuration as follows.
Parameter/Field | Comments/Description |
---|---|
Single Sign-On Provider | Select the provider to be used to perform SSO. |
Bind Address | Enter the machine name where this computer account has been created. |
DNS Servers IPs | Comma-separated list of DNS Server IPs. |
Computer Account Name | JESPA, as an SSO provider, needs a computer account name for system authentication against the active directory. |
Computer Account Password | Enter the password for the computer account name mentioned above. |
jespa jar | Upload the JESPA jar file. Kyvos uses this to perform SSO using JESPA. You can download the jar from https://www.ioplex.com/downloads.php |
jcifs jar | Upload the JCIFS jar file. Kyvos uses this to perform SSO using JESPA. You can download the jar from https://jcifs.samba.org/src |
Click the Validate JESPA Configuration button to verify that the JESPA settings mentioned are correct.
Kerberos SSO configuration
To enable Enable Kerberos SSO, select the corresponding check box; and define the configuration as follows.
Parameter/Field | Comments/Description |
---|---|
Service Principal | Kerberos principal is a unique identity to which Kerberos can assign tickets. It follows the primary/instance@REALM format. Define it as:
|
KRB5 File | The krb5.conf file contains Kerberos configuration information, including Kerberos realms, defaults for the current realm and for Kerberos applications, and mappings of hostnames onto Kerberos realms. |
Keytab | Select the Upload file or File path option. |
Keytab File | Upload your Keytab file to be used for authentication or provide its path. |
Â
Copyright Kyvos, Inc. All rights reserved.