- API
- Security & Authentication
- System & Performance
- Profiles - Datasources - Filters - Lists
- Users - Collections - Service Accounts
- Data Management & Processing
- Support
- Release Notes
Pass-through Authentication
Pass-through Authentication is an Angelfish feature that lets you create a direct link to a Profile's reports, bypassing the login screen. When the link is clicked, a script handles authentication and the User is sent to the reports for a single Profile.
The primary use case for Pass-through Authentication is when the User has already authenticated to the Page that contains the direct report link.
Global Admins can enable Pass-through Authentication in the General tab in Configure - Global - Settings. Once enabled, the generated key must be used to generate the Auth Signature.
OVERVIEW
- Enable Pass-through Authentication
- Generate the Auth Signature
- Send POST request
ENABLE PASS-THROUGH AUTHENTICATION
- Navigate to the General tab in Configure - Global - Settings
- Click the Generate button in the Pass-through Authentication field
- A key will appear in the field: use this key to generate the Auth Signature
GENERATE THE AUTH SIGNATURE
- Concatenate the profile ID and time the request is made:
- PROFILE_ID + '-' + TIME
- Create an MD5 HMAC hash (base64 encoded) of the concatenated string
- Use the generated key to hash the string
SEND POST REQUEST
Send the POST to this URL: (use https if enabled):
- SERVER: the hostname of the Angelfish Server
- PORT: the TCP port of the Angelfish Server
- PROFILE_ID: the ID of the Profile
Example:
http://10.11.12.13:9000/reports/#!/42
The POST also requires a few parameters:
- p - the ID of the Profile to view
- t - the timestamp of the request in GMT epoch seconds
- sig - the Auth Signature
Once authenticated, a "ptsession" cookie is created, restricting the User's access to the specified profile ID.
RESTRICTIONS
- The difference between the request timestamp and the server time cannot exceed 10 seconds
- The Auth Signature is linked to the Profile ID: to view a different Profile, a new Auth Signature must be created
EXAMPLE SCRIPT (PHP)
<?php// Pass-through KEY generated from Angelfish UI$PASSTHROUGH_KEY = "3x4mP13k3Y";
// Location of Angelfish Server$ANGELFISH = "http://10.1.1.15:9000";
// Capture Profile ID$profile_id = $_GET["p"];
// Capture current epoch seconds$time = time();
// Sign the data$sig = base64_encode(hash_hmac("md5", $profile_id . "-" . $time, $PASSTHROUGH_KEY, true));?>
// POST data
<form action="<?php echo $ANGELFISH; ?>/reports/#!/<?php echo $_GET["p"]; ?>/" method="post" name="frm" style="display:none;"> <input type="hidden" name="p" value="<?php echo $_GET["p"]; ?>" /> <input type="hidden" name="t" value="<?php echo $time; ?>" /> <input type="hidden" name="sig" value="<?php echo $sig; ?>" /></form><script type="text/javascript"> document.frm.submit();</script>