com.crystaldecisions.sdk.plugin.authentication.secwinad
Interface IsecWinADBase

All Known Subinterfaces:
IsecWinAD

public interface IsecWinADBase

This interface provides properties that map Active Directory (AD) principals (users or groups) to BusinessObjects Enterprise, and it also supports both AD and Kerberos single sign-on (SSO) authentication.

The Kerberos protocol is a component of Windows AD that provides mutual authentication between the client and server. If trusted communication is established between two parties, the Key Distribution Center (KDC) grants the principal a session ticket (security context). This session ticket grants SSO access to all applications and services that are integrated with Windows AD. For more information on configuring and managing Kerberos SSO within the BusinessObjects Enterprise Infrastructure, see the BusinessObjects Enterprise Administrator’s Guide.


Method Summary
 java.lang.String getAdminName()
           Returns an Active Directory user account in the following format "\".
 int getAvailability()
           Returns the state of Windows Active Directory (AD) authentication: unloaded (-1), enabled (0), or disabled (1).
 java.lang.String getDefaultDomain()
           Returns the default Active Directory (AD) domain used to authenticate users and map groups.
 java.lang.String getMappedGroups()
           Returns a semicolon-separated string of Active Directory UserGroupAlias instance IDs (SIDs).
 java.lang.String getServicePrincipalName()
           Returns the service principal name (SPN).
 boolean isAliasAutoAdd()
           Returns a boolean that indicates whether to add a secWinAD alias to an existing BusinessObjects Enterprise user.
 boolean isCacheSecurityContext()
           Returns a boolean that indicates whether the security context (session ticket) for Kerberos authentication is stored in the server’s cache.
 boolean isCreateNamedUsers()
           Returns a boolean that indicates whether new users are created as named or concurrent.
 boolean isImportUsers()
           Returns a boolean that indicates whether user aliases should be imported when mapping Active Directory (AD) groups.
 boolean isKerberosEnabled()
           Returns a boolean that indicates whether Kerberos single sign-on (SSO) authentication is enabled.
 boolean isSSOEnabled()
           Returns a boolean that indicates whether single sign-on authentication (SSO) is enabled.
 void setAdminName(java.lang.String value)
           Sets an Active Directory user account in the following format "\".
 void setAdminPassword(java.lang.String value)
           Sets the Active Directory administrator password.
 void setAliasAutoAdd(boolean value)
           Sets a boolean that indicates whether to add a secWinAD alias to an existing BusinessObjects Enterprise user.
 void setAvailability(int value)
           Sets the state of Windows Active Directory (AD) authentication: unloaded (-1), enabled (0), or disabled (1).
 void setCacheSecurityContext(boolean value)
           Sets a boolean that indicates whether the security context (session ticket) for Kerberos authentication is stored in the server’s cache.
 void setCreateNamedUsers(boolean value)
           Sets a boolean that indicates whether new users are created as named or concurrent.
 void setDefaultDomain(java.lang.String value)
           Sets the default Active Directory (AD) domain used to authenticate users and map groups.
 void setImportUsers(boolean value)
           Sets a boolean that indicates whether user aliases should be imported when mapping Active Directory (AD) groups.
 void setKerberosEnabled(boolean value)
           Sets a boolean that indicates whether Kerberos single sign-on (SSO) authentication is enabled.
 void setMappingGroups(java.lang.String value)
           Sets a semicolon-separated string of Active Directory UserGroupAlias instance IDs (SIDs).
 void setServicePrincipalName(java.lang.String name)
           Sets the service principal name (SPN).
 void setSSOEnabled(boolean value)
           Sets a boolean that indicates whether single sign-on authentication (SSO) is enabled.
 

Method Detail

getAvailability

public int getAvailability()
                    throws SDKException

Returns the state of Windows Active Directory (AD) authentication: unloaded (-1), enabled (0), or disabled (1).

This property can be set to -1, 0, or 1. The default value for this property is 0.

Returns:
An int that identifies the state of AD authentication.
Throws:
SDKException - This is thrown if the process is unsuccessful.

setAvailability

public void setAvailability(int value)

Sets the state of Windows Active Directory (AD) authentication: unloaded (-1), enabled (0), or disabled (1).

This property can be set to -1, 0, or 1. The default value for this property is 0.

Parameters:
value - An int that specifies the state of AD authentication.

getDefaultDomain

public java.lang.String getDefaultDomain()
                                  throws SDKException

Returns the default Active Directory (AD) domain used to authenticate users and map groups.

This property is used to locate a user or a group when only its name, and not its Active Directory name, is specified during logon. For example, if the default domain is set to “TestDomain”, then a user who logs on as “jdoe” is logged on as “TestDomain\jdoe”.

The DefaultDomain property is also used when mapping Active Directory groups to UserGroups. If you do not specify a domain name when you add a third-party group alias to a UserGroup instance, the domain specified by this property is assumed.

Returns:
A String that identifies the default domain.
Throws:
SDKException - This is thrown if the process is unsuccessful.

setDefaultDomain

public void setDefaultDomain(java.lang.String value)

Sets the default Active Directory (AD) domain used to authenticate users and map groups.

This property is used to locate a user or a group when only its name, and not its Active Directory name, is specified during logon. For example, if the default domain is set to “TestDomain”, then a user who logs on as “jdoe” is logged on as “TestDomain\jdoe”.

The DefaultDomain property is also used when mapping Active Directory groups to UserGroups. If you do not specify a domain name when you add a third-party group alias to a UserGroup instance, the domain specified by this property is assumed.

Parameters:
value - A String that specifies the default domain.

getMappedGroups

public java.lang.String getMappedGroups()
                                 throws SDKException

Returns a semicolon-separated string of Active Directory UserGroupAlias instance IDs (SIDs).

When an Active Directory group SID is added to the list of mapped groups, all global user accounts in the group are mapped to Enterprise user accounts as follows:

If the mapped Active Directory group contains other groups, the nested groups are not mapped, but the global user accounts they contain are mapped.

Returns:
A String that identifies the mapped groups.
Throws:
SDKException - This is thrown if the process is unsuccessful.

setMappingGroups

public void setMappingGroups(java.lang.String value)

Sets a semicolon-separated string of Active Directory UserGroupAlias instance IDs (SIDs).

When an Active Directory group SID is added to the list of mapped groups, all global user accounts in the group are mapped to Enterprise user accounts as follows:

If the mapped Active Directory group contains other groups, the nested groups are not mapped, but the global user accounts they contain are mapped.

Parameters:
value - A String that specifies the mapped groups.

getAdminName

public java.lang.String getAdminName()
                              throws SDKException

Returns an Active Directory user account in the following format "\".

To authenticate users and map user groups, the secWinAD plugin must query and view global catalogs. Therefore, AdminName must be a global user account. The domain of the user account is not optional. You must specify a correct domain name to successfully map Active Directory user groups to BusinessObjects Enterprise.

Returns:
A String that identifies the administrator name.
Throws:
SDKException - This is thrown if the process is unsuccessful.

setAdminName

public void setAdminName(java.lang.String value)

Sets an Active Directory user account in the following format "\".

To authenticate users and map user groups, the secWinAD plugin must query and view global catalogs. Therefore, AdminName must be a global user account. The domain of the user account is not optional. You must specify a correct domain name to successfully map Active Directory user groups to BusinessObjects Enterprise.

Parameters:
value - A String that specifies the administrator name.

setAdminPassword

public void setAdminPassword(java.lang.String value)
                      throws SDKException

Sets the Active Directory administrator password.

Parameters:
value - A String that specifies the password.
Throws:
SDKException - This is thrown if the process is unsuccessful.

isAliasAutoAdd

public boolean isAliasAutoAdd()
                       throws SDKException

Returns a boolean that indicates whether to add a secWinAD alias to an existing BusinessObjects Enterprise user.

Returns:
true if the third-party alias is assigned to an existing user. A new user instance is created for users who do not have an existing Enterprise account. false if a new user instance is created for all users in the third-party group that are mapped to BusinessObjects Enterprise.
Throws:
SDKException - This is thrown if the process is unsuccessful.

setAliasAutoAdd

public void setAliasAutoAdd(boolean value)

Sets a boolean that indicates whether to add a secWinAD alias to an existing BusinessObjects Enterprise user.

If this property is set to true, a secWinAD alias is assigned to the existing BusinessObjects Enterprise user account. However, the user accounts for BusinessObjects Enterprise and Active Directory (AD) must be identified by the same name and user credentials.
Note: If the mapped Active Directory (AD) user does not have an associated BusinessObjects Enterprise account (with the same name) and this property is set to true, then a new BusinessObjects Enterprise user account will be created for this user.

If this property is set to false, a new user account with an associated secWinAD alias will be created for all users in the AD group that are mapped to BusinessObjects Enterprise.

Parameters:
value - A boolean that specifies whether aliases will be automatically added.

isImportUsers

public boolean isImportUsers()
                      throws SDKException

Returns a boolean that indicates whether user aliases should be imported when mapping Active Directory (AD) groups.

Returns:
true if user aliases are imported when AD groups are mapped to BusinessObjects Enterprise. false if user aliases are imported when users log on to BusinessObjects Enterprise using AD authentication.
Throws:
SDKException - This is thrown if the process is unsuccessful.

setImportUsers

public void setImportUsers(boolean value)

Sets a boolean that indicates whether user aliases should be imported when mapping Active Directory (AD) groups.

Parameters:
value - A boolean that specifies whether user aliases should be imported when mapping AD groups.

isCreateNamedUsers

public boolean isCreateNamedUsers()
                           throws SDKException

Returns a boolean that indicates whether new users are created as named or concurrent.

Returns:
true if new users are created as named, and false if new users are created as concurrent.
Throws:
SDKException - This is thrown if the process is unsuccessful.

setCreateNamedUsers

public void setCreateNamedUsers(boolean value)

Sets a boolean that indicates whether new users are created as named or concurrent.

Parameters:
value - A boolean that specifies whether new users are created as named or concurrent.

isKerberosEnabled

public boolean isKerberosEnabled()
                          throws SDKException

Returns a boolean that indicates whether Kerberos single sign-on (SSO) authentication is enabled.

To grant AD users Kerberos single sign-on (SSO) privileges, ensure that the following steps have been completed.

Returns:
true if Kerberos SSO authentication is enabled, and false otherwise.
Throws:
SDKException - This is thrown if the process is unsuccessful.

setKerberosEnabled

public void setKerberosEnabled(boolean value)

Sets a boolean that indicates whether Kerberos single sign-on (SSO) authentication is enabled.

To grant AD users Kerberos single sign-on (SSO) privileges, ensure that the following steps have been completed.

Parameters:
value - A boolean that indicates whether Kerberos SSO authentication is enabled.

isCacheSecurityContext

public boolean isCacheSecurityContext()
                               throws SDKException

Returns a boolean that indicates whether the security context (session ticket) for Kerberos authentication is stored in the server’s cache.

This feature applies to the following servers:

If this property is enabled, use the setProviderContextCacheExpiry(int seconds) method to set the length of time that the security context will be stored in the cache.

Returns:
true if the security context for Kerberos authentication is stored in the server's cache, and false otherwise.
Throws:
SDKException - This is thrown if the process is unsuccessful.

setCacheSecurityContext

public void setCacheSecurityContext(boolean value)

Sets a boolean that indicates whether the security context (session ticket) for Kerberos authentication is stored in the server’s cache.

This feature applies to the following servers:

If this property is enabled, use the setProviderContextCacheExpiry(int seconds) method to set the length of time that the security context will be stored in the cache.

Parameters:
value - A boolean that specifies whether the security context is stored in the server's cache.

getServicePrincipalName

public java.lang.String getServicePrincipalName()
                                         throws SDKException

Returns the service principal name (SPN).

The service principal name is associated with the principal (user or groups) and the security context (logon ticket or Kerberos ticket) that the service or application uses to run a process. For BusinessObjects Enterprise to accept Kerberos tickets, the SPN must be equivalent to the account used to control the BusinessObjects Enterprise servers. For more information, see the BusinessObjects Enterprise Administrator’s Guide.

Returns:
A String that contains the SPN.
Throws:
SDKException - This is thrown if the process is unsuccessful.

setServicePrincipalName

public void setServicePrincipalName(java.lang.String name)

Sets the service principal name (SPN).

The service principal name is associated with the principal (user or groups) and the security context (logon ticket or Kerberos ticket) that the service or application uses to run a process. For BusinessObjects Enterprise to accept Kerberos tickets, the SPN must be equivalent to the account used to control the BusinessObjects Enterprise servers. For more information, see the BusinessObjects Enterprise Administrator’s Guide.

Note: This method sets the value for the SI_SERVER_SSPI_SPN property.

Parameters:
name - A String that specifies the SPN.

isSSOEnabled

public boolean isSSOEnabled()
                     throws SDKException

Returns a boolean that indicates whether single sign-on authentication (SSO) is enabled.

Returns:
true if SSO is enabled, and false otherwise.
Throws:
SDKException - This is thrown if the process is unsuccessful.

setSSOEnabled

public void setSSOEnabled(boolean value)

Sets a boolean that indicates whether single sign-on authentication (SSO) is enabled.

Set to true to enable SSO.

Parameters:
value - A boolean that indicates whether SSO is enabled.
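
A read-only review of the settings this interface exposes, as an added example that is not part of the SDK documentation. It calls only getters listed on this page; the class name SecWinADAudit and its audit method are hypothetical, the caller supplies the IsecWinADBase instance, and the import path of SDKException and the backslash-separated AdminName format are assumptions.

```java
import com.crystaldecisions.sdk.exception.SDKException; // assumed package of SDKException
import com.crystaldecisions.sdk.plugin.authentication.secwinad.IsecWinADBase;
import java.util.ArrayList;
import java.util.List;

/** Added example (hypothetical class): flags secWinAD settings worth a reviewer's attention. */
public final class SecWinADAudit {
    public static List<String> audit(IsecWinADBase ad) throws SDKException {
        List<String> findings = new ArrayList<String>();

        // Availability values documented on this page: -1 unloaded, 0 enabled, 1 disabled.
        int state = ad.getAvailability();
        if (state != 0) findings.add("AD authentication is not enabled (availability=" + state + ")");

        // The domain part of AdminName is not optional; assume the form domain\account.
        String admin = ad.getAdminName();
        int slash = (admin == null) ? -1 : admin.indexOf('\\');
        if (slash <= 0 || slash == admin.length() - 1) {
            findings.add("AdminName is not domain-qualified; group mapping needs the domain");
        }

        // Kerberos tickets are accepted only when the SPN matches the servers' account.
        String spn = ad.getServicePrincipalName();
        boolean kerberos = ad.isKerberosEnabled();
        if (kerberos && (spn == null || spn.trim().isEmpty())) {
            findings.add("Kerberos SSO is enabled but no service principal name is set");
        }
        if (kerberos && ad.isCacheSecurityContext()) {
            findings.add("Security contexts are cached on the server; review the cache expiry");
        }

        // AliasAutoAdd attaches an AD alias to an existing Enterprise account of the same name.
        if (ad.isAliasAutoAdd()) {
            findings.add("AliasAutoAdd is on: AD users are linked to same-named Enterprise accounts");
        }

        // MappedGroups is one semicolon-separated string; list each group that grants access.
        String mapped = ad.getMappedGroups();
        int count = 0;
        for (String sid : (mapped == null ? "" : mapped).split(";")) {
            if (!sid.trim().isEmpty()) { count++; findings.add("Mapped AD group: " + sid.trim()); }
        }
        if (count == 0) findings.add("No AD groups are mapped");

        // Unqualified logon names are resolved against DefaultDomain.
        String domain = ad.getDefaultDomain();
        if (domain == null || domain.trim().isEmpty()) findings.add("DefaultDomain is empty");
        return findings;
    }
}
```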