LDAP Single-Sign-On explained
1 July, 2017
Updated documentation can now be found via our YF community.
Here is how LDAP Single-Sign-On works with Yellowfin.
The webservice authenticates with a Yellowfin user.
This is usually an admin user that will authenticate communication between the client and Yellowfin webservices.
The webservice consists of a Request Object.
The loginId attribute is the userid that authenticates the webservice call.
The password attribute is the password for the user that authenticates the webservice call.
This user will require a "webservices" function to be enabled in their Yellowfin role.
The function attribute should be set to "LOGINUSERNOPASSWORD".
The orgid attribute should be set to 1.
The Request Object contains a person attribute. This is an AdministrationPerson object.
This object contains the details that a user would type into the login/password box to log in.
It has a userId and password attribute.
In a normal case, the client application will have access to the userid and password, and these could be passed through in this object.
However, with LDAP authentication, neither the client application nor Yellowfin has access to the user's password.
This requires a special Single-Sign-On call that only validates the username; it doesn't require a password. If the username is associated with an LDAP user, it will test that the user exists and that they have the correct access, but it doesn't attempt a bind to the LDAP server.
To generate the webservice function stubs in .NET, point your IDE at the WSDL provided by Yellowfin.
Note: You can see the available WSDL for each of the services at http:///services.
To enable Yellowfin login without a password, a modification needs to be made to the Yellowfin configuration tables, as noted on page 18 of the following Integration Guide.
Also see the post LDAP Authentication Guide.
Please see the Yellowfin Integration Guide for more information.