TARGIT can now delegate user authentication to external identity providers such as Azure, ADFS, Google etc.
OpenID is increasingly becoming a standard for user authentication. Organizations that already embrace this technology will be delighted to learn that TARGIT now also supports this.
Disclaimer: Administrators working with setting TARGIT up for OpenID user authentication will need to know in advance how to work with the interface of the external identity provider of choice.
When you add a new external identity provider to your TARGIT solution, these are the general steps to take:
Before adding an external identity provider, make sure that Public URLs for the TARGIT Server and the Anywhere component are set up correctly. This is done in the TARGIT Management client, in Setup / Back-end:
Note: Replace “localhost” with the correct server name or IP address within your organization. Also note that the Anywhere component (on the IIS) and the TARGIT server are not necessarily installed on the same server.
The OpenID authentication method has become a new option in the TARGIT Management client’s Security settings:
The Identity Providers dialog lets you add one or more identity providers to the list.
When you add a new Identity Provider, you must fill in its settings in the IdentityProviderEditor dialog:
Example of a filled-in Identity Provider for Azure OpenID:
The icon and the name are what the end-user will see when logging on to a TARGIT client.
An Identity Provider’s associated script is essential for, at least, the mapping between the external identity provider’s AD users and groups and the internal AD users and groups.
You will need to know the SIDs from both sides.
Example of a script related to an Azure OpenID identity provider:
Use the “Test Login” option to log in as one of the authenticated users. The information you get in return can be used for filling in parts of your script, e.g. a group SID.
Furthermore, once you have done a Test Login and potentially modified your script, you can then “Run” the script. This will do the mapping and, in Outputs, give you additional information about the user, based on the internal AD.
Now that this user has been mapped from an external identity provider group to an internal AD group (and assuming that internal AD groups already have been added to TARGIT roles), you can then Look up user permissions to get an overview of the user’s effective permissions with regard to access to documents folders, databases, forced criteria etc.
For an existing identity provider, you may:
The solution is based on OpenID Connect, where the user's identity is encoded in a secure JSON Web Token (JWT), called an ID token, based on the standard OAuth 2.0 flow.
The ID token resembles the concept of an identity card, in a standard JSON Web Token (JWT) format, signed by the Identity Provider. An ID token has a limited lifetime (e.g. 30 minutes), so a Refresh token is also provided that can be used to query for a new ID token. The Refresh Token will be necessary for e.g. running scheduled jobs, because we "simulate" a user login.
Authentication will take place at the Identity Provider in two steps.
The first step is to request an Authorization Code from the Identity Provider. For that, the TARGIT client will use a trusted agent (the standard system browser) separate from the TARGIT application. The browser will handle the dialogue that sends the End-User to the chosen Identity Provider.
At the Identity Provider, the End-User will typically be authenticated by checking if they have a valid session (established by a browser cookie), and in the absence of that, by prompting the user to login. After that the user will typically be asked whether they agree to sign into TARGIT.
The TARGIT client will pass the Authorization Code to the TARGIT Server, which in step two will do a “back-end” authorization against the Identity Provider and, in exchange for the Authorization Code, receive an ID token and the Refresh token. The ID token will be security-validated by TARGIT.
Functionality TARGIT Management:
An additional security model, “OpenID”, will be added in TARGIT Management.
In the “OpenID” security model you will be able to specify (“add”) which Identity Providers you want to trust. For a custom Identity Provider you will be able to define a URL with the address of the custom Identity Provider and request parameters in the URI query.
To integrate OpenID into our rights/role-based security model, it should be possible to define certain rules on each right/role that determine if the right/role will be active for a given user. These rules could be something like: if the value of claim x equals y, then this right/role should be active. The administrator can then create several rights/roles that define what each user can do, based on the contents of their ID token.
Functionality TARGIT Client:
When an end-user logs into TARGIT, the TARGIT Client should be responsible for launching the browser to initiate the OpenID Connect login. When an Authorization Code is received, it should be handed to the TARGIT Server, where the actual token handling takes place.
Functionality TARGIT Server:
The TARGIT Server will be the only one knowing the client secret, therefore the actual handling of the ID token and Refresh Token will take place here. Each right and role will be checked to see if any of the OpenID rules are met. After rights and roles have been determined, we will issue our own security token to the TARGIT Client to be used internally.
In this example, you already have an Azure portal account and your Azure AD is already set up with a number of users and groups.
Azure:
i. Apply a proper name (can be changed later) and Register
ii. Copy and store the Application (client) ID. You will need this later.
i. Microsoft Graph
ii. Delegated permission
iii. Checkmark Group.Read.All
iv. Click the Add permissions button at bottom.
i. "groupMembershipClaims": "All",
TARGIT:
i. Authorization Endpoint
ii. Token Endpoint
iii. Scope
Azure:
<div style="margin-left: 30.0px"> <iframe src="https://player.vimeo.com/video/352451742" noborder="0" width="800" height="450" allow="fullscreen" scrolling="yes" seamless></iframe> </div>
Iteration with Totals:
<div style="margin-left: 30.0px"> <iframe src="https://player.vimeo.com/video/352672483" noborder="0" width="800" height="450" allow="fullscreen" scrolling="yes" seamless></iframe> </div>
Iteration with Subtotals and 'Single' Dynamic content:
<div style="margin-left: 30.0px"> <iframe src="https://player.vimeo.com/video/352685617" noborder="0" width="800" height="450" allow="fullscreen" scrolling="yes" seamless></iframe> </div>
Iteration with Hierarchy and with Visibility agent:
<div style="margin-left: 30.0px"> <iframe src="https://player.vimeo.com/video/352460907" noborder="0" width="800" height="450" allow="fullscreen" scrolling="yes" seamless></iframe> </div>
Iteration on multi-page report:
<div style="margin-left: 30.0px"> <iframe src="https://player.vimeo.com/video/352474092" noborder="0" width="800" height="450" allow="fullscreen" scrolling="yes" seamless></iframe> </div>
Different Iterations on different pages:
<div style="margin-left: 30.0px"> <iframe src="https://player.vimeo.com/video/352484090" noborder="0" width="800" height="450" allow="fullscreen" scrolling="yes" seamless></iframe> </div>
With Generic Embedding we have made it a lot easier to embed the TARGIT Anywhere client in one of your Business Systems.
The idea is that you do not need to know the exact URL that TARGIT Anywhere requires in order to open the right document with the right criteria. Instead, in the assigned frame in your Business System, you create your own Permalink, something that makes sense to you and your Business System. Then, in the TARGIT Windows client, these Permalinks are mapped in a user-friendly interface to their corresponding documents and dimensions.
Generic Embedding from unknown Permalink:
<div style="margin-left: 30.0px"> <iframe src="https://player.vimeo.com/video/363283848" noborder="0" width="800" height="450" allow="fullscreen" scrolling="yes" seamless></iframe> </div>
Generic Embedding from pre-configured Permalink:
<div style="margin-left: 30.0px"> <iframe src="https://player.vimeo.com/video/363289387" noborder="0" width="800" height="450" allow="fullscreen" scrolling="yes" seamless></iframe> </div>
With Tabs you can open multiple documents in one client, rather than opening multiple clients with one document each.
As a Designer user you will benefit from this when:
As a Consumer user you will benefit from this when:
Tabs, general functionality and saving tabs as a bookmark:
<div style="margin-left: 30.0px"> <iframe src="https://player.vimeo.com/video/354644915" noborder="0" width="800" height="450" allow="fullscreen" scrolling="yes" seamless></iframe> </div>
Multi-select documents and open in tabs. User preference settings:
<div style="margin-left: 30.0px"> <iframe src="https://player.vimeo.com/video/354649415" noborder="0" width="800" height="450" allow="fullscreen" scrolling="yes" seamless></iframe> </div>
Open triggered document in new tab:
<div style="margin-left: 30.0px"> <iframe src="https://player.vimeo.com/video/354653148" noborder="0" width="800" height="450" allow="fullscreen" scrolling="yes" seamless></iframe> </div>
Publish and update your Dashboards and Slideshows as browser accessible HTML pages.
With Scheduled Publishing you can render Dashboards, Slideshows and Reports in "offline" mode. (Reports are rendered as PDF documents.)
End-users do not need a TARGIT client to view Dashboards and Reports.
All they need is a browser and the right URL. Even though these Dashboards are non-interactive (no filters, no drills, no triggers), end-users will be able to scroll large crosstabs.
Note: End-users are not authenticated when browsing the HTML output. I.e. everyone with access to the URL will see the same content.
Slideshows no longer need a TARGIT client to run on monitors.
The monitor simply needs a browser with the right URL to run the Slideshow.
When the HTML output is updated (e.g. every 10 minutes), the browser based Dashboards and Slideshows will automatically update as well.
Links
Scheduled Publishing uses links for publishing the output. Technically, the output is placed on the TARGIT Server, and the URL link points to this location.
When you administrate a Scheduled Publishing job, you can change the source document (e.g. replace a slideshow for a different slideshow) without changing the link. In this way, from your central list of scheduled jobs, you can manage what is being displayed on e.g. 15 wide-spread monitors around your organization.
You can even have multiple scheduled jobs publishing to the same link. E.g. one job publishes and updates a Slideshow every 10 minutes from 8:00 to 16:50. Another job publishes a dashboard to the same link at 17:00.
Administration
Scheduled Publishing only adds workload on the TARGIT server and the Data Warehouse when the output is published and updated. Most of the end-users' workload is handled by the browser, which furthermore is often heavily cached. This behavior has a positive effect on the robustness of published content:
Setting up a Scheduled job for a Published link (and first-time configuration of the Anywhere URL in TARGIT Management Studio):
<div style="margin-left: 30.0px"> <iframe src="https://player.vimeo.com/video/363305719" noborder="0" width="800" height="450" allow="fullscreen" scrolling="yes" seamless></iframe> </div>
Changing the source document for a Scheduled Publishing link:
<div style="margin-left: 30.0px"> <iframe src="https://player.vimeo.com/video/355965878" noborder="0" width="800" height="450" allow="fullscreen" scrolling="yes" seamless></iframe> </div>
Scheduled Publishing of Slideshow with custom link:
<div style="margin-left: 30.0px"> <iframe src="https://player.vimeo.com/video/356130984" noborder="0" width="800" height="450" allow="fullscreen" scrolling="yes" seamless></iframe> </div>
Easy Central Management of Scheduled Publishing jobs:
<div style="margin-left: 30.0px"> <iframe src="https://player.vimeo.com/video/356154966" noborder="0" width="800" height="450" allow="fullscreen" scrolling="yes" seamless></iframe> </div>
Two or more scheduled jobs publishing to the same link:
<div style="margin-left: 30.0px"> <iframe src="https://player.vimeo.com/video/356159207" noborder="0" width="800" height="450" allow="fullscreen" scrolling="yes" seamless></iframe> </div>
What happens if you change a publishing link? (Or the scheduled job is deleted, or the scheduled job hasn't run yet):
<div style="margin-left: 30.0px"> <iframe src="https://player.vimeo.com/video/356587012" noborder="0" width="800" height="450" allow="fullscreen" scrolling="yes" seamless></iframe> </div>
In previous versions of TARGIT you would be able to activate the so-called "Drillpad" in your Smartpad.
From this version on, the Drillpad is history.
Instead, you will be able to explore your Drill History (including opening of documents, applying global criteria etc.) using the Back and Forward buttons in the upper right corner of the TARGIT Windows client.
Furthermore, right-clicking any of these buttons will provide easy access to any point in your Drill History.
<div style="margin-left: 30.0px"> <iframe src="https://player.vimeo.com/video/356181583" noborder="0" width="800" height="450" allow="fullscreen" scrolling="yes" seamless></iframe> </div>