Retrieving and Mapping a User ID to a MicroStrategy User

There are situations when you may want a user to connect to MicroStrategy Web with a different ID from the one by which he or she is recognized in your external user repository. For example, a user may log in to your system as JohnA, and the user profile "JohnA" is then passed on to other applications as he requests access to them. However, the user profile (along with its related privileges) that he may actually want to access within MicroStrategy is JArmstrong. This can occur when MicroStrategy has been in place for some time before an external user repository is established. In this situation, a mapping must occur between the userID provided when the user logs in to the system, and the different userID that is needed to log in to MicroStrategy Web. This mapped relationship between the two userIDs can be saved in an external database, or it can be calculated programmatically, based on your business requirements.

There are two approaches to handle this situation. The code to implement each approach is provided below.

• Use the processMSTRLoginForm method in a custom ESM

  In this approach, the user logs in to your system with his usual login credentials, and this login information is used to retrieve this user's MicroStrategy-specific credentials to handle the user's MicroStrategy request. Using the example above, the user enters JohnA and a system password as his login credentials to the system. When the user then requests MicroStrategy data, code within a custom ESM in MicroStrategy Web maps the login credentials JohnA and associated login password map to the MicroStrategy user ID JArmstrong and associated MicroStrategy password.  

• Use the handlesAuthenticationRequest method in a custom ESM

  In this approach, the user ID from the user context within an authentication provider, such as an identity management application, is passed to MicroStrategy Web. Code within a custom ESM  in MicroStrategy Web must retrieve the user context based on a lookup table or an algorithm.

The approach you choose for performing the user mapping between different user IDs is based on your own business requirements, such as whether you want to implement a database lookup table or programmable logic. Both of these approaches assume that if login credentials exist, there is a function or algorithm that can provide the mapped MicroStrategy credentials.

Approach 1:  Use the processMSTRLoginForm method in a custom ESM

To implement this approach, you must create a custom ESM with appropriate code in the processMSTRLoginForm method. This method is called to give a third-party authentication provider access to the form fields supplied in a MicroStrategy login request.  You can write code within this function to replace the supplied credentials with a different set of credentials.

public boolean processMSTRLoginForm(RequestKeys reqKeys, ContainerServices cntSvcs, LoginForm loginForm, int reason)
{
 
//Get the values from the form
String enteredUID = loginForm.getLoginName();
String enteredPWD = loginForm.getPassword();
//Use the values entered to determine the mapped userID (and password) to be used
//using database lookup or an algorithm.
.....
.....
 
//Assume that it is saved in the variable newUID and newPWD.
.....
.....
loginForm.getWebIServerSession().setLogin(newUID);
loginForm.getWebIServerSession().setPassword(newPWD);
 
//Check to make sure that a session can be created
//using the new credentials.
 
loginForm.setFormStatus("true");
return loginForm.getFormStatus();
}

Approach 2:  Use the handlesAuthenticationRequest method in a custom ESM

See Retrieving and validating a token for information on how to retrieve the user ID from a third-party authentication provider and to see how this user ID is passed. If there is no mapping, the variable SSOUserID is passed directly to the createISSession method. This method is defined in the Single Sign-on Sample in Retrieving and Validating a Token.

public int handlesAuthenticationRequest(RequestKeys reqKeys, ContainerServices cntSvcs, int reason)
{
 
// Call Validate token to validate the token which returns the UserID.
 
String SSOUserID=validate(ssoURL, token, cntSvcs);
if (StringUtils.isEmpty(SSOUserID)){
//invalid token
return USE_CUSTOM_LOGIN_PAGE;
}
 
//Use the SSOUserID value entered to determine the mapped userID (and password) to be used
//using database lookup or an algorithm.
//Assume that it is saved in the variable newUID and newPWD.
.....
.....
 
//Valid token and hence create session.
//The signature for the following method is defined in Retrieving and validating a token.
boolean success = createISSession(newUID,reqKeys, cntSvcs);
if (success) {
//session created successfully
cntSvcs.setSessionAttribute(SSO_TOKEN_NAME,token);
return COLLECT_SESSION_NOW;
} else {
//cannot create session
return USE_CUSTOM_LOGIN_PAGE;}

See Retrieving and validating a token for a more detailed explanation of Approach 2.

See also

• Authentication Integration and Single Sign-On  

• Customizing Authentication  

• Retrieving and validating a token