Embed a Dossier with Seamless Login

When you embed a MicroStrategy dossier in your application, you can provide a seamless login experience for users who are already authenticated on your server so that they don't have to authenticate again on the MicroStrategy Server.

Refer to the Embedding SDK for an explanation of how to embed a dossier.

For example, assume that a user is already authenticated with a third-party server and this 3rd-party server is managing the user credentials so that it can authenticate with other applicationson the user's behalf. (The third-party server is responsible for securing the data and initiating authentication on HTTPS.)

When a user is already logged in to a third-party application authorization server, the authentication workflow for the embedded Dossier is as follows:

1. The third-party application authorization server logs in, invoking a REST API login endpoint (POST /auth/login) and providing the user's credential information.
2. Once the user is logged in, the identity token can be retrieved with the authorization token, using POST /api/auth/identityToken. The REST server returns an identity token to the client in the response header. The identity token has a very short duration.
3. The client provides the identity token to the third-party application hosting the embedded dossier.
4. An iFrame, inside the hosting application, uses this identity token to log into the REST server using the GET api/auth/delegate end-point.
5. The REST Server creates a new HTTP session and returns a new authorization token, which essentially maps to the existing Intelligence Server session created for that user. The REST server also creates a JSessionId cookie to maintain a session.
6. Subsequent requests from the iFrame within the hosting application use the authorization token with the session cookie. In addition, if the resources require a project ID, the request needs to include X-MSTR-ProjectID in the header.