Hitachi Vantara Pentaho Community Wiki

Note: The Single Sign-On (SSO) Enable Script is part of the Pentaho BI Suite Enterprise Edition, which you can read about in Pentaho Editions Feature Comparison.


Single sign-on (SSO) allows a user to authenticate once and then request secured resources from members of the SSO system without re-authenticating. Pentaho can integrate with SSO systems like CA SiteMinder and CAS. For more information, please refer to the Spring Security documentation on CA SiteMinder integration (in the Pre-Authentication chapter) and CAS integration. The remainder of this document discusses integrating Pentaho with CAS.

Central Authentication Service

CAS is a single sign-on service. When users explicitly attempt to log in (also known as authenticating) or when users request a resource which requires authentication, they are redirected to the CAS application. It alone handles the username and password submitted by the user. Upon successful login, CAS returns the user to the resource originally requested. It is up to the application containing the requested resource to grant or deny access based on authorization rules inside that application. Note that CAS provides only the name of the authenticated user to each application; it is up to each application to fetch the roles belonging to the authenticated user. Once the application has fetched those roles, it can make authorization decisions based on them.

In CAS terminology, a "service app" refers to a "client" of the Central Authentication Service; it relies on CAS to authenticate users for it. The Pentaho BI Platform is a service app. Also note that the backing database used by CAS to check usernames and passwords is not necessarily the same backing database used by client applications to fetch roles.
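The split described above (CAS vouches for a username, the service app looks up roles and decides) can be sketched as follows. This is an added example, not Pentaho or CAS project code; it assumes the CAS 2.0 XML validation response format, and the sample responses, usernames, role names and the `APP_ROLES` store are constructed for illustration.

```python
import xml.etree.ElementTree as ET

CAS_URI = "http://www.yale.edu/tp/cas"
CAS_NS = {"cas": CAS_URI}

# Constructed sample validation responses (CAS 2.0 format assumed).
# In a deployment the service app obtains this XML itself from the CAS
# server over a back-channel call; it is never taken from the browser.
SUCCESS = f"""<cas:serviceResponse xmlns:cas="{CAS_URI}">
  <cas:authenticationSuccess>
    <cas:user>suzy</cas:user>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

FAILURE = f"""<cas:serviceResponse xmlns:cas="{CAS_URI}">
  <cas:authenticationFailure code="INVALID_TICKET">not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""

# Hypothetical role store owned by the service app. It is separate from
# whatever database CAS uses to check usernames and passwords.
APP_ROLES = {"suzy": {"Authenticated", "ceo"}, "pat": {"Authenticated"}}


def authenticated_user(response_xml):
    """Return the username CAS vouches for, or None. Fails closed."""
    try:
        root = ET.fromstring(response_xml)
    except ET.ParseError:
        return None
    if root.tag != f"{{{CAS_URI}}}serviceResponse":
        return None
    # Any failure element wins, even if a success element is also present.
    if root.find("cas:authenticationFailure", CAS_NS) is not None:
        return None
    user = root.findtext("cas:authenticationSuccess/cas:user",
                         default="", namespaces=CAS_NS).strip()
    return user or None


def authorize(response_xml, required_role, role_store=APP_ROLES):
    """Authorization is the app's job: CAS supplies only the name."""
    user = authenticated_user(response_xml)
    if user is None:
        return False
    # A user CAS authenticated but the app has no roles for gets nothing.
    return required_role in role_store.get(user, set())
```

A user who authenticates successfully at CAS but is absent from the application's role store is denied, which is the case to check when the two backing databases drift apart.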

Integrating Pentaho with CAS SSO

Enabling CAS SSO in Pentaho is as simple as running the SSO Enable Script, which is part of the Pentaho BI Suite Enterprise Edition. The script assumes that a CAS server is already configured. However, if you are setting up a new CAS server, some helpful tips can be found in CAS Tips & Troubleshooting.