Overview of trusted authentication process

Cloudera Data Visualization supports embedding applications within client pages through an HTML iframe component. You have two options: one for open access and another with trusted authentication for enhanced security.

In trusted authentication, the Cloudera Data Visualization Server authenticates the <iframe> request made by the client and then returns the visualization. To achieve this authentication, Cloudera Data Visualization uses the trusted authentication protocol, which involves the following steps:
  1. User Browser requests an App page.

    The user requests a web page from the parent web server, which includes an embedded Cloudera Data Visualization visual within an <iframe> element.

  2. App Server requests a ticket from the Cloudera Data Visualization Server.

    The parent App Server makes a POST ticket request to the Cloudera Data Visualization Server, including the Cloudera Data Visualization username for authenticating the <iframe>.

    The ticket request can be authenticated through one of two methods:
    • Ticket-granting user: The ticket request includes the Cloudera Data Visualization username and password of the trusted ticket granter. This account does not normally have admin or superuser privileges. For more information, see Post ticket request using a ticket-granting user.

    • Trusted IP: The parent App Server is listed among trusted IPs. The POST request includes only the Cloudera Data Visualization username to obtain the ticket-granting user's full credentials. For more information, see Post ticket request using an IP.

    By default, the ticket may only be used once. However, it can be configured for multiple uses for debugging purposes. The ticket is valid for a configurable time period before expiring.

  3. Cloudera Data Visualization Server authenticates the request and returns a unique ticket.
    • If the request is valid, the Cloudera Data Visualization Server creates a ticket and returns it as a response to the POST request.

    • If the request is invalid, it returns the value of -1 as a response to the POST request.

  4. App Server returns an HTML page that contains an iframe tag with the Cloudera Data Visualization URL and the ticket.

    The parent App Server uses the ticket to generate a unique URL containing the ticket for the embedded visual. This URL is used for the visual's <iframe> element in the HTML returned to the client. For more information, see Request Visual from Cloudera Data Visualization Server.

  5. User Browser requests the iframe from the Cloudera Data Visualization Server, including the ticket.

    The client browser uses the iframe URL obtained in the previous step to request the App from the Cloudera Data Visualization Server.

  6. Cloudera Data Visualization Server authenticates User Browser based on the ticket and returns the visualization for the iframe.

    The Cloudera Data Visualization Server authenticates the <iframe> request based on the ticket that is part of the request URL. If the ticket is valid, it automatically logs in the username specified in the original POST request and then sends the visual to the client.

After the user is logged in using the ticket, they can request any other URL until that session expires. The login session expires at the end of the browser session.
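As an added illustration of the ticket semantics described in the steps above (single-use by default, configurable expiry, the -1 response to an invalid request, and the trusted-IP versus ticket-granting-user paths), the following Python simulates both sides of the exchange. It is not Cloudera's code: the POST parameters, the iframe path and query layout, and the sample users and addresses are assumptions.

```python
import hmac
import secrets
from urllib.parse import quote

INVALID = -1  # the documented response to an invalid ticket request


class TrustedTicketServer:
    """Simulated Cloudera Data Visualization server side of the flow (not the product's code)."""

    def __init__(self, granter_user, granter_password, trusted_ips=(), ttl_seconds=60, max_uses=1):
        self.granter = (granter_user.encode(), granter_password.encode())
        self.trusted_ips = set(trusted_ips)
        self.ttl = ttl_seconds     # ticket lifetime; configurable on the real server
        self.max_uses = max_uses   # 1 = single-use (the default); raise only for debugging
        self.tickets = {}          # ticket -> {"user", "expires", "uses"}

    def post_ticket(self, username, client_ip, now, granter_user=None, granter_password=None):
        """Steps 2-3: authenticate the App Server by trusted IP or by granter credentials."""
        by_ip = client_ip in self.trusted_ips
        by_creds = (granter_user is not None and granter_password is not None
                    and hmac.compare_digest(granter_user.encode(), self.granter[0])
                    and hmac.compare_digest(granter_password.encode(), self.granter[1]))
        if not username or not (by_ip or by_creds):
            return INVALID
        ticket = secrets.token_urlsafe(32)   # unguessable, never reused
        self.tickets[ticket] = {"user": username, "expires": now + self.ttl, "uses": 0}
        return ticket

    def redeem(self, ticket, now):
        """Step 6: validate the ticket from the iframe URL; return the user to log in, or None."""
        entry = self.tickets.get(ticket)
        if entry is None or now > entry["expires"]:
            self.tickets.pop(ticket, None)   # expired tickets are discarded
            return None
        entry["uses"] += 1
        if entry["uses"] >= self.max_uses:
            del self.tickets[ticket]         # consumed: single-use by default
        return entry["user"]


def iframe_url(base_url, visual_path, ticket):
    """Step 4: App Server builds the iframe src; the path and query layout are assumed placeholders."""
    return f"{base_url}{visual_path}?ticket={quote(ticket, safe='')}"


if __name__ == "__main__":
    s = TrustedTicketServer("ticket_granter", "granter-secret", trusted_ips={"10.0.0.5"})
    t = s.post_ticket("analyst", "10.0.0.5", now=1000)   # trusted-IP path: username only
    print(iframe_url("https://dataviz.example", "/embed/visual", t))
    print(s.redeem(t, now=1010), s.redeem(t, now=1011))   # analyst None
```

The `now` argument is an explicit clock so expiry can be exercised deterministically; a real server would read the current time itself.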