Getting the SSO user's group membership

When a user logs on to SPSS® Modeler Server using SSO and the server is running as non-root, the name of the authenticated user is not associated with an operating system user account, so the server cannot obtain the user's operating system group membership. So how is group configuration performed in this case?

We assume the user is registered in an LDAP directory (which could be Active Directory) and we can request the group membership from the LDAP server. SPSS Modeler Server can query the LDAP provider in IBM® SPSS Collaboration and Deployment Services for the group membership.

There are two properties in options.cfg on the SPSS Modeler Server that control the server's access to the IBM SPSS Collaboration and Deployment Services Repository:

     repository_enabled, N
     repository_url, ""

To enable group lookup, you must set both properties. For example:

     repository_enabled, Y
     repository_url, "http://jdoemachine.spss.ibm.com:9083"

The repository connection is only used for SSO group lookup, so you do not need to change these property settings unless you need this feature.

For group lookup to work properly, you must configure your repository first to add an LDAP or Active Directory provider and then to enable SSO using that provider:

  1. Start IBM SPSS Deployment Manager client and select File > New > Administered Server Connection... to create an administered server connection for your repository (if you do not have one already).
  2. Log on to the administered server connection and expand the Configuration folder.
  3. Right-click Security Providers, choose New > Security provider definition..., and enter the appropriate values. Click Help in the dialog for more information.
  4. Expand the Single Sign-On Providers folder, right-click Kerberos SSO Provider, and select Open.
  5. Click Enable, select your security provider, and then click Save. You do not have to fill in any other details here unless you want to use SSO (simply having the provider enabled is sufficient to allow the group lookup).

Important: For group lookup to work properly, the Kerberos provider you configure here must be the same as the provider you configured for SPSS Modeler Server. In particular, they must be working within the same Kerberos realm. So if a user logs on to SPSS Modeler Server using SSO and the server identifies that user as jdoe@SPSS.COM (where SPSS.COM is the realm), it will expect the security provider in IBM SPSS Collaboration and Deployment Services to recognize that user principal name and return the corresponding group membership from the LDAP directory.
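
The following pre-flight check is an added example, not IBM code: it parses the two options.cfg properties shown above and compares the realm of an SSO principal with the realm the repository's Kerberos provider serves. The function names, the `repo_realm` argument (supplied by the administrator) and the finding texts are assumptions of this example, as is the choice to report a plain `http` repository URL as something to review.

```python
import re
from urllib.parse import urlparse

# Constructed sample in the "name, value" form shown on this page.
SAMPLE_CFG = '''\
repository_enabled, Y
repository_url, "http://jdoemachine.spss.ibm.com:9083"
'''

def parse_options(text):
    """Return {name: value} for each 'name, value' line, quotes stripped."""
    opts = {}
    for line in text.splitlines():
        m = re.match(r'\s*([A-Za-z0-9_]+)\s*,\s*(.*?)\s*$', line)
        if m:
            opts[m.group(1)] = m.group(2).strip('"')
    return opts

def realm_of(principal):
    """Realm part of user@REALM, or None when either part is missing."""
    user, sep, realm = principal.rpartition("@")
    return realm if sep and user and realm else None

def check_group_lookup(cfg_text, modeler_principal, repo_realm):
    """List findings that would stop SSO group lookup or deserve review."""
    opts = parse_options(cfg_text)
    url = opts.get("repository_url", "")
    findings = []
    # Both properties must be set; this example accepts only the literal Y.
    if opts.get("repository_enabled", "N") != "Y":
        findings.append("repository_enabled is not Y")
    if not url:
        findings.append("repository_url is empty")
    else:
        parts = urlparse(url)
        if not parts.hostname:
            findings.append("repository_url has no host")
        elif parts.scheme == "http":
            # Assumption of this example: unencrypted lookups merit review.
            findings.append("repository_url is plain http")
    realm = realm_of(modeler_principal)
    # Kerberos realm names are case-sensitive, so compare them exactly.
    if realm is None:
        findings.append("principal has no realm")
    elif realm != repo_realm:
        findings.append(f"realm mismatch: {realm} != {repo_realm}")
    return findings
```

An empty list means both properties are set and the realms agree; it does not prove that the repository's security provider actually resolves the principal.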