Configuring Group Membership

If you are using group authorization, you can configure IBM® SPSS® Collaboration and Deployment Services to query an LDAP provider to determine the group to which an authenticated user belongs. For more information about group authorization, see the topic Group Authorization.

Then, for group lookup to work properly, you must configure your repository first to add an LDAP or Active Directory provider and then to enable SSO using that provider:

  1. Start IBM SPSS Deployment Manager client and select File > New > Administered Server Connection... to create an administered server connection for your repository (if you do not have one already).
  2. Log on to the administered server connection and expand the Configuration folder.
  3. Right-click Security Providers, choose New > Security provider definition..., and enter the appropriate values. Click Help in the dialog for more information.
  4. Expand the Single Sign-On Providers folder, right-click Kerberos SSO Provider, and select Open.
  5. Click Enable, select your security provider, and then click Save. You do not have to fill in any other details here unless you want to use SSO (simply having the provider enabled is sufficient to allow the group lookup).
Important: For group lookup to work properly, the Kerberos provider you configure here must be the same as the provider you configured for IBM SPSS Statistics Server. In particular, they must be working within the same Kerberos realm. So if a user logs on to the server using SSO and it identifies him as jdoe@ibm.com (where ibm.com is the realm), it will expect the security provider in IBM SPSS Collaboration and Deployment Services to recognize that user principal name and return the corresponding group membership from the LDAP directory.