Author Topic: Sparx Cloud - User Access  (Read 10497 times)

kevinlyons

  • EA Novice
  • *
  • Posts: 7
  • Karma: +1/-0
Sparx Cloud - User Access
« on: September 06, 2016, 01:58:55 pm »
Hi All,

I have deployed SparxCloud twice now, and I need help to understand the access management.

Business Requirement: Access Sparx models that are deployed in the 'azure cloud'. Allow many different organisational users to access the model. e.g. own internal users and third party organisations that are doing project work.

Problem: You have to 'log in' twice!!! A Windows username/password dialog followed by a Sparx username/password dialog. Even though user credentials are in the sparx model and both logins check the same data.

The only way to get rid of the second login is if you enable 'Accept Windows Authentication' in the manage users dialog, and if your windows user id matches the username in the model and there is no password set.... But you can't log in to the first login dialog if you don't have a password.

If you are logged into a windows domain, then the username in sparx needs to include your domain e.g. DOMAIN NAME\user name. If you are not logged into a domain then your sparx username needs to match the windows user name.

So the ridiculous solution is to ... have two sparx logins. One that has a password set and the other that matches your windows user id but doesn't have a password set.

Has anyone got CloudService working with just a single login, for multiple organisations with their own windows domains, and external users who are just connecting from the public internet?

The user experience is terrible, so I would like to assume that I am doing something wrong and hope that someone out there is doing it correctly and can educate me.  Please.

Regards,
Kevin

Uffe

  • EA Practitioner
  • ***
  • Posts: 1859
  • Karma: +133/-14
  • Flutes: 1; Clarinets: 1; Saxes: 5 and counting
Re: Sparx Cloud - User Access
« Reply #1 on: September 06, 2016, 08:56:22 pm »
Hi Kevin,
As regards the EA project, the only way to synchronize its access control with anything is to accept Windows authentication, as you've noted. If you don't, each user will need to specify user and password when connecting.

But there are three points of access control, and you're not describing how you've set them all up. Put another way, your set of requirements is incomplete.

1) The database itself. Who has read/write access to the database? What users and/or groups? What DB engine are you on?

2) The cloud service. How have you set up the authentication?

3) The EA project.

Add to that:
0) The Windows domain. Is there a single one or are your cloud-served models supposed to be accessed from several different domains?

So please include that information and I'll take a look.


/Uffe
My theories are always correct, just apply them to the right reality.

Sunshine

  • EA Practitioner
  • ***
  • Posts: 1353
  • Karma: +121/-10
  • Its the results that count
Re: Sparx Cloud - User Access
« Reply #2 on: September 07, 2016, 06:52:58 am »
So you want single sign on with multiple organisations? Here is a thought, but untested. As each organisation will have its own active directory and user base you'll find it difficult, however not impossible. You should look into setting up federated Active Directory in Azure and pushing the user credentials up into Azure AD from each organisation. You should then set up the Sparx EA Cloud service and database to use the Azure AD. This way you might have a chance of succeeding with single sign on by using a single AD source.
There will probably be some challenges as each organisation will have its AD user base set up with different groups and processes and policies so managing these across different enterprises could be the biggest challenge.

Good luck and do let us know if you were successful.
Happy to help
:)

Eve

  • EA Administrator
  • EA Guru
  • *****
  • Posts: 8110
  • Karma: +119/-20
Re: Sparx Cloud - User Access
« Reply #3 on: September 07, 2016, 08:50:51 am »
Yes, the double login is a bit of a pain.

The http/https authentication prompt is displayed when the cloud service is set up with model authentication or global authentication (or when the IIS proxy is set up with authentication). The information entered into the dialog here is never accessible to EA, so it can't be re-used for a later model security prompt. The only way to suppress this prompt is to not require http authentication. Fine for internal connections, but not for anything exposed to the net.

If the target model doesn't need security, but you want to authenticate the http connection, use the global authentication option and reference a dedicated model for the log-in details.

When connecting to a model with security enabled, EA then needs to determine the user to log in as. As you know, this can be suppressed by allowing Windows authentication, but with the restriction that the full username of the user needs to match their computer login name.

I can't eliminate the double log-in in all circumstances, but I can limit it.

First, there's no issue with mixing usernames in the model including the domain and not. I recommend setting the username for each user to their primary/most used computer username. This way they will only get the security prompt when away from their normal environment.

Second, consider providing different methods for internal vs external access. It could be a separate cloud server, but more practical is providing an internal access port that is blocked by your firewall that doesn't require http authentication and an external access port that isn't blocked by your firewall that does.

Third, if users who are normally internal/domain users are complaining about the double prompt when accessing the model externally, you could provide a VPN so that they can access the internal port. They will still need to log in twice, but one will be the VPN access.

kevinlyons

  • EA Novice
  • *
  • Posts: 7
  • Karma: +1/-0
Re: Sparx Cloud - User Access
« Reply #4 on: September 07, 2016, 05:19:36 pm »
Thanks Simon.

I definitely need model security for locking packages.
Everyone is effectively external, until we set up a synced AD.

So it looks like I've hit on the only solution available to me, creating multiple accounts.

Thanks for the suggestions, but having a second account with no password is not very secure! So I have to either accept double login all the time, or compromise security and have a second account with no password!

Only problem now is trying to figure out why some organisations don't get the http/https authentication prompt and get an automatic 401 - Unauthorised error.

I suspect it has something to do with reverse proxies, but the logging in sparxcloud is not very helpful. I have it set to SYSTEM, which I think is the most detailed. Or am I best to turn logging on for the desktop?

It may also be the Virtual Desktop Infrastructure (VDI), but alas I'm just guessing.

As with most IT problems, there are so many moving parts, diagnosing the real problem is difficult. Not to mention that many of the components are black box.

Eve

  • EA Administrator
  • EA Guru
  • *****
  • Posts: 8110
  • Karma: +119/-20
Re: Sparx Cloud - User Access
« Reply #5 on: September 08, 2016, 08:46:32 am »
I don't think I was suggesting having additional accounts with no passwords. I have a couple of models that are accessed externally by all users. On those I have accepted the double prompt (and enabled the 'require secure and authenticated connection' option on the DB to enforce it).

401 error without prompt is something that happens on the client side. We have encountered it before, but I'm struggling to remember the details. It has something to do with the installed certificates on the client machine, and it's responding with a certificate instead of prompting for username and password. I can't remember if it was fixed by a cloud service update (to request username/password better) or EA update (improved detection of error/showing appropriate dialog.)

What I would like to see at some stage is a new option in EA 'Accept cloud authentication'.  That would allow only a single prompt again, but it requires time to update both EA and the cloud service.
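The "401 without a prompt" symptom discussed above has a server-side check worth doing before chasing client certificates: a 401 that arrives without a WWW-Authenticate challenge gives the client nothing to prompt with, which is typical of a misconfigured reverse proxy in front of the cloud service. The probe below is an added example, not Sparx code; the URL is a placeholder and the classification wording is my own.

```python
"""Probe a cloud-service port once, unauthenticated, and classify the reply.

Added example for the thread's 401-without-prompt symptom; not Sparx's own
tooling. CLOUD_URL is a placeholder you must replace (assumption).
"""
import http.client
import ssl
from urllib.parse import urlparse

CLOUD_URL = "https://sparx-cloud.example.invalid/"  # placeholder, not a real host


def classify(status: int, headers: dict) -> str:
    """Map status + headers onto the cases a double-login investigation cares about."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    if status == 401:
        challenge = hdrs.get("www-authenticate")
        if challenge is None:
            # RFC 7235 requires a challenge on 401; without it no client can prompt.
            return "401 without WWW-Authenticate: nothing to prompt with, check the proxy"
        scheme = challenge.split()[0].lower()
        if scheme == "basic":
            return "401 with Basic challenge: client should show the http login prompt"
        return f"401 with {scheme} challenge: client must support this scheme"
    if status == 200:
        return "200: no http authentication required on this port"
    if status in (301, 302, 307, 308):
        return f"{status} redirect to {hdrs.get('location')}: proxy rewrites before auth"
    return f"{status}: unexpected response"


def probe(url: str = CLOUD_URL, timeout: float = 5.0) -> str:
    """Send one GET with no credentials and classify what comes back."""
    u = urlparse(url)
    if u.scheme == "https":
        # Keep certificate verification on so a TLS problem shows up as such.
        conn = http.client.HTTPSConnection(
            u.hostname, u.port, timeout=timeout, context=ssl.create_default_context())
    else:
        conn = http.client.HTTPConnection(u.hostname, u.port, timeout=timeout)
    try:
        conn.request("GET", u.path or "/")
        resp = conn.getresponse()
        return classify(resp.status, dict(resp.getheaders()))
    except ssl.SSLError as exc:
        return f"TLS failure before any http auth: {exc}"
    except OSError as exc:
        return f"connection failed before any http auth: {exc}"
    finally:
        conn.close()


if __name__ == "__main__":
    print(probe())
```

Run it once from a machine that gets the prompt and once from one that gets the bare 401; if the two answers differ, the difference is in the path between them, not in EA.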

Bulent

  • EA Novice
  • *
  • Posts: 6
  • Karma: +0/-0
Re: Sparx Cloud - User Access
« Reply #6 on: June 21, 2017, 02:46:39 am »
Our users are also suffering from double login, and 401 errors which sometimes come up many times.

Simon M said: "The only way to suppress this error is to not require http authentication."

How can I cancel http authentication?

qwerty

  • EA Guru
  • *****
  • Posts: 13584
  • Karma: +397/-301
  • I'm no guru at all
Re: Sparx Cloud - User Access
« Reply #7 on: June 21, 2017, 04:29:01 am »
I guess by simply deleting the .htaccess for your server.

q.

Eve

  • EA Administrator
  • EA Guru
  • *****
  • Posts: 8110
  • Karma: +119/-20
Re: Sparx Cloud - User Access
« Reply #8 on: June 21, 2017, 08:49:28 am »
Our users are also suffering from double login, and 401 errors which sometimes come up many times.

Simon M said: "The only way to suppress this error is to not require http authentication."

How can I cancel http authentication?
The authentication is in your cloud config file. It specifies either a global authentication or a model authentication for each port opened. You'll need to restart the service after any changes. If you do remove authentication, you will also need to disable the 'Require a Secure and Authenticated connection' for that database in the cloud management client.