Configuring Microsoft Active Directory

When you configure i2 Analyze to use SPNEGO, users defined in Microsoft Active Directory are the identities that authenticate to i2 Analyze. Groups defined in Active Directory are used to control i2 Analyze functionality, including data access, feature availability, and artifact sharing.

About this task

To use membership of Microsoft Active Directory groups as the basis for allowing or denying access to data, either:

  • the group names must match the values of UserGroup attributes of <GroupPermissions> elements in the i2 Analyze security schema file, or

  • you must use provisioning to map Active Directory groups to i2 Analyze groups.

Note: The security schema that the deployment uses is defined in the ApolloServerSettingsMandatory.properties file. The security schema and properties files are in the toolkit\configuration\fragments\common\WEB-INF\classes directory.

In a single sign-on setup, the following users must also be present in Active Directory:

  • A user for the server that hosts the i2 Analyze application, which is mapped to a Kerberos Service Principal Name (SPN).

  • The users that are used to log in to i2 Analyze.

Procedure

If your organization already uses Active Directory, you can use the existing groups and users to control access to i2 Analyze, and the steps below are not necessary.

Tip: If you want only some of the users and groups in Active Directory to be able to access i2 Analyze, you can use provisioning as a filter.

If you're setting up Active Directory for the first time, specifically for use with i2 Analyze, you can create the users and groups that you need.

  1. Create the Microsoft Active Directory groups:

    1. Open the Microsoft Active Directory groups controller.

    2. Create groups whose names exactly match the values of UserGroup attributes of <GroupPermissions> elements in the i2 Analyze security schema file.

    For more information, see How to Create a Group in Active Directory.

  2. Create the Microsoft Active Directory user accounts that can be used to log in to i2 Analyze.

    For more information, see How to Create a Domain Account in Active Directory.

  3. Make each user a member of the appropriate groups for your environment.

    For more information, see Adding Users to an Active Directory Group.
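Because step 1 requires the Active Directory group names to match the UserGroup values in the security schema exactly, a quick reconciliation check is useful before users are added. The following PowerShell script is an added example, not part of the IBM documentation or the i2 Analyze toolkit; the schema file name, the target OU, and the use of a global security group for each UserGroup value are assumptions for your deployment.

```powershell
# Added example (not IBM's tooling): compare the UserGroup values in the i2 Analyze
# security schema with the groups that exist in Active Directory, and optionally
# create the missing ones. Requires the ActiveDirectory PowerShell module.
#Requires -Modules ActiveDirectory
param(
    # Placeholder: the security schema file named in ApolloServerSettingsMandatory.properties
    [string]$SchemaPath = 'C:\i2\toolkit\configuration\fragments\common\WEB-INF\classes\security-schema.xml',
    # Placeholder OU in which new groups are created
    [string]$GroupOu    = 'OU=i2Analyze,DC=example,DC=com',
    # Without -Create the script only reports; a report-only run is the safe default
    [switch]$Create
)

# Collect the UserGroup attribute of every <GroupPermissions> element.
# local-name() keeps the lookup independent of any XML namespace prefix.
[xml]$schema = Get-Content -Path $SchemaPath -Raw
$required = $schema.SelectNodes("//*[local-name()='GroupPermissions']/@UserGroup") |
    ForEach-Object { $_.Value } | Sort-Object -Unique

if (-not $required) { throw "No GroupPermissions/UserGroup values found in $SchemaPath" }

$missing = @()
foreach ($name in $required) {
    # Match on the group Name, which is what the schema value must equal
    $grp = Get-ADGroup -Filter "Name -eq '$name'" -ErrorAction Stop
    if ($null -eq $grp) {
        Write-Host "MISSING  $name"
        $missing += $name
    } elseif ($grp.Name -cne $name) {
        # AD lookups are case-insensitive; flag a case difference explicitly
        Write-Warning "AD group '$($grp.Name)' differs in case from schema value '$name'"
    } else {
        Write-Host "OK       $name"
    }
}

if ($Create -and $missing) {
    foreach ($name in $missing) {
        # Assumption: a global security group per UserGroup value in the dedicated OU
        New-ADGroup -Name $name -SamAccountName $name -GroupCategory Security `
            -GroupScope Global -Path $GroupOu -Description 'i2 Analyze UserGroup from security schema'
        Write-Host "CREATED  $name"
    }
}
```

Run it once without -Create to review the report, then with -Create from an account that is permitted to create groups in the target OU.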

Results

The users that can access i2 Analyze are created, and are members of the system user groups that govern their access to functionality.