Configure User Authentication/Authorization
Use the default passphrase authentication to run the VTune Profiler Server, or benefit from your company solutions with reverse proxy or SAML authentication.
User authentication and authorization for VTune Profiler Server is controlled by a configuration file stored in
<. This configuration file uses YAML format and comes with brief inline documentation describing available configuration options.
In the default personal use mode, VTune Profiler Server is configured to use passphrase authentication/authorization. When you start the server, you can specify a passphrase:
There are no usernames involved: if the passphrase is shared between multiple users, then they are treated as the same user.
VTune Profiler persists the hash of the passphrase. The browser also persists a secure HTTPS cookie so that you do not enter the passphrase each time. Cookie expiration time is configurable, default value is 365 days. When you access the VTune Profiler Server from a different machine or use a different browser, or if the browser cookies are cleaned / expired, then you are prompted to enter the passphrase again.
If you forget the passphrase, you can reset it by re-running the VTune Profiler Server using the
--reset-passphraseoption. The server provides an outcome URL with a one-time token to reset the passphrase:
vtune-backend --reset-passphrase Serving GUI at https://127.0.0.1:65417?one-time-token=e2ed7c1365c972ec1024ac4e53179a08
When you open this URL in a web browser, you are prompted to set a new passphrase.
Reverse Proxy Authentication
VTune Profiler Server can be deployed behind a reverse proxy, which is a web server that forwards all requests to the VTune Profiler Server and serves its responses back to the user. With this type of setup, the system administrator can configure arbitrary user authentication and authorization in the reverse proxy. Reverse proxy is configured to pass authenticated user ID to the VTune Profiler Server, while the VTune Profiler Server is configured to trust this user ID.
To enable the reverse proxy authentication, the administrator needs to follow these steps:
- Change the authentication type in the<tovtune-install-dir>/backend/config.ymlreverse-proxyand specify theheader, which is an HTTP header that reverser proxy uses to pass authenticated user ID.
- Start the VTune Profiler Server as follows:
You are recommended to use the client certificate authentication even when VTune Profiler Server and the reverse proxy are on the same host to prevent an unauthorized access from the host system.
- If VTune Profiler Server and reverse proxy are on the same host:start the VTune Profiler Server without the--allow-remote-uioption to prevent remote connections to be accepted by the VTune Profiler Agent:vtune-backend --web-port=8080 Serving GUI at https://127.0.0.1:8080 warn: Server access is limited to localhost only. To enable remote access, restart with --allow-remote-ui.
- If VTune Profiler Server and reverse proxy are on different hosts: configure the reverse proxy to use a client certificate authentication when calling the VTune Profiler Server. Provide the VTune Profiler Server with the path to the pubic part of the reverse proxy client certificate :vtune-backend --allow-remote-ui --client-certificate /path/to/public/reverse/proxy/cert.crt
SAML SSO Authentication
VTune Profiler Server supports SAML 2.0 Single Sign On (SSO) for user authentication.
To enable the SAML SSO authentication, the Admin needs to follow these steps:
- Request the IT service to register the VTune Profiler Server into the SAML SSO infrastructure. The request should include the entity ID, consume URL (rootUrl+consumePath), and the name of a network user group to be provided with an access to the VTune Profiler Server.In response, the IT service provides the entry point for SAML Identity Provider and its public certificate.
- Enter the data provided with the IT service to theentryPointandcertfields in theconfig.ymlfile.
- Start the VTune Profiler Server.