Provider Trust Setting

Use the following tags in each provider section to set whether that provider should be trusted or not.

<trusted>false</trusted>

Between the <trusted></trusted> tags, leave the sample value of false, or, if the specified provider is a trusted LDAP or Active Directory provider, replace the value with true.

If the entire <trusted></trusted> section, including the tags, is deleted, the default value of true is used. To use the default value, delete the tags together with the value; do not delete only the value and leave the empty tags in place.

If the trust setting is true, the token generated upon user authentication does not contain a password, and none is required. If the trust setting is false, the password is part of the token.

If you use Hybrid Analysis, you must use untrusted directories. If you are using trusted directories, Analytic Services will not allow access to databases that have Hybrid Analysis enabled. The presence of trusted directories does not affect the behavior of Analytic Services databases that do not contain Hybrid Analysis segments.
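The rules above can be checked mechanically. The following audit script is an added example, not part of the original documentation or of any Hyperion tool: it reports providers that are trusted only because the <trusted> section is missing, providers whose tags are present without a value, and trusted providers when Hybrid Analysis is in use. The <config>, <provider> and <name> elements and the provider names are assumptions made for illustration; only the <trusted> tag and its default come from this page.

```python
import xml.etree.ElementTree as ET

# Constructed sample. The <config>, <provider> and <name> elements are assumed
# for illustration; only <trusted> is taken from the documentation above.
SAMPLE_CONFIG = """
<config>
  <provider><name>corp-ldap</name><trusted>false</trusted></provider>
  <provider><name>hr-msad</name><trusted>true</trusted></provider>
  <provider><name>legacy-ldap</name></provider>
  <provider><name>partner-ldap</name><trusted></trusted></provider>
</config>
"""

def effective_trust(provider):
    """Return (trusted, note); trusted is True, False, or None if undetermined."""
    tag = provider.find("trusted")
    if tag is None:
        # Whole <trusted> section deleted: the documented default is true.
        return True, "tag absent, default of true applies"
    value = (tag.text or "").strip().lower()
    if value == "true":
        return True, "explicitly trusted"
    if value == "false":
        return False, "explicitly untrusted"
    # Tags kept but value removed or unrecognized: the page says not to do this.
    return None, "tags present without a true/false value"

def audit(xml_text, hybrid_analysis=False):
    """Return (provider, code, detail) findings for each provider section."""
    findings = []
    for provider in ET.fromstring(xml_text).iter("provider"):
        name = provider.findtext("name", default="(unnamed)")
        trusted, note = effective_trust(provider)
        if trusted is None:
            findings.append((name, "INVALID", note))
            continue
        if trusted and provider.find("trusted") is None:
            findings.append((name, "IMPLICIT-TRUST", note))
        if trusted and hybrid_analysis:
            findings.append((name, "HYBRID-CONFLICT",
                             "trusted directory blocks Hybrid Analysis databases"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, hybrid_analysis=True):
        print(*finding, sep=": ")
```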

More Information: Trusted vs. Not Trusted

When trust is set to TRUE, the user credentials found in a token received by Analytic Services are not validated against the external authentication repository. This speeds up the authentication process.

When trust is set to TRUE in a single sign-on scenario, these actions occur:

  1. Analytic Services receives a token from another Hyperion application (the password is not part of the token).

  2. Analytic Services sends the token to the security platform.

  3. The security platform validates that the token is constructed properly (token decryption and read are successful).

  4. The security platform validates that the token has not timed out.

  5. The security platform returns the identity string to Analytic Services to complete authentication.

When trust is set to FALSE in a single sign-on scenario, additional steps are taken (steps 4-6 are unique to untrusted providers):

  1. Analytic Services receives a token from another Hyperion application (the password is part of the token).

  2. Analytic Services sends the token to the security platform.

  3. The security platform validates that the token is constructed properly (token decryption and read are successful).

  4. The security platform validates that the token has not timed out.

  5. The security platform extracts the identity and password from the token.

  6. The security platform validates the user and the password against the authentication providers indicated in the configuration.

  7. The security platform receives an approval or denial to authenticate from the authentication provider.

  8. The security platform returns the identity string to Analytic Services to complete authentication.

©2004 Hyperion Solutions Corporation. All Rights Reserved.
http://www.hyperion.com