User Guide

Intel® VTune™ Profiler User Guide

ID 766319
Date 11/07/2023
Public

A newer version of this document is available. Customers should click here to go to the newest version.

Document Table of Contents

Configure User Authentication/Authorization

Use the default passphrase authentication to run the VTune Profiler Server, or benefit from your company solutions with reverse proxy or SAML authentication.

User authentication and authorization for VTune Profiler Server is controlled by a configuration file stored in <vtune-install-dir>/backend/config.yml. This configuration file uses YAML format and comes with brief inline documentation describing available configuration options.

Passphrase Authentication

In the default personal use mode, VTune Profiler Server is configured to use passphrase authentication/authorization. When you start the server, you can specify a passphrase:

There are no usernames involved: if the passphrase is shared between multiple users, then they are treated as the same user.

VTune Profiler persists the hash of the passphrase. The browser also persists a secure HTTPS cookie so that you do not enter the passphrase each time. Cookie expiration time is configurable, default value is 365 days. When you access the VTune Profiler Server from a different machine or use a different browser, or if the browser cookies are cleaned / expired, then you are prompted to enter the passphrase again.

If you forget the passphrase, you can reset it by re-running the VTune Profiler Server using the --reset-passphrase option. The server provides an outcome URL with a one-time token to reset the passphrase:

vtune-backend --reset-passphrase  
Serving GUI at https://127.0.0.1:65417?one-time-token=e2ed7c1365c972ec1024ac4e53179a08

When you open this URL in a web browser, you are prompted to set a new passphrase.

Reverse Proxy Authentication

VTune Profiler Server can be deployed behind a reverse proxy, which is a web server that forwards all requests to the VTune Profiler Server and serves its responses back to the user. With this type of setup, the system administrator can configure arbitrary user authentication and authorization in the reverse proxy. Reverse proxy is configured to pass authenticated user ID to the VTune Profiler Server, while the VTune Profiler Server is configured to trust this user ID.

To enable the reverse proxy authentication, the administrator needs to follow these steps:

  1. Change the authentication type in the <vtune-install-dir>/backend/config.yml to reverse-proxy and specify the header, which is an HTTP header that reverser proxy uses to pass authenticated user ID.

  2. Start the VTune Profiler Server as follows:

    • If VTune Profiler Server and reverse proxy are on the same host: start the VTune Profiler Server without the --allow-remote-ui option to prevent remote connections to be accepted by the VTune Profiler Agent:

      vtune-backend --web-port=8080  
      Serving GUI at https://127.0.0.1:8080  
      warn: Server access is limited to localhost only. To enable remote access, restart with --allow-remote-ui.

    • If VTune Profiler Server and reverse proxy are on different hosts: configure the reverse proxy to use a client certificate authentication when calling the VTune Profiler Server. Provide the VTune Profiler Server with the path to the pubic part of the reverse proxy client certificate :

      vtune-backend --allow-remote-ui --client-certificate /path/to/public/reverse/proxy/cert.crt

    NOTE:

    You are recommended to use the client certificate authentication even when VTune Profiler Server and the reverse proxy are on the same host to prevent an unauthorized access from the host system.

SAML SSO Authentication

VTune Profiler Server supports SAML 2.0 Single Sign On (SSO) for user authentication.

To enable the SAML SSO authentication, the Admin needs to follow these steps:

  1. Change the authentication type in the <vtune-install-dir>/backend/config.yml to saml and specify the rootUrl and the entityID.

  2. Request the IT service to register the VTune Profiler Server into the SAML SSO infrastructure. The request should include the entity ID, consume URL (rootUrl + consumePath), and the name of a network user group to be provided with an access to the VTune Profiler Server.

    In response, the IT service provides the entry point for SAML Identity Provider and its public certificate.

  3. Enter the data provided with the IT service to the entryPoint and cert fields in the config.yml file.

  4. Start the VTune Profiler Server.