Network access and authentication
Mobile applications developed in Workshop are simply web applications that have been optimized for use in mobile browsers. As a result, there is no installation step required for users to access these web applications on their tablet or phone devices. However, it is necessary to ensure your users' devices can access your Foundry environment at a network level, and that your users can successfully authenticate to Foundry.
This page describes how you should think about network access and authentication, common problems you may encounter, and possible solutions to these problems. You may need to work with your IT counterparts to debug and fix any issues, especially those related to network access.
At a high level, ensuring access for your users can be broken down into two main components which are described below:
Ensure network access
As Foundry can be deployed in a wide variety of settings, ranging from Palantir's managed SaaS environment to on-premise configurations, there is no single solution for ensuring users have access to Foundry from their mobile devices. In this section, we present a range of options for enabling access for your users.
The most common approaches to enabling mobile access to Foundry are to:
Use an enterprise web browser
Many organizations have an MDM (Mobile Device Management) solution in place for managing mobile devices, and most MDM solutions include a secure web browser that can be used to access internal company resources. If your organization has an MDM set up, it may be possible to use the MDM-supported browser to access Foundry.
The main downside to this approach is that the MDM-supported web browser may render web components differently than a standard browser such as Safari, Chrome, or Edge. As a result, user experience may be worse compared to commonly used browsers. Additionally, any users who do not have a device managed by your organization will not be able to access Foundry.
If you know your user base already has devices managed by an organizational MDM, using the MDM-supported web browser is likely the most direct and secure path forward.
Next step: Contact your IT organization to learn about whether there is an existing enterprise MDM in place, and whether the MDM's web browser can be configured to enable access to your Foundry environment.
Use a mobile VPN
Your organization may support a VPN to enable employees to access corporate resources while away from an office location. Many VPN solutions include support for access on mobile devices as well, enabling users to connect to the VPN and then access internal resources using their device's standard web browser.
The main benefit to this approach is that users can use a standard browser such as Safari or Chrome. The downside is that users will need to go through an additional step of connecting to the VPN each time they use Foundry, in addition to initially setting up the VPN client. If your users are accustomed to this workflow, this may not be an issue, but it could pose problems for rolling out an application to a set of users who have not previously used mobile VPNs.
Next step: Contact your IT organization to learn about whether there is a mobile VPN client available. If so, validate that your users have access to the VPN and that using the VPN will enable access to your Foundry environment.
Allowlist an IP region
By configuring network ingress in Control Panel, you can choose to allow broad network access from certain countries from which your users operate.
The benefit to this approach is that users in the allowlisted regions can access your Foundry environment from any device without an MDM-managed device or a VPN client (if you were previously using strict IP-based allowlisting). This method provides a more seamless login experience for users. However, your organization may not be comfortable allowing network ingress into your Foundry environment from a broader set of networks.
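The trade-off in this section is easiest to see when the two ingress policies are evaluated side by side against the same client addresses. The following is an added example, not Foundry's Control Panel implementation; the CIDR ranges (RFC 5737 documentation addresses), the stand-in GeoIP table, and the sample client addresses are all constructed. It models a strict CIDR allowlist (for example, a corporate VPN's egress ranges) next to a country-level allowlist, and reports which addresses the region policy would admit that the strict list rejects, which is exactly the broader exposure the paragraph above asks you to weigh.

```python
"""Compare a strict CIDR ingress allowlist with a country-level allowlist.

Added example; not Foundry code. Networks, GeoIP mapping and sample
requests are constructed for illustration.
"""
import ipaddress
import logging
from typing import Dict, Iterable, List, Optional, Set, Tuple, Union

logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")
log = logging.getLogger("ingress")

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed: the strict allowlist, e.g. the corporate VPN's egress ranges.
STRICT_CIDRS: List[str] = ["203.0.113.0/24", "198.51.100.0/25"]

# Constructed stand-in for a GeoIP lookup: prefix -> ISO country code.
GEOIP_TABLE: Dict[str, str] = {
    "203.0.113.0/24": "US",
    "198.51.100.0/24": "US",
    "192.0.2.0/24": "DE",
}

# Constructed: countries an administrator chose to allowlist.
ALLOWED_COUNTRIES: Set[str] = {"US"}


def parse_ip(raw: str) -> Optional[IPAddress]:
    """Parse a client address; anything unparseable is rejected (fail closed)."""
    try:
        return ipaddress.ip_address(raw.strip())
    except ValueError:
        log.warning("rejecting unparseable client address %r", raw)
        return None


def country_of(ip: IPAddress, table: Dict[str, str] = GEOIP_TABLE) -> Optional[str]:
    """Longest-prefix style lookup is not needed here: prefixes do not overlap."""
    for prefix, country in table.items():
        if ip in ipaddress.ip_network(prefix):
            return country
    return None


def allowed_by_cidr(ip: IPAddress, cidrs: Iterable[str] = STRICT_CIDRS) -> bool:
    """Strict policy: the address must fall inside an allowlisted range."""
    return any(ip in ipaddress.ip_network(c) for c in cidrs)


def allowed_by_region(
    ip: IPAddress,
    countries: Set[str] = ALLOWED_COUNTRIES,
    table: Dict[str, str] = GEOIP_TABLE,
) -> bool:
    """Region policy: the address must geolocate to an allowlisted country.
    Addresses with no country mapping are denied rather than allowed."""
    country = country_of(ip, table)
    return country is not None and country in countries


def evaluate(raw_ip: str) -> Tuple[bool, bool]:
    """Return (strict_allowed, region_allowed) for one client address."""
    ip = parse_ip(raw_ip)
    if ip is None:
        return (False, False)
    cidr_ok = allowed_by_cidr(ip)
    region_ok = allowed_by_region(ip)
    log.info("%s strict=%s region=%s", ip,
             "allow" if cidr_ok else "deny", "allow" if region_ok else "deny")
    return (cidr_ok, region_ok)


def newly_exposed(raw_ips: Iterable[str]) -> List[str]:
    """Addresses the region allowlist admits but the strict CIDR list rejects:
    the extra ingress an organization accepts by switching policies."""
    return [raw for raw in raw_ips if evaluate(raw) == (False, True)]


# Constructed sample: on-VPN user, off-VPN US mobile user, DE user, garbage.
SAMPLE_REQUESTS = ["203.0.113.7", "198.51.100.200", "192.0.2.9", "not-an-ip"]

if __name__ == "__main__":
    print("admitted only by the region policy:", newly_exposed(SAMPLE_REQUESTS))
```

Running the script shows the second sample address (a US address outside the VPN ranges) is the only one admitted by the region policy and rejected by the strict list; the unparseable input and the out-of-region address are denied under both policies, which is the fail-closed behaviour you want from any ingress check.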
Ensure users can authenticate
Once your users can access Foundry at a network level, they will need to navigate to the mobile application launcher and authenticate to Foundry. This requires your users to have a user account and to go through your organization's SSO authentication flow. We describe some considerations for these two steps below.
Ensure users have accounts
Access to Foundry always requires a user account. Account-related considerations for users on mobile devices can be different than for desktop users. In our experience, some use cases targeting usage on mobile devices can involve a surprisingly complex device landscape:
- Some use cases require contractors to be able to access data from Foundry or submit data to Foundry. If your use case targets a broad set of users who are not employees of your organization, you should ensure these users have accounts and are able to authenticate to Foundry.
- Some mobile use cases target usage on shared devices. For example, there may be tablet devices used on a factory floor to access data in Foundry. The devices do not belong to a single user, but are instead shared between individuals in a work environment. In this case, you should confirm which users will be logging into each device. If necessary, it is possible to configure a dedicated user account per workstation, either in your identity provider or using Foundry's internal realm. If you need to enable an authentication pattern like this, contact your Palantir representative to learn more.
Validate the end user authentication flow
Since the authentication process is a key part of the end-to-end user experience, you should validate what the end user authentication experience looks like on a mobile device. Users will need to go through your organization's SSO flow each time they need to authenticate, and will need to go through the MFA (multi-factor authentication) process.
Additionally, your organization's identity provider determines how often users need to re-authenticate to Foundry. If the login timeout is very frequent, this may add additional friction to the end user experience as users may need to authenticate frequently throughout the day. If this poses a problem for your users, contact your IT organization to discuss extending the session length in your identity provider.