Hello,
Some teams in my company has started experimenting with KNIME recently. They seem to adopt this new tool fairly well, unfortunately it ships with a noticeable drawback.
Indeed, all our IT equipment is connected to a ZScaler proxy. Without proper authentication to this proxy, it is not possible to retrieve data from online sources. I am well aware that KNIME has support for proxys, but it does not allow Windows / SAML authentication. All company hardware for collaborators are running Windows 10.
At the moment, Power BI is still being used as the “master tool” since its proxy integration does allow to access to online resources (blob storages, databases, SAP…), which makes it hard to justify adding KNIME to the catalog of tools for internal use.
My question is: is there any way to connect to such a proxy already, and if not, will this feature be implemented in a future release?
Please let me know if you need more information on the matter, I must add that I am not a security expert.
Thank you
Dear @PaulCombal
I am not aware that we have an option to directly connect to proxies with SAML authentication.
However, by default we use the system wide (native) proxy. Hence, if you configure a proxy in the Windows settings, we will automatically use that (after a program restart).
I’m not familiar with ZScaler, but a quick search suggests that the Zscaler Client Connector may be able to automatically set a system proxy.
Kind regards
Marvin
Hello,
Thank you for your reply. You made me realize that I forgot to mention one detail: access to the through the proxy is only available after authentication on a web portal. As an example, when you try to access the web with a new web browser or private browsing window, you are first greeted by a “company run” authentication form (MFA).
My best guess is that when KNIME issues an HTTP request, it doesn’t reach the intended server since the MFA portal needs to be taken care of first. This also means that every other online KNIME feature is not available (extensions, updates, workflow coach, etc).
The ZScaler client connector is installed on every machine and sets the proxy automatically, and employees are not allowed to disable it at any time.
Once again, I am not in charge neither of networking or security, so I will not be able to give you extended details about the inner workings of the network. However, I would be more than happy to give you the details I have access to, from the company’s machine.
I’m fairly confident there is a way around, since PowerBI can use the MFA natively and access the internet. For your information, a chip card has to be inserted in the laptop to authenticate in Windows and sometimes on internal websites.
Regards,
Paul
Dear @PaulCombal
please excuse the late reply. After some discussions with colleagues I’m afraid it currently doesn’t seem possible to do the MFA within KNIME. If Windows/ZScaler can’t do the authentication, the only way I can currently think of is running a second proxy on the local machine, which requires standard (or no) authentication, and which itself connects to the ZScaler proxy and does the MFA.
Kind regards
Marvin