2 replies Latest Post - ‏2013-03-28T23:25:37Z by SystemAdmin
SystemAdmin

Pinned topic Logging on to Cognos after SSO is done

2013-02-11T23:08:47Z
Hi,
Once authentication is done in SSO via the web (we have Shibboleth), how can we provide just the namespace in either the CMS REST/SOAP or SDK API to log in to Cognos?

Also, I am sure some of the headers that are in the SSO session need to be passed to Cognos. But I am not sure which headers are required when initially logging on to Cognos. I looked at the Developer Doc for CMS/SDK but could not find any. It talks about initially logging on with all the credential elements (username/pass/namespace) but not the case where one is already authenticated via SSO and needs to get into Cognos.

Any thread of light on this will be highly appreciated.

Cheers
  • KCamp

    Re: Logging on to Cognos after SSO is done

    2013-02-12T13:36:25Z  in response to SystemAdmin
    Is Cognos configured to use SSO with your Shibboleth solution (i.e. are you prompted to log on via the regular Cognos portal)? If that doesn't work, then you'll find trying to get an SSO solution to work with CMS will be difficult.

    There are so many possible configurations for SSO that it's impossible to describe in the Developer Guide, but here's an article you should find helpful:
    https://www.ibm.com/developerworks/mydeveloperworks/blogs/0a7c97bb-6cf9-4ddb-a918-80994e7b444d/entry/sercurity_part3_cms_and_sso?lang=en

    Many SSO solutions will end up setting the REMOTE_USER header (or some custom header) to something that can be mapped to an LDAP user. In Cognos Configuration, you would have set the external identity mapping for the LDAP to be able to perform a lookup using whatever value is passed in via REMOTE_USER. When you get the login screen in Cognos (assuming multiple namespaces), you simply have to pick the appropriate namespace.

    As long as you pass that REMOTE_USER header via your CMS application (this is often automatic), this is the same: the only credential you pass via the REST/SOAP Login API is the namespace, and you should be automatically logged in as the correct user.
    If you're using Axis and SOAP to talk to CMS, you might have to write a custom authenticator, much like in the NTLM case described in the article, though the authenticator would be closer to this example: http://predic8.com/shibboleth-web-services-sso-en.htm
    • SystemAdmin

      Re: Logging on to Cognos after SSO is done

      2013-03-28T23:25:37Z  in response to KCamp
      Hi,

      Thank you for your response KCamp. The article was of great help.

      The system is set up to use, let's say, "userid" coming from Shibboleth SSO. And it just works fine at the browser level. We also have a default namespace set for the account. So when a gateway URL is launched, it takes the user to the Cognos home page, provided the user has already signed in to the Shib-based SSO earlier.

      I have some other questions; I will pose them as separate questions (threads).

      Thank You.