Once authentication is done in SSO via web(we have Shibboleth), how can we provide just the namespaces in either (CMS rest/soap or SDK api ) to login to cognos.
Also I am sure some of the headers that is in SSO session needs to be passed to Cognos. But I am not sure which headers are required when initially logging on to cognos. I looked at the Developer Doc for CMS/SDK but could not find any. It talks about initially logging on with all the credential elements ( usernmae/pass/namespace ) but not the case where one is already authenticated via SSO and need to get into cognos.
Any thread of light on this will be highly appreciated.
NOTICE: developerWorks Community will be offline May 29-30, 2015 while we upgrade to the latest version of IBM Connections. For more information, read our upgrade FAQ.
This topic has been locked.
2 replies Latest Post - 2013-03-28T23:25:37Z by SystemAdmin
Pinned topic Logging on to Cognos after SSO is done
Answered question This question has been answered.
Unanswered question This question has not been answered yet.
Updated on 2013-03-28T23:25:37Z at 2013-03-28T23:25:37Z by SystemAdmin
KCamp 27000108YJ20 PostsACCEPTED ANSWER
Re: Logging on to Cognos after SSO is done2013-02-12T13:36:25Z in response to SystemAdminIs Cognos configured to use SSO with your Shibboleth solution (i.e. are you prompted to logon via the regular Cognos portal)? If that doesn't work, then you'll find trying to get an SSO solution to work with CMS will be difficult.
There are so many possible configurations for SSO that it's impossible to describe in the Developer Guide, but here's an article you should find helpful:
Many SSO solutions will end up setting the REMOTE_USER header (or some custom header) to something that can be mapped to an LDAP user. In Cognos Configuration, you would have set the external identity mapping for the LDAP to be able to perform a lookup using whatever value is passed in via REMOTE_USER. When you get the login screen in Cognos (assuming multiple namespaces), you simply have to pick the appropriate namespace.
As long as you pass that REMOTE_USER header via your CMS application (this is often automatic), this is the same, the only credential you pass via the REST/Soap Login API is the namespace and you should be automatically logged in as the correct user.
If you're using Axis and SOAP to talk to CMS, you might have to write a custom authenticator, much like in the NTLM case described in the article, though the authenticator would be closer to this example: http://predic8.com/shibboleth-web-services-sso-en.htm
SystemAdmin 110000D4XK217 PostsACCEPTED ANSWER
Re: Logging on to Cognos after SSO is done2013-03-28T23:25:37Z in response to KCampHi,
Thank you for your response KCamp. The article was of great help.
The system is setup to use let's say "userid" coming from Shibboleth SSO. And it does just works fine on browser level. We have default namespace is also set for account. So when a gateway url is lunched it takes to cognos home page, provided user has already signed in Shib based SSO earlier.
I have some other questions, I will pose them as separate questions(threads).