Configuring authentication providers

IBM® Cognos® components run with two levels of access: anonymous and authenticated. By default, anonymous access is enabled.

You can use both types of logon with your installation. If you choose to use authenticated logon only, you must disable anonymous access. For more information, see Disable anonymous access.

For authenticated logon, you must configure IBM Cognos Analytics components with an appropriate namespace for the type of authentication provider in your environment. You can configure multiple namespaces for authentication and then choose, at run time, which namespace you want to use. For more information, see the Administration and Security Guide.

If you upgraded from ReportNet and IBM Cognos detects a previously configured namespace that is no longer configured, the unconfigured namespace appears in the list of authentication providers in the Administration portal. You can configure the namespace if you still require the user account information. Otherwise, you can delete the namespace. Also, when upgrading from one version to another, you must use the same authentication namespace for both versions. Otherwise, the old secured content will not be available because the new version might not contain the same policies, users, roles, and groups.

IBM Cognos components support the following types of servers as authentication sources:

  • Active Directory Server
  • Custom Authentication Provider
  • IBM Cognos Series 7 namespace
  • LDAP
  • OpenID connect
  • CA SiteMinder
  • SAP

If you use more than one Content Manager, you must configure identical authentication providers in each Content Manager location. This means that the type of authentication provider you select and the way you configure it must be identical in all locations for all platforms. The configuration must contain information that is accessible by all Content Managers.

When IBM Cognos is installed in a single Linux-based computer, or when Content Manager is installed on a Linux-based computer, IBM Cognos can be configured to use only LDAP V3-compliant directory servers and custom providers as authentication sources.

Some authentication providers require libraries external to the IBM Cognos environment to be available. If these libraries are not available on Linux®, the authentication provider cannot be initialized.

If you want to configure one of the following as your authentication source, you must install Content Manager on an operating system it supports:

  • IBM Cognos Series 7 namespace (Windows, Solaris, AIX)
  • Active Directory Server (Windows only)
  • SAP BW (All except Power PC, z/OS, z/Linux)

If you enable security, you must configure security settings immediately after you complete the installation and configuration process. For more information, see the Administration and Security Guide.

Important: Do not disable security after you enable it. Existing permission settings will refer to users, groups, or roles that no longer exist. While this does not affect how the permissions work, a user administering the permission settings may see "unknown" entries. Because these entries refer to users, groups, and roles which no longer exist, you can safely delete them. However, "unknown" entries can also show up if you are not authenticated into all namespaces. In this scenario, do not delete "unknown" entries.

After you configure an authentication provider for IBM Cognos components, you can enable single signon between your authentication provider environment and IBM Cognos components. This means that a user logs on once and can then switch to another application without being asked to log on again.

Users can select namespaces when they log in to the IBM Cognos Analytics portal. You can hide Custom Java™ namespaces and CA SiteMinder namespaces from users. For more information, see Hide the Namespace from Users During Login.