Configuring Lightweight Third-Party Authentication

You can configure IBM® Cognos Analytics components to use IBM Lightweight Third-Party Authentication (LTPA). The practices that are described in this topic are based on Cognos Analytics 11.0.7 distributed environment with IBM Tivoli Directory Server LDAP or Microsoft Active Directory as authentication sources.

With LTPA, the user authenticates with the first server that is accessed, by using a user name and password. After authenticating, the user receives an LTPA token, which is valid for only one session. The token is used to identify the user on other servers within the same domain name system, where the servers are configured to use LTPA. Therefore, the user enters a user name and password only once, and the user directory is accessed only once to verify the identity of that user.

To implement LTPA, Cognos Analytics must be configured to use an authentication source that is configured in the WebSphere Liberty container that it runs in. You can configure single sign-on between Cognos Analytics and WebSphere Liberty using the identity mapping configuration in the Cognos namespace. For example, you can configure WebSphere Liberty to use an LDAP or Active Directory server for authentication, then configure Cognos Analytics to use the same LDAP or Active Directory, and set the identity mapping to use REMOTE_USER.

For Cognos Analytics, this means that a user must be authenticated to an identity assigned to the HTTP session before accessing Cognos Analytics within the same session. Authentication is completed by presenting credentials to an external-to-Cognos security system. The security system might provide the identity and some sort of credential information suitable for achieving single sign-on to other systems, usually in the form of an SSO token. Typical candidates for such security systems are authentication proxies, such as IBM Tivoli WebSEAL, Oracle Oblix, Site Minder, or any other software or hardware solutions that can authenticate an HTTP session and persist that authentication in a token.

WebSphere Liberty has many different options for authenticating users. For more information, see the WebSphere Liberty documentation:


  1. On a computer where the Cognos Analytics server is installed, start IBM Cognos Configuration.
  2. In the Explorer window, expand the Environment category, and then the IBM Cognos services category.
  3. Click the IBM Cognos service.
  4. In the properties pane, click the Enable IBM Lightweight Third Party Authentication (LTPA) property, and change its value to True.
  5. Save the configuration, and restart the IBM Cognos service.
  6. Repeat these steps on all computers where the Cognos Analytics server is installed.

What to do next

To use LTPA, open the install_location/configuration/bi-services/bi-service.xml file, and change the special subject type from EVERYONE to ALL_AUTHENTICATED_USERS in the following way:

<special-subject type="ALL_AUTHENTICATED_USERS"/>

Make this change on all computers where Cognos Analytics servers are installed.