Enable single signon between Active Directory Server and IBM Cognos components
If Windows authentication is enabled, you are not prompted to reenter authentication information when you access IBM® Cognos® content that is secured by the Active Directory namespace.
If you use Kerberos authentication, you can choose to use Service for User (S4U). S4U allows users to access IBM Cognos Analytics from computers not on the Active Directory domain. To enable S4U, you must enable constrained delegation.
For example, you have users whose computers do not belong to the domain, but who do have a domain account. When they open their web browsers, they are prompted for their domain account. However, they get a Kerberos ticket with Identity privilege only, which prevents them from being authenticated to IBM Cognos Analytics. To resolve this issue, you can use S4U.
If you do not want Kerberos authentication, you can configure the provider to access the environment variable REMOTE_USER to achieve single signon.
To enable single signon to use Kerberos authentication, you must ensure that you complete the following tasks:
- Configure Windows authentication on your Microsoft IIS web server for the ibmcognos/cgi-bin application.
- Install Content Manager on a computer that is part of the Active Directory domain, for the active and standby Content Managers.
- Set up the computers, or the user account under which Content Manager runs, to be trusted.
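A check for the trust step above, as an added example that is not part of the IBM documentation: it reports whether an account is trusted for unconstrained delegation, for constrained delegation (which S4U requires), or not at all. The function name, account names and SPNs are hypothetical; the attribute names are those exposed by the ActiveDirectory PowerShell module.

```powershell
# Added example, not IBM code. Classifies Kerberos delegation settings from the
# attributes that Get-ADUser / Get-ADComputer (ActiveDirectory module) return.
function Get-DelegationMode {
    param([Parameter(Mandatory, ValueFromPipeline)] $Account)
    process {
        # SPNs this account may delegate to (empty when not constrained).
        $targets = @($Account.'msDS-AllowedToDelegateTo' | Where-Object { $_ })
        $spns    = @($Account.ServicePrincipalNames | Where-Object { $_ })
        $mode = if ($Account.TrustedForDelegation) {
            'Unconstrained'                   # may delegate to any service
        } elseif ($targets.Count -gt 0 -and $Account.TrustedToAuthForDelegation) {
            'Constrained (any auth protocol)' # protocol transition allowed
        } elseif ($targets.Count -gt 0) {
            'Constrained (Kerberos only)'
        } else {
            'None'
        }
        [pscustomobject]@{
            Account = $Account.SamAccountName
            Mode    = $mode
            Targets = $targets -join ', '
            HasSpn  = $spns.Count -gt 0       # account has an SPN registered
        }
    }
}

# Constructed sample accounts (hypothetical names and SPNs) so this runs offline.
$samples = @(
    [pscustomobject]@{
        SamAccountName = 'svc-cognos-cm'; TrustedForDelegation = $false
        TrustedToAuthForDelegation = $true
        'msDS-AllowedToDelegateTo' = @('ldap/dc01.example.com')
        ServicePrincipalNames = @('HTTP/cognos.example.com')
    },
    [pscustomobject]@{
        SamAccountName = 'svc-legacy'; TrustedForDelegation = $true
        TrustedToAuthForDelegation = $false
        'msDS-AllowedToDelegateTo' = @()
        ServicePrincipalNames = @('HTTP/legacy.example.com')
    }
)
$samples | Get-DelegationMode | Format-Table -AutoSize

# Against a live domain (account name is a placeholder):
# Get-ADUser svc-cognos-cm -Properties TrustedForDelegation,
#   TrustedToAuthForDelegation, msDS-AllowedToDelegateTo, ServicePrincipalNames |
#   Get-DelegationMode
```

An account that reports `Unconstrained` is trusted more broadly than constrained delegation needs; one that reports `None` has not been set up as trusted.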
For more information, see the following technote documents:
- Enabling single sign-on to CRN or Cognos secured against Active Directory technote (www.ibm.com/support/docview.wss?uid=swg21341889)
- When using Kerberos Single Sign-on (SSO) with Active Directory in Cognos, user is prompted for credentials technote (www.ibm.com/support/docview.wss?uid=swg21659267)