Enable single signon between LDAP and IBM Cognos components

You achieve single signon to IBM® Cognos® components by configuring the External Identity mapping property.

The External Identity mapping can refer to a CGI environment variable or an HTTP header variable. For an application server gateway or dispatcher entry that is pointing to IBM Cognos components, the External Identity mapping can refer to the userPrincipalName session variable. The resolved value of the External Identity mapping property at run time must be a valid user DN.

When an LDAP namespace is configured to use the External Identity mapping property for authentication, the LDAP provider binds to the directory server by using the Bind user DN and password, or binds anonymously if no value is specified. All users who log on to IBM Cognos by using external identity mapping see the same users, groups, and folders as the Bind user.

If you want IBM Cognos components to work with applications that use Java™ or application server security, you can configure the External Identity mapping property to obtain the user ID from the Java user principal. Include the token ${environment("USER_PRINCIPAL")} in the value for the property. For more information, see the online help for IBM Cognos Configuration.

You can apply limited expression editing to the External Identity mapping property by using the replace operation.
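
The following added example is not IBM code. It is a pre-deployment check for the requirement that the resolved mapping value must be a valid user DN, and it shows why a replace-style edit of the incoming value can be needed. The DN template, the helper names, the sample values, and the use of Python's str.replace to model the replace step are assumptions; the Cognos expression syntax for replace is not shown on this page.

```python
import re

# Constructed assumption: the DN shape this deployment expects the mapping to resolve to.
DN_TEMPLATE = "uid={user},ou=people,dc=example,dc=com"

# Simplified RFC 4514 string form: attr=value RDNs joined by commas. Special
# characters in a value must be backslash-escaped or written as a hex pair.
# Leading/trailing space rules and the '#hex' value form are not checked here.
_ATTR = r'(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)*)'
_ESC = r'\\(?:[ "#+,;<=>\\]|[0-9A-Fa-f]{2})'
_VALUE = rf'(?:[^\\",+;<>\x00]|{_ESC})+'
_AVA = rf'{_ATTR}={_VALUE}'
_RDN = rf'{_AVA}(?:\+{_AVA})*'
_DN = re.compile(rf'{_RDN}(?:,{_RDN})*')


def is_valid_dn(candidate):
    """Return True if candidate parses as a DN under the simplified grammar."""
    return bool(_DN.fullmatch(candidate))


def resolve_mapping(external_value, strip=""):
    """Model the mapping: optional replace step, then template substitution."""
    user = external_value.replace(strip, "") if strip else external_value
    return DN_TEMPLATE.format(user=user)


def check(external_value, strip=""):
    """Return (resolved DN, is it a valid DN?) for one incoming value."""
    dn = resolve_mapping(external_value, strip)
    return dn, is_valid_dn(dn)


if __name__ == "__main__":
    # Constructed sample values for the CGI variable or HTTP header.
    samples = [
        ("jdoe", ""),                       # plain user ID
        ("NAMERICA\\jdoe", ""),             # domain-qualified, no replace step
        ("NAMERICA\\jdoe", "NAMERICA\\"),   # domain prefix removed first
        ("", ""),                           # variable missing or empty
    ]
    for value, strip in samples:
        dn, ok = check(value, strip)
        print(f"{value!r:20} strip={strip!r:14} -> {dn!r} valid={ok}")
```

The domain-qualified value fails because the backslash is not a legal escape inside a DN value, and the empty value fails because it leaves the uid attribute with no value.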