SiteMinder authentication provider
The authentication provider uses the SiteMinder Software Development Kit to implement a custom agent. The custom agent deployment requires that you set the Agent Properties in the SiteMinder Policy server administration console to support 4.x agents.
SiteMinder configuration requirements
Configure the following items in the CA SiteMinder Policy Server:
- Cognos Analytics 11.1.7 and later versions must allow certain special characters and character sequences in the Cognos Analytics server URL. To avoid errors on POST methods, remove the double quote character ("), or its encoded form (%22), from the list in the BadURLChars parameter for the Agent Configuration Object in the CA SiteMinder Policy Server. This character is properly encoded for the GET methods.
  Tip: Customers who embed URLs in their reports should verify the characters passed in the URL parameters and ensure that CA SiteMinder does not treat these characters as BadURLChars or BadCSSChars. For more information, see the CA SiteMinder documentation.
- Cognos Analytics requires the GET and POST verbs for its functionality. Enable these verbs in the CA SiteMinder Policy Server.
- Enable the encoding of characters or masking of methods by setting the Is third party XSS Checking enabled? property to True in Cognos Configuration. For more information, see Configuring IBM Cognos components to use IBM Cognos Application Firewall.
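The check described in the Tip above can be scripted before a change reaches the Policy Server. The following is an added example, not IBM or CA code: it assumes the BadURLChars value is a comma-separated list of literal sequences, %XX bytes and %XX-%YY ranges, and that matching is done on the once-decoded path and query. The list values and report URLs are constructed samples.

```python
import string
from urllib.parse import unquote_to_bytes, urlsplit

# Constructed sample values, not copied from a real Agent Configuration Object.
BEFORE = r'//,./,/.,/*,*.,~,\,%00-%1f,%7f-%ff,%25,%22'
AFTER = r'//,./,/.,/*,*.,~,\,%00-%1f,%7f-%ff,%25'  # %22 removed, as advised above
REPORT_URLS = [  # constructed URLs of the kind embedded in a report
    'https://cognos.example.com/bi/report?title=%22Q1%22',
    'https://cognos.example.com/bi/report?title=%2522Q1%2522',
    'https://cognos.example.com/bi/report?region=EMEA',
]

def _is_pct(s):
    """True for a single %XX escape."""
    return len(s) == 3 and s[0] == "%" and all(c in string.hexdigits for c in s[1:])

def parse_bad_chars(value):
    """Turn the list into (entry, set of forbidden byte sequences) rules."""
    rules = []
    for entry in (e.strip() for e in value.split(",")):
        if not entry:
            continue
        lo, sep, hi = entry.partition("-")
        if sep and _is_pct(lo) and _is_pct(hi):
            # %XX-%YY: every byte in the inclusive range is forbidden
            seqs = {bytes([b]) for b in range(int(lo[1:], 16), int(hi[1:], 16) + 1)}
        else:
            # literal sequence or single escape, normalised to decoded bytes
            seqs = {unquote_to_bytes(entry)}
        rules.append((entry, seqs))
    return rules

def blocked_by(url, rules):
    """Return the list entries that the URL's path and query would trip."""
    parts = urlsplit(url)  # scheme and host are skipped so "://" never matches "//"
    target = parts.path + ("?" + parts.query if parts.query else "")
    decoded = unquote_to_bytes(target)  # assumption: compare once-decoded bytes
    return [entry for entry, seqs in rules if any(s in decoded for s in seqs)]

def audit(urls, value):
    """Map each URL that would be rejected to the entries responsible."""
    rules = parse_bad_chars(value)
    return {u: hits for u in urls if (hits := blocked_by(u, rules))}

if __name__ == "__main__":
    for name, value in (("before", BEFORE), ("after", AFTER)):
        print(name, audit(REPORT_URLS, value))
```

With the constructed values, the first URL is rejected only while %22 is in the list, and the double-encoded URL is still caught by %25 afterwards.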
SiteMinder configured for more than one user directory
If your SiteMinder environment is configured for more than one user directory, you must use the SiteMinder namespace type in IBM Cognos Configuration.
After you configure the SiteMinder namespace in IBM Cognos Configuration, you must also add a corresponding LDAP or Active Directory Server namespace to IBM Cognos Configuration for each user directory that is defined in SiteMinder.
When you configure a corresponding LDAP namespace, ensure that the External identity mapping property is enabled and that you include the REMOTE_USER token in the property value. This does not mean that you must configure SiteMinder to set REMOTE_USER.
When you configure a corresponding Active Directory namespace, ensure that the singleSignonOption property is set to IdentityMapping.
The SiteMinder namespace passes user information internally to the corresponding LDAP namespace using the REMOTE_USER environment variable when it receives successful user identification from the SiteMinder environment.
For more information, see Enabling single signon between Active Directory Server and IBM Cognos Components to use REMOTE_USER.
SiteMinder configured with only one user directory
If your SiteMinder environment is configured with only one user directory, you do not have to use the SiteMinder namespace type in IBM Cognos Configuration.
In this case, you can use the user directory as your authentication source by configuring the appropriate namespace, or you can configure the SiteMinder namespace with one user directory. For example, if the SiteMinder user directory is LDAP, you can configure IBM Cognos components with an LDAP namespace or with one SiteMinder namespace, referring to one user directory that is an LDAP namespace.
If the SiteMinder user directory is Active Directory, you can use an Active Directory namespace or an LDAP namespace that is configured for use with Active Directory.
If you want to use the user directory as your authentication source directly instead of configuring a SiteMinder namespace, you can configure the appropriate LDAP or Active Directory namespace. In this case, verify the Agent Configuration Object properties in SiteMinder Policy Server. Ensure that SetRemoteUser is activated.
When you configure the Active Directory namespace, ensure that the singleSignonOption property is set to IdentityMapping.
When you configure a corresponding LDAP namespace, ensure that the External identity mapping property is enabled and that you include the REMOTE_USER token in the property value.
For more information, see Enabling single signon between Active Directory Server and IBM Cognos Components to use REMOTE_USER.