Configuring LTPA using an Active Directory namespace

The following procedure describes how to set up LTPA for Cognos® Analytics with Microsoft Active Directory as the authentication source.


  1. In every location where you installed Content Manager, open IBM® Cognos Configuration.
  2. In the Explorer window, under Security, right-click Authentication, and then click New resource > Namespace.
  3. In the Name box, type a name for your authentication namespace.
  4. In the Type list, select LDAP - Default values for Active Directory and then click OK.

    The new authentication provider resource appears in the Explorer window, under the Authentication component. Default values are generated for you. Check them and make changes as needed.

  5. In the Properties window, for the NamespaceID property, specify a unique identifier for the namespace.
    Tip: Do not use colons (:) in the Namespace ID property.
  6. Specify the values for all other required properties to ensure that IBM Cognos components can locate and use your existing authentication provider.
    • For User lookup, enter (sAMAccountName=${userID})
    • If you use single sign-on, for Use external identity, set the value to True.
    • If you use single sign-on, for External identity mapping, enter (sAMAccountName=${environment("REMOTE_USER")})

      If you want to remove the domain name from the REMOTE_USER variable, enter (sAMAccountName=${replace(${environment("REMOTE_USER")}, "domain\\","")}).

      Important: Ensure that you use only the variable REMOTE_USER. Using another variable can cause a security vulnerability.
    • For Bind user DN and password, enter user@domain.
    • For Unique identifier, enter objectGUID
  7. Create an XML file named local-server.xml and place it in the install_location/configuration directory.
  8. In the local-server.xml file, enter values that are appropriate for your environment:
    <?xml version="1.0" encoding="UTF-8"?>
    	<ldapRegistry id="id" realm="realm" 
    	host="host" port="port" ignoreCase="true" 
    	baseDN="DC=dc,DC=dc,DC=dc" bindDN="CN=doejohn,
    	bindPassword="password" ldapType="Microsoft Active Directory" sslEnabled="false"> 
    	<webAppSecurity allowFailOverToBasicAuth="true" displayAuthenticationRealm="true"/>
  9. If Cognos Analytics is configured to use SSL, see Configuring the SSL protocol for IBM Cognos components for more information.
  10. To verify the configuration, log on to http://host:port/bi or https://host:port/bi for SSL enabled systems, where host is the fully qualified Cognos Analytics host domain.

    You should not see the Cognos Analytics logon page. Instead, you should be prompted by the browser to log on.

What to do next

If you want to configure single sign-on (SSO) between the Cognos Analytics application that was set up with LTPA authentication, and the application is deployed into a WebSphere instance, install the WebSphere key on each Cognos Analytics dispatcher where LTPA was set up, and update the local-server.xml file with the following <ltpa> element:

<ltpa keysFileName="yourLTPAKeysFileName.keys" 
keysPassword="keysPassword" expiration="120" />

For more information, see the WebSphere Liberty documentation. The root directory of the automatically generated LTPA keys file ${server.output.dir}/resources/security/ltpa.keys that is mentioned in this document is cognos_analytics_location/wlp/usr/servers/cognosserver.