SiteMinder authentication provider

You can configure IBM® Cognos® Analytics to use a SiteMinder namespace as an authentication source.

The authentication provider uses the SiteMinder Software Development Kit to implement a custom agent. The custom agent deployment requires that you set the Agent Properties in the SiteMinder Policy Server administration console to support 4.x agents.

SiteMinder configuration requirements

Configure the following items in the CA SiteMinder Policy Server:

  • Cognos Analytics requires the GET and POST verbs for its functionality. Enable these verbs in the CA SiteMinder Policy Server.
  • Enable the encoding of characters or masking of methods by setting the Is third party XSS Checking enabled? property to True in Cognos Configuration. For more information, see Configuring IBM Cognos components to use IBM Cognos Application Firewall.
  • Customers who embed URLs in their reports should verify the characters passed in the URL parameters and ensure that CA SiteMinder does not treat these characters as BadURLChars or BadCSSChars. For more information, see the CA SiteMinder documentation.

SiteMinder configured for more than one user directory

If your SiteMinder environment is configured for more than one user directory, you must use the SiteMinder namespace type in IBM Cognos Configuration.

After you configure the SiteMinder namespace in IBM Cognos Configuration, you must also add a corresponding LDAP or Active Directory Server namespace to IBM Cognos Configuration for each user directory that is defined in SiteMinder.

When you configure a corresponding LDAP namespace, ensure that the External identity mapping property is enabled and that you include the REMOTE_USER token in the property value. This does not mean that you must configure SiteMinder to set REMOTE_USER.

When you configure a corresponding Active Directory namespace, ensure that the singleSignonOption property is set to IdentityMapping.

The SiteMinder namespace passes user information internally to the corresponding LDAP namespace using the REMOTE_USER environment variable when it receives successful user identification from the SiteMinder environment.

For more information, see Enabling single signon between Active Directory Server and IBM Cognos Components to use REMOTE_USER.

Important: Ensure that you use only the variable REMOTE_USER. Using another variable can cause a security vulnerability.

SiteMinder configured with only one user directory

If your SiteMinder environment is configured with only one user directory, you do not have to use the SiteMinder namespace type in IBM Cognos Configuration.

In this case, you can use the user directory as your authentication source by configuring the appropriate namespace, or you can configure the SiteMinder namespace with one user directory. For example, if the SiteMinder user directory is LDAP, you can configure IBM Cognos components with an LDAP namespace or with one SiteMinder namespace, referring to one user directory that is an LDAP namespace.

If the SiteMinder user directory is Active Directory, you can use an Active Directory namespace or an LDAP namespace that is configured for use with Active Directory.

If you want to use the user directory as your authentication source directly instead of configuring a SiteMinder namespace, you can configure the appropriate LDAP or Active Directory namespace. In this case, verify the Agent Configuration Object properties in SiteMinder Policy Server. Ensure that SetRemoteUser is activated.

When you configure the Active Directory namespace, ensure that the singleSignonOption property is set to IdentityMapping.

When you configure a corresponding LDAP namespace, ensure that the External identity mapping property is enabled and that you include the REMOTE_USER token in the property value.

For more information, see Enabling single signon between Active Directory Server and IBM Cognos Components to use REMOTE_USER.

Important: Ensure that you use only the variable REMOTE_USER. Using another variable can cause a security vulnerability.
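The namespace rules stated in both sections above (External identity mapping enabled and limited to REMOTE_USER for LDAP, singleSignonOption set to IdentityMapping for Active Directory) can be checked mechanically. The following is an added example, not IBM code: the dictionary keys and sample namespaces are hypothetical, and the ${environment("...")} macro form for the mapping value is an assumption that does not appear on this page.

```python
import re

# Assumed macro form for reading a variable in an External identity mapping value.
ENV_TOKEN = re.compile(r'\$\{\s*environment\(\s*"([^"]*)"\s*\)\s*\}')
ALLOWED_VARIABLE = "REMOTE_USER"


def audit_namespace(ns):
    """Return findings for one namespace dict (hypothetical keys); [] means compliant."""
    findings = []
    kind = ns.get("type")
    if kind == "LDAP":
        if not ns.get("useExternalIdentity", False):
            findings.append("External identity mapping is not enabled")
        variables = ENV_TOKEN.findall(ns.get("externalIdentityMapping", ""))
        if ALLOWED_VARIABLE not in variables:
            findings.append("mapping does not include the REMOTE_USER token")
        # Any other variable is flagged, per the "Important" note.
        for var in sorted(set(variables) - {ALLOWED_VARIABLE}):
            findings.append(f"mapping reads variable {var!r}; only REMOTE_USER is allowed")
    elif kind == "ActiveDirectory":
        if ns.get("singleSignonOption") != "IdentityMapping":
            findings.append("singleSignonOption is not set to IdentityMapping")
    else:
        findings.append(f"unexpected namespace type {kind!r}")
    return findings


# Constructed sample namespaces, not taken from a real deployment.
SAMPLE_NAMESPACES = [
    {"name": "ldap-ok", "type": "LDAP", "useExternalIdentity": True,
     "externalIdentityMapping": '(uid=${environment("REMOTE_USER")})'},
    {"name": "ldap-other-var", "type": "LDAP", "useExternalIdentity": True,
     "externalIdentityMapping": '(uid=${environment("HTTP_X_USER")})'},
    {"name": "ad-unset", "type": "ActiveDirectory"},
]


def audit_all(namespaces):
    """Map each namespace name to its list of findings."""
    return {ns["name"]: audit_namespace(ns) for ns in namespaces}


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_NAMESPACES).items():
        print(name, "OK" if not findings else findings)
```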