Enabling single signon between Active Directory Server and IBM Cognos Components to use REMOTE_USER

If you do not want Kerberos authentication, you can configure the provider to access the environment variable REMOTE_USER to achieve single signon.

You must set the advanced property singleSignonOption to the value IdentityMapping. You must also specify bind credentials for the Active Directory namespace.

Microsoft IIS sets REMOTE_USER by default when you enable Windows authentication. If Kerberos authentication is not used, single signon to Microsoft OLAP (MSAS) data sources is not possible.

When you define the REMOTE_USER, you can also choose to save the REMOTE_USER as a trusted credential. Saving as a trusted credential means that scheduled jobs authenticate the REMOTE_USER with the Binding Credential privileges.

Important: Ensure that you use only the variable REMOTE_USER. Using another variable can cause a security vulnerability.

Procedure

  1. On the computer where you installed Content Manager, open IBM® Cognos® Configuration.
  2. In the Explorer window, under Security > Authentication, select the Active Directory namespace.
  3. Click in the Value column for Advanced properties and then click the edit icon.
  4. In the Value - Advanced properties dialog box, click Add.
  5. In the Name column, type singleSignonOption.
  6. In the Value column, type IdentityMapping.
  7. If you want to save the REMOTE_USER as a trusted credential, in the Value - Advanced properties dialog box, click Add.
  8. In the Name column, type trustedCredentialType.
  9. In the Value column, type IdentityMappingForTC.
  10. Click OK.
  11. Click in the Value column for Binding credentials, and then click the edit icon.
  12. In the Value - Binding credentials dialog box, specify a user ID and password and then click OK.