IBM Cognos Custom Authentication

IBM Cognos Custom Authentication and Authorization

Custom Security models and providers

Overview

To supplement out-of-the-box security functionality or to align with IT requirements, most enterprises have adopted security models based on a set of guidelines and best practices applicable to their business and security needs. Out of the box, IBM Cognos supports the most common directory providers (LDAP, Active Directory) and the OpenID Connect protocol for federated single sign-on.

Anything outside that set demands a more flexible security model: custom directory providers (an in-house web service, a database, a third-party provider) and additional protocols (SAML, OpenID). The Custom Java Authentication Provider (CJAP) provided with this offering answers that need with a fully functional security model that brings these additional technologies to Cognos BI and Cognos Analytics.

The CJAP is developed and customized to address specific security tasks and provides the same functionality as the out-of-the-box providers:

Authentication (Logon)

Upon logon to Cognos, the user is authenticated against predefined criteria. Possible use cases include:

User credentials: the user provides a user ID and password. The CJAP connects to a back-end authentication provider and passes the credentials to it for validation; on success the user is logged into Cognos. The Cognos user profile is synchronized with the attributes of the account in the authentication provider, including but not limited to ID, FNAME, LNAME and EMAIL. Custom properties can also be carried into Cognos if required.

SAML: if federation services are in place with SAML support, the CJAP can integrate through SAML federation. The user information can be taken from the SAML assertion (once its signature and audience have been validated), or the CJAP can initiate communication between the SP and the IdP to obtain it.

HTTP request session information: if a cookie, HTTP header or other session token is presented, the CJAP can use it to authenticate the user and pull the remaining user information from the back-end provider. The token must be integrity-protected (signed, or looked up server-side) and accepted only from a trusted front end, since a plain header naming the user can be set by anyone who can reach the gateway.

Other logon mechanisms: any other custom method of initiating the user logon request can be evaluated for applicability to the CJAP.
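The check that the "HTTP request session information" case above depends on, written out as an added example. This is not IBM Cognos SDK or CJAP code: it is in Python rather than Java so the logic stands alone without the Cognos provider interfaces and Account object, and the token format (HMAC-SHA256 over a JSON payload), the shared secret, the header and cookie names and the directory contents are all constructed for the example. What it shows is the order of operations a provider must keep: verify the signature in constant time before parsing or trusting the payload, reject expired tokens, then look up the user in the back end and return the attributes (ID, FNAME, LNAME, EMAIL and group membership) that the provider would synchronize into the Cognos profile.

```python
"""Validating a session token presented in an HTTP header or cookie.

Added example, not IBM Cognos SDK or CJAP code. The Cognos-specific
plumbing is left out; shown is the check a provider makes before it
treats a token as a logon, and the attributes it would then hand on.
"""
import base64
import binascii
import hashlib
import hmac
import json
import time

# Assumed: a secret shared between the SSO front end that mints tokens and
# the provider that verifies them. A real provider loads it from its
# properties file, never from source code. Value is constructed.
SSO_SECRET = b"constructed-example-secret-do-not-reuse"
TOKEN_TTL = 900  # seconds a minted token stays valid (assumed policy)

# Constructed stand-in for the back-end directory (LDAP, database, web
# service). The keys are the attributes the profile is said to carry.
DIRECTORY = {
    "jsmith": {
        "ID": "jsmith", "FNAME": "Jane", "LNAME": "Smith",
        "EMAIL": "jsmith@example.com",
        "GROUPS": ["Finance", "ReportAuthors"],
    },
}


class LogonError(Exception):
    """Raised for every rejected token; the reason is for the log only."""


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(user_id: str, now=None) -> str:
    """What the trusted SSO front end does: payload.signature (HMAC-SHA256)."""
    exp = int(now if now is not None else time.time()) + TOKEN_TTL
    payload = json.dumps({"sub": user_id, "exp": exp},
                         separators=(",", ":")).encode("utf-8")
    sig = hmac.new(SSO_SECRET, payload, hashlib.sha256).digest()
    return b64url_encode(payload) + "." + b64url_encode(sig)


def authenticate_from_token(token: str, now=None) -> dict:
    """What the provider does on logon: verify first, look up the user second."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload = b64url_decode(payload_b64)
        sig = b64url_decode(sig_b64)
    except (ValueError, binascii.Error) as exc:
        raise LogonError("malformed token") from exc
    # Signature is checked before the payload is parsed or trusted for
    # anything; compare_digest keeps the comparison constant-time.
    expected = hmac.new(SSO_SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise LogonError("bad signature")
    try:
        claims = json.loads(payload)
    except ValueError as exc:
        raise LogonError("malformed payload") from exc
    if not isinstance(claims, dict):
        raise LogonError("malformed payload")
    exp = claims.get("exp")
    current = now if now is not None else time.time()
    if not isinstance(exp, int) or exp <= current:
        raise LogonError("token expired")
    sub = claims.get("sub")
    user = DIRECTORY.get(sub) if isinstance(sub, str) else None
    if user is None:
        raise LogonError("unknown user")
    return dict(user)  # attributes the provider copies into the Account


def logon_from_request(headers: dict, cookies: dict, now=None) -> dict:
    """Take the token from the SSO header first, then from the cookie."""
    token = headers.get("X-SSO-Token") or cookies.get("SSO_TOKEN")
    if not token:
        raise LogonError("no session token presented")
    return authenticate_from_token(token, now)


def token_is_accepted(token: str, now=None) -> bool:
    """Verdict-only view; the reason stays in the exception for logging."""
    try:
        authenticate_from_token(token, now)
        return True
    except LogonError:
        return False


if __name__ == "__main__":
    t0 = 1_700_000_000
    tok = mint_token("jsmith", now=t0)
    print(logon_from_request({"X-SSO-Token": tok}, {}, now=t0 + 60))
    # Payload altered to extend expiry, original signature kept: rejected.
    forged = b64url_encode(b'{"sub":"jsmith","exp":9999999999}') + "." + tok.split(".")[1]
    print(token_is_accepted(forged, now=t0 + 60))
    print(token_is_accepted(tok, now=t0 + TOKEN_TTL))
```

The rejection reasons are deliberately not returned to the caller as distinct outcomes: a provider logs them but answers the browser with the same logon failure in every case, so an attacker cannot tell a bad signature from an unknown user.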

User Profile

The user profile in Cognos is created when the user first logs in, or when an administrator creates it from the UI or from an SDK (API) application. The Account object stores the user's preferences and properties, owns the content accessible only to that user, and holds the encrypted user credentials used for scheduling.

The CJAP creates the Account object in Cognos and assigns its properties from the user attributes retrieved during the logon process.

Authorization

Authorization in Cognos is achieved either through direct membership in Cognos Groups and Roles or through the identity provider's membership settings. In the first case the user is a member of one or more Groups and Roles in the Cognos namespace. In the second, the user's group membership comes from the CJAP namespace.

When this functionality is required, the user's membership in the CJAP namespace is pulled from the authentication provider. This eliminates the maintenance of user membership in the Cognos namespace: instead, the group from the authentication provider is itself granted permissions or capabilities in Cognos, so security can be defined against one or more groups referenced directly from the authentication provider.

The Directory or System Administrator can log on to the CJAP namespace and browse or search for users and groups to assign security in Cognos.

Note: authentication and authorization do not have to be based on the same provider. For example, SAML can be used for authentication against PingFederate while the user's membership is retrieved from database tables.

Search and Browse

Directory and System Administrators can search for Users and Groups, or browse the security tree, to assign Permissions, Capabilities and Cognos Group/Role memberships.

Schedules and Credentials

For schedules, Cognos stores the user's credentials in encrypted form. They are validated through the CJAP at the time the schedule runs, and they are renewed/refreshed at each interactive logon so that schedules continue to run uninterrupted.

Logoff and Session Expiry

Explicit logoff requests and session expiration are handled by the CJAP. The timeout can be either the global session timeout set in Cognos Configuration or a value set through the provider's configuration properties.

Support for SSL/TLS

Communication between the CJAP and the authentication provider can run over a secure (SSL/TLS) connection and/or with the encryption the provider requires. The CJAP should validate the provider's certificate against a trusted store rather than accept whatever certificate is presented.

Logging 

The CJAP uses a standard logging mechanism with the usual levels (DEBUG, INFO, WARN, ERROR). The logging level is set through a properties file.

Fig. 1: CJAP Authentication and authorization diagram

Questions?

Additional resources: Custom Authentication Provider Documentation