Upon Logon to Cognos, the user will be authenticated against predefined criteria. Possible use cases include:
User credentials: Providing userID and password. The CJAP will connect to a back-end authentication provider, passing appropriate credentials for authentication. Upon successful validation the user will be logged into Cognos. The user profile in Cognos will synchronize the attributes from the user account in the authentication provider, including but not limited to ID, FNAME, LNAME, EMAIL. Additionally, custom properties can be utilized in Cognos, if required.
SAML: If federated services with SAML support are in place, the CJAP can integrate with them through the SAML protocol. The user information can be carried in the SAML assertion, or the CJAP can initiate communication between the SP and the IdP to obtain it.
HTTP request session information: If a cookie, HTTP header or other session token is provided, the CJAP can use it to authenticate the user and pull the necessary information from the back-end provider.
Using other logon mechanisms: If there is any other custom method to initiate the user logon request, it can be evaluated for applicability for the CJAP.
The user profile in Cognos is created when the user first logs into Cognos or when an Administrator creates it from the UI or an SDK (API) application. The Account object stores the preferences and properties of the user, associates content accessible only by that user, and stores encrypted user credentials for scheduling, etc.
The CJAP creates the Account object in Cognos and assigns its properties based on the user attributes retrieved during the logon process.
Authorization in Cognos is achieved either through direct association with Cognos Groups and Roles or the Identity Provider’s membership settings. In the first case the user is a member of one or more Groups and Roles in the Cognos Namespace. In the second, the user’s Group membership is configured in the CJAP namespace.
The user membership in the CJAP namespace is pulled from the authentication provider, if that functionality is required. Such an approach eliminates maintenance tasks for the user's membership in the Cognos namespace. Instead, the whole Group from the authentication provider is assigned permissions or capabilities in Cognos. This allows security to be applied to one or more groups referenced directly from the authentication provider.
The Directory or System administrator can log on to the CJAP namespace and browse or search for users and groups to assign security in Cognos.
Note: The authentication and authorization do not have to be based on the same authentication provider. For example, the SAML protocol can be used for authentication against Ping Federate while the user's membership is retrieved from database tables.
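The logon flow described above (authenticate against a back-end, map the returned attributes onto the Account object, and pull group membership from a possibly different source) is modelled in the following added example. It is not code from the Cognos SDK or from the CJAP: the AuthenticationBackend, MembershipSource and Account names are hypothetical stand-ins, and the directory and membership table are constructed in memory to stand in for LDAP and database back-ends.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.*;

// Illustrative model of the CJAP logon flow. The interface and class names here are
// hypothetical stand-ins, not the Cognos SDK's own authentication-provider interfaces.
public class CjapLogonExample {

    /** Back-end that verifies credentials and returns the user's attributes. */
    interface AuthenticationBackend {
        Optional<Map<String, String>> authenticate(String userId, char[] password);
    }

    /** Source of group membership; may be a different system than the authenticator. */
    interface MembershipSource {
        Set<String> groupsOf(String userId);
    }

    /** Stand-in for the Cognos Account object that the CJAP populates at logon. */
    static final class Account {
        final String id, firstName, lastName, email;
        final Map<String, String> customProperties;
        final Set<String> groups;

        Account(String id, String firstName, String lastName, String email,
                Map<String, String> customProperties, Set<String> groups) {
            this.id = id; this.firstName = firstName; this.lastName = lastName; this.email = email;
            this.customProperties = Collections.unmodifiableMap(customProperties);
            this.groups = Collections.unmodifiableSet(groups);
        }
    }

    /** Attributes the Account must always receive from the provider. */
    static final List<String> REQUIRED = List.of("ID", "FNAME", "LNAME", "EMAIL");

    /** Authenticate, then map provider attributes and membership onto the Account. */
    static Optional<Account> logon(AuthenticationBackend auth, MembershipSource members,
                                   String userId, char[] password) {
        Optional<Map<String, String>> result = auth.authenticate(userId, password);
        Arrays.fill(password, '\0');                   // do not keep the password in memory
        if (result.isEmpty()) {
            return Optional.empty();                   // bad credentials: no Account is created
        }
        Map<String, String> attrs = result.get();
        for (String key : REQUIRED) {
            String v = attrs.get(key);
            if (v == null || v.isBlank()) {
                throw new IllegalStateException("provider returned no " + key + " for " + userId);
            }
        }
        // Everything beyond the required attributes becomes a custom property.
        Map<String, String> custom = new LinkedHashMap<>(attrs);
        REQUIRED.forEach(custom::remove);
        // Membership comes from the provider, so no per-user maintenance in the Cognos namespace.
        Set<String> groups = new TreeSet<>(members.groupsOf(attrs.get("ID")));
        return Optional.of(new Account(attrs.get("ID"), attrs.get("FNAME"), attrs.get("LNAME"),
                                       attrs.get("EMAIL"), custom, groups));
    }

    static byte[] sha256(char[] password) {
        try {
            return MessageDigest.getInstance("SHA-256")
                    .digest(new String(password).getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        // Constructed in-memory stand-ins for a directory (authentication) and
        // database tables (membership); a real CJAP would call LDAP, SAML or JDBC here.
        Map<String, byte[]> passwordHashes = Map.of("jsmith", sha256("s3cret!".toCharArray()));
        Map<String, Map<String, String>> directory = Map.of("jsmith", Map.of(
                "ID", "jsmith", "FNAME", "Jane", "LNAME", "Smith",
                "EMAIL", "jane.smith@example.com", "DEPT", "Finance"));
        AuthenticationBackend ldapLike = (user, pw) -> {
            byte[] expected = passwordHashes.get(user);
            // MessageDigest.isEqual compares in constant time, avoiding a timing side channel.
            if (expected == null || !MessageDigest.isEqual(expected, sha256(pw))) {
                return Optional.empty();
            }
            return Optional.of(directory.get(user));
        };
        Map<String, Set<String>> membershipTable =
                Map.of("jsmith", Set.of("Finance-Readers", "All-Staff"));
        MembershipSource dbLike = user -> membershipTable.getOrDefault(user, Set.of());

        Optional<Account> ok = logon(ldapLike, dbLike, "jsmith", "s3cret!".toCharArray());
        Optional<Account> bad = logon(ldapLike, dbLike, "jsmith", "wrong".toCharArray());
        System.out.println("valid logon    -> " + ok.map(a -> a.email + " " + a.groups
                + " custom=" + a.customProperties).orElse("denied"));
        System.out.println("wrong password -> " + (bad.isPresent() ? "ACCOUNT CREATED (bug)" : "denied"));
    }
}
```

The point worth noticing is that the Account is only built after the back-end has accepted the credentials, that missing required attributes fail the logon loudly rather than creating a half-populated profile, and that the membership source is a separate object, which is exactly what lets authentication and authorization come from different providers.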
Search and Browse
Directory and System Administrators are able to search for Users and Groups, or browse the security tree, to assign Permissions, Capabilities and memberships in Cognos Groups/Roles.
Schedules and Credentials
For schedules, Cognos stores encrypted user credentials (based on different algorithms). These credentials are validated through the CJAP at the time the schedule is executed. During logon the stored user credentials are renewed/refreshed, allowing the schedules to run uninterrupted.
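The store/renew/validate cycle for schedule credentials, as an added example that is not Cognos's own implementation: the encryption algorithm (AES-GCM under a provider-level key), the store layout and the class names are this example's choices, and the back-end password table is constructed in memory. It shows why renewal at logon matters: once the password changes in the directory, the stored credential stops validating until the user's next logon reseals it.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.*;
import java.util.function.BiPredicate;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

// Illustrative model of stored schedule credentials that are renewed at logon.
// AES-GCM and the store layout are this example's choices, not what Cognos uses.
public class ScheduleCredentialExample {

    static final SecureRandom RNG = new SecureRandom();
    static final int IV_BYTES = 12, TAG_BITS = 128;

    /** Per-user encrypted credential plus the IV it was sealed with. */
    static final class Sealed {
        final byte[] iv, ciphertext;
        Sealed(byte[] iv, byte[] ciphertext) { this.iv = iv; this.ciphertext = ciphertext; }
    }

    final SecretKey key;                         // provider-level key (hypothetically from configuration)
    final Map<String, Sealed> store = new HashMap<>();

    ScheduleCredentialExample(SecretKey key) { this.key = key; }

    /** Called at logon: (re)seal the credential so schedules keep running after a password change. */
    void renew(String userId, char[] password) throws Exception {
        byte[] iv = new byte[IV_BYTES];
        RNG.nextBytes(iv);                           // a fresh IV per encryption is mandatory for GCM
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        c.updateAAD(userId.getBytes(StandardCharsets.UTF_8));   // bind the blob to its user
        byte[] ct = c.doFinal(new String(password).getBytes(StandardCharsets.UTF_8));
        store.put(userId, new Sealed(iv, ct));
    }

    /** Called when a schedule fires: unseal and re-validate against the provider. */
    boolean validateForSchedule(String userId, BiPredicate<String, char[]> provider) throws Exception {
        Sealed s = store.get(userId);
        if (s == null) return false;                 // no stored credential: the schedule cannot run
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, s.iv));
        c.updateAAD(userId.getBytes(StandardCharsets.UTF_8));
        byte[] pt = c.doFinal(s.ciphertext);         // throws AEADBadTagException if tampered
        char[] pw = new String(pt, StandardCharsets.UTF_8).toCharArray();
        Arrays.fill(pt, (byte) 0);
        try {
            return provider.test(userId, pw);
        } finally {
            Arrays.fill(pw, '\0');                   // never leave the plaintext credential around
        }
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        ScheduleCredentialExample creds = new ScheduleCredentialExample(kg.generateKey());

        // Constructed stand-in for the back-end provider's current password table.
        Map<String, String> backend = new HashMap<>(Map.of("jsmith", "old-pass"));
        BiPredicate<String, char[]> provider =
                (u, pw) -> backend.containsKey(u) && backend.get(u).equals(new String(pw));

        creds.renew("jsmith", "old-pass".toCharArray());
        System.out.println("schedule runs:             " + creds.validateForSchedule("jsmith", provider));

        backend.put("jsmith", "new-pass");           // password changed in the directory
        System.out.println("after change, not renewed: " + creds.validateForSchedule("jsmith", provider));

        creds.renew("jsmith", "new-pass".toCharArray());   // user logs on again -> credential renewed
        System.out.println("after next logon:          " + creds.validateForSchedule("jsmith", provider));
    }
}
```

Binding the user ID as associated data means a sealed blob copied from one user's entry to another's fails authentication on decryption, which is the check a practitioner would want on any per-user encrypted credential store.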
Logoff and Session Expiration
Explicit Logoff requests and session expiration are handled by the CJAP. The default timeout can be either the global session timeout in Cognos Configuration, or one set through the provider's configuration properties.
Support for SSL
Communication between the CJAP and the authentication provider can be over a secure (SSL) connection and/or use any additional encryption that is required.
The CJAP uses a standard logging mechanism with different levels of log information: INFO, WARN, ERROR, DEBUG. The level of logging is set through a properties file.
Fig. 1: CJAP Authentication and authorization diagram