Customer is wanting to implement 'single sign on' (SSO). Instructions refer to the parameter 'singleSignOnOption'. What does this parameter do, and what value should they configure?
Inside 'Cognos Configuration', inside the Active Directory namespace, there is a button 'Advanced Properties':
What settings should the customer put inside here (relating to singleSignOnOption) ?
- For example:
If the customer does not create a 'singleSignOnOption' setting, then Cognos CAM will use the default setting.
- The default setting (blank / no entry) is to use standard 'Kerberos' authentication.
In other words, if you want to use standard 'Kerberos' authentication then there is no need to use/configure the singleSignOnOption setting (you can leave this section blank/unconfigured).
Customer is implementing single sign on, where they want the Windows username/credentials to be automatically forwarded to the Cognos CAM (authentication) engine.
- Specifically, they would like the end users to not be asked for their Windows username/password when they logon to Cognos.
Resolving The Problem
Decide which type of SSO authentication you will be using, either:
1. "Remote_User" environment variable.
2. Kerberos (standard)
3. Kerberos (first) then Service for User (S4U) - this is only available for Cognos BI 10.2.1 onwards.
4. Service for User (S4U) first, then Kerberos - this is only available for Cognos BI 10.2.1 onwards.
S4U allows users to access IBM Cognos BI from computers not on the Active Directory domain.
- For example, you have users whose computers do not belong to the domain, but they do have the domain account.
- When they open their web browsers, they are promoted for their domain account. However, they get the Kerberos ticket with Identity privilege only, which prevents them from getting authenticated to IBM Cognos BI. To resolve this issue, you can use S4U.
To enable S4U, you must use enable constrained delegation.
- For more details, see separate IBM Technote #1694595.
IMPORTANT: The following settings are case sensitive!
- For more details, see separate IBM Technote #1343213.
1. Launch 'Cognos Configuration'
2. Browse to "Local Configuration -> Security -> Authentication"
3. Open the Active Directory namespace (authentication source)
4. Click on the edit button for "Advanced properties"
5. Inside 'Name', create an entry: singleSignonOption
6. Inside 'Value', type in one of the following:
- IdentityMapping - Choose this to use the "Remote_User" environment variable method of SSO
- KerberosAuthentication - Choose this to use 'standard' Kerberos
- KerberosS4UAuthentication - Choose this to use Kerberos authentication first. If Kerberos fails, Service For User (S4U) authentication is attempted. If S4U fails, the user is prompted for credentials.
- S4UAuthentication - Choose this if you want to use S4U authentication first. If S4U fails, the user is prompted for credentials.
7. Save changes and restart Cognos service.
15 June 2018