Single Sign On issue with Multiple Namespaces

[aumdy]

We are integrating Cognos with Sharepoint and trying to use 2 namespaces to authenticate users using single sign on access. However, only one of the two namespaces works successfully.

Current environment: Cognos 10

Application server1 (also contains Content Manager)
Application server2
Gateway 1 = points to App server 1
Gateway 2 = points to App server 2

Security>Authentication>Namespace: There are 2 LDAP namespaces built in Cognos Configuration (App server1)
Namespace1 (For InternalUsers)
Namespace2 (For ExternalUsers)

Gateway1 points to Namespace1 (Environment>Gateway Settings>GatewayNamespace)
Gateway2 points to Namespace2 (Environment>Gateway Settings>GatewayNamespace)

Cognos Configuration>Portal Services> on App Server 1 is set to default to Namespace1
Cognos Configuration>Portal Services> on App Server 2 is set to default to Namespace2

Single Sign on is setup correctly.

ISSUE:

When an INTERNAL user (from Namespace1) logs into the portal, the user is authenticated against the domain and is able to log in without entering credentials.

When an EXTERNAL user (Namespace2) logs into the portal, the user is unable to log in with SSO and gets the following message.

"Unable to process the request.
CAM-AAA-0055 User input is required. CAM-AAA-0036 Unable to authenticate because the credentials are invalid. 
A more detailed description of the error that occurred can be found in the log."

Things we have tried as a workaround:

Added a second Content Manager on App server 2
Added a second Cognos Content Store database and pointed it to App server 2
This resolved the issue where users from both namespaces can log in with SSO authentication. However, we need to keep just one content store to authenticate both namespaces. But doing so only authenticates one namespace not both.

Did anyone face this type of issue before?
What can we do to make this work?

Please let me know if you need any other information about the environment. Client is going live next week and has the above mentioned workaround solution for now, but does not want to use that as a solution because it's not best practice and  they do not want to maintain two content store databases.

Thank you.

[Rahul Ganguli]

Hi,

I have implemented SSO in past, but this is the first time I am looking at where we have more than one namespace and one of them in SSO.
But I think you can handle this at gateway level where one gateway is configured for dispatcher pointing to internal AD and other gateway is configured for Dispatcher pointing to external AD. Hope this way you can implement the requirement.

Regards,
Rahul

[torre2011]

I have been feverishly searching the web for assistance on  this exact subject.  I have one Gateway, with one namespace set up for SSO, and the Authentication within Cognos Config on the Application Server is set to Active Directory.  To set up for SharePoint, I have seen that I need to set up a 2nd namespace that will be pointing Custom Java Provider with Anonymous Access.

My concern is will the 2nd namespace cause issues to end users...causing them to be asked for their credentials again?  I am not dealing with external users, so in that way it is not the same as Rahul mentioned in this thread.

I appreciate any assistance I can be given!!