
 

Issue setting up SSO with Cognos 11 and Websphere Portal

Started by ttra10, 11 Jul 2018 08:53:44 AM


ttra10

Hi everyone,

I can't seem to get Single Sign-On working with Cognos. I am trying to set up SSO with IBM WebSphere Portal 8.5 and Cognos 11.0.11 with IBM HTTP Server 8.5.

I followed IBM's guide to set up Cognos SSO with LTPA and IHS. However, after logging into the portal application, I hit the Cognos URL and the browser prompts for a username/password. I am able to log in to Cognos if I enter the userid/pw, but how do I get the SSO to work? Below is a copy of my configuration files. Any help is appreciated. Thank you.

local-server.xml
<?xml version="1.0" encoding="UTF-8"?>
<server>
<!-- Server configuration fragment posted for the SSO question: an LDAP user registry,
     web application security options and the LTPA key settings. -->
<featureManager>
<feature>ldapRegistry-3.0</feature>
<feature>appSecurity-2.0</feature>
</featureManager>
<!-- LDAP user registry "portalLdap".
     NOTE(review): sslEnabled="false" on port 389 means the bind as cn=root, and the
     passwords of users being authenticated, reach the directory in clear text. Prefer an
     LDAPS listener with sslEnabled="true".
     NOTE(review): cn=root is normally the directory administrator DN on IBM Tivoli
     Directory Server; user and group lookups usually need only a dedicated read-only
     bind account.
     NOTE(review): servers that share LTPA tokens are expected to agree on the realm name;
     presumably "defaultWIMFileBasedRealm" was taken from the Portal side. Confirm it
     matches there. -->
<ldapRegistry id="portalLdap" realm="defaultWIMFileBasedRealm"
host="directory" port="389" ignoreCase="true"
baseDN="dc=ttt,dc=com" ldapType="IBM Tivoli Directory Server" sslEnabled="false" bindDN="cn=root" bindPassword="REMOVED">
<!-- Search filters: users are inetOrgPerson entries matched on uid, groups are
     groupOfUniqueNames entries matched on cn. %v stands for the name being looked up. -->
<idsFilters
userFilter="(&amp;(uid=%v)(objectclass=inetOrgPerson))"
userIdMap="*:uid"
groupFilter="(&amp;(cn=%v)(objectclass=groupOfUniqueNames))"
groupIdMap="*:cn">
</idsFilters>
</ldapRegistry>
<!-- NOTE(review): allowFailOverToBasicAuth permits falling back to an HTTP Basic challenge
     when certificate authentication fails, and displayAuthenticationRealm presumably shows
     the realm name in that prompt. With LTPA SSO as the goal, confirm the Basic fallback is
     wanted; it is one more password entry path to protect. -->
      <webAppSecurity allowFailOverToBasicAuth="true" displayAuthenticationRealm="true" />
<!-- LTPA keys used for the SSO tokens. Anyone holding this key file together with
     keysPassword can presumably produce tokens the servers accept, so restrict the file to
     the server's service account and keep the password out of shared copies (it is redacted
     here as REMOVED). expiration="120" is the token lifetime, in minutes as far as the
     product documentation goes. Confirm against your version. -->
  <ltpa keysFileName="D:\ttt\portal\security\HOU06Portal.key" keysPassword="REMOVED" expiration="120" />
</server>


cognos.conf
# Licensed Materials - Property of IBM
# IBM Cognos Products: gate
# (C) Copyright IBM Corp. 2017
# US Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
#
# this is a sample cognos.conf for IHS 8 ( with Apache 2.2).  To use it, rename or
# copy it to "cognos.conf"
#

# Stock IHS modules that the directives below rely on: request header editing, URL
# rewriting, Expires headers, reverse proxying and LDAP-backed authentication.
LoadModule headers_module modules/mod_headers.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule expires_module modules/mod_expires.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule ldap_module modules/mod_ldap.so

#mod_proxy_balancer is not a supported component of IBM HTTP Server,
#however on select platforms this module is distributed with IHS in the modules/WebSphereCE/ subdirectory
LoadModule proxy_balancer_module modules/WebSphereCE/mod_proxy_balancer.so

LoadModule deflate_module modules/mod_deflate.so
# Cognos gateway module, loaded from the Cognos install tree rather than from the IHS
# modules directory.
# NOTE(review): this DLL runs inside the web server process, so d:/act/cognos/cgi-bin
# should be writable by administrators only.
LoadModule cognos_module "d:/act/cognos/cgi-bin/mod2_2_cognos.dll"

# Let clients cache static assets (images, scripts, styles, fonts, templates) for one day.
<IfModule mod_expires.c>
<FilesMatch "\.(jpe?g|png|gif|js|css|json|html|woff2?|template)$">
ExpiresActive On
ExpiresDefault "access plus 1 day"
</FilesMatch>
</IfModule>

# Applied only when the Cognos module is present; presumably tells it where the gateway
# binaries live.
<IfModule mod2_2_cognos.c>
CGIBinDir "d:/act/cognos/cgi-bin"
</IfModule>

# Access rules for the Cognos install root.
# NOTE(review): this section covers all of d:/act/cognos, while the Alias in this file
# publishes only d:/act/cognos/webcontent. Scoping the section to the webcontent directory
# would avoid granting access to the rest of the install tree.
<Directory d:/act/cognos>
# NOTE(review): IfModule expects a module identifier (deflate_module) or a source file name
# (mod_deflate.c); confirm that "mod_deflate" is matched and that compression is applied.
<IfModule mod_deflate>
AddOutputFilterByType DEFLATE text/html application/json text/css application/javascript
</IfModule>
# NOTE(review): "Indexes" produces a directory listing for any folder without an index
# file, which exposes file names to every client; drop it unless listings are required.
Options Indexes MultiViews
AllowOverride None
# Apache 2.2 access syntax: every client address is allowed.
Order allow,deny
Allow from all
</Directory>

#Set up a cluster for load-balancing
# Include all ICA servers that have the ICA Application server components installed and configured.
# Note: do not include ICA servers that are used to run the Content Manager service.
# NOTE(review): the single member is reached over plain http://, so anything forwarded to
# it (credentials, session cookies, report data) is unencrypted between IHS and the
# application server.
<Proxy balancer://mycluster>
BalancerMember http://houw12ttt03.clearlake.com:9081 route=1
</Proxy>

# UI to monitor/configure load balancer
# NOTE(review): no access restriction is visible for this location, so the balancer-manager
# page, which can change balancer member settings at run time, is reachable by any client
# that can reach this server. Limit it to administrator hosts, for example with
# "Order deny,allow", "Deny from all" and "Allow from <admin-host-placeholder>", or remove
# the section when it is not needed.
<Location /ibmcognos/balancer-manager>
   SetHandler balancer-manager
</Location>

# Uncomment the following line if you want to use cognos.cgi instead of mod_cognos for SSO
#ScriptAlias /ibmcognos/cgi-bin /opt/IBM/cognos/analytics/cgi-bin
# Publish the static web content under the /ibmcognos URL prefix.
Alias /ibmcognos d:/act/cognos/webcontent

RewriteEngine On
# Send default URL to service
# [P] hands the request to mod_proxy, so it goes to the balancer defined in this file.
RewriteRule ^/ibmcognos/bi/($|[^/.]+(\.jsp)(.*)?) balancer://mycluster/bi/$1$3 [P]
# Send login requests and legacy UI's through cognos module for SSO
# The target is /ibmcognos/sso, the location that this file protects with HTTP Basic
# authentication against LDAP; a login request therefore has to pass that check before
# the Cognos handler sees it.
RewriteRule ^/ibmcognos/bi/v1/(login|disp)(/.*)? /ibmcognos/sso/bi/v1/$1$2 [PT,L]
# OR (enable one or the other)
# Send login requests and legacy UI's through the cognos cgi for SSO
#RewriteRule ^/ibmcognos/bi/v1/(login|disp)(/.*)? /ibmcognos/cgi-bin/cognos.cgi/bi/v1/$1$2 [PT]

# Rewrite Event Studio static references
# The Referer header is supplied by the client; here it only selects a path mapping for
# static files and must not be treated as an access control.
RewriteCond %{HTTP_REFERER} v1/disp [NC]
RewriteRule ^/ibmcognos/bi/(ags|cr1|prompting|ccl|common|skins|ps)/(.*) /ibmcognos/$1/$2 [PT,L]

# Rewrite Saved-Output and Viewer static references
RewriteRule ^/ibmcognos/bi/rv/(.*)$ /ibmcognos/rv/$1 [PT,L]

# Define cognos location
# "set" replaces any X-BI-PATH value sent by the client, so the downstream handlers always
# see the value fixed here.
<Location /ibmcognos>
RequestHeader set X-BI-PATH /ibmcognos/bi/v1
</Location>

# Route CA REST service requests through proxy with load balancing
# NOTE(review): this location carries no authentication directives, so requests are
# forwarded as received; access control for the REST service is presumably enforced by the
# Cognos application tier. Confirm.
<Location /ibmcognos/bi/v1>
ProxyPass balancer://mycluster/bi/v1
</Location>

# To enable the stickysession, uncomment the following lines to replace the above section
#<Location /ibmcognos/bi/v1>
# Header add Set-Cookie "ROUTEID=.%{BALANCER_WORKER_ROUTE}e; path=/ibmcognos/bi/v1" env=BALANCER_ROUTE_CHANGED
# ProxyPass balancer://mycluster/bi/v1 stickysession=ROUTEID
#</Location>

# Route login and legacy UI requests through mod_cognos
# Requests reaching this location must pass HTTP Basic authentication checked against
# LDAP before the Cognos handler runs.
# NOTE(review): with "AuthType Basic" and "Require valid-user", the server answers any
# request that lacks Basic credentials with a 401 challenge, and the browser shows a
# username/password dialog. An LTPA cookie issued by the portal is not evaluated by these
# directives, which presumably explains the prompt described in the post.
# NOTE(review): Basic credentials are only base64-encoded and are resent on every request;
# serve this location over TLS only.
# NOTE(review): the LDAP lookup binds as cn=root over ldap:// on port 389, so the bind
# password and the user passwords being verified cross the network unencrypted. Prefer an
# encrypted LDAP connection and a dedicated read-only bind account.
# NOTE(review): AuthLDAPURL has no base DN, attribute or scope part
# (ldap://host:port/basedn?attribute?scope?filter), whereas the registry in
# local-server.xml searches under dc=ttt,dc=com by uid. Confirm the intended search base.
<Location /ibmcognos/sso>
SetHandler cognos-handler
AuthType Basic
AuthName "portalLdap"
AuthBasicProvider ldap
AuthLDAPBindDN "cn=root"
AuthLDAPBindPassword "REMOVED"
AuthLDAPURL "ldap://directory:389"
Require valid-user
</Location>
# Route login and legacy UI requests through cognos.cgi
#<Location /ibmcognos/cgi-bin>
# SetHandler cognos-handler
# AuthType Basic
# AuthName "portalLdap"
# AuthBasicProvider ldap
# AuthLDAPBindDN "cn=root"
# AuthLDAPBindPassword "REMOVED"
# AuthLDAPURL "ldap://directory:389"
# Require valid-user
#</Location>