Cognos and Active Directory ..

[NaviGator]

Hello All,

Hope you are doing fine. I have a situation that I need some information about.

We are developing a web application that will be used to host some Cognos reports. Each page in the application will contain something like a frame and the frame will have the report URL. So when a user clicks on a page the page is loaded and the report is loaded inside the frame.

I would like to know if I am using an Active Directory as an authentication provider, how the security will be handled.  Can I get a Single Sign On so the user will enter the user name and password when he opens the application for the first time? Or the user will have to enter the user name and password each time he navigates to a new page? ::)

Do you have any concerns or recommendations for such a situation?

Thanks a lot.

[josepherwin]

For SSO with AD, search the Cognos Knowledge Base for SingleSignonOption and IdentityMapping

[swordfish]

Correct me if I understood your question wrong. Enabling SSO will not prompt for login for each page. It will NOT prompt for login if you do something like right click on report and open in new window or you do a CTRL N. All pages that are accessed in the same browser session, will not be required for authentication with or without SSO. If SSO is not enabled, you cannot open a report in a new browser because the login credentials are not passed to the new browser session. In this case, you will be prompted for login (again).

Regards
SF

[asirilow]

This is something I have been struggling with as well.  In the SDK environment, I happen to be using C#.NET, using SSO is nearly impossible but I believe strongly there is a solution.  With that being said, we all need to understand how SSO to cognos works and I am a little unclear to be honest.  I believe when the SSO is used, it passes a username, something like environment.username, within cognos to validate a user against their CAMID inside of access manager.  After that has finished it creates a browser cookie that holds the user's information/credentials (CAMID) to be able to bounce around from report to report during this session.  As soon as the session is terminated (browser is closed), the cookie gets removed from memory and the user will have to authenticate again for a new session using the method previously described. 

The part of this process that is concerning for me is setting up the bibusheader information (i.e. SOAP information) when trying to connect to the contentManagerService or ReportService or whatever other webservice cognos would like me to connect to.  Without these connections defined, you will never be able to connect to cognos webservices however there methods inside of the cognosdotnet_2_0 class that can handle this information.

For those of you using Metamanager out there, another thing I have noticed is that SSO will not work with it either.  it will work in a traditional since of passing a user name and password to the dispatcher (controls the access to the webservices) but it will not work anonymously nor will it work with SSO.  Honestly, it seems that these two problems a re directly related if not the same problem in two different applications.

Well thats my two cents and I hope someone can answer this anomaly.

[kolonell]

SSO does indeed utilize some kind of token to seamlesly authenticate the user. This varies depending on which type of SSO you have configured. For IdentityMapping for example the REMOTE_USER variable is used. In C#
this can be read with the following :
       request.servervariables(" REMOTE_USER") 

If authentication succeeds you get a "Passport" in return (CAMID does not contain username and password). If a valid CAM cookie is present it means the request has been already been authenticated. So you'll not be asked to login again.

I'm not sure what you mean with "MetaManager" but I assume this is Framework manager. In that Case SSO does work with that tool. Again depending what type SSO you are trying to use, different prerequisites need to be fullfilled. SSO is not something that Cognos 8 implements, It's something they piggy back off. 

As for NaviGator's case, If he just makes sure the cam_passport cookie is present with each request then once authenticated the application will not ask for credentials again.

Asirilow, In your case you might want to look into TSPs (Trusted Signon Provider) for implementing SSO easily.

Depending on the requirements / environment SSO is possible to achieve (and is not too hard)

Hope this helps

[leoraj]

Hi,

I have a similar situation like yours and thought by now you might have a solution.

We are using a portal application that will host some Cognos reports just like yours. some pages in the application will contain frames and the frame will have the report URL.

We want to implement a Single Sign On so the user will enter the user name and password when he opens the application for the first time and this login should be passed to Cognos reports when they click on that particular page/tab with reports on it.

Could you assist me regarding this issue?

Thanks!.