single sign on working even if the user is deleted in cognos

[simplyguru]

hi,

we have single sign on set up in our environment. we have deleted a user in cognos administration. but still the user is able to get into cognos environment

any help would be much appreciated.

Thanks,
Guru

[UseCog]

I can only think of 2 reasons here,

1.  The user may still exists in any of those groups inside Cognos or namespaces
2.  Anonymous access to Cognos may be enabled

[Rahul Ganguli]

Hi,

This is happening because you have integrated the authentication with Active directory and whenever a user already authenticated in AD opens cognos url he/she is able to login to COgnos.

If you want to prevent all users login to cognos environment who are already authenticated in AD, then you have to change the following setting in Cognos Configuration
Security-->Authentication-->Retrict Members of Builtin Namespace ---- Set it to true

Once you change this setting and restart cognos, only those users who you have imported in cognos via Cognos administration will have access and others will not have access to Cognos environment.

Regards,
Rahul

[MMcBride]

Within my environment we are also integrated with Active Directory, all users in the company that have valid AD accounts can actually log into Cognos.

However they can't do anything

Each application folder and all of our Capabilities are tied to specific groups, these Cognos groups are then mapped to Active Directory groups.

We have 25 different reporting 'applications' within our Cognos environment, so if a user has access to 3 of them they have access to 3 different AD groups. When this user loses access to one of the groups their AD profile is updated and when they log into cognos they no longer have access to the corresponding application folder.

What you are deleting when you say "deleted them from cognos" is nothing more than their Cognos Profile, so you just flushed any saved settings they have you haven't really deleted anything.

I highly recommend taking a second look at the IBM documentation regarding Active Directory security and then update your Cognos environment to leverage this.

If you wanted to control their access within Cognos instead of AD, you will have to go to each folder or object (depending on how you have your environment set up) and set the membership for that object - then when a user is to be removed you remove their access to the associated objects and capabilities - they will still have access to Cognos but not to anything within Cognos.

[sir_jeroen]

@MMcBride: Do you make use of the group "Everyone" or "All Authenticated  users" (cognos) or "Domain Users" (AD) in any role/group? If so.. Remove those groups from the roles/groups and you stop all unauthorized users at the gateway and not in Public Folders.

[Yizi]

hi,

we have single sign on set up in our environment. we have deleted a user in cognos administration. but still the user is able to get into cognos environment

any help would be much appreciated.

Thanks,
Guru

If it's just a case of keeping Active Directory up to date, you can set a job up and select your namespace (in your case active directory. Refer to the screenshot for more info.

Cognos Administration > Configuration > Content Administration

[al91206]

If you want to prevent all users login to cognos environment who are already authenticated in AD, then you have to change the following setting in Cognos Configuration
Security-->Authentication-->Retrict Members of Builtin Namespace ---- Set it to true

Once you change this setting and restart cognos, only those users who you have imported in cognos via Cognos administration will have access and others will not have access to Cognos environment.

Regards,
Rahul

Rahul - you just saved me HOURS of frustration - thanks so much for this - my SSO is now working and locked down!!  Hooray!