Internet Explorer 11 cannot run report via SSO (get blank page)

Started by gohabsgo, 09 Jan 2017 09:12:04 AM

gohabsgo

Hey Folks,
We're getting a very particular issue that is causing major headaches.

We have our own portal which our users log in to, where they can hop over to Cognos to view some reports via SSO.

This is all working fine and everyone gets authenticated without issue with correct authorization in place.  The issue is when they attempt to run any report it just opens a blank page, nothing gets logged in our logs either.

The caveats are as follows:
1) This only occurs when coming through SSO into the portal; if the very same user logs directly into Cognos, they can run reports to their heart's content.
2) This only occurs with Internet Explorer 11 with update version 11.0.37 or higher.  We have users on 11.0.32 for whom everything works fine.  So something between 32 and 37 has broken our ability to run any report via SSO.

We've added everything to trusted sites as well as compatibility on or off without any success.

Anyone run into anything similar, your guidance would be most appreciated!

Thanks!

gohabsgo

Just to add some new information, I turned on the IE debugger and it looks like it's a permissions issue;

Here's the error message we're seeing;

Script70: Permission Denied
File: cvContentView.js, Line: 67, Column: 4

When we do the same tests after a direct logon (not via SSO) then this permission issue doesn't show up.

Could it be that we're being assigned to a different local user account when coming in via SSO vs direct login?  If so where can I check / modify?

gohabsgo

The plot thickens;

If I open a new tab on the same IE window then it works fine.  Does anyone know of an advanced setting that will force a report request to open in a new tab or window?

bdbits

Have you checked with your Cognos admin about permissions to that javascript?

Aside from that, I would check the Cognos server logs first. Next, I would guess a browser configuration issue. Unfortunately IE makes it a mess to compare security configuration (in my opinion anyway). If it is your own portal calling to Cognos via javascript window.open(), tell your developers about your issue. They should know how to open it in a new window.

You may want to open a ticket with IBM. It could be something broken in IE11 and you cannot fix it, but maybe they can.

gohabsgo

Thanks for the note, you're on the right track.

We were able to track it down to a particular build of IE 11.  The November release that brings IE to 11.0.37 (or higher) has enhanced security around cross-frame denial. The following is the article that explains the change that has been implemented.

•   Microsoft Browser Information Disclosure Vulnerability CVE-2016-7199
•   https://technet.microsoft.com/library/security/MS16-142

We figured out the reason why the "permission denied" does not occur when opening the url from the "new tab" or "new window" right-click option. When clicking those options, the second url that is being opened is not referenced to the first url. Therefore, the "window.opener" variable that appears in the functionality of the pages in the second url has "undefined" in its value.

The first URL we are coming from is in the format xxx.yyy.microsoft.com, for example, and we're launching Cognos on yyy.microsoft.com, and it's the fact that the URL domains are not matching exactly that is preventing this IE build from rendering reports.

I found some information that seems to suggest to set the document.domain variable to the top most level of a script tag that this should allow access between two domains for data between the windows. Below is an example of the addition.
   
     <script>
           document.domain = "microsoft.com";
     </script>

As well, below is further information about the document.domain, and how it interacts with webpages accessing different domains.

•   https://msdn.microsoft.com/en-us/library/ms533740(v=vs.85).aspx

My question is: does this relate to the CAF settings for valid domains, or is that something else?  I'm assuming that the document.domain script setting is what we would need to add to the button in our first application that launches Cognos and not something that is added somewhere on the Cognos side?

Is my thinking on the right track?

Thanks,
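
The document.domain question in the post above, worked through as an added example (not part of the original thread and not Cognos or portal code): a small Node.js model of the HTML standard's "same origin-domain" check, which governs access through window.opener. The https scheme and the /portal and /cognos paths are constructed for illustration; the hostnames are the ones used in the post.

```javascript
// Model of the HTML standard's "same origin-domain" check, which decides
// whether script in one window may touch another window's DOM
// (for example through window.opener). This is a model, not IE's code.

// Build a document record: its URL plus the value it assigned to
// document.domain (null when the page never set it).
function makeDoc(url, documentDomain = null) {
  const u = new URL(url);
  const port = u.port || (u.protocol === "https:" ? "443" : "80");
  return { scheme: u.protocol, host: u.hostname, port, domain: documentDomain };
}

// A page may only set document.domain to its own hostname or a parent of it.
// Browsers also reject public suffixes such as "com"; that is approximated
// here by requiring at least one dot in the value.
function isAllowedDocumentDomain(host, value) {
  if (!value.includes(".")) return false;
  return host === value || host.endsWith("." + value);
}

function canAccess(a, b) {
  for (const d of [a, b]) {
    if (d.domain !== null && !isAllowedDocumentDomain(d.host, d.domain)) {
      throw new Error(`${d.host} may not set document.domain to ${d.domain}`);
    }
  }
  // Both opted in: compare scheme and the relaxed domain; port is ignored.
  if (a.domain !== null && b.domain !== null) {
    return a.scheme === b.scheme && a.domain === b.domain;
  }
  // Neither opted in: ordinary same-origin comparison.
  if (a.domain === null && b.domain === null) {
    return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
  }
  // Only one side opted in: access is denied.
  return false;
}

// Constructed URLs using the hostnames from the post.
const PORTAL = "https://xxx.yyy.microsoft.com/portal";
const COGNOS = "https://yyy.microsoft.com/cognos";

function scenarios() {
  return {
    neitherSets: canAccess(makeDoc(PORTAL), makeDoc(COGNOS)),
    portalOnly: canAccess(makeDoc(PORTAL, "microsoft.com"), makeDoc(COGNOS)),
    bothSet: canAccess(makeDoc(PORTAL, "microsoft.com"), makeDoc(COGNOS, "microsoft.com")),
  };
}

console.log(scenarios());
```

Under this model, setting document.domain on the launching page alone changes nothing; both windows have to set the same value. Relaxing to the parent domain also lets any other host under it that sets the same value script both windows.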

bdbits

It seems to me you've run into walls specifically set up to avoid cross-site scripting (xss) vulnerabilities. May be difficult to get around these, though to be honest I was not aware of document.domain. This might help you get around it, at least for now. But it is not a CAF thing, it's a browser thing. Browsers are very protective against xss due to the very big hole this provides malicious actors, and if anything it may get stricter and so more difficult for you with your current infrastructure. You might want to look at changing some things, if possible, in the future.

I wonder though, have you tried/considered using an iframe in your portal? You won't be able to communicate between the parent page and the iframe, but I would think it would allow the callout to Cognos to work since an iframe is essentially a sandboxed embedded page-in-a-page.

gohabsgo

Thanks for your help on this, it is appreciated.

The really bizarre thing to me is that if I click on the launch button (which opens Cognos in a new tab) from our first portal application the reports will not work, but if I right click on that button and select "open in new tab" then everything is peachy.  Essentially the exact same action, but there is something deeper that is different enough to cause the issue.  And again only on the particular IE version.

gohabsgo

This is the Microsoft info about the issue;

https://msdn.microsoft.com/en-us/library/ms533740(v=vs.85).aspx

I'm assuming that this is going to become a much bigger issue for other users.  It was the November update that Microsoft pushed down that broke this.

rvmuthukumar

We have SSO, custom portal (with custom prompts), with URL based integration with Cognos 11.0.5.
We had the same issue as gohabsgo.
Our developer kind of solved this issue by displaying the content in a new browser window having IFrame on it.
Without IFrame, we had our users press <Ctrl> key and the View report button.

gohabsgo

After much pain and suffering in troubleshooting this it turns out it's a Cognos code issue that is resolved in 11.0.6

http://www-01.ibm.com/support/docview.wss?crawler=1&uid=swg1PI75218