Single Sign On with Cognos 10.2

[anil_70]

Hi Friends

We have installed cognos 10.2 on window environment. We have IIS server in Window 2008
Standard and Cognos Content manager on Windows 2008R2 Enterprise. Content store is on
linux. We are pulling users from Oracle LDAP.
We see two login screeen first for siteminder and second for
namespace . How can we suppress next screen. I have done following so far but it
hasn't helped.
   IN Cognos Configuration i have set up advanced properties Name as
SingleSignOnOption and Value as IdentityMapping. I have tried adding this and deleting it but didn't work.
-At Security>Authentication, Allow session information to be shared between client
applications is set as TRUE
-At Gateway Server- Window authentication is installed and enabled

Am i missing something here. Please advise ?

Anil

[blom0344]

SingleSignOnOption and Value as IdentityMapping

you literally need to get this right for the uppercase:

SingleSignonOption    IdentityMapping

[anil_70]

Spelling was right but i think its valid only for Active directory and not for LDAP (Oracle direcotry Server type).

I am still breaking my head with IBM support. They are kind of taking me around circle.

[sir_jeroen]

SingleSignonOption = IdentityMapping is the setting that tells cognos not to use the Kerberos protocol (see: http://www-01.ibm.com/support/docview.wss?uid=swg21341889)

If I understand you correctly the following happens:
- First you logon to Siteminder (you're authenticated against Oracle LDAP)
- Next you have to enter your username/pwd again for Cognos.(you're authenticating against Oracle LDAP)

I think the part where it's going wrong is on the IIS-Cognos side.
If you have enabled Integrated Windows Authentication then IIS will add to your request a remote user variable. This variable will be used to do a lookup in LDAP.
Have you configured Cognos to do a external Identity Lookup? (e.g. (uid =${environment("REMOTE_USER")})
If I'm right, the username will is filled in when you come to the Cognos logon screen. Is this correct?

In some cases you'll have to do some cleaning up (for example removing the domain part when the username is set to <DOMAIN>\USERNAME )

(I'm guessing for the part of siteminder because I don't know this tool).

[tushar.patil49]

Hi Anil,

Have you got the solution for your SSO.
I am also having same kind of scenario.
Please let me know how you got it implemented in your scenario.
My email id is tushar.patil49@yahoo.in

Regards,
Tushar

[SGD]

Hi All,

Our Cognos environment was working as expected till evening but suddenly it started prompting to enter login details. It seems it is not allowing single sign on (SSO) and prompts to enter uname and password.

What could be the possible reason and how can I fix this issue?

Thanks in advance.

[Raghuvir]

Hi,

Could you tell me the version of IIS you are using ?

Regards

[SGD]

@Raghuvir:

We are using IIS v7.0 as a web server.

This things happens once in month but don't know what is the root cause of it.

[k_dueholm]

Hi there.

I'm not sure it exactly the same issue as yours - but today I had a customer facing the prompt problem also.
This morning everything was fine - but then after a server restart the users could no longer log-in.
Only on the server itself (one server installation) it worked.

I found out that the problem was with the Windows Authentication --> Provider.
We had "Negotiate" listed in the top (which I believe is also what some proven practices says), but moving "Negotiate" down and having "NTLM" in the top, and restarting IIS made it work.

I don't really know why this suddenly became an issue - but most likely it's because of an Windows Update(?).

BR,
Kasper Dueholm