Remove Cognos Logon Page

Started by Magdalina08, 09 Aug 2022 11:11:36 AM


Magdalina08

Hello, we have a SaaS environment in place where we are hosting multiple applications including Cognos. We have an SSO solution in place that allows single sign-on to all those applications. Now that SSO is in place and working as expected, we would like to disable the ability for users to log on to Cognos directly with a username and password. Essentially, we would like to see if it's possible to disable the Cognos logon page or if maybe there is a better way to accomplish this.

We are using Linux. We have reached out to support and they basically said it's not in their scope. Can anyone here offer any suggestions? We have tried customizing the sign-in page, but this doesn't work. If a user puts in the sign-on URL, they are still able to access the sign-on page. This is a security hazard.

dougp

If you have Cognos configured properly for SSO, the user should only see the login page if they have not authenticated yet.  My guess is SSO is not working properly.  Although, my experience is with using IIS as a gateway on Windows Server and all of the components on prem.

Unless there is some initial configuration issue that would require a professional services contract, SSO being broken is definitely in the scope of IBM Support.  Perhaps you're being told that you are attempting to do something that requires you or your contractor to have a certain level of expertise.

How is that a security hazard?  They're getting the login page, so you are not allowing anonymous access.  Delete or disable all of the logins in the Cognos namespace and nobody can get in if they are not in the external directory namespace.

What happens if users see the login page and enter their credentials for the [non-Cognos] external directory namespace?
What happens if users go to the dispatcher rather than the gateway?

Magdalina08

So, users are unable to sign in from the Cognos-generated login page that they can access from the direct URL unless they have a temporary password provided by our operations team; however, our security guy thinks the login page being accessible is a security risk. I don't agree, but we need to make sure we exhaust all our attempts to remove this page from being accessed. Thus far, we haven't been able to find a solution and support basically said it's not possible. Surely there is a way to disable it?

dougp

That's confusing.  Do they think that the login screen in Windows is a security risk?  Maybe someone should ask Microsoft to remove it.

Seriously, the login page doesn't let you do anything but log in.  As long as permissions are set correctly in Cognos, there's no risk.

I use SSO on prem using IIS and have an external directory namespace using Active Directory.  My users don't see a login screen.  If SSO fails (basically, if I do something stupid and mess up my gateway config in IIS) or if the user is using the URL to the dispatcher (bypassing the gateway) users see the login screen.  But even then, the only credentials that will work for them are the ones in Active Directory.

The only security risk I can imagine is if your security team allows random key loggers to be installed on the users' workstations.  Maybe that should be addressed first.

Magdalina08

Thanks for the response. I totally agree with you! I'm not seeing the issue either. We are going to open a discussion with him and see if we can get around this. I mean, gonna have to. There doesn't seem to be another way around it.

cognostechie

What is the identity provider for this sign-on? I recently configured SSO for an environment where Cognos was on LINUX and we don't see the login page pop up. Just clicking on the URL from their favorites in the browser was taking them to the Cognos landing page. The IP was Active Directory.

Magdalina08


cognostechie

It has something to do with that because the logon page will pop up when the credentials are not passed. Cognos connects to the IP and passes a token which then returns another token to Cognos and then the user gets into the landing page. That token is not being passed somehow.

Magdalina08

It goes to our SSO page and that's how our users log in; however, the URL for the Cognos logon page still works. That was the problem. Our security guy got on board and the problem is solved. No way to disable that page though that we could find.

Thanks for your help! Appreciated!

cognostechie

Like I said, the Cognos logon page will appear in lieu of credentials being passed and that's probably what your security guy did. They made sure the credentials are passed which would automatically hide the Cognos logon page as SSO is configured. Cognos has only one side of it, the other side depends on the authentication provider. Configuring SSO is dependent on how both sides are configured.