
single signon question

Started by jive, 14 Jan 2011 02:22:47 PM


jive

Hi,
In the project I work on now, the client asked if single sign-on can be turned on. I read the documentation from Cognos; it looks quite straightforward as a procedure. My question is: if we allow single sign-on, do we have to do something with the credentials, like "renew credentials", after a password change? I ask because we have a lot of reports produced and in production, and I don't want to lose them  :'( .

Thanks.  ;D

sir_jeroen

In a nutshell...
In order to have SSO enabled, you set your virtual directory (/cognos8 or cgi-bin) to allow only users that authenticated using Integrated Windows Authentication (and deny anonymous access).
If a user is allowed to access your virtual directory (/cognos8) by IIS, the Cognos application trusts this and uses the "REMOTE_USER" variable (or Kerberos ticket) to get your user information. So basically, if IIS says you're user X, Cognos will automatically believe this and allow you access to Cognos.


But there's one case where you'll have to renew your credentials, and that's when you have scheduled jobs. Those jobs use your credentials in the background, so after a password change you might have to renew your credentials (My Preferences -> Personalia).

smiley

I always enable SSO directly on the cognosisapi.dll, instead of the cgi-bin directory.
Then if I need non-SSO access, I just copy the dll to logon.dll and put it back to anonymous.
If you try to revert a full directory back from SSO to non-SSO, it can get messy.

sir_jeroen

Smiley,

That's an option, but don't forget that after a Fix Pack the file cognosisapi.dll can be overwritten (which happens quite often) and then SSO doesn't work anymore. That's why I set it on cgi-bin instead of the file...
But if you are aware of this, then this is the best solution because only 1 file is authenticated instead of all files... less overhead....
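
An added example, not part of the thread: because Cognos accepts whatever identity IIS hands it, it is worth checking which authentication settings actually apply to each gateway path, for instance after a Fix Pack. The sketch below resolves the effective settings from an IIS 7+ applicationHost.config fragment; the site name, the paths, the server defaults and the sample XML are assumptions constructed to mirror the file-level setup described above.

```python
import xml.etree.ElementTree as ET

# Constructed applicationHost.config fragment (IIS 7+ <location> syntax).
# Site name and paths are assumptions modelled on the setup in the thread.
SAMPLE_CONFIG = """
<configuration>
  <location path="Default Web Site/cognos8/cgi-bin">
    <system.webServer><security><authentication>
      <anonymousAuthentication enabled="true" />
      <windowsAuthentication enabled="false" />
    </authentication></security></system.webServer>
  </location>
  <location path="Default Web Site/cognos8/cgi-bin/cognosisapi.dll">
    <system.webServer><security><authentication>
      <anonymousAuthentication enabled="false" />
      <windowsAuthentication enabled="true" />
    </authentication></security></system.webServer>
  </location>
  <location path="Default Web Site/cognos8/cgi-bin/logon.dll">
    <system.webServer><security><authentication>
      <anonymousAuthentication enabled="true" />
    </authentication></security></system.webServer>
  </location>
</configuration>
"""

AUTH = "system.webServer/security/authentication/"
# Assumed server-level defaults when no <location> overrides them.
DEFAULTS = {"anonymousAuthentication": True, "windowsAuthentication": False}

def effective_auth(config_xml, target):
    """Resolve auth settings for target; longer paths override their parents."""
    root = ET.fromstring(config_xml)
    state = dict(DEFAULTS)
    target = target.lower()
    locations = sorted(root.findall("location"), key=lambda l: len(l.get("path", "")))
    for loc in locations:
        path = loc.get("path", "").lower()
        if target == path or target.startswith(path + "/"):
            for name in DEFAULTS:
                node = loc.find(AUTH + name)
                if node is not None:
                    state[name] = node.get("enabled", "").lower() == "true"
    return state

def sso_only(config_xml, target):
    """True when the target rejects anonymous users and requires Windows auth."""
    s = effective_auth(config_xml, target)
    return s["windowsAuthentication"] and not s["anonymousAuthentication"]
```

Running `sso_only` against the real configuration for cognosisapi.dll and for any deliberately anonymous copy shows at a glance whether each entry point still has the authentication mode that was intended.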

Suraj

In Cognos 10, if you are not using SSO, it's mentioned that the credentials are renewed each time the user logs on, removing the need to renew credentials. Can't verify since we are using SSO on all servers.

sir_jeroen

@Suraj: These are not the credentials for logging on. They're the credentials that are stored in C10 for running background tasks / schedules. In C8 you had to renew your credentials after a pwd change so that background tasks and schedules keep on working. In C10 this is done automatically. So this feature has nothing to do with SSO.... Sorry..

Suraj

I see.
Yes, I'm aware we have to renew in Cognos 8.
So you mean, in our existing SSO-enabled Cognos environment, there will be no need to renew credentials for passwords that are stored for schedules even after they expire?
I watched the IOD presentation from IBM and may have misunderstood, but I'll go over it again, as I recall it says it only works in a non-SSO environment..

Suraj

@ReportNet Addict.
Watched the session from IOD again:
Session Number 3048, 'System Management Deep Dive: Business Intelligence for IT'.
Scott Masson and Dean Browne.
If you jump to 45 minutes in the session, they specifically say that it works for NON single signon environments only. It does not work with 'singlesignon/identitymapping' or Kerberos since the token expires. The auto credential renewal only works in environments where the user logs on with user name and password.
If you have that session available, please watch and let me know if I misunderstood the information.
Thanks.

sir_jeroen

Thanks for this info. I'll try to find out if that's true, because that's what I read in the docs.

sir_jeroen

Update:
This is what I found in the Cognos KB: FAQ: Security concerns regarding credentials stored in Content Store
https://www-304.ibm.com/support/docview.wss?uid=swg21335738
...............
As of IBM Cognos BI version 10, any scheduled Job or Report will automatically update the stored credential in the schedule when run, eliminating the need for doing the "Renew Credentials" option by the user. This prevents the previous Failing of the Job or Report run when user changed the password in the Authentication Source.
.............

Suraj

Seems like that documentation is partially true as the IBM experts specifically explain that in IOD.
The document should have explained more on the conditions when it works.
It is similar to Cognos bragging about Dynamic Query that is so great but in reality, it only works with certain databases, so for most users, it is useless  ::)

Suraj

@ReportNetAddict,
Looks like you are getting the runaround in finding the exact info.
Here is the link to IBM site that explains what I mentioned about auto credential renewal.
It only works with NON SSO environment as explained below:
http://publib.boulder.ibm.com/infocenter/cbi/v10r1m0/index.jsp?topic=/com.ibm.swg.im.cognos.crn_nf.10.1.0.doc/crn_nf_id913credential_nf.html

Go through the first section for this information.

New Features  10.1.0
Platform enhancements to simplify and cost-effectively scale enterprise analytics > Improvements to system management >
Improved credential management

This release of IBM Cognos Business Intelligence includes several enhancements to credential management.

Automatic update of trusted credentials

For IBM Cognos BI deployments that do not implement a single sign-on (SSO) solution, stored credentials used for running scheduled activities can be automatically updated. When a user logs into the IBM Cognos BI application with a user name and password, the trusted credential used to run schedules when not logged in will be refreshed as well. This removes the burden from the end user of having to remember to manually refresh their trusted credentials and may eliminate failed activities caused by changed or expired user credentials.

User based credential management

Administrators can now configure user based credential management for data source access. In previous releases, credentials used to access data sources are either configured and stored centrally by an administrator and used by all users accessing the database, or users are prompted to provide credentials from an external namespace or from the underlying database. Administrators can now elect to have users manage their own data access signons which will be stored under a user's profile. This provides administrators with an optional mechanism to eliminate the need to manage data access signons and reduces the effort required for administrators to manage an IBM Cognos BI deployment.

Improvements to auditing

Auditing facilities now provide the ability to track the IP address of users accessing the system. The ability to identify system events by IP address will help administrators and network analysts to track the source of network communications related to IBM Cognos BI applications.

sir_jeroen

Thanks for pointing this out to me.... I hope this is the real way it works, because I'm starting to get confused  :o

Suraj

No problem.
It's the way advertisement works everywhere.
All highlight the good features but the fine print has lots of exclusions.