Active Directory and SSO

Started by sheridan06, 05 Jan 2012 02:42:58 PM


sheridan06

Hi All - we have a newly deployed Cognos 10.1.1 environment with dual web servers and dual app/report servers. Sitting on top of all this is an F5 load balancer and we are using SiteMinder for SSO. In Cognos Configuration, we have identified an Active Directory namespace and it is working fine. HOWEVER, we actually have two different domains, inside two different/distinct forests... when users from the "other" domain try to access the same URL, they don't have permission to get in even though our 2 domains have a trust.

Has anybody done this?  How can we configure C10.1.1 to allow for 2 trusted AD domains??

thanks

bdbits

I am not an admin in my current job, but I looked at http://publib.boulder.ibm.com/infocenter/cbi/v10r1m0/topic/com.ibm.swg.im.cognos.inst_cr_winux.10.1.0.doc/inst_cr_winux_id17584IncludeDomainsUsingAdvancedPropert.html#IncludeDomainsUsingAdvancedProperties.

From this, I think you can get authentication for multiple domains inside a single forest, but it does not look like you can cross forests or that it will traverse trusts. For what it's worth, a lot of products have this limitation, annoying as it may be. As an alternative, you could define multiple AD authentication namespaces. However, I do not know what that might do with single sign-on.

Perhaps someone else has tried this and would have some insight. Or, support could probably at least clarify all the options available for your scenario.

sheridan06

Thanks for the feedback, bdbits. If we were to add another AD namespace in Cognos Configuration, then it would pretty much hose single sign-on. The user would be presented with a prompt to 'select a namespace' first.

I can hear my 600+ users now... "What's a namespace?" "Why do I have to login?" blah blah blah :)

So does anybody else have some insight?

thanks

MMcBride

Talk to your AD folks.
We accomplished this by creating a master group and linking the other domain users into this master group.

So even though we have 8 or 9 domains the server only has to go one place to validate the users.
I wish I had more details for you, but when we saw this problem with our large number of domains the situation was resolved by the AD team in this fashion.

We had 720+ users spread across 4 primary domains, with small groups of users on 4 additional domains, and this grouping solved our issues.

vishal.singh

Hi MMcBride,
We want to know more about the solution you provided; we are in a similar situation. Could we reach out to you and get more details? You can email me at vsingh198@gmail.com with your details and I can reach out to you to speak to you on this.

Regards,
Vishal