TM1 10.2 Integrated Login On AIX ?

[Stuart_]

Hello,

I am trying to setup SSO for TM1 10.2  installed on AIX and following this document.

http://www.ibm.com/developerworks/library/ba-pp-security-cognos_bi_platform-page651/

With regards to the section "Example 1: Using Apache web server to provide REMOTE_USER for SSO token", are these just examples on testing the functionality not actual ways to implement SSO? Because the "Using SetEnvironment" would appear to only work for 1 user, and the "Using Apache authentication for MOD Gateway + Remote_USER" would require knowing the password for each user, which isn't going to happen.

Have I interpreted this wrong? Or can someone provide the correct instructions for implementing SSO with an AIX TM1 web server?

Thanks
Stuart

[Stuart_]

Please refer to this post for the answer to this question:

https://www.ibm.com/developerworks/community/forums/html/topic?id=6c058feb-299b-4aac-9cf5-ced7d550defd&ps=25

there are two options here:


A) go with mod_auth_vas

This module will provide a solution for the SSO from your windows based clients to Apache. Thus you can then leverage REMOTE_USER for SSO to BI.
Downside is, IBM Cognos Support will not be of assistance in setting up mod_auth_vas nor troubleshoot SSO issues in that environment. Basically it's good luck !
Personally I consider this a valid option as it will allow you to leverage your AIX installs as-is. Mind that on the BI configuration you would need to use an LDAP authentication provder
which connects to AD by LDAP. If your users are from a single domain only, attach to that domain. I your users are from a domain tree or even different forests, you moved out of the frying pan
into the fire unfortunately, as you would need to connect to the GC of each forest. GC access is not officially supported either, and per LDAP namespace you can attach to a single GC only.
Technically this will most probably just work fine. You can research on similar context with a BI focus, as all of the above has nothing to do with TM1 any more ;)


B) move required components to Windows

If you would prefer to operate in an all supported environment, you would need to move the Cognos BI GW and the BI Content Manager components to Windows. Then configure "normal" WIA
SSO from your client's to IIS, then Kebreros based SSO to an Active directory provider for BI. This is part of core BI documentation, can become tricky here and there.
The AD provider configured in Cognos BI supports multiple domains in a single forest. So unless your users originate form multiple forests, this should be a straight forward setup.