Any experience of integrating IBM Cognos with Shibboleth?

Bellina, Brendan bbellina at ucla.edu
Wed Jan 20 12:03:55 EST 2016


As described below we successfully Shibbed Cognos at USC several years
back using the technique described below. Initially we had been told that
we would need to purchase some additional component to leverage SSO, but
we determined that was false. We determined the LDAP requirements by using
the LDAP logs to see what the queries were. As I recall they expected the
service account used to be able to see the account ou as well as the
accounts within the ou. I think the underlying reason for the requirement
was that the same service account was also being used by their
administrator interface for user lookup which browsed through the account
ou. There was also a need for the administrator interface to be able to
see groups via the same LDAP service account. Once we had the service
account set up with the right aci's Russ Beall was then able to get
Shibboleth working with it. That was several years ago though and I left
USC almost 2 years ago and I do not know the current situation.

I promised Steven Carmody from Brown University information on this some
time ago and thought I had sent him something about it but I do not know
if they acted on it and it may have been just in email and not a formal
write-up. So if you get stuck I suggest you reach out to Russ Beall at USC.

Regards,

Brendan Bellina
Identity Mgmt. Architect, IT Services, UCLA
✉ bbellina at ucla.edu   ☏ +1 310 206 3131



On 1/20/16, 4:28 AM, "users on behalf of Julian Williams"
<users-bounces at shibboleth.net on behalf of julian.williams at it.ox.ac.uk>
wrote:

>On 20/01/16 11:30, Peter Schober wrote:
>>
>> Someone kindly shared this some 5 years ago:
>>
>>> What they are able to do out of the box is get REMOTE_USER from
>>> Apache and then they do an LDAP query using a service account where
>>> uid=REMOTE_USER to get back all of the same attributes they would
>>> have retrieved if configured for LDAP authN. So even with Shib the
>>> LDAP service account and set up is still basically the same and is
>>> required.
>
>Ah, I was wondering earlier this morning whether using a Shib SP might
>be possible.
>
>>
>> So if you actually wanted to federate the system with multiple SAML
>> IDPs (not sure to me from your question?) that *might* involve some
>> SDK and/or custom development by IBM (i.e., $$$, or £££ in your case).
>>
>
>Fortunately for this we only need to use one IdP. So no *extra* £££
>hopefully.
>
>> Otherwise using the Shibboleth SP for SSO and LDAP for data lookup
>> seems to be working fine, as long as you also have LDAP set up
>> correctly (the way Cognos wants it to be), which wasn't at all clear
>> itself.
>
>So we might not need this Motio CAP after all if we can use a standard
>Shib SP which we are used to supporting here. Great.
>Yes, what they can work with in terms of LDAP schema is something I need
>to investigate further as we don't have a typical schema here.
>
>Thanks that's very useful.
>
>Julian
>
>
>-- 
>Julian Williams (Systems Developer, Identity and Access Management)
>Systems Development and Support, IT Services, University of Oxford
>13 Banbury Road, Oxford OX2 6NN
>Tel: 01865 2 73249