Cognos SSO
Robert Bradley
robert.bradley at it.ox.ac.uk
Tue Feb 6 18:43:53 EST 2018
On 06/02/2018 17:55, Niva Agmon wrote:
> Hello,
>
> Does anyone have experience setting up SSO with Cognos? We're trying
> to set up cas protocol SSO with apache, but I don't think Cognos is
> seeing the Remote_user that is being released through Apache, and
> it's not clear what it's looking for.
>
> Cognos-analyticsv11.7 Shib v3.3.1
>
> Any information/tip will be greatly appreciated!
>
> Thanks, Niva

Resurrecting a response I started to write a year ago when Sheffield
asked about Cognos and SSO but never got around to completing*...

It's been a while since I did this, but I shall see how much I remember.

The setup we used here in Oxford had Cognos, Shibboleth and IIS running
on Windows Server. The Shibboleth part was straightforward enough, in
that the Shibboleth SP software was used to protect the Cognos
"application" (URL path) in IIS. A Cognos LDAP provider was then set up
and set to use REMOTE_USER, as per:

http://www.ibm.com/support/knowledgecenter/SSEP7J_10.2.2/com.ibm.swg.ba.cognos.inst_cr_winux.10.2.2.doc/t_stp_sso_active_drctry_remote_user.html

For the authorization and user management portion, Cognos has to use an
LDAP directory to store user information. This is configured in a
similar way to:

http://www.ibm.com/support/knowledgecenter/SSEP7J_10.2.2/com.ibm.swg.ba.cognos.inst_cr_winux.10.2.2.doc/t_active_dir_mapping_with_ldap.html#Active_Dir_mapping_with_LDAP

This LDAP directory must contain *accounts* as opposed to *people*,
otherwise bad things happen - namely Cognos picking the first username
returned in the LDAP search and requiring that in the REMOTE_USER
variable. You probably need to set up a certificate store for Cognos
using the NSS certificate store tools (libnss3-tools on Debian; your
distro/OS may vary) so Cognos can verify the LDAPS SSL certificate.

In our case, we use OpenLDAP (running on Linux) as our authorization
directory, so the actual LDAP query and attributes are somewhat
different to an Active Directory setup, but the basic principle is the
same. It won't apply for your use case, but for IIS, I seem to
recall having to use HTTP_REMOTE_USER for the substitution variable in
Cognos as opposed to REMOTE_USER.

* If nomit is lurking here, please accept my apologies for the lost/very
delayed response!

--
Dr Robert Bradley
Identity and Access Management Team, IT Services, University of Oxford
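
The accounts-versus-people point in the message above can be checked before Cognos is pointed at the directory. The following is an added example, not code from the original post or from IBM: the entries are constructed, `uid` as the lookup attribute is an assumption, and `login_would_match` only models the "first username returned" behaviour as the post describes it.

```python
"""Pre-flight audit of the directory Cognos will search for REMOTE_USER."""
from collections import defaultdict

# Constructed sample entries (not from a real directory). The "uid" attribute
# is an assumption: use whichever attribute your Cognos LDAP namespace maps.
ENTRIES = [
    {"dn": "uid=abcd0001,ou=accounts,dc=example,dc=org", "uid": ["abcd0001"]},
    {"dn": "uid=abcd0002,ou=accounts,dc=example,dc=org", "uid": ["abcd0002"]},
    # A "person" entry carrying two usernames: the case the post warns about.
    {"dn": "cn=Jo Bloggs,ou=people,dc=example,dc=org",
     "uid": ["jblo0003", "admn0003"]},
]


def audit(entries, attr="uid"):
    """Return (dn, problem) findings that make a REMOTE_USER lookup ambiguous."""
    findings = []
    owners = defaultdict(list)
    for entry in entries:
        values = entry.get(attr, [])
        if len(values) != 1:
            findings.append(
                (entry["dn"], f"{attr} has {len(values)} values, expected 1"))
        for value in values:
            # uid is matched case-insensitively in LDAP, so fold case here.
            owners[value.lower()].append(entry["dn"])
    for value, dns in owners.items():
        if len(dns) > 1:
            for dn in dns:
                findings.append(
                    (dn, f"{attr}={value} is shared by {len(dns)} entries"))
    return findings


def login_would_match(entries, remote_user, attr="uid"):
    """Model of the behaviour described in the post: the first username
    returned for the matching entry is the one REMOTE_USER must equal."""
    hits = [e for e in entries if remote_user in e.get(attr, [])]
    if len(hits) != 1:
        return False  # no entry, or more than one: lookup is not usable
    return hits[0][attr][0] == remote_user


if __name__ == "__main__":
    for dn, problem in audit(ENTRIES):
        print(f"{dn}: {problem}")
    for user in ("abcd0001", "jblo0003", "admn0003"):
        print(user, "->", login_would_match(ENTRIES, user))
```

In a real deployment the entries would come from the same base DN and filter that the Cognos namespace is configured with, so the audit sees exactly what Cognos will search.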