robert.bradley at it.ox.ac.uk
Tue Feb 6 18:43:53 EST 2018
-----BEGIN PGP SIGNED MESSAGE-----
On 06/02/2018 17:55, Niva Agmon wrote:
> Hello, > > Does anyone have experience setting up SSO with Cognos? We're
trying > to setup cas protocol SSO with apache, but I don't think Cognos
is > seeing the Remote_user that is being released through Apache, and >
it's not clear what it's looking for. > > Cognos-analyticsv11.7 Shib
v3.3.1 > > Any information/tip will be greatly appreciated! > > Thanks,
Resurrecting a response I started to write a year ago when Sheffield
asked about Cognos and SSO but never got around to completing*...
It's been a while since I did this, but I shall see how much I remember.
The setup we used here in Oxford had Cognos, Shibboleth and IIS running
Server. The Shibboleth part was straightforward enough, in that the
Shibboleth SP software was used to protect the Cognos "application" (URL
path) in IIS. A Cognos LDAP provider was then set up and set to use
REMOTE_USER, as per:
For the authorization and user management portion, Cognos has to use an
LDAP directory to store user information. This is configured in a
similar way to:
This LDAP directory must contain *accounts* as opposed to *people*,
otherwise bad things happen - namely Cognos picking the first username
returned in the LDAP search and requiring that in the REMOTE_USER
variable. You probably need to set up a certificate store for Cognos
using the NSS certificate store tools (libnss3-tools on Debian; your
distro/OS may vary) so Cognos can verify the LDAPS SSL certificate.
In our case, we use OpenLDAP (running on Linux) as our authorization
directory, so the actual LDAP query and attributes are somewhat
different to an Active Directory setup, but the basic principle is the
same. It won't apply for your use case, but for IIS, I seem to
recall having to use HTTP_REMOTE_USER for the substitution variable in
Cognos as opposed to REMOTE_USER.
* If nomit is lurking here, please accept my apologies for the lost/very
Dr Robert Bradley
Identity and Access Management Team, IT Services, University of Oxford
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the users