Cognos SSO
Niva Agmon
niva.agmon at temple.edu
Fri Feb 9 12:36:05 EST 2018
Thanks a lot Robert!
I definitely prefer using Shib rather than CAS. Will forward this to our Cognos people to see if they think it's doable on their end.
Niva
From: users [mailto:users-bounces at shibboleth.net] On Behalf Of Robert Bradley
Sent: Tuesday, February 6, 2018 6:44 PM
To: users at shibboleth.net
Subject: Re: Cognos SSO
On 06/02/2018 17:55, Niva Agmon wrote:
> Hello,
>
> Does anyone have experience setting up SSO with Cognos? We're trying
> to setup cas protocol SSO with apache, but I don't think Cognos is
> seeing the Remote_user that is being released through Apache, and
> it's not clear what it's looking for.
>
> Cognos-analyticsv11.7 Shib v3.3.1
>
> Any information/tip will be greatly appreciated!
>
> Thanks, Niva
Resurrecting a response I started to write a year ago when Sheffield asked about Cognos and SSO but never got around to completing*...
It's been a while since I did this, but I shall see how much I remember.
The setup we used here in Oxford had Cognos, Shibboleth and IIS running on Windows
Server. The Shibboleth part was straightforward enough, in that the
Shibboleth SP software was used to protect the Cognos "application" (URL
path) in IIS. A Cognos LDAP provider was then set up and set to use
REMOTE_USER, as per:
http://www.ibm.com/support/knowledgecenter/SSEP7J_10.2.2/com.ibm.swg.ba.cognos.inst_cr_winux.10.2.2.doc/t_stp_sso_active_drctry_remote_user.html
For the authorization and user management portion, Cognos has to use an
LDAP directory to store user information. This is configured in a
similar way to:
http://www.ibm.com/support/knowledgecenter/SSEP7J_10.2.2/com.ibm.swg.ba.cognos.inst_cr_winux.10.2.2.doc/t_active_dir_mapping_with_ldap.html#Active_Dir_mapping_with_LDAP
This LDAP directory must contain *accounts* as opposed to *people*, otherwise bad things happen - namely Cognos picking the first username returned in the LDAP search and requiring that in the REMOTE_USER variable. You probably need to set up a certificate store for Cognos using the NSS certificate store tools (libnss3-tools on Debian; your distro/OS may vary) so Cognos can verify the LDAPS SSL certificate.
In our case, we use OpenLDAP (running on Linux) as our authorization
directory, so the actual LDAP query and attributes are somewhat
different to an Active Directory setup, but the basic principle is the same. It won't apply for your use case, but for IIS, I seem to
recall having to use HTTP_REMOTE_USER for the substitution variable in Cognos as opposed to REMOTE_USER.
* If nomit is lurking here, please accept my apologies for the lost/very delayed response!
--
Dr Robert Bradley
Identity and Access Management Team, IT Services, University of Oxford