Cognos SSO

Niva Agmon niva.agmon at
Fri Feb 9 12:36:05 EST 2018

Thanks a lot Robert!

I definitely prefer using Shib rather than CAS. Will forward this to our Cognos people to see if they think it's doable on their end.


From: users [mailto:users-bounces at] On Behalf Of Robert Bradley
Sent: Tuesday, February 6, 2018 6:44 PM
To: users at
Subject: Re: Cognos SSO

On 06/02/2018 17:55, Niva Agmon wrote:
> Hello,
>
> Does anyone have experience setting up SSO with Cognos? We're trying
> to set up CAS protocol SSO with Apache, but I don't think Cognos is
> seeing the Remote_user that is being released through Apache, and
> it's not clear what it's looking for.
>
> Cognos-analyticsv11.7 Shib v3.3.1
>
> Any information/tip will be greatly appreciated!
>
> Thanks, Niva

Resurrecting a response I started to write a year ago when Sheffield asked about Cognos and SSO but never got around to completing*...

It's been a while since I did this, but I shall see how much I remember.

The setup we used here in Oxford had Cognos, Shibboleth and IIS running on Windows Server.  The Shibboleth part was straightforward enough, in that the Shibboleth SP software was used to protect the Cognos "application" (URL path) in IIS.  A Cognos LDAP provider was then set up and set to use REMOTE_USER, as per:

For the authorization and user management portion, Cognos has to use an
LDAP directory to store user information.  This is configured in a
similar way to:

This LDAP directory must contain *accounts* as opposed to *people*, otherwise bad things happen - namely Cognos picking the first username returned in the LDAP search and requiring that in the REMOTE_USER variable.  You probably need to set up a certificate store for Cognos using the NSS certificate store tools (libnss3-tools on Debian; your distro/OS may vary) so Cognos can verify the LDAPS SSL certificate.

In our case, we use OpenLDAP (running on Linux) as our authorization directory, so the actual LDAP query and attributes are somewhat different to an Active Directory setup, but the basic principle is the same.  It won't apply for your use case, but for IIS, I seem to recall having to use HTTP_REMOTE_USER for the substitution variable in Cognos as opposed to REMOTE_USER.

* If nomit is lurking here, please accept my apologies for the lost/very delayed response!

--
Dr Robert Bradley
Identity and Access Management Team, IT Services, University of Oxford
