IBM Support

How to configure SSO (single sign on) for Controller with Cognos Analytics

Troubleshooting


Problem

Customer has integrated Controller with Cognos Analytics, so that Controller uses the same CAM security namespace. Customer would like to enable SSO.
For the avoidance of doubt, SSO means that users are not prompted to type in their username and password (when launching a Cognos product).
  • In other words, their Windows credentials are automatically sent to the Cognos product, so they never have to type in their username/password when they launch the product (for example the Controller client).

Symptom

User is prompted to type in their username and password (after they launch Controller client).
  • Customer would like to change this so that users are never prompted to log on to Cognos (instead, they are automatically logged on with their Windows username).

Cause

If the user performs a default installation ("Easy Install") of Cognos Analytics (CA) then it will not install the required BI gateway components:

This means that SSO (for CA) never works (because it will not link in with IIS).

Resolving The Problem

Perform all of the following:

(a) Ensure that you are using CA version 11.0.4 (or later)

(b) Make sure that your CA server has the 'Optional Gateway' component installed

  • IMPORTANT: This is not installed via a default installation!

(c) Configure the CA gateway components to integrate with Windows authentication, to give SSO

(d) Configure the client devices to automatically send their Windows credentials to the gateway website.

Steps:

1. Ensure that you have downloaded CA version 11.0.4 (or later)

2. Ensure that your CA server is a member of the relevant Active Directory domain

3. When you install CA, make sure that you choose a 'Custom' installation:


3. Inside the 'Choose Components' screen, select ALL of the components (including 'Optional Gateway')

4. Configure CA to use SSO

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


There are two methods to achieve this. Choose whichever method you prefer:


!! IMPORTANT !!
When using one of the above methods, you must obey the following rules:
(a) Always use FQDN (not NetBIOS name or IP address) values when configuring the relevant server name
(b) Always use lowercase characters for all of your URLs (website addresses), for example Rewrite URLs. For the reason why, see separate IBM Technote #6218316.
TIP: If you make a mistake (when configuring IIS) and want to 'reset' IIS back to the default settings, then use instructions inside separate IBM Technote #301009.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


5. Due to a limitation in Controller/CA, you must now reconfigure the Cognos Analytics 'logoff.xts' file.
  • For instructions, see separate IBM Technote #0884136.

6. Modify the settings inside 'Cognos Configuration' as appropriate

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
For most environments, the following are correct:
  • In the Namespace add an advanced property:
    • Name : singleSignonOption
    • Value: IdentityMapping
  • Inside "Authentication" configure "Allow session information to be shared between client application" to be "True"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

TIP: For more information on some of the settings you need to configure, see separate IBM Technote #1380099.

7. Configure the end user's Internet Explorer to use 'Automatic logon with current username and password' (in the security zone that the web site belongs to)

  • For instructions, see separate IBM Technote #1380099.


8. Test that the client machine successfully has SSO on the CA gateway, by launching a link similar to: http://[servername]/ibmcognos/
  • Make sure that the user is automatically authenticated (not asked to logon)
  • This will validate that SSO is working for CA via IIS

9. Launch 'Controller Configuration' and ensure:
  • 'Server authentication' is set to CAM
  • Report server (and Dispatcher URI) settings are similar to:

NOTE: The report server URL is slightly different from how it looks when integrating Controller with Cognos BI.

10. Finally, test that Controller SSO works OK by launching Controller.
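
Added example (not part of the IBM technote and not IBM code): a small Python check for rules (a) and (b) under step 4, which can be run over the gateway, report server and dispatcher URLs before they are typed into IIS, Cognos Configuration or Controller Configuration. The function name lint_cognos_url and the host cognos01.example.com are assumptions made for illustration.

```python
"""Added example: lint URLs against the FQDN and lowercase rules from step 4."""
import ipaddress
from urllib.parse import urlsplit


def lint_cognos_url(url):
    """Return a list of rule violations for one configured URL (empty list = OK)."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return ["not an absolute http(s) URL"]

    # urlsplit().hostname lowercases the host, so recover the host as typed
    # from netloc (drop any user-info, port and IPv6 brackets).
    raw_host = parts.netloc.rsplit("@", 1)[-1]
    if raw_host.startswith("["):
        raw_host = raw_host[1:].split("]", 1)[0]
    else:
        raw_host = raw_host.split(":", 1)[0]

    # Rule (a): FQDN, not an IP address and not a NetBIOS/short name.
    try:
        ipaddress.ip_address(raw_host)
        problems.append("host is an IP address, use the FQDN")
    except ValueError:
        if "." not in raw_host.strip("."):
            problems.append("host is a single-label (NetBIOS) name, use the FQDN")

    # Rule (b): every character of the URL must be lowercase.
    if url != url.lower():
        problems.append("URL contains uppercase characters")
    return problems


# Constructed sample values; cognos01.example.com is a placeholder host.
SAMPLE_URLS = [
    "http://cognos01.example.com/ibmcognos/",
    "http://COGNOS01/ibmcognos/",
    "http://10.0.0.15/ibmcognos/",
    "http://cognos01.example.com/IBMCognos/",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        issues = lint_cognos_url(u)
        print(u, "->", "OK" if not issues else "; ".join(issues))
```
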


Document Information

Modified date:
28 August 2020

UID

swg22002465