Welcome to Scribd. Sign in or start your free trial to enjoy unlimited e-books, audiobooks & documents.Find out more
Standard view
Full view
of .
Look up keyword
Like this
0 of .
Results for:
No results containing your search query
P. 1
Adding SingleSign-On to your IBM Cognos 8

Adding SingleSign-On to your IBM Cognos 8

|Views: 105|Likes:
Published by ccasey_rhoades
Adding SingleSign-On to your IBM Cognos 8
Adding SingleSign-On to your IBM Cognos 8

More info:

Published by: ccasey_rhoades on Nov 06, 2012
Copyright:Attribution Non-commercial


Read on Scribd mobile: iPhone, iPad and Android.
download as PDF, TXT or read online from Scribd
See more
See less





© Copyright IBM Corporation 2010TrademarksIBM Cognos Proven Practices: Adding Single Sign-On to your IBM Cognos 8 Custom Java AuthenticationProviderPage 1 of 16
IBM Cognos Proven Practices:Adding SingleSign-On to your IBM Cognos 8 Custom Java Authentication Provider
Nature of Document: Technique; Product(s): IBM Cognos 8;Area of Interest: Security; Version: 1.0
Cognos Proven Practices TeamCognos Proven Practices TeamIBMSkill Level: AdvancedDate: 28 Jul 2010This document describes how one can implement SSO to his Custom JavaAuthentication Provider by explaining the required concepts. This documentssupplements SDK documentation.View more content in this series
Custom Java Authentication Provider Developer Guide
which is part of thestandard IBM Cognos 8 SDK documentation delivers the main concepts requiredto code a Custom Java Authentication Provider (CJAP). It even describes whatauthentication can be based on and how to request additional information fromthe
entry point 
. However, the description is overly brief and lacks an example ofactually leveraging those techniques to add support for Single Sign-On (SSO) to afull Custom Java Authentication Provider. This however may be required to deliver acomprehensive solution to the client.In this document the background of the authentication process is provided along with descriptive information on how to use the provided SDK to handle SSO. As anexample SSO support will be added to the "JDBCSample" CJAP delivered as part ofthe SDK samples.
The concepts and backgrounds published in this document apply to all versions ofIBM Cognos 8.
IBM Cognos Proven Practices: Adding Single Sign-On to your IBM Cognos 8 Custom Java AuthenticationProviderPage 2 of 16
The code examples in this document were developed and tested using IBM Cognos8.4.1. While the author cannot guarantee that the code examples will work withoutadjustment he's not aware of any other technical prerequisites than recompile the(adjusted) source code of the JDBCSample with a proper JRE version to make thecode work in other versions of the product.
Exclusions and Exceptions
The document will not cover designing and coding Custom Java AuthenticationProviders (CJAP) in general. The only aspect covered herein will be adding supportfor Single Sign-on (SSO) to a full authentication provider.The use of the example code (JDBCSample) requires that the IBM Cognos 8 SDK isinstalled and licensed.It is expected that the reader is familiar with the CJAP SDK and Java programming.
Authentication in IBM Cognos 8
This chapter is going to provide a comprehensive description of the concepts andcomponents involved with the authentication process in IBM Cognos 8.
Requests and Sessions
Users (browsers) or code (an SDK application) send requests to IBM Cognos 8 byestablishing a HTTP session with a Cognos entry point (EP). Valid entry points areeither an IBM Cognos 8 Dispatcher accessed directly or, adhering to best practices,an IBM Cognos 8 Gateway deployed to a web server.Since IBM Cognos 8 is based on a
service oriented architecture
(SOA) the overallfunctionality provided by the Cognos system is implemented by a set of independentservices communicating externally and amongst each others using the SOAPprotocol. For this reason each request sent to an IBM Cognos 8 entry point will haveto be routed to some target service which can handle it. Each of the services makingup IBM Cognos 8 handles different types of requests and routing is one of the mainconcepts of the IBM Cognos 8 architecture.Routing is handled by the IBM Cognos 8 Dispatcher Service. Regardless whether arequest was sent to a Dispatcher directly or via a Gateway (each Gateway will relayit's request to a single Dispatcher denoted in it's configuration), it will be handledby an instance of Dispatcher Service on the accessed Dispatcher. The DispatcherService will create a new
if this is the first request received in that veryHTTP session. Next a
will be assigned to the request and both
are added to the request. All subsequent requests in the same HTTPsession can be identified now because they share the same
.As services are logically independent from each other practically all of them willrequire authentication before they will handle a request to prevent unintended
ibm.com/developerWorks/developerWorks®IBM Cognos Proven Practices: Adding Single Sign-On to your IBM Cognos 8 Custom Java AuthenticationProviderPage 3 of 16
access. Authentication in this context means, that the session the request is part of isauthenticated and hence the request originates from an authenticated sender.For IBM Cognos 8 authentication functionality is centrally offered by the ContentManager (CM) Service. Consequently all other IBM Cognos 8 services will employthe CM Service to verify session authentication or trigger authentication for yetunauthenticated sessions.As soon as a request is handled by an instance of Dispatcher Service that service will first of all check the authentication status for the given session. If the session wasnot authenticated yet the Dispatcher Service will employ the CM Service to run theauthentication process and pass off the request to it. The CM Service will pass on therequest to the Cognos Access Manager (CAM) component, a sub component of CM which handles authentication, authorization and administration (AAA) and encryption(CRP). It’s the AAA sub-component of CAM which will then employ
authentication providers
configured for IBM Cognos 8 to access authentication sources, to readinformation about a user from it and eventually authenticate the request and hencethe session.
Figure 1 schematics of authentication
If the authentication is successful the authentication information is persisted inContent Store and a reference is added to the session so subsequent requests won’tget passed to CAM as all services can deduct some reference to the authenticationinformation from the session directly now and have CM Service verify it whereapplicable.

Activity (3)

You've already reviewed this. Edit your review.
1 hundred reads
Madhes Analyst liked this
ccasey_rhoades liked this

You're Reading a Free Preview

/*********** DO NOT ALTER ANYTHING BELOW THIS LINE ! ************/ var s_code=s.t();if(s_code)document.write(s_code)//-->