Canvas 3.0 SSO (with Reverse Proxy, hiding HTTP Port Number)

twong · August 30, 2018, 2:04am

Hi there,

I am trying to configure SSO as per document, but I am getting complain saying “The forward URL does not exist or it has failed validation”, is this normal?

What else should I configure? I have already done the configuration on tm1web.html, variables_tm1.xml, no luck neither, TM1Web, Perspective can connect normally.

instances.json (292 Bytes)
tm1web.html (7.9 KB)
variables_TM1.xml (1.3 KB)
Config.zip (5.6 KB)

One thing that is a little different is that this customer is forbidden to expose any IP address, machine name as well as port number, everything needs to be done via Reverse Proxy.

Any advice?

Regards

Tat

plim · August 30, 2018, 2:14am

Hi @twong,

That URL in the browser you have posted above should contain the URL that BI is trying to look for.

Look for that parameter in that long URL, and verify that it is in your variables_TM1.xml file.

–
Paul

twong · August 30, 2018, 2:20am

Definitely in it!

I have attached the variables_tm1.xml on my previous message.

plim · August 30, 2018, 2:51am

Hi @twong,

First, that page is definitely Cognos BI saying that the URL is not in its allowed. The areas to check for here now is logs in Cognos BI server about how it processes it.

Have you added the Canvas/Proxy server into the CAF configuration?

From Canvas point of view, it will just construct a URL and handover to that (the URL that you see from above). So from this point, it will be all BI that is processing the request. Canvas will only begin to handle it again once it comes back from Cognos BI with a CAM Passport in the URL.

–
Paul

twong · August 30, 2018, 3:00am

Hi Paul,

What you replied I have already went through, but let me try do it all over again.

Do you think the CAM is Cognos Analytics made any difference? I know the authentication method is different comparing to Cognos BI.

Regards

Tat

twong · August 30, 2018, 4:08am

Hi Paul,

I “think” I am right, Cognos Analytics does not support the old way of redirecting, the below is what I have extracted from the URL.

https://xxxx.mycompany.com/ibmcognos/bi/v1/disp?b_action=xts.run&m=portal/bridge.xts&CAMNamespace=APAC&c_env=portal/variables_TM1.xml&c_mode=get&c_cmd=https://xxxx.mycompany.cn.isn.corpintra.net

With Cognos Analytics, I think this has handled during the backend and I am only getting the CAM Passport in the URL during the authentication process.

Regards

Tat

plim · August 30, 2018, 4:27am

Hi @twong,

Sorry but I might have understood it differently. What do you mean that you only get the CAM Passport in the URL (for Canvas, that is all we need).

So does it work with the above URL?

–
Paul

twong · August 30, 2018, 4:35am

Hi Paul,

Even with referencing TM1Web URL, the above URL won’t work, that is the reason why the TM1Web URL now having the parameter of AdminHost and TM1Server.

In the old days, I can just use the above URL to do automatic login directly to the model, but now this trick no longer work.

I have extracted what is “redirected” in the URL, it looks like that for TM1Web:
https://xxx.mycompany.com/ibmcognos/bi/tm1/web/tm1web.html?cam_passport=MTsxMDE6YWQzNmI1OGUtNmQ4Mi1iMWMxLWFiYmEtYWE0MjJiZDVlMjc0OjMwMDYzODc4NDA7MDszOzA7&server=MyModel&ps=https%3A%2F%2Fmymodel-test.cn.isn.corpintra.net&pg=applications.jsp%3Ftm1server%3DMyModel&host=MyAdminHost

Regards

Tat

plim · August 30, 2018, 6:34am

Hi @twong,

If the above URL is the final one, then it should still be alright with Canvas as the cam_passport parameter is still in there. This is where the Canvas application is trying to get at. But as of previous post, Cognos BI / Analytics is not allowing it to be redirected.

What you can check though, if possible, is to grab what URL is tm1web passing the address bar prior to coming back with the above URL.

–
Paul