Canvas SSO Issue

Hi All

We are trying to set up SSO with CAM and have encountered an issue.
Currently, it looks like Canvas doesn’t recognize the user, and since SSO is set up we do not find any application on the configuration page.

Any idea of what we are missing?

Thanks

Hi @sschreurs,

Can you provide more information? Canvas, TM1 and BU versions and what steps you have already taken.

Hi @tryan

Here are the details about the versions and the steps used for setting up SSO.

TM1: Planning Analytics - Product Version. 11.1.00001.36
Cognos BI: Cognos Analytics 11.0.8
Canvas: 2.0.20171129

Steps for setting SSO:
1- Update variables_TM1.xml with the following setting:
<url>http://fritgcsdvtmw01.emea.loreal.intra:8080/samples</url>

2- Copy the files xdomain.canvas.html and xdomain.canvas.js into the WebContent folder under the Cognos BI installation folder

3- Update the instances.json file with the following:
"clientCAMURI":"http://FRITGCSDVCOG01.emea.loreal.intra:9300/bi/v1/disp",
"camNamespaces":["LOREAL_AD"],
"useSSOWithCAM":true

4- Update the header.script.init.ftl file:
// For SSO Configuration
ssoSlaves = {
"http://FRITGCSDVCOG01.emea.loreal.intra": "/ibmcognos/xdomain.canvas.html"
};

Config file TM1:
IntegratedSecurityMode=5
ServerName=Canvas Sample
DataBaseDirectory=.\Data
LoggingDirectory=.\Log
AdminHost=
PortNumber=12345
HttpPortNumber=8882
ParallelInteraction=T
MTQ=1
UseSSL=F
CertificateVersion=1

# ServerCAMURI
# Specifies the URI for the internal dispatcher that the TM1 server should use to connect to CAM. The URI is specified in the form http[s]://host IP address:port/p2pd/servlet/dispatch.
# Type: Optional, Static
# No default
# For example,
#
# http://10.121.25.121:9300/p2pd/servlet/dispatch
# or
# https://10.121.25.121:9300/p2pd/servlet/dispatch
ServerCAMURI=http://FRITGCSDVCOG01.emea.loreal.intra:9300/p2pd/servlet/dispatch
CAMPortalVariableFile=portal\variables_TM1.xml
ServerCAMURIRetryAttempts=6
 
# ClientCAMURI
# The URI for the IBM Cognos Server IBM Cognos Connection used to authenticate TM1 clients. The URI is specified in the form http[s]://host/cognos8/cgi-bin/cognos.cgi.
# Type: Optional, Static
# No default
# Example: http://10.121.25.121/cognos8/cgi-bin/cognos.cgi
ClientCAMURI=http://FRITGCSDVCOG01.emea.loreal.intra:9300/bi/v1/disp
 
# ClientPingCAMPassport
# Indicates the interval, in seconds, that a client should ping the CAM server to keep their passport alive.
# Type: Optional, Static
# If an error occurs or the passport expires the user will be disconnected from the TM1 server.
ClientPingCAMPassport=3600
IdleConnectionTimeOutSeconds=0

It looks like Canvas is not able to connect to the instance, as shown in my previous message.

Thanks

Hi @sschreurs,

Check out the following:

  • Open up Chrome’s console, and look for any errors
  • Ensure that the instances.json is well-formed (properly formatted). There are a lot of sites that should help you out on this like this site.

As there are 5 instances, it could just be a missing comma when separating the instances.

Let us know how it goes.


Paul

Hi @plim

This is the error I get from the console in Chrome.

Now, it seems to be able to connect to the instance but with an unrecognized SSL message.

In the config file of the instances, the following settings are in:
UseSSL=F
CertificateVersion=1

Any relation?

Hi @sschreurs,

That usually is because of the HTTPS connection to the REST API of TM1. Seeing as you have it as not using SSL, that should not connect through HTTPS already.

Try to restart the Canvas Server. Check from the application log the URL it is trying to connect to. As for TM1, was it just updated without any server restart? Might need to restart TM1 for the updates to take effect for the SSL changes made.


Paul

Both have been restarted.
Here is the application log file:

application log.txt (941.6 KB)

Another point is that the TM1 instance in Perspectives or TM1 Web requires entering a user and password.

Hi @sschreurs,

With regard to the above, it means your TM1’s SSO is not properly set up. Note that it should be done first before Canvas can work.


Paul

Hey @sschreurs,

If you change "useSSOWithCAM":true to false and get prompted in the same way as TM1 Web, that will further reinforce @plim’s comment.

Jack

Hi All

We are still experiencing an issue with the SSO setup.
Now all is working in Architect and in TM1 Web, but it doesn’t for Canvas.

When I try to log in, here is what I get:

Any idea of what I’m missing again?

@sschreurs,

In the Network tab of the Google dev console you should be able to find the entry for the URL request to the BI gateway.

If you cut and paste that URL into a new browser window, what is returned?

Jack

@jtuckerman

I’ve taken the request url from the following tab (Network):

and when I use it in a new window, it returns the following:

@sschreurs,

Hey, are you able to post the contents of the variables_TM1.xml file on the Cognos BI server where the CAM namespace is configured?

Jack

I think it is this one:

<?xml version="1.0" encoding="UTF-8"?>
<!--
 IBM Confidential

 OCO Source Materials

 BI and PM: tm1fragments

 (C) Copyright IBM Corp. 2008, 2009

 The source code for this program is not published or otherwise
 divested of its trade secrets, irrespective of what has been
 deposited with the U.S. Copyright Office.
-->
<!--
This file is referenced by the tm1s.cfg file when using CAM authentication.  The "localhost" string should be replaced
with the name of the server running TM1Web.
For java tm1web, the tm1web.html is accessed when the standalone tm1web uses cam authentication.
-->

<CRNenv>
	<urls>
		<url is-regex="true">http://localhost/TM1Web(/\([aAsS]\([A-Za-z0-9]+\)\))?/TM1WebLogin.aspx</url>
		<url is-regex="true">http://localhost/TM1Web(/\([aAsS]\([A-Za-z0-9]+\)\))?/TM1WebLoginHandler.aspx</url>
		<url is-regex="true">http://localhost/TM1Web(/\([aAsS]\([A-Za-z0-9]+\)\))?/TM1WebMain.aspx</url>
		<url>../tm1/web/tm1web.html</url> 
		<url>http://FRITGCSDVTMW01.emea.loreal.intra:8080/samples</url> 
	</urls>
	<cookies>
		<param name="cam_passport"/>
	</cookies>
</CRNenv>

@sschreurs,

Are you using the FQDN when you try to access 8080/samples?

Jack

I’m using: http://FRITGCSDVTMW01:8080/samples

@sschreurs,

What happens if you use the FQDN in a browser?

Jack

the same…

Hi @sschreurs,

You are closer to resolving it already. That error that you are seeing is because Canvas is able to communicate with Cognos BI, but Cognos BI just needs to be configured correctly.

Could you put a slash in front of the URL and test it again on the browser?

From this:

<url>http://FRITGCSDVTMW01.emea.loreal.intra:8080/samples</url>

It should look like this:

<url>http://FRITGCSDVTMW01.emea.loreal.intra:8080/samples/</url>

Test it out on the browser for both URLs and verify that both will be accepted (or the URL that will be used by the end-users will be accepted). So try it out using the link you had just copied before from the network tab, and then just replace the parameter value c_cmd to either http://FRITGCSDVTMW01.emea.loreal.intra:8080/samples/ or http://FRITGCSDVTMW01:8080/samples/

You may need to restart the Cognos BI server for this.

Let us know how it goes.


Paul
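
The allow-list check discussed in this thread, as an added example that is not part of the original posts and is not Cognos or Canvas code: it loads the `<url>` entries of a variables_TM1.xml and reports whether a candidate return URL (the `c_cmd` value) is accepted, and if not, which entry it nearly matches. The function names are hypothetical, and the matching rule (exact string for plain entries, whole-value match for `is-regex` entries) is an assumption; Cognos BI's own comparison may differ.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Trimmed copy of the variables_TM1.xml posted in the thread (sample input).
VARIABLES_TM1 = r"""<CRNenv><urls>
<url is-regex="true">http://localhost/TM1Web(/\([aAsS]\([A-Za-z0-9]+\)\))?/TM1WebLogin.aspx</url>
<url>../tm1/web/tm1web.html</url>
<url>http://FRITGCSDVTMW01.emea.loreal.intra:8080/samples</url>
</urls></CRNenv>"""

def load_entries(xml_text):
    """Return (pattern, is_regex) for every <url> element."""
    root = ET.fromstring(xml_text)
    return [((u.text or "").strip(), u.get("is-regex") == "true")
            for u in root.iter("url")]

def is_allowed(candidate, entries):
    """ASSUMPTION: plain entries are compared as exact strings and regex
    entries must match the whole value; Cognos's own rules may differ."""
    for pattern, is_regex in entries:
        if is_regex and re.fullmatch(pattern, candidate):
            return True
        if not is_regex and pattern == candidate:
            return True
    return False

def short_host(parts):
    """First DNS label, lower-cased by urlsplit (empty if no host)."""
    return (parts.hostname or "").split(".")[0]

def near_misses(candidate, entries):
    """For a rejected URL, name the plain entries it almost matches."""
    hints = []
    c = urlsplit(candidate)
    for pattern, is_regex in entries:
        if is_regex or "://" not in pattern or pattern == candidate:
            continue
        p = urlsplit(pattern)
        same_rest = c.port == p.port and c.path.rstrip("/") == p.path.rstrip("/")
        if candidate.rstrip("/") == pattern.rstrip("/"):
            hints.append("trailing slash differs from " + pattern)
        elif same_rest and short_host(c) == short_host(p):
            hints.append("host spelling differs from " + pattern)
    return hints

if __name__ == "__main__":
    entries = load_entries(VARIABLES_TM1)
    for tail in ("", "/"):
        url = "http://FRITGCSDVTMW01:8080/samples" + tail
        print(url, is_allowed(url, entries), near_misses(url, entries))
```

Listing each form the end-users actually type as its own literal `<url>` entry keeps the set of pages that may receive the `cam_passport` cookie explicit, where a broad regex would widen it.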