Canvas SSO Issue

@sschreurs,

I’m not sure if you’re still having issues with this, but I resolved an SSO issue today that involved steps that are not in the current guide; you may have the same problem:

https://forum.cubewise.com/t/unknown-sso-error/1095

Jack

Hi
I will have a look at this also.
Thanks

Hi Al

Back again with another issue with SSO configuration.
After setting up the new server at the customer, I now have this error:
“No Access Control Allow Origin” header is present on the requested source.

All requested files seem to be ok. When looking at the console, I’ve got dimensions and batch errors. When SSO is set on false, I can connect but with the same dimensions and batch errors.

@sschreurs,

In our experience the “No Access Control Allow Origin” error usually points towards something being incorrectly configured on the BI server, or in the Canvas header.script.init file.

What’s in your Canvas header.script.init file and your variables_TM1.xml file on the BI server?

Jack

Hi @jtuckerman,

here are the various files:

@sschreurs,

I see you’ve got the samples in there; does that work OK (with SSO)?

Jack

@sschreurs,

I think the problem is that you are missing a final / after your instance names in variables_TM1.

(last 2 entries).

Jack

I’ve tested this but it doesn’t work with adding a final /

@sschreurs

You shouldn’t need the “#” after the canvas port (8080) in your variables_TM1 either.

It should read the same way as the samples URL, i.e. server/port/app/

Jack

Hi @sschreurs,

How was it? Looking at the configuration, it is highly likely because of the number 80:

You do not need the port 80 as by default, http is through port 80. That goes for https (443).

Although they are the same, the browser, specifically through JS, still treats them as different domains.


Paul

Hi @plim,

Both proposed solutions don’t work, but by modifying the port 80, I do not have the “No Access Control Allow Origin” error anymore:

@sschreurs

That error looks like this https://forum.cubewise.com/t/unknown-sso-error/1095/2

Jack

Hi Jack,
I’m running into exactly the same console message as you can see in the screenshot from Feb 19:
“No Access-Control-Allow-Origin …”

This happens since a major Windows upgrade (Windows-1709 Upgrade) which is currently rolled out in our company. On my own computer, which has not been updated yet, this error does not occur and Canvas just logs me in. But I’ve seen this issue now on two different computers that already received the update. I did not change anything in Canvas or TM1 configuration, but suddenly this error comes up.

Has anyone had similar experiences after the 1709 Windows update?

Any suggestion very welcome.
Andreas

Hi @andreas.franke,

To further isolate the issue, can you check which URL on the console this error is occurring for? After that, compare it with the SSO URL in the header.script.init.ftl file. Note that the base URL has to be exactly the same, i.e. if the server is accessed via http://cognos01, then the URL in the FTL file should be like http://cognos01 and not http://cognos01:80 .

The other area to check possibly is if the xdomain.canvas.html/js file in the Cognos BI server is accessible from the user’s PC. It might be that a security update prevents access for them. You can try to test this out from the browser and type http://cognos01/xdomain.canvas.html for example.


Paul
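
An added example, not part of the original thread and not Canvas or Cognos code: a small Node.js helper that lints a configured URL for the three things raised in this thread (an explicit default port, a trailing `#`, a missing final `/`) and compares it with the URL shown in the console error. The URL parser drops a default port, so a parsed-origin comparison alone cannot reveal a `:80` discrepancy; the helper also compares the strings as typed. Function names and sample URLs are hypothetical.

```javascript
// Added example: hypothetical lint helper, not Canvas or Cognos code.
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

// Port exactly as typed in the raw string ('' when none is written).
// new URL() cannot tell us this: it silently drops a default port.
function literalPort(raw) {
  const m = /^[a-z][a-z0-9+.-]*:\/\/[^\/?#]*?:(\d+)(?=[\/?#]|$)/i.exec(raw);
  return m ? m[1] : '';
}

// Lint one configured URL for the three things flagged in the thread.
function lintConfiguredUrl(raw) {
  const url = new URL(raw);
  const port = literalPort(raw);
  const findings = [];
  if (port !== '' && port === DEFAULT_PORTS[url.protocol]) {
    findings.push('explicit-default-port');
  }
  if (raw.includes('#')) findings.push('contains-fragment');
  if (!url.pathname.endsWith('/')) findings.push('missing-trailing-slash');
  return findings;
}

// Compare the configured URL with the URL from the console error,
// both as the browser parses them and as literally written.
function compareOrigins(configured, observed) {
  const prefix = (raw) => /^[^:]+:\/\/[^\/?#]*/.exec(raw)[0].toLowerCase();
  return {
    browserSameOrigin: new URL(configured).origin === new URL(observed).origin,
    literalSame: prefix(configured) === prefix(observed),
  };
}

// Constructed sample values for illustration only.
const samples = [
  'http://cognos01:80/',
  'http://cognos01:8080/app/#',
  'http://cognos01:8080/app',
];
for (const s of samples) {
  console.log(s, '->', lintConfiguredUrl(s).join(', ') || 'ok');
}
console.log(compareOrigins('http://cognos01:80', 'http://cognos01'));
```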



Hi Paul,

the following console log occurs when I try to log in from a computer that already was updated:

Here are the relevant Canvas/BI configuration files:

I can confirm that both xdomain.canvas.js and xdomain.canvas.html are accessible from the web browser via:
http://des41206.grtgroup.com/ibmcognos/xdomain.canvas.html
http://des41206.grtgroup.com/ibmcognos/xdomain.canvas.js

I restarted all servers involved and the complete Windows servers this morning to get rid of any problem that might occur due to a pending reboot on server side, but issue remained.

Any idea how to move on from here?

Thanks a lot,
Andreas

Hi @andreas.franke,

How about the content of the header.script.init.ftl file? Also, what is the URL that you are using to access your Canvas?

The error seems to be connected to accessing the Canvas server first. Is it behind a load balancer or are you accessing it directly?


Paul

Hi Paul,

sorry I missed that one, see contents below:

The URL is: http://des41206.grtgroup.com:8080/aims/#/reporting

I connect directly.

In parallel I opened a ticket for our internal IT service provider to check what else might have changed (policies e.g.) that might prevent the cross-site request. But I do not expect any useful answer from that request. Do you have a chance to test a similar setup on a Windows 10 computer using Edge and the 1709 update installed?

Andreas

Hi @andreas.franke,

Another area we could check is via browsers:

Can you try it with Chrome? Looking at the error screenshot, I would assume that it was IE/Edge.

Then another area we could check is if Cognos BI is able to redirect to Canvas. From your browser, look under the Network tab for the URL that has cognos/cgi-bin in its path. This is a long URL, so once you find it, copy and paste that into the browser address bar and press enter.

Does the above redirect you into your Canvas application with a CAMPassport in the URL now?


Paul

Hi Paul,

I just installed Chrome on the updated workstation and will continue debugging with this one instead of Edge. Error looks the same, although somewhat more detailed:

Remark: I had to switch to a different Canvas application (ODC instead of AIMS) because I had to switch off single sign on for the AIMS application in order to provide a workaround for the users. Besides that, error message and symptom (no login) is the same, so let’s continue with this one.

The redirection URL that I found in the network tab is the following:
http://des41206.grtgroup.com/ibmcognos/cgi-bin/cognos.cgi?b_action=xts.run&m=portal/bridge.xts&CAMNamespace=grtgroup.com&c_env=portal/variables_TM1.xml&c_mode=get&c_cmd=http://des41206.grtgroup.com:8080/odc/

I copied it into a new browser tab and hit enter.

It first redirects me to the following URL:

http://des41206.grtgroup.com:8080/odc/?cam_passport=MTsxMDE6YmJhOTZiNDUtZWQzYS05MTgyLWU2MDktNDkxNDM5MjgxYmUxOjE0ODg4NTIxNzA7MDszOzA7&CAMNamespace=grtgroup.com

Then after a few seconds, it again redirects me to:

http://des41206.grtgroup.com:8080/odc/?cam_passport=MTsxMDE6YmJhOTZiNDUtZWQzYS05MTgyLWU2MDktNDkxNDM5MjgxYmUxOjE0ODg4NTIxNzA7MDszOzA7&CAMNamespace=grtgroup.com#/cashflowkpi

That is strange, as it redirects me to another Canvas site within the same application (“cashflowkpi”). Not sure where this 2nd redirect is coming from. However, the page still won’t log me in, again resulting in the same error I came up with initially:

However, coming back to your question: yes, it redirects me to my Canvas application with a CAMPassport in the URL.

Andreas

Hi @andreas.franke,

Thanks for those details! It is great that the URL has redirected to Canvas with the CAMPassport.

Please contact your local Cubewise office so that they can create a ticket for the issue that you are experiencing.


Cheers!
Paul