Canvas SSO Issue

jtuckerman · 2018-01-09 20:01:50 UTC

I’m not sure if you’re still having issues with this, but I resolved an SSO issue today that involved steps that are not in the current guide, you may have the same problem:

https://forum.cubewise.com/t/unknown-sso-error/1095

Jack

sschreurs · 2018-01-09 20:25:06 UTC

Hi
I will have a look to this also.
Thanks

sschreurs · 2018-02-19 11:00:33 UTC

Hi Al

Back again with another issue with SSO configuration.
After setting up the new server at the customer, I have now as error
"No Access Control Allow Origin" header is present on the requested source.

All requested files seem to be ok. When looking at the console, I’ve got dimensions and batch errors. When SSO is set on false, I can connect but with the same dimensions and batch errors.

jtuckerman · 2018-02-19 11:41:29 UTC

@sschreurs,

In our experience the “No Access Control Allow Origin” error usually points towards something being incorrectly configured on the BI server, or in the Canvas header.script.init file.

What’s in your Canvas header.script.init file and your variables_TM1.xml file on the BI server?

Jack

sschreurs · 2018-02-19 11:51:26 UTC

Hi @jtuckerman,

here are the various files:

jtuckerman · 2018-02-19 11:53:56 UTC

@sschreurs,

I see you’ve got the samples in there, does that work OK (with SSO).

Jack

jtuckerman · 2018-02-19 12:00:26 UTC

@sschreurs,

I think the problem is that you are missing a final / after your instance names in variables_TM1.

(last 2 entries).

Jack

sschreurs · 2018-02-19 13:45:31 UTC

I’ve tested this but it doesn’t work with adding a final /

jtuckerman · 2018-02-19 13:59:52 UTC

@sschreurs

You shouldn’t need the “#” after the canvas port (8080) in your variables_TM1 either.

It should read the same way as the samples URL, i.e. server/port/app/

Jack

plim · 2018-02-19 22:18:40 UTC

Hi @sschreurs,

How was it? Looking at the configuration, it is highly likely because of the number 80:

YOu do not need the port 80 as by default, http is through port 80. That goes for https (443).

Although they are the same, the browser, specifically through JS still treats them as different domains.

–
Paul

sschreurs · 2018-02-20 08:03:13 UTC

Hi @plim,

Both proposed solution doesn’t work but by modifying the port 80, I do not have the No Access Control Allow Origin” error anymore:

jtuckerman · 2018-02-20 08:35:01 UTC

@sschreurs

That error looks like this https://forum.cubewise.com/t/unknown-sso-error/1095/2

Jack

andreas.franke · 2018-07-10 21:18:39 UTC

Hi Jack,
I’m running into exactly the same console message as you can see in the screenshot from Feb 19:
“No Access-Control-Allow-Origin …”

This happens since a major Windows upgrade (Windows-1709 Upgrade) which is currently rolled out in our company. On my own computer, which has not been updated yet, this error does not occur and Canvas just logs me in. But I’ve seen this issue now on two different computers that already received the update. I did not change anything in Canvas or TM1 configuration, but suddenly this error comes up.

Has anyone similar experiences after 1709 Windows update?

Any suggestion very welcome.
Andreas

plim · 2018-07-10 23:16:54 UTC

Hi @andreas.franke,

To further isolate the issue, can you check which URL on the console is this error occurring for? After that, compare it with the SSO URL in the header.script.init.ftl file. Note that the base URL has to be exactly the same, i.e. if the server is accessed via http://cognos01, then the url in the FTL file should have like http://cognos01 and not http://cognos01:80 .

The other area to check possibly is if the xdomain.canvas.html/js file in the Cognos BI server is accessible from the user’s PC. It might have been a security update prevents access for them. You can try to test this out from the browser and type http://cognos01/xdomain.canvas.html for example.

–
Paul

andreas.franke · 2018-07-11 05:21:46 UTC

Hi Paul,

the following console log occurs when I try to log in from a computer that already was updated:

Here are the relevant Canvas/BI configuration files:

I can confirm that both xdomain.canvas.js and xdomain.canvas.html are accessible from the web browser via:
http://des41206.grtgroup.com/ibmcognos/xdomain.canvas.html
http://des41206.grtgroup.com/ibmcognos/xdomain.canvas.js

I restarted all servers involved and the complete Windows servers this morning to get rid of any problem that might occur due to a pending reboot on server side, but issue remained.

Any idea how to move on from here?

Thanks a lot,
Andreas

plim · 2018-07-11 06:01:41 UTC

Hi @andreas.franke,

How about the content of the header.script.init.ftl file? Also, what is the URL that you are using to access your Canvas?

The error seems to be connected to accessing the Canvas server first. Is it behind a load balancer or are you accessing it directly?

–
Paul

andreas.franke · 2018-07-11 06:29:55 UTC

Hi Paul,

sorry I missed that one, see contents below:

The URL is: http://des41206.grtgroup.com:8080/aims/#/reporting

I connect directly.

In parallel I opened a ticket for our internal IT service provider to check what else might have changed (policies e.g.) that might prevent the cross-site request. But I do not expect any useful answer from that request. Do you have a chance to test a similar setup on a Windows 10 computer using Edge and the 1709 update installed.

Andreas

plim · 2018-07-11 07:12:54 UTC

Hi @andreas.franke,

Another area we could check is via browsers:

Can you try it with Chrome? Looking at the error screenshot, I would assume that it was IE/Edge.

Then another area we could check is if Cognos BI is able to redirect to Canvas. From your browser, look out under Network tab, that URL that reads has the cognos/cgi-bin in its path. This is a long URL, so once you find it, copy and paste that into the browser address bar and press enter.

Does the above redirect you into your Canvas application with a CAMPassport into the URL now?

–
Paul

andreas.franke · 2018-07-11 08:22:04 UTC

Hi Paul,

I just installed Chrome on the updated workstation and will continue debugging with this one instead of Edge. Error looks the same, although somewhat more detailed:

Remark: I had to switch to a different Canvas application (ODC instead of AIMS) because I had to switch off single sign on for the AIMS application in order to provide a workaround for the users. Besides that, error message and sympton (no login) is the same, so let’s continue with this one.

The redirection URL that I found in the network tab is the following:
http://des41206.grtgroup.com/ibmcognos/cgi-bin/cognos.cgi?b_action=xts.run&m=portal/bridge.xts&CAMNamespace=grtgroup.com&c_env=portal/variables_TM1.xml&c_mode=get&c_cmd=http://des41206.grtgroup.com:8080/odc/

I copied it into a new browser tab and hit enter.

It first redirects me to the following URL:

http://des41206.grtgroup.com:8080/odc/?cam_passport=MTsxMDE6YmJhOTZiNDUtZWQzYS05MTgyLWU2MDktNDkxNDM5MjgxYmUxOjE0ODg4NTIxNzA7MDszOzA7&CAMNamespace=grtgroup.com

Then after a few seconds, it again redirects me to:

http://des41206.grtgroup.com:8080/odc/?cam_passport=MTsxMDE6YmJhOTZiNDUtZWQzYS05MTgyLWU2MDktNDkxNDM5MjgxYmUxOjE0ODg4NTIxNzA7MDszOzA7&CAMNamespace=grtgroup.com#/cashflowkpi

That is strange, as it redirects me to another Canvas site within the same application (“cashflowkpi”). Not sure where this 2nd redirect is coming from. However, the page still won’t log me in, again resulting in the same error I came up with initially:

However, coming back to your question: yes, it redirects me to my Canvas application with a CAMPasswort in the URL.

Andreas

plim · 2018-07-11 23:07:47 UTC

Hi @andreas.franke,

Thanks for those details! It is great that the URL has redirected to Canvas with the CAMPassport.

Please contact your local Cubewise office so that they can create a ticket for the issue that you are experiencing.

–
Cheers!
Paul