How to setup Single Sign On with Canvas


#21

Hi @plim,
I switched off HTTPS and tested again.

With parameter “useSSOWithCAM”:false I have to enter credentials (expected), but once it’s done I get a result without any errors.

Once the “useSSOWithCAM”:true I get following error and only the pop-up window with “Please wait” message:

Maurycy


#22

Hi @mmioduski,

Turning off that useSSOWithCAM is different from the https/http issue.

The https/http issue happens because the browser is trying to authenticate with the Cognos BI server directly. Whereas turning that flag off means, authentication will be handled by TM1.

The error that you have captured there now seems to be different from the last post you had. That usually happens when:

  1. You do not have the Canvas xdomain files in the Cognos BI server
  2. The URL in the xdomain configuration in the FTL file does not exactly match the host that you have in the clientCam URL in the instances.json file

Regarding point 2, if for example the clientCamUri is http://localhost:80/ibmcognos…, then the configuration must have the target host url exactly as it is - meaning it should have port 80 typed in as well -> http://localhost:80.


Paul


#23

For testing I configured Canvas, BI and TM1 to communicate only over HTTP.

I’ll test tomorrow points 1 and 2, but I’m almost sure it’s configured correcty in xdomain.

One more thing that I found out today is that the Cognos BI response returns an error: DPR-ERR-2079 (Firewall Security Rejection. Your request was rejected by the security firewall.). In order to solve it I set all the URIs settings to use the FQDN, added Valid domains and hosts and configured Domain in the Global Configuration - all found on IBM websites. However it still doesn’t work as expected.


#24

Hi @mmioduski,

Okay great! Then if you are still having an issue, can you post in here the contents of the following files:

  • header.script.init.ftl (the line of code that has ssoSlaves in particular)
  • instances.json (the property named clientCAMURI in particular)
  • xdomain,.canvas.html

These are the files where the SSO configuration for Canvas mostly depends on.

Cheers!

Paul


#25

Hey @mmioduski

Please see https://forum.cubewise.com/t/unknown-sso-error/1095/2

Jack


#26

Hi @jtuckerman,
I’ve seen your already and added servers to the “valid domains or hosts”. However, there must be still something wrong, because the request is blocked.

The “valid domains or hosts”:
image

And that’s the Chrome console error:


#27

@mmioduski

Did you restart the Cognos BI service?

Jack


#28

I think I know what’s the problem.

BI and Canvas are case sensitive. I changed all urls to use only small letters and it works on the server. I’ll keep you posted once I finish the configuration


#29

All,
I managed to configure SSO with Canvas. However, after configuring Cognos Analytics to work with SSL, I am getting following error:

Can this be caused by the self-signing certificate in CA? When I try to open Cognos Portal, I’m prompt about the certificate error.

Thanks a lot in advance,
Maurycy.


#30

Hi @mmioduski,

Could be, but it can also be because of the port (443) that was added into the clientCAMURI property. The port number 443 is already the default port used by browsers for HTTPS connections.

The most probable culprit for that block connection error with Cognos is the header.script.init.ftl's ssoSlaves property configuration not having the same base URL as the clientCAMURI in instances.json file.

So if you do not have the 443 in ssoSlaves, the instances.json file should not have it as well.

Can you have a check on those files?


Paul


#31

Hi @plim,
I had everywhere the port number 443 configured. Tried also without “:443”. Both test are unsucessfull.

Maurycy


#32

Hi @mmioduski,

What are the errors in the console now?

I am assuming that you can login okay with Architect on SSO?

Also, can you post in here the contents of the instances.json and header.script.init.ftl files.


Paul


#33

Hi @plim,
yes, I can login to the model using Architect (SSO and SSL works fine).
the error I’m getting is:
Possibly unhandled rejection: {"data":"<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<head xmlns:fault=\"http://developer.cognos.com/schemas/xts/portal/iFaultHandler/1/\"><meta http-equiv=\"refresh\" content=\"0; URL=/ibmcognos/bi/?legacyLogin=%2fibmcognos%2fbi%2fv1%2fdisp%3f%26b_action%3dxts.run%26c_cmd%3dhttps%253a%252f%252fxe-s-tbmfe01t.xe.domain.com%253a8080%252fsamples%252f%26c_mode%3dget%26encoding%3dUTF-8%26m%3dportal%252fbridge.xts%26c_env%3dportal%252fvariables_TM1.xml\"/></head>","status":200,"config":{"method":"GET","transformRequest":[null],"transformResponse":[null],"jsonpCallbackParam":"callback","url":"https://xe-s-tbmdb01t.xe.domain.com:443/ibmcognos/bi/v1/disp?b_action=xts.run&m=portal/bridge.xts&CAMNamespace=domain.com&c_env=portal/variables_TM1.xml&c_mode=get&c_cmd=https://xe-s-tbmfe01t.xe.domain.com:8080/samples/","headers":{"Accept":"application/json, text/plain, */*"},"withCredentials":true},"statusText":"OK"}

The instances.json looks as follows:
[
{
“name”:“dev”,

	"restUri":"https://xe-s-tbmdb01t.xe.domain.com:8882",
    
	"applyParenthesisFormatting":true,
    
	"chartColorScheme":["#848484"],

        "clientCAMURI":"https://xe-s-tbmdb01t.xe.domain.com:443/ibmcognos/bi/v1/disp",
        "camNamespaces":["domain.com"],
        "useSSOWithCAM":true


  }
]

and finally the header.script.init.ftl:

// For SSO Configuration
ssoSlaves = {
  "https://xe-s-tbmdb01t.xe.domain.com:443": "/ibmcognos/xdomain.canvas.html"
};

// ADD YOUR CUSTOM ANGULAR MODULES HERE
// i.e. for adding the module of ngFileUpload to make it available on your Canvas application
// customAngularModules.push('ngFileUpload');

Is there anything I’m doing wrongly?


#34

Hi @mmioduski,

The configurstion looks alright. Looking at the response, it looks like Cognos BI may need some additional check.

You could start looking at the console, network tab. Lookup for that request that connects to Cognos BI. Once you see that, copy that link and paste it on another Chrome tab. That should give you a better look at what the possible error is.

Ideally, once that is fixed, it should redirect it to the Canvas app with the CAM passport usually visible in the URL.

Check the error in the console too. Like if there is a no cross origin request error.

As a start, check to see if it is able to redirect it to the Canvas app if you just copy over that URL into a new tab.


Paul


#35

Hi @mmioduski,

In summary, looking at the response, there seems to be some issue in the Cognos BI / CA. The response posted above is returning an XML, instead of a normal HTML. Then, looking at the content, there is no visible CAMPassport within that too.

The Canvas configuration that you have looks alright already. So it should only be a matter of when CA’s response is fixed.

Here are the following items to check:

  1. Do check that Cognos BI is starting properly and no errors should be indicated in there as much as possible.

  2. Ensure that you can login automatically at least via Architect

  3. Set the instances.json file’s useSSOWithCAM property to false, and manually login by selecting the CAM Namespace, and then typing your username and password

  4. Set the instances.json file’s useSSOWithCAM property to true, then go to a Canvas page that has TM1 data to trigger the login - if there is still an issue logging in, open Chrome’s Developer Console (if available), and go to Network tab to look for the Cognos BI / CA link and check the response (this should at least have the CAMPassport content)
    4.1. To get a better look at the error, copy the link and paste it into another tab and see what the response is (it should redirect at least to your Canvas application)

  5. Check for any errors on the console (i.g. no access origin). If you have this, either the ssoSlaves may not have been configured properly with the correct URL or the URL of the Canvas application needs to be added into the Cognos Application Firewall’s list of allowed domains / URLs (please see Jack’s post on this thread)


Paul


#36

Hi @plim,
I did the following checks:

  1. no errors occur, starting Cognos BI is 100% successfull
  2. Yes, I can
  3. I can connect to Canvas Samples w/o SSO, simply by typing my AD credentials.
  4. I get the error:

4.1 When I copy & paste the the response URL, it redirects to the Canvas app and I’m logged in.
5. Jack’s suggestion was implemented.


#37

@mmioduski

Out of interest, can you connect OK to tm1web via SSO & Cognos Analytics with your current setup?

Jack


#38

Hi @mmioduski,

Thanks for the update! It was great that you found the fix and now Cognos Analytics is starting up without an issue and Architect can at least connect again and properly authorize without those errors.

Now we are left with what seems to be the new or error response by Cognos Analytics (item#4). Normally, the response is an HTML. But judging from the error posted, it looks like it posted an error - and is just returning a normal XML.

The contents of the XML does not return a CAMPassport as expected, but it seems to have a new bit of information similar to it - SecurityBlob.

We will check on the Canvas if it is possible to capture and be able to process that error. Reason for this is that it may be not all readable from the JavaScript side.

In the meantime, do check if you can configure or find out why Cognos Analytics is returning this faulty response as per the attribute it is header: xmlns:fault=“http://developer.cognos.com/schemas/xts/portal/iFaultHandler/1/. Also, check if it can be configured to return the above request normally.

Hi @jtuckerman,

Just would like to check, are you using Cognos Analytics or Cognos BI on your SSO implementation?


Paul


#39

@plim

Hey Paul,

I asked the question re: Cognos Analytics/tm1web because we recently tried to get Canvas & SSO working with CA and hit a brick wall - but in this case tm1web wasn’t working with SSO and they are currently resolving that first.

Jack


#40

Hi @jtuckerman,

Thanks for those information!

I was trying to gather more information on the Cognos Analytics on whether this is a new structure with that new parameter in the error response named SecurityBlob and was wondering if someone had the same issue.

So when you mentioned that brick wall with CA, is that the same issue as what @mmioduski has been seeing on the console errors?


Paul