How to setup Single Sign On with Canvas


#41

All,
When I can CA + SSO, I didn’t face any issues with TM1Web. But now with CA+SSL+SSO I cannot retrieve the instance list.

Regarding Canvas:
I found out something interesting. If I first open the Cognos Portal URL in the browser (SSO works fine there) and then I open Canvas Samples – it works.
Any idea why it may happen?


#42

Hi All,
Finally we are really close to setting everything up and closing this task.

The last issue we face is the following. If I try to connect to Samples I cannot see the request for CAM_Passport at all. However, if I open the Cognos BI portal in the same browser (logged in with SSO) and then refresh the Samples URL - the request for CAM_Passport is there and I’m in with SSO.

Have you had an issue like that? Any suggestions how to fix it?

Cheers,
Maurycy


#43

Hi @mmioduski,

The request for CAM_Passport is triggered if there is a TM1 request on the page, and that request has returned a 401 HTTP Status Code.

Can you see these requests on the Network tab on the page where you are? If not, can you try to navigate to a page where there is a TM1 request for data?

The request for CAM_Passport is not always the first request it will do. It will always check first if it can communicate with TM1. Only if it returns the 401 then will it try to communicate with CAM. This is on the assumption that the instance is configured to do so - useSSOwithCAM is true, and there is a clientCAMUri.

Can you help verify the network requests?

Also check the instances.json that it is retrieving, and help verify that you are in the Canvas app you have configured for SSO. Look out for this request and its content:


Paul
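
The request order described in the post above, as an added example that is not part of the original thread and is not Canvas code: a small checker that takes an instance's settings plus requests copied from the Network tab and reports why the CAM request was or was not made. Only `useSSOwithCAM` and `clientCAMUri` come from the thread; the `{url, status}` record shape, the `tm1Prefix` parameter, the hosts, the port and the CAM path are constructed assumptions.

```javascript
// Added illustration, not Canvas code. Only useSSOwithCAM and clientCAMUri
// come from the thread; the {url, status} record shape and tm1Prefix are
// assumptions. status 0 stands for a request that never completed.
function diagnoseCamSso(instance, requests, tm1Prefix) {
  const findings = [];
  if (instance.useSSOwithCAM !== true) findings.push("useSSOwithCAM is not true");
  if (!instance.clientCAMUri) findings.push("clientCAMUri is not set");
  const configured = findings.length === 0;

  // CAM is only contacted after a TM1 request has come back with 401.
  const tm1 = requests.filter((r) => r.url.startsWith(tm1Prefix));
  const got401 = tm1.some((r) => r.status === 401);
  if (tm1.length === 0) findings.push("no TM1 request on this page");
  else if (!got401) findings.push("no TM1 request returned 401");

  const cam = configured
    ? requests.filter((r) => r.url.startsWith(instance.clientCAMUri))
    : [];
  const camExpected = configured && got401;
  if (camExpected && cam.length === 0) {
    findings.push("401 seen but no CAM request was issued");
  }
  if (cam.some((r) => r.status === 0)) {
    findings.push("CAM request did not complete (blocked or failed)");
  }
  return { camExpected, camRequested: cam.length > 0, findings };
}

// Constructed sample data (hosts, port and CAM path are placeholders).
const TM1_PREFIX = "https://tm1.example.invalid:8882/api/v1/";
const sampleInstance = {
  useSSOwithCAM: true,
  clientCAMUri: "https://bi.example.invalid/cam-placeholder",
};
const sampleCaptures = {
  working: [
    { url: TM1_PREFIX + "Cubes", status: 401 },
    { url: sampleInstance.clientCAMUri, status: 200 },
  ],
  camBlocked: [
    { url: TM1_PREFIX + "Cubes", status: 401 },
    { url: sampleInstance.clientCAMUri, status: 0 },
  ],
  noTm1Request: [{ url: "https://canvas.example.invalid/instances.json", status: 200 }],
};
for (const [name, reqs] of Object.entries(sampleCaptures)) {
  console.log(name, diagnoseCamSso(sampleInstance, reqs, TM1_PREFIX));
}
```

An empty `findings` list with `camRequested: true` matches the working sequence; a CAM entry with status 0 is the case where the request was attempted but never completed.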


#44

Hi @plim,
I tried to open a sample page with the DB retrieve.

The network tab looks as follows:


The last message is the AuthenticationService that I’m getting.

Once I opened the Cognos BI, then for the sample page in Canvas Network tab looks as follows (I see CAM_Passport request):

I am just wondering… could it be related to the self-signing SSL certificate on the Cognos BI server? Maybe it allows me to see the data, because for the first time in Cognos BI website I must click that I want to continue with not secure message:

Cheers,
Maurycy


#45

Hi Maurycy,

That could be a possibility. And it is also possible that the browser is blocking the request altogether since it is not a secure certificate.

The AuthenticateService line you have highlighted is definitely not in the login mechanism of Canvas. Same goes for the common.js, util.js and stats.js. These seem like the scripts loaded by Chrome when an insecure connection is detected.

You can try this out:

The main thing would be to be able to make Chrome or a browser open the site, without it being flagged as insecure.

Otherwise, if I remember correctly, SSO was configured successfully on that server already with an http only connection.

There are also some sites that offer temporary SSL Certificate signing that might help on this one.

Is the https a necessary setup? If so, can you get a valid certificate to use instead?

Check also if it might be easier to configure IE to accept a self-signed certificate, and then try to use Canvas there instead.

Cheers!
Paul


#46

Hi @plim,
So I tested your suggestions.
The Chrome thing didn’t help with Canvas (even though I’m able to get to the Cognos BI website without being prompted about an invalid cert).

In the current setup everything works with the SSL, because I’m using RestAPI with SSL and therefore I must use CAM also with SSL.

The same issue happens in IE.

Cheers,
Maurycy


#47

Hi @mmioduski,

Using REST API with SSL does not necessarily mean you need Canvas and Cognos in HTTPS too.

The SSO setup was actually based off the following:

TM1 REST API - https
Cognos - http
Canvas - http

If it is not necessary to have HTTPS on the Cognos BI server then please do change it to just use its default configuration (http).

Let us know how it goes.


Paul


#48

Hi, We are running into the same error setting up SSL using Canvas/CAM.

libs.2.0.7.js:1 Possibly unhandled rejection: {“data”:"<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<head xmlns:fault=“http://developer.cognos.com/schemas/xts/portal/iFaultHandler/1/”>

I was wondering if you ever found a resolution for it? We need SSL working between Canvas and BI, it is an IT requirement from us that all sites we run be https.

Thanks,
Chet


#49

Dear @chet_watkins
Do you use signed certificates for Cognos BI? (The easiest way to check it is to go to the browser and open the Cognos Portal - if you see the red certificate error saying it’s unsecure.)

In our case the problem was caused by a self-signing certificate (this also caused the unsecure cert. message in the browser). This unsecured connection was blocked by Canvas and therefore we couldn’t get the SSO working properly. To solve the problem we requested properly signed certificates and installed them on the IIS (we used it for Cognos Gateway).

Please let me know if this helps in your case.

Regards,
Maurycy


#50

We use signed certs. The site shows secure with SSO on or off, but it is only when SSO is off that we can actually sign in. With SSO on we get the error discussed above. Our Cognos BI does use Okta for authentication now, so I am not sure if that might be causing issues, but so do our TM1 servers/webs through BI and they log in fine.


#51

Hi @chet_watkins,

Thanks for the additional details. We are preparing and testing a build that will reduce the steps that are needed to enable SSO on Canvas with CAM.

In relation to this topic, this should in theory help as well with this issue with the SSL certs.

We will keep you posted on this. Just doing a few more tests on the build.


Paul


#52

Thank you Paul, we are looking forward to it. We have our first apps going live now and the loss of SSO going SSL has not been ideal.