Pulse CAM Gateway for instance configuration

Hi,

I haven’t really used this way to configure an instance, and found it’s a little different from Pulse 5 per the link below.

There is no Process to keep alive and User Name in Pulse 6 now. Do I need to put both, or is just one of them enough?

I would like to know more about how this works and whether there is any risk in it, e.g. the cam_passport becoming invalid under some circumstances, etc.

Hi @vhsieh ,

The process is not needed anymore as Pulse is doing that natively/internally via the REST API.

As for how to use the above, the CAM Passport is the same as before, in that you can grab it yourself and paste it in there - or if you know of a CAM Gateway URL, then just put the URL there, and click on the Login button.

It will open up a new page and help you grab the CAM Passport. This is an example outcome using the CAM Gateway, after clicking the Login button:

Cheers!

Paul

Hi @plim ,

Thanks. Another thing I’d like to know more about is whether there is any risk in this. Could I treat this as a solution for some integration that requires MFA (e.g. Azure/O365, etc.)?

Hi @vhsieh,

Pulse just “uses” CAM to log in; it has no knowledge of how CAM is configured. Using the gateway is probably the only option with MFA. To use that, a person will need to click the “Login” button and then Pulse will grab the CAM passport. Pulse can’t just log in in the background.

Hi @tryan ,

Thanks for your confirmation. For Azure (O365) integration, we will normally have another AD namespace for Pulse and some background jobs; that’s why I am asking if I could use this way instead of creating another AD namespace.

Could I ask another question here: does Pulse support Azure+ADFS authentication? There will be no MFA required in the intranet environment.

Hi @vhsieh,

Not sure there is a need to set up a CAM namespace just for Pulse. I assume you are referring to CAM namespaces, not an AD.

I am not sure what you are referring to with the reference to Azure+ADFS? Logging in to TM1? Pulse supports CAM, native TM1 security or IBM Cloud OAuth.

Hi @tryan ,

Thanks, let me describe it more clearly. Take our internal server as an example: in our CA server, I defined two namespaces. The first and primary one is the Azure namespace (O365 login, users use this to access TM1); the second one is the AD namespace.

For both Pulse authentication cases, logging in to the portal and instance configuration, as far as I know Azure is still not supported for Pulse because of MFA. So in order to get this working, especially in instance configuration, I created an AD account in TM1 and use this account for Pulse instance configuration.

The Azure + ADFS question comes from one of our clients. My client told me their Azure is integrated with ADFS, which means there is no MFA required in the intranet environment, so I am not sure if I am able to use an Azure account (O365) for Pulse instance configuration in this kind of architecture.

Hi @vhsieh,

As I was saying in a previous post, Pulse just connects to CAM; it has no knowledge of how it authenticates a user. The idea behind CAM is that it does the authentication, so any applications like TM1 or Cognos using it for authentication don’t need to worry about how it has been configured to do the actual authentication.

The CAM Gateway option in @plim’s post allows any of the authentication methods, including single sign-on or MFA, as a new browser window will open allowing the user to log in via CAM (which then redirects to Azure, Okta, etc). You need to add Pulse to the Cognos Application Firewall (CAF).

If you use the CAM namespace/user name/password option, the namespace needs to allow it, i.e. not SSO or other methods. In this case Pulse sends the user name and password with the REST API requests.