Setting up SSO with CAM and Canvas

This document guides you through configuring Single Sign-On (SSO) with CAM Security. Before proceeding, ensure that the user can open http://<host>:<port>/ibmcognos from their PC without being prompted for a username and password. Note also that this only works with Internet Explorer and Chrome due to security configuration.

To set up SSO with CAM and Canvas, you first need to make some changes to Cognos BI/Analytics and then make some changes to Canvas.

1. Cognos BI

Update variables_TM1.xml to add the URL of your Canvas application. For example, if you have a Canvas application (folder name in the CWAS/webapps folder) named "finance-canvas", and you are still using the default port of "8080" for Canvas, then the URL entry will look like:

<url>http://localhost:8080/finance-canvas/</url>

Copy the .js and .html files from ../webapps/<canvas app>/assets/sso into the WebContent folder of your Cognos BI installation.

Open the xdomain.canvas.html file and add your Canvas origin and port. By default, it contains the following:

<!DOCTYPE HTML>
<script src="xdomain.canvas.js"></script>
<script>
    xdomain.masters({
      "http://localhost:8080": "/*"
    });
</script>

If you access your Canvas application through an FQDN, for example SERVER-PROD, on port 9555, add the following entry:

<!DOCTYPE HTML>
<script src="xdomain.canvas.js"></script>
<script>
    xdomain.masters({
      "http://localhost:8080": "/*",
      "http://SERVER-PROD:9555": "/*"
    });
</script>

Should you have Cognos Application Firewall enabled, you may need to update the "Valid domains and hosts" property to add your Canvas server. This property is usually found when you click on the following:

[Screenshot: Cognos CAF.png]

Click on the Edit icon on the Value box:

[Screenshot: Edit Icon.PNG]

Add your Canvas server (still using SERVER-PROD:9555) in the window that pops up. The entry looks like this:

[Screenshot: Cognos CAF.png]

For further details on the Valid domains and hosts property, check out this article by IBM.

2. Setup Canvas v3 and later versions

If you are using Canvas v2.0.7 or a previous version, skip this section; it applies only to Canvas v3.0 and later versions.

In Canvas v3, setting up SSO has been simplified. You just need to add the camNamespaces and useSSOWithCAM parameters to instances.json, as below:

[
    {
        "name":"dev",
        "restUri":"https://localhost:8881",
        "tm1WebUri":"http://localhost:9510/tm1web",
        "chartColorScheme":["#FB6900", "#F63700", "#004853", "#007E80", "#00B9BD"],
        "camNamespaces":["AD_SERVER_LOCAL"],
        "useSSOWithCAM":true
    }
]

Save and restart your Canvas application via Cubewise Application Server.

2. Setup with Canvas v2.0.7 and previous versions

Update the instances.json file and add the last 3 properties shown below:

[
    {
        "name":"dev",
        "restUri":"https://localhost:8881",
        "tm1WebUri":"http://localhost:9510/tm1web",
        "chartColorScheme":["#FB6900", "#F63700", "#004853", "#007E80", "#00B9BD"],
        "clientCAMURI":"http://localhost/ibmcognos/cgi-bin/cognos.cgi",
        "camNamespaces":["AD_SERVER_LOCAL"],
        "useSSOWithCAM":true
    }
]

Lastly, open the WEB-INF/pages/header.script.init.ftl file and update the following section accordingly:

// For SSO Configuration
ssoSlaves = {
  "http://localhost": "/ibmcognos/xdomain.canvas.html"
};

The format of each entry above is "<origin>": "<path to the xdomain.canvas.html file>". Note that the <origin> must be the same as the origin of your clientCAMURI property. In this example, clientCAMURI is http://localhost/ibmcognos/cgi-bin/cognos.cgi, so the origin is http://localhost.

Save and restart your Canvas application via Cubewise Application Server.
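The v2.0.7 settings above have to agree on origins: the Canvas URL must be listed in xdomain.masters, and an ssoSlaves key must match the origin of clientCAMURI. The following Node.js check is an added example, not part of Canvas or the original page; the function names and the sample object (built from the values shown on this page) are assumptions for illustration.

```javascript
// Added example, not Canvas code. Checks that the SSO settings on this page agree.
// Origins are compared after URL normalisation (lowercase host, default port dropped).
function originOf(value) {
  try {
    return new URL(value).origin;
  } catch (e) {
    return null; // not a parseable absolute URL (for example a bare wildcard)
  }
}

// instance: one entry of instances.json; ssoSlaves: map from header.script.init.ftl;
// masters: map passed to xdomain.masters(); canvasUrl: URL users open Canvas with.
function checkSsoConfig({ instance, ssoSlaves, masters, canvasUrl }) {
  const findings = [];
  if (instance.useSSOWithCAM !== true) findings.push("useSSOWithCAM is not true");
  if (!Array.isArray(instance.camNamespaces) || instance.camNamespaces.length === 0) {
    findings.push("camNamespaces is missing or empty");
  }
  const camOrigin = originOf(instance.clientCAMURI);
  if (camOrigin === null) {
    findings.push("clientCAMURI is not an absolute URL");
  } else if (!Object.keys(ssoSlaves).some((k) => originOf(k) === camOrigin)) {
    findings.push(`ssoSlaves has no entry for clientCAMURI origin ${camOrigin}`);
  }
  for (const [origin, path] of Object.entries(ssoSlaves)) {
    if (!path.endsWith("/xdomain.canvas.html")) {
      findings.push(`ssoSlaves path for ${origin} does not point to xdomain.canvas.html`);
    }
  }
  const canvasOrigin = originOf(canvasUrl);
  if (canvasOrigin === null) {
    findings.push("canvasUrl is not an absolute URL");
  } else if (!Object.keys(masters).some((k) => originOf(k) === canvasOrigin)) {
    findings.push(`xdomain.masters does not list Canvas origin ${canvasOrigin}`);
  }
  return findings;
}

// Constructed sample, using the values shown on this page.
const sample = {
  instance: {
    clientCAMURI: "http://localhost/ibmcognos/cgi-bin/cognos.cgi",
    camNamespaces: ["AD_SERVER_LOCAL"],
    useSSOWithCAM: true,
  },
  ssoSlaves: { "http://localhost": "/ibmcognos/xdomain.canvas.html" },
  masters: { "http://localhost:8080": "/*" },
  canvasUrl: "http://localhost:8080/finance-canvas/",
};
console.log(checkSsoConfig(sample));
```

An empty array means the three files agree; each string in the result names the setting to correct.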