Setting up SSO with CAM and Canvas

This document guides you through configuring Single Sign-On (SSO) with CAM Security. Before proceeding, ensure that the user can open http://<host>:<port>/ibmcognos from their PC without being prompted for a username and password. Note also that this only works with Internet Explorer and Chrome due to security configuration.

In order to configure SSO with CAM in Canvas, please follow these steps:

1. Cognos BI

Update variables_TM1.xml to add the URL of your Canvas application. For example, if you have a Canvas application (folder name in the CWAS/webapps folder) named "finance-canvas", and you are still using the default port of "8080" for Canvas, then the URL entry will look like:


Copy the JS and HTML files from ../webapps/<canvas app>/assets/sso into the WebContent folder of your Cognos BI installation.

Open the xdomain.canvas.html file and add your Canvas origin and port. By default, it contains the following:

<script src="xdomain.canvas.js"></script>
      "http://localhost:8080": "/*"

If, for example, you access your Canvas application through an FQDN named SERVER-PROD on port 9555, add the following entry:

<script src="xdomain.canvas.js"></script>
      "http://localhost:8080": "/*",
      "http://SERVER-PROD:9555": "/*"

Should you have Cognos Application Firewall enabled, you may need to update the "Valid domains and hosts" property to add your Canvas server. This property is usually found when you click on the following:

[Screenshot: Cognos CAF.png]

Click on the Edit icon on the Value box:

[Screenshot: Edit Icon.PNG]

Add your Canvas server (still using SERVER-PROD:9555) in the window that pops up. The entry looks like this:

[Screenshot: Cognos CAF.png]

For further details on the Valid domains and hosts property, see this article by IBM.


Update the instances.json file and add the following last 3 properties:

        "chartColorScheme":["#FB6900", "#F63700", "#004853", "#007E80", "#00B9BD"]      

Lastly, open up the WEB-INF/pages/header.script.init.ftl file and update the following section accordingly:

// For SSO Configuration
// Key: origin of the Cognos BI server; value: path to xdomain.canvas.html on that server
ssoSlaves = {
  "http://localhost": "/ibmcognos/xdomain.canvas.html"
};

The format of the above is <origin>:<path to the xdomain.canvas.html file>. Note that the <origin> must be the same as the origin you have configured in your clientCAMURI property. In this example, clientCAMURI is http://localhost/ibmcognos/cgi-bin/cognos.cgi, so the origin is http://localhost.

Save and restart your Canvas application via Cubewise Application Server.
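
The steps above only work when the origins agree: the Canvas origin must be listed in xdomain.canvas.html, and the ssoSlaves key must be the origin of clientCAMURI. The Node.js script below is an added example, not part of Canvas or Cognos, that cross-checks those values before a restart. It assumes the entries have been copied into plain objects and that origins are compared in the normalized form browsers report; the function names and sample values are constructed.

```javascript
// Added example: cross-checks the SSO settings from this page before a restart.
// Function names and the sample values are constructed for illustration.

// Normalized origin (scheme://host[:port]) of a URL, or null if it has none.
function originOf(value) {
  try {
    const origin = new URL(value).origin;
    return origin === "null" ? null : origin;
  } catch (err) {
    return null;
  }
}

// True when the key is an origin only: no path, trailing slash or default port.
function isBareOrigin(key) {
  return originOf(key) !== null && key.toLowerCase() === originOf(key);
}

// masters:   origin -> path entries from xdomain.canvas.html (on Cognos BI)
// ssoSlaves: origin -> proxy page entries from header.script.init.ftl (Canvas)
function checkSsoConfig({ canvasUrl, clientCAMURI, masters, ssoSlaves }) {
  const problems = [];
  const canvasOrigin = originOf(canvasUrl);
  const cognosOrigin = originOf(clientCAMURI);
  if (!canvasOrigin) problems.push(`canvasUrl is not a valid URL: ${canvasUrl}`);
  if (!cognosOrigin) problems.push(`clientCAMURI is not a valid URL: ${clientCAMURI}`);

  for (const key of [...Object.keys(masters), ...Object.keys(ssoSlaves)]) {
    if (!isBareOrigin(key)) problems.push(`"${key}" is not a bare origin`);
  }
  // The Canvas origin must be listed in xdomain.canvas.html.
  if (canvasOrigin && !Object.keys(masters).map(originOf).includes(canvasOrigin)) {
    problems.push(`${canvasOrigin} is missing from xdomain.canvas.html`);
  }
  // The ssoSlaves origin must equal the origin of clientCAMURI.
  if (cognosOrigin && !Object.keys(ssoSlaves).map(originOf).includes(cognosOrigin)) {
    problems.push(`ssoSlaves has no entry for ${cognosOrigin}`);
  }
  return problems;
}

// Constructed sample mirroring the values used on this page.
const sample = {
  canvasUrl: "http://SERVER-PROD:9555/finance-canvas",
  clientCAMURI: "http://localhost/ibmcognos/cgi-bin/cognos.cgi",
  masters: { "http://localhost:8080": "/*", "http://SERVER-PROD:9555": "/*" },
  ssoSlaves: { "http://localhost": "/ibmcognos/xdomain.canvas.html" },
};
console.log(checkSsoConfig(sample)); // empty array when the settings agree
```

An empty result means the allowed origins line up; any entry that is a wildcard, carries a path, or names the wrong server is reported so the whitelist stays limited to the exact Canvas and Cognos origins.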