Authentication Overview

Authentication Integration Overview

QueryVision offers many different Authentication options for Cognos and SharePoint. The following is a quick overview of the different options available. Details for setting up each option can be found as separate articles.

If you are unsure whether what you are trying to achieve is listed here, it is best to contact us with details of your architecture.

Authentication can be broken down into 3 main types: Single Signon, Challenge & Response, and Service Account.

Single Signon (SSO)

There is a range of features that support logging onto Cognos directly from within SharePoint without any userid or password challenge. QueryVision has a number of different configurations to accommodate the wide range of architectures that may exist with different customers.

The setup for each solution varies but typically does not take more than half an hour, including some extra installation components on the Cognos server. However, the benefits are quite powerful. Some of the highlighted features are as follows:

  • Single Active Directory or Multiple Active Directory Domain support
  • Configurable Lookup feature, which enables mapping SharePoint authentication providers to Cognos Namespaces
  • Mapping of authentication providers to Cognos Namespaces can be many to many, or one to many
  • SharePoint authentication providers do not have to be the same as Cognos ones
  • SharePoint Claims Based Authentication support (CBA)
  • SharePoint Forms Based Authentication support (FBA)
  • Integration with external single sign on architectures (such as Ping Federate, SiteMinder, etc.)
  • Support for SharePoint custom login pages (ability to define custom logic such as mapping to different Cognos instances or namespaces on the fly)

 

Summary of Single Signon Options Available

To determine which SSO configuration options will work in your environment, it is important to be able to answer the following questions:

  • Do you have a single Namespace or Multiple Namespaces configured within Cognos Configuration?
  • Do you have a single namespace or multiple namespaces configured for SSO?
  • Do any of your users get challenged by SharePoint for credentials or are they automatically logged on to SharePoint?

The answers to the above questions will determine which of the four SSO options you choose to configure within the product. The four options are:

  • Standard
  • Remote User Fixed
  • Remote User Lookup
  • Dynamic

| Options Available | Single Namespace | Multiple Namespaces | User Token |
|---|---|---|---|
| Standard SSO | Full Support | Prompted Namespace¹ | Client Domain Used⁴ |
| Remote User Fixed | Full Support | Supported for only one Fixed Namespace² | Client Domain Used⁴ |
| Remote User Lookup | Full Support | Fully Supported, Namespace Lookup³ | Client Domain Used⁴ |
| Dynamic | Full Support | Fully Supported, user directed to any namespace through lookup based on server domain | Full Support, SharePoint Server Authenticated Domain used⁵ |

¹ Prompted Namespace:
Users will be prompted to select a namespace by Cognos.

² Fixed Namespace:
Users will always be logged into a fixed namespace as defined in the QueryVision configuration file (qvtconfig.xml). Only one namespace is used for SSO through the web parts; however, multiple namespaces can be defined in Cognos Configuration.

³ Namespace Lookup:
The appropriate Cognos Namespace to log into is looked up based on the user’s client domain.

⁴ Client Domain:
The client domain refers to the domain that the user is logged onto on the Windows desktop. This is not necessarily the same domain as that of SharePoint or Cognos. For instance, an external user of the network could log onto Windows (client) on one domain, then onto SharePoint and Cognos separately. Usually, within one network all of these domains are the same.

⁵ SharePoint Server Authenticated Domain:
The domain the user is authenticated against as it relates to SharePoint. If SharePoint challenges a user for authentication, this domain refers to the user within that context.

Challenge & Response

For situations where you want to prompt users for their credentials, the Challenge & Response web part is recommended. This web part can be configured to connect to multiple Cognos instances and multiple Cognos Namespaces within each instance. Integration is achieved directly within a SharePoint page, but the session persists across pages until the session expires or a user logs off. Users can log off manually or close their browser to end their session.

Service Account

The Service Account web part is used in much the same way as Challenge and Response except that a specific user account is used as a shared account. This is done in situations where you have a group of users with the same rights and privileges within Cognos. You can give them access to a group of reports/dashboards within SharePoint using a single web part, and not have to give them a userid and password.