dennis_reinhardt
Frequent contributor

(FNMS 2020 R2) How to setup/use Cognos Analytics with SAML authentication


System information:

  • FNMS 2020 R2 incl. Analytics (On-Premise)
  • 4 tier architecture (Web, Processing, DB, Analytics Server)
  • FNMS uses SAML for authentication via customer's own IDP

------------

We are looking for colleagues who already have experience with the connection of SAML to Analytics for authentication, since we are unfortunately not successful with the documents from the documentation.

For SAML and FNMS the documentation is very good and the configuration is comprehensible. For the setup of SAML in connection with Cognos Analytics, there is unfortunately only a hint that you select the SAML Authentication in the "Flexera Report Designer Package Import Utility" and update the configuration.

[Screenshot: FlexNet Manager Suite 2020 R2 Installation Guide (On Premises) - Installing FNMS]

Unfortunately we lack transparency about what is happening in the background now.
When setting up FNMS and SAML, an XML had to be exchanged with the IDP and the corresponding configuration had to be done in webui.config (kentor.authServices) - all this does not seem to be necessary with Analytics - but how should Cognos then communicate with the SAML IDP?

Thanks for your support and greetings,
Dennis

1 Solution

Enclosed is an update and a note to adjust the Flexera documentation if necessary. As described in the documentation, it is recommended to take over the FNMS SAML settings from the web.config 1:1 ("Edit the web.config file using the same values noted in step 2 and 4 above."). Unfortunately, according to our current experience, this is not quite correct. For each web application a separate IDP identityID must be requested; for this reason the simple transfer of the data leads to an error.

Requesting a new entityID for the IDP and updating the config solved the issue.

If your implementation uses Flexera Analytics, configure the separate web.config file for your Flexera Analytics server.
Flexera Analytics is visible by navigating to Reports > Analytics. If this is present:

- Switch to your Cognos server.
- Flexera Analytics (Cognos) is likely to reside on a separate server. For SAML-based single sign-on to work, the Cognos server and web application server must be in the same domain.
- In your flat text editor, open the local web.config file for the Cognos server.
- The default location (on Windows) is <drive>:\Program Files\ibm\cognos\analytics\cgi-bin.
- Edit the web.config file using the same values noted in step 2 and 4 above. 

@kent-au, @WheresThePizza or @ChrisG : Can you confirm this and do you think a change in the wording of the documentation is appropriate?


2 Replies
dennis_reinhardt
Frequent contributor

Hi,

we have made a little progress, but continue to have problems with SAML authentication. As described in the FNMS documentation on Analytics and SAML, we have copied the corresponding configurations of FNMS SAML into the web.config of Analytics.

When the Analytics Server is called, communication with the IDP also begins and an initial request for access data (PKI) is made. We have recorded the communication with a SAML tracer and found an error here, including an error message from the IDP (IBM F5):

  • open https://analytics.server/ibmcognos/bi
  • request for access data (PKI) done
  • Browser Error IBM F5 - FBTSML218E The specification for the SAML2.AssertionConsumerService endpoint are not valid
  • Chrome SAML2 Trace


<saml2p:AuthnRequest 
    xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" 
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" 
    ID="id9a3d3ee252d74447b32d7562e73fe***" 
    Version="2.0" 
    IssueInstant="2021-09-05T21:11:44Z" 
    Destination="https://idp-url/isam/sps/idpextqs/saml20/login" 
    AssertionConsumerServiceURL="https://analytics-url/ibmcognos/sso/AuthServices/Acs">
    <saml2:Issuer>https://fnms-url/Suite</saml2:Issuer>
</saml2p:AuthnRequest>


If I have seen it correctly in IIS, Cognos itself does not provide an Authentication ACS endpoint to match information regarding the login, for that the FNMS ACS should be used. Attached is the <kentor.authServices> snippet from Cognos web.config


<kentor.authServices
    entityId="https://fnms-url/Suite"
    returnUrl="https://fnms-url/Suite/AuthServices"
    authenticateRequestSigningBehavior="Never"
    minIncomingSigningAlgorithm="sha1">
  <identityProviders>
    <add entityId="https://idp-url/isam/sps/idpextqs/saml20"
         signOnUrl="https://idp-url/isam/sps/idpextqs/saml20/login"
         allowUnsolicitedAuthnResponse="true"
         binding="HttpPost"
         loadMetadata="true"
         metadataLocation="C:\Program Files\ibm\cognos\idpextqs_metadata.xml">
    </add>
  </identityProviders>
  <serviceCertificates>
  </serviceCertificates>
</kentor.authServices>


Do any of you have a hint on how to get Cognos to use the correct Authentication ACS endpoint? I'm also looking for a way to activate debugging for Cognos SAML as it is possible for the FNMS webui.log (maybe @kent-au or @fnishikado @fnishikado1).

FNMS in combination with SAML2 and the IDP works without problems.

Thanks and Best, Dennis
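A small consistency check for the configuration discussed in this thread (an added example, not code from the thread or from Flexera/IBM; the hostnames and the request ID are constructed placeholders). It parses an AuthnRequest shaped like the traced one and a kentor.authServices fragment copied 1:1 from FNMS, and flags an SP entityId that does not belong to the host serving the ACS endpoint, which is the mismatch the accepted solution removes by requesting a separate entityID for Analytics.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

SAML2P = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed AuthnRequest in the shape of the SAML-tracer capture in the thread
# (hostnames are placeholders, the ID is made up).
AUTHN_REQUEST = f"""<saml2p:AuthnRequest xmlns:saml2p="{SAML2P}" xmlns:saml2="{SAML2}"
    ID="id-constructed-0001" Version="2.0" IssueInstant="2021-09-05T21:11:44Z"
    Destination="https://idp-url/isam/sps/idpextqs/saml20/login"
    AssertionConsumerServiceURL="https://analytics-url/ibmcognos/sso/AuthServices/Acs">
    <saml2:Issuer>https://fnms-url/Suite</saml2:Issuer>
</saml2p:AuthnRequest>"""

# Constructed kentor.authServices fragment as copied 1:1 from the FNMS web.config.
SP_CONFIG = """<kentor.authServices entityId="https://fnms-url/Suite"
    returnUrl="https://fnms-url/Suite/AuthServices">
  <identityProviders>
    <add entityId="https://idp-url/isam/sps/idpextqs/saml20"
         signOnUrl="https://idp-url/isam/sps/idpextqs/saml20/login" />
  </identityProviders>
</kentor.authServices>"""


def check_authn_request(xml_text):
    """Compare the Issuer (the SP entityId) with the ACS URL the request names.

    The IdP validates the requested ACS against the endpoints registered for the
    Issuer's entityId, so an FNMS Issuer combined with the Analytics ACS is
    rejected. Returns a list of findings; an empty list means consistent.
    """
    root = ET.fromstring(xml_text)
    issuer_host = urlparse(root.findtext(f"{{{SAML2}}}Issuer", default="").strip()).netloc
    acs_host = urlparse(root.get("AssertionConsumerServiceURL", "")).netloc
    if issuer_host != acs_host:
        return [f"Issuer host {issuer_host!r} differs from ACS host {acs_host!r}"]
    return []


def check_sp_config(config_text, sp_host):
    """Flag entityId/returnUrl values that do not belong to the host this web.config serves."""
    root = ET.fromstring(config_text)
    findings = []
    for attr in ("entityId", "returnUrl"):
        host = urlparse(root.get(attr, "")).netloc
        if host != sp_host:
            findings.append(f"{attr} points at {host!r}, but this web.config serves {sp_host!r}")
    return findings
```

Run `check_sp_config` with the hostname of the Cognos server against its cgi-bin web.config before registering the SP with the IDP; an empty result for both checks is what a correctly separated Analytics entityId looks like.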
