You can configure IBM Cognos 8 components to use a Netegrity SiteMinder namespace as the authentication source, provided that you installed Content Manager on a non-Linux computer.
To configure an authentication provider in an eTrust SiteMinder environment, you configure an LDAP, NTLM, or Netegrity SiteMinder namespace depending on your eTrust SiteMinder configuration. Supported eTrust SiteMinder configurations are LDAP, Active Directory Server, and NTLM user directories.
Note: The authentication provider uses an eTrust SiteMinder SDK to implement a custom agent. The custom agent deployment requires that you set the Agent Properties in the eTrust SiteMinder Policy server administration console to support 4.x agents.
If you plan to run IBM Cognos 8 products within a 64-bit application server, you cannot configure a Netegrity SiteMinder namespace as your authentication source.
If you configured eTrust SiteMinder for more than one user directory, you must use the Netegrity SiteMinder namespace. After configuring the Netegrity SiteMinder namespace in IBM Cognos 8, you must also add a corresponding LDAP, Active Directory Server, or NTLM namespace to the IBM Cognos configuration for each user directory defined in eTrust SiteMinder.
When configuring a corresponding LDAP namespace, ensure that the External identity mapping property is enabled and that you include the token REMOTE_USER in the value for the property. This does not mean that you must configure eTrust SiteMinder to set REMOTE_USER. The IBM Cognos Netegrity SiteMinder namespace passes user information internally to the corresponding LDAP namespace when it receives successful user identification from the eTrust SiteMinder environment.
When configuring a corresponding Active Directory namespace, ensure that the singleSignOnOption property is set to IdentityMapping. The IBM Cognos Netegrity SiteMinder namespace passes user information internally to the corresponding LDAP namespace using the REMOTE_USER environment variable when it receives successful user identification from the eTrust SiteMinder environment. For more information, see Enabling Single Signon Between Active Directory Server and IBM Cognos 8 Components.
If eTrust SiteMinder is configured with only one user directory, the Netegrity SiteMinder namespace is not required. You can use the user directory as your authentication source by configuring the appropriate namespace, or you can configure the eTrust SiteMinder provider with one user directory. For example, if the eTrust SiteMinder user directory is NTLM, you can configure IBM Cognos 8 components with an NTLM namespace or configure IBM Cognos 8 components with one Netegrity SiteMinder namespace, referring to one user directory that is an NTLM namespace.
If the eTrust SiteMinder user directory is Active Directory, you can use an Active Directory namespace or an LDAP namespace that is configured for use with Active Directory.
If you want to use the user directory as your authentication source directly instead of configuring a Netegrity SiteMinder namespace, configure the appropriate LDAP, Active Directory, or NTLM namespace. In this case, verify the Agent Configuration Object properties in eTrust SiteMinder Policy Server. Ensure that SetRemoteUser is activated.
When configuring the LDAP namespace, in this case, ensure that the External identity mapping property is enabled and that you include the token REMOTE_USER in the value for the property.
When configuring the Active Directory namespace, in this case, ensure that the singleSignOnOption property is set to IdentityMapping. For more information, see Enabling Single Signon Between Active Directory Server and IBM Cognos 8 Components.
To use an eTrust SiteMinder namespace and to set up single signon, do the following:
You can hide the namespace from users during login.
If you configured eTrust SiteMinder for more than one user directory, you must use the Netegrity SiteMinder namespace. After adding the Netegrity SiteMinder namespace, you must also add a corresponding LDAP or NTLM namespace for each user directory.
You can also configure a Netegrity SiteMinder namespace if users are stored in
an LDAP server
an NTLM server
an Active Directory server
On the computer where you installed Content Manager, open IBM Cognos Configuration.
In the Explorer window, under Security, right-click Authentication, and click New resource, Namespace.
In the Name box, type a name for your authentication namespace.
In the Type list, click the Netegrity SiteMinder namespace and then click OK.
The new authentication provider resource appears in the Explorer window, under the Authentication component.
In the Properties window, for the NamespaceID property, specify a unique identifier for the namespace.
Tip: Do not use colons (:) in the Namespace ID property.
Specify the values for all other required properties to ensure that IBM Cognos 8 components can locate and use your existing authentication provider.
In the Explorer window, under Security, Authentication, right-click the namespace and click New resource, SiteMinder Policy Server.
In the Name box, type a name for the policy server and click OK.
In the Properties window, specify the Host property and any other property values you want to change.
In the Explorer window, right-click the new SiteMinder Policy Server and click New resource, User directory.
Tip: Configure a user directory for each user directory in the SiteMinder policy server.
In the Name box, type a name for the user directory and click OK.
Important: The name of the user directory must match the name that appears on the policy server.
In the Properties window, type a value for the Namespace ID reference property.
From the File menu, click Save.
Test the connection to a new namespace. In the Explorer window, under Authentication, right-click the new authentication resource and click Test.
Configure a corresponding LDAP, Active Directory, or NTLM namespace for each LDAP, Active Directory, or NTLM user directory.
Important: Ensure that you use the same value for the Namespace ID property that you use for the Namespace ID property for the Netegrity SiteMinder namespace.
If you use an SSL connection to the directory server, you must appropriately configure the Cognos namespace for the user directory.
For more information, see Configure an LDAP Namespace.
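The cross-references set up in the steps above can be checked mechanically. The following is an added example, not IBM code: it models the settings as hypothetical Python dictionaries (key names and sample values are constructed and are not the IBM Cognos Configuration file format) and assumes that each user directory's Namespace ID reference must equal the Namespace ID of its corresponding namespace.

```python
# Added example. Dictionary layout is hypothetical; all values are constructed.

def audit(siteminder_ns, namespaces):
    """Return findings; an empty list means the rules on this page hold."""
    findings = []
    ids = [siteminder_ns["namespace_id"]] + [n["namespace_id"] for n in namespaces]
    for ns_id in dict.fromkeys(ids):  # each distinct ID once, in order
        if ":" in ns_id:
            findings.append(f"{ns_id}: Namespace ID contains a colon")
        if ids.count(ns_id) > 1:
            findings.append(f"{ns_id}: Namespace ID is not unique")
    by_id = {n["namespace_id"]: n for n in namespaces}
    for ud in siteminder_ns["user_directories"]:
        ref = ud["namespace_id_reference"]
        target = by_id.get(ref)
        if target is None:
            findings.append(f"{ud['name']}: no namespace with ID {ref}")
        elif target["type"] == "LDAP":
            mapping = target.get("external_identity_mapping", "")
            if not target.get("use_external_identity") or "REMOTE_USER" not in mapping:
                findings.append(f"{ud['name']}: LDAP external identity mapping lacks REMOTE_USER")
        elif target["type"] == "Active Directory":
            if target.get("singleSignOnOption") != "IdentityMapping":
                findings.append(f"{ud['name']}: singleSignOnOption is not IdentityMapping")
        elif target["type"] != "NTLM":
            findings.append(f"{ud['name']}: unsupported namespace type {target['type']}")
    return findings

# Constructed sample: three user directories, one misconfigured, one unmapped.
SITEMINDER = {
    "namespace_id": "SM",
    "user_directories": [
        {"name": "Corp LDAP", "namespace_id_reference": "ldap1"},
        {"name": "Corp AD", "namespace_id_reference": "ad1"},
        {"name": "Legacy NT", "namespace_id_reference": "ntlm1"},
    ],
}
NAMESPACES = [
    {"namespace_id": "ldap1", "type": "LDAP", "use_external_identity": True,
     "external_identity_mapping": '(uid=${environment("REMOTE_USER")})'},
    {"namespace_id": "ad1", "type": "Active Directory"},  # singleSignOnOption not set
]

if __name__ == "__main__":
    for finding in audit(SITEMINDER, NAMESPACES):
        print(finding)
```
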
When single signon is configured, you are not prompted to reenter authentication information.
IBM Cognos 8 components automatically refer to the eTrust SiteMinder session cookie for user session data.
If the eTrust SiteMinder user directory is LDAP or Active Directory, you must configure the eTrust SiteMinder user directory to use external identity mapping to the REMOTE_USER environment variable.
If the eTrust SiteMinder user directory is NTLM, Integrated Windows Authentication is used for single signon and no additional configuration is required.
Ensure that eTrust SiteMinder is configured correctly to protect the IBM Cognos Web alias.
Use the test tool provided with eTrust SiteMinder to verify that the resource is protected, authenticated, and authorized. For more information, see your eTrust SiteMinder documentation.
You can hide namespaces from users during login. You can have trusted signon namespaces without showing them on the namespace selection list that is presented when users log in.
For example, you may want to integrate single signon across systems but maintain the ability for customers to authenticate directly to IBM Cognos 8 without being prompted to choose a namespace.
On each computer where you configured an eTrust SiteMinder authentication provider, open IBM Cognos Configuration.
In the Explorer window, under Security, Authentication, click the Netegrity SiteMinder authentication provider.
In the Properties window, click the box next to Selectable for authentication and then click False.
From the File menu, click Save.
The namespace is not shown on the selection list that is presented at login.