 | |
| | Enable single signon between SAP and IBM Cognos 8 components |
To use an SAP server as your authentication provider, you must use a supported version of SAP BW. To review an up-to-date list of environments supported by IBM Cognos products, such as operating systems, patches, browsers, Web servers, directory servers, database servers, and application servers, visit the IBM Cognos Resource Center (http://www.ibm.com/software/data/support/cognos_crc.html). In addition, Content Manager must be installed on a non-Linux computer.
In SAP BW, you can assign users to user groups or roles or both. The SAP authentication provider uses only the roles.
The authorization rights required by the SAP user depend on who uses IBM Cognos 8 components, users or administrators.
The following authorization objects are required for any IBM Cognos user. Some of the values shown, such as *, are default values that you may want to modify for your environment.
Authorization object | Field | Value |
S_RFC Authorization check for RFC access | Activity | |
Name of RFC to be protected | RFC1 RS_UNIFICATION, SDTX, SH3A, SU_USER, SYST, SUSO | |
Type of RFC to be protected | FUGR | |
S_USER_GRP User Master Maintenance: User Groups | Activity | 03 |
Name of user group | * |
If users will perform administrative tasks and searches for users and roles, the following values must be added to the S_RFC authorization object in addition to the values listed above for IBM Cognos 8 users. Some of the values shown, such as *, are default values that you may want to modify for your environment.
Authorization object | Field | Value |
S_RFC Authorization check for RFC access | Activity | 16 |
RFC_NAME | PRGN_J2EE, SHSS, SOA3 | |
Type of RFC object to be protected | FUGR |
To configure connectivity between SAP BW and IBM Cognos 8 components on a UNIX operating system, ensure that you install the SAP shared library file (provided by SAP) and add it to the library path environment variable as follows:
Solaris
LD_LIBRARY_PATH=$LD_LIBRARY_PATH:<librfccm.so_directory>
HP-UX
SHLIB_PATH=$SHLIB_PATH:<librfccm.sl_directory>
AIX
LIBPATH=$LIBPATH:<librfc.a_directory>
To use SAP and to set up single signon, do the following:
Enable single signon between SAP and IBM Cognos 8 components
You can configure IBM Cognos 8 components to use an SAP server as the authentication source.
On the computer where you installed Content Manager, open IBM Cognos Configuration.
In the Explorer window, under Security, right-click Authentication, and click New resource, Namespace.
In the Name box, type a name for your authentication namespace.
In the Type list, click SAP and then click OK.
The new authentication provider resource appears in the Explorer window, under the Authentication component.
In the Properties window, for the Namespace ID property, specify a unique identifier for the namespace.
Tip: Do not use colons (:) in the Namespace ID property.
Specify the values for all required properties to ensure that IBM Cognos 8 components can locate and use your existing authentication provider.
Depending on your environment, for the Host property, you may have to add the SAP router string to the SAP host name.
If the SAP system encodes the contents of cookies, enable the decode tickets feature:
In the Properties window, for Advanced properties, click the Value and then click the edit button.
Click Add.
Enter the name URLDecodeTickets and enter the value true
Click OK.
All SAP logon tickets will be decoded by the SAP namespace before establishing a connection.
From the File menu, click Save.
Test the connection to a new namespace. In the Explorer window, under Authentication, right-click the new authentication resource and click Test.
You can enable single signon between SAP Enterprise Portal and IBM Cognos 8 components as well as when using the external namespace function of the SAP BW data source connections. To do so, ensure that you set the following system parameters on the SAP BW server:
login/accept_sso2_ticket = 1
login/create_sso2_ticket = 1
login/ticket_expiration_time = 200
