Cognos and Portal Single Sign-Off

A previous post created a single sign-on solution between Cognos and Portal. But what about when the user wants to log off? Should the user be logged out of both Portal and Cognos? From discussion with one partner, the answer is, “Yes.”

To create a complete single sign-off solution, we need to:

  • Logoff in Portal – clearing the LTPAToken and session cookies
  • Logoff in Cognos – clearing the CAM passport

Rather than create a custom solution, we’ll delegate the logoff behavior to the respective applications.  This is done by redirecting the user’s browser to the appropriate logoff URL.  For example, when the user clicks “Logout” in Portal, Portal handles the logout behavior and then redirects the user to the logout URL of Cognos.  And vice versa.

There’s a supported mechanism in both products to do exactly this.  See the redirect.logout settings in Portal and the seemingly non-existent Cognos documentation here or user suggestions here.

Configure Portal

  1. Log into Portal’s WebSphere Console.
  2. Access the WP_ConfigService resource environment provider under Resources -> Resource Environment Providers -> WP_ConfigService -> Custom Properties.
  3. Add the following entries:
    1. redirect.logout=true
    2. redirect.logout.url=
  4. Save.
  5. Restart Portal.

You can locate the Cognos “Log Off” URL by simply inspecting the href of the “Log Off” link in the Cognos user interface.

Configure Cognos

  1. Update the \c10_64\templates\ps\system.xml file.
    1. Set <logoff enabled="true">
    2. Specify a URL in between the <redirect-url> tags.
  2. Run cogconfig.
  3. Add the domain from step 1B in the IBM Cognos Application Firewall “Valid domains or hosts” setting.
  4. Restart Cognos.

Cognos App Firewall

My system.xml is the following.

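 <logoff enabled="true">
  <!-- URL to direct to upon logoff. Note: the 'redirect-url' url specified is subject to validation at runtime -->
  <!-- PORTAL_LOGOUT_URL is a placeholder; substitute your own redirect URL -->
  <redirect-url>PORTAL_LOGOUT_URL</redirect-url>
 </logoff>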

Your redirect URL will likely be different.  Again, you can find one by logging into Portal and inspecting the logout link.  The link you see is the current page with an encoded POC action telling Portal to logout.  An alternative suggestion is to create a hidden page in Portal, and use this as the designated redirect URL.  In doing so, you might prevent someone from inadvertently deleting the redirect URL’s page and causing the processes to fail.
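Because the redirect URL is validated at runtime, a host that is missing from the Application Firewall's “Valid domains or hosts” list will break the logoff redirect. The following added example (not part of the original post) cross-checks the two settings before you restart Cognos. The sample host and path are constructed, and the matching rule (exact host, or a `*.domain` wildcard, ports ignored) is an assumption about how your allowlist entries are written.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample: a minimal system.xml with a hypothetical Portal host.
SAMPLE_SYSTEM_XML = """<system>
  <logoff enabled="true">
    <redirect-url>https://portal.example.com/wps/myportal/logged-out</redirect-url>
  </logoff>
</system>"""

def host_allowed(host, valid_hosts):
    """Exact match, or suffix match for '*.domain' entries (assumed semantics)."""
    host = host.lower()
    for entry in (e.strip().lower() for e in valid_hosts):
        if entry.startswith("*."):
            if host.endswith(entry[1:]):  # '*.example.com' -> '.example.com'
                return True
        elif host == entry:
            return True
    return False

def check_logoff_redirect(system_xml, valid_hosts):
    """Return a list of problems; an empty list means the two settings agree."""
    root = ET.fromstring(system_xml)
    logoff = root if root.tag == "logoff" else root.find(".//logoff")
    if logoff is None:
        return ["no <logoff> element found"]
    problems = []
    if logoff.get("enabled", "").lower() != "true":
        problems.append("logoff redirect is not enabled")
    url = (logoff.findtext("redirect-url") or "").strip()
    if not url:
        return problems + ["<redirect-url> is empty"]
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        problems.append(f"redirect-url is not an absolute http(s) URL: {url!r}")
    elif not host_allowed(parts.hostname, valid_hosts):
        problems.append(f"host {parts.hostname!r} missing from valid domains or hosts")
    return problems

if __name__ == "__main__":
    print(check_logoff_redirect(SAMPLE_SYSTEM_XML, ["*.example.com"]))
    print(check_logoff_redirect(SAMPLE_SYSTEM_XML, ["reports.example.com"]))
```

Keep the allowlist entries as narrow as the redirect requires: a broad wildcard passes this check but also widens the set of hosts Cognos will redirect to.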
