IBM Cognos 8 – Custom Authentication Provider

In the past we have introduced the IBM Cognos SDK family of products in our article IBM Cognos SDK: Bridging the Gaps providing you with a glimpse of the potential methods for utilizing the SDK to further the standard Cognos suite. Today let’s take a closer look at one of special SDK toolsets – the Custom Authentication Provider (CAP). What is an IBM Cognos Custom Authentication Provider?

As you know IBM Cognos 8 products support the following authentication providers:

  • IBM Cognos Series 7 namespaces
  • LDAP version 3 directory servers
  • Windows native security (NTLM)
  • SAP BW
  • Active Directory Server
  • Computer Associates eTrust SiteMinder (with LDAP and/or NTLM user directories)

Having invested significantly in your organizations or products security infrastructure, it can often be cause for concern if your organization’s security authentication provider does not appear on this list So what are your options? Do you ask your IT department to switch to a Active Directory Server so that the IBM Cognos application can be secured? Most likely you will be laughed out of the room as changing your security infrastructure is one of the most costly and time consuming IT tasks. Luckily, IBM Cognos has provided the tool to solve your authentication issues – Custom Authentication Provider. The Custom Authentication Provider is a java language specific interface that allows you to completely leverage your existing security model while integrating into the Cognos application to secure Cognos BI content with the default capabilities in Cognos Connection.

The Architecture

Depending on your requirements, you can implement a full authentication provider or trusted signon provider through the IBM Cognos Custom Authentication Provider API.

A full authentication provider implements all the functionality that the IBM Cognos Server needs to communicate with an authentication source.

CAP provides the following:

  • A user authentication process using external authentication sources.
  • Namespace searches – the searches can retrieve namespace objects and their properties, as required by the IBM Cognos Application. The objects can be users, groups, or roles, which are then used for authorization purposes in the Cognos namespace.
  • Trusted credentials management.
  • Authentication provider configuration.

The following diagram illustrates the IBM Cognos 8 security architecture when a full authentication provider is in place:

A trusted signon provider is used when IBM Cognos only needs to identify a user based on the session information from an authentication mechanism. After the user is identified, a full authentication provider will be then called to perform the BI content authorization. A namespace for a trusted signon provider can be configured so that it is not selectable for authentication, this will prevent it from being presented to users in the list of available namespaces on the Cognos standard logon page.

The following diagram shows the IBM Cognos 8 security architecture trusted signon provider is implemented.

How to Develop and IBM Cognos Custom Authentication Provider

Similar to any other IBM Cognos SDK application development, you will need the IBM Cognos SDK component installed (licensed material), and a Java SDK 1.5 or above environment for developing the Custom Authentication Provider for IBM Cognos 8.4. If you are going to create a full authentication provider application, the following tasks will be involved:

  • Defining user authentication.
  • Defining namespace searches.
  • Managing trusted credentials.
  • Configuring the namespace interface.
  • Initializing the authentication source.
  • Creating a manifest for the jar file.

For creating a trusted signon provider application, the following will be required:

  • Understanding the single signon functionality (very important).
  • Configuring the namespace interface.
  • Creating a manifest for the jar file.
  • Registering an authentication listener.

In some cases, you may also want to create a custom logon page so that the default IBM Cognos logon page will be bypassed.

For more information please see IBM Cognos Custom Authentication Provider Developer Guide and related materials.


The IBM Cognos 8 Custom Authentication Provider SDK allows you to completely leverage your existing assets, whether you use a private model or leverage a third party security provider. This provider-based security API gives you the flexibility to easily implement single sign-on with a third party provider using your existing Authentication routine; or use a full provider API to develop an interface for a custom security model. With the IBM Cognos Authentication Provider SDK toolset, you can avoid the duplication and synchronization of security models required by other technologies which can significantly reduces the cost and time of changing your existing infrastructure. Security is the most important pieces of any systems environment and incorrect implementation will leave holes in your Cognos environment potentially causing the application to function incorrectly or inefficiently. Please contact us for any questions or issues related to developing a Custom Authentication Provider, our experienced SDK developers will help you design or diagnose a unique Custom Authentication Provide application for your particular environment.