How to setup SAP SSO with SAP BW datasource

Prompt for the data

The implemented enhancement provides the ability to have SSO to the datasource without the presence of an SAP Namespace in Cognos 8. This allows the users to avoid having to authenticate to multiple namespaces to run certain reports based off of SAP datasources. (ie. a situation where not all users have an SAP logon, but all users have an AD logon. When a SAP user wants to run a report, authentication to the portal occurs via AD, and the existing MYSAPSSO2 ticket is utilized for the actual datasource)

Requires at least Cognos (OP 8.3.833+)

1. MYSAPSSO2 ticket must exist for the user's session. In most cases this will occur by accessing Cognos 8 via the Netweaver EP.
2. All URIs need to be fully qualified ( This includes the Cognos 8 configuration as well as the Iview configuration within SAP EP (ie. CPS Connection Server URI)
3. Advanced parameter added to report service : RSVP.QUERYREQUEST.EXTRAINFO = TRUE

From Cognos Connection
1. select Launch --> Cognos Administration.
2. Select the Configuration tab
3. Select Dispatchers and Services
4. Under the Name column, select the dispatcher
5. To the far right of the Report Service, under the actions column, select the properties icon
6. Select the Settings tab
7. Within the Environment Category, to the far right under the value column, select edit. This will bring you to the advanced properties.
8. Check the box that states "Override the settings acquired from the parent entry
9. Enter the parameter here (Parameter: RSVP.QUERYREQUEST.EXTRAINFO ; value: TRUE)

Note: The datasource connection to SAP should be configured to use a non-existent signon object

Known limitations :

- Scheduling: since no credentials are stored, and Cognos 8 looks for the MSAPSSO2 ticket first, scheduling is not possible
- 'All or nothing': with the advanced parameter in place, the SSO credentials (MYSAPSSO2 ticket) will have precedence for every SAP datasource, regardless of whether there is a valid signon object. This can cause issues, if the credentials of the authenticated user do not permit access to a particular datasource required to run a report - it isn't possible to override the user's credentials with a static signon object. Obviously this scenario can be overcome to a degree in a multi-server scenario by setting up dispatcher routing