TM1py with Azure AD OpenID Connect
I'm trying to use AzureAD OpenID Connect as a namespace for TM1. With the namespace I'm able to log in to TM1Web and Architect. But when I try to connect with TM1py using the code below, we get the following error:
Version
- TM1py 1.4.1
- TM1 Server Version: PA 2.0.9
```python
import getpass
from distutils.util import strtobool

from TM1py.Services import TM1Service

# Parameters for connection (placeholder values as posted)
user = "emailid"
password = "password"
namespace = "AzureAD"
address = "localhost"
gateway = ""
port = 50023
ssl = strtobool("T")

# Empty strings mean "not set"
if len(namespace.strip()) == 0:
    namespace = None

if len(gateway.strip()) == 0:
    gateway = None

try:
    with TM1Service(
            address=address,
            port=port,
            user=user,
            password=password,
            namespace=namespace,
            gateway=gateway,
            ssl=ssl) as tm1:
        server_name = tm1.server.get_server_name()
        print("Connection to TM1 established!! your Servername is: {}".format(server_name))
except Exception as e:
    print("\nERROR:")
    print("\t" + str(e))
```
```
ERROR: Text: Status Code: 401 Reason: Unauthorized Headers: {'Content-Type': 'text/plain', 'Content-Length': '0', 'Connection': 'keep-alive', 'Set-Cookie': 'TM1SessionId=4YMrZHRqnt5zMyULs5muRrUSFhM; Path=/api/; HttpOnly; Secure', 'WWW-Authenticate': 'CAMPassport https://FQDN/ibmcognos/bi/v1/disp, CAMNamespace'}
```
Has anyone faced this issue?
Thanks!
Hi @pchuks23,
Are you using OpenID with CAM or without CAM? We don't support OpenID (without CAM) as an authentication mode for TM1 yet, even though the REST API already supports it.
On a side note: the code you posted is hard to read. When you post Python code, please wrap it in ``` and make sure the indentation is right.
Hi @MariusWirtz, we are using OpenID with CAM. Testing the connection with check.py from the samples, with the below inputs:
```
TM1 User (leave empty if SSO):
Password (leave empty if SSO):
CAM Namespace (leave empty if no CAM Security): AzureAD
Address (leave empty if localhost): localhost
ClientCAMURI (leave empty if no SSO): https://FQDN/ibmcognos/bi/v1/disp
HTTP Port (Default 5000): 50023
SSL (Default T or F): T
```
We are getting the error: Failed to authenticate through CAM. HTTP response does not contain 'cam_passport' cookie
If I specify the user name and password, then I get the below error:
```
ERROR: Text: Status Code: 401 Reason: Unauthorized Headers: {'Content-Type': 'text/plain', 'Content-Length': '0', 'Connection': 'keep-alive', 'Set-Cookie': 'TM1SessionId=Y6x0cK519LP7HxFVWOOTtd4SFhM; Path=/api/; HttpOnly; Secure', 'WWW-Authenticate': 'CAMPassport https://FQDN/ibmcognos/bi/v1/disp, CAMNamespace'}
```
Also, please note the connection is successful for the Active Directory namespace, i.e. without OpenID Connect.
Thanks!
@pchuks23
Does SSO work in TM1Web or Architect?
Hi @MariusWirtz
Yes, the SSO works in TM1Web and Architect.
Hi,
Just to confirm, you are saying that CAM SSO used to work before you moved to OpenID Connect? I don't think I can do much without looking at it.
For the SSO authentication, we are using this library. https://github.com/brandond/requests-negotiate-sspi
You could try to parameterize the authentication differently here. https://github.com/cubewise-code/tm1py/blob/ca6c8abc6ae14944516911a4f61a4ad647202fb1/TM1py/Services/RestService.py#L393
If you take the code snippet from the function and build a reproducible case, then you could report the issue here: https://github.com/brandond/requests-negotiate-sspi
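A stand-alone sketch of the reproducible case suggested above, as an added example that is not part of the thread and is not TM1py's own code. The function names are hypothetical, and the shape of the gateway request (negotiate auth plus a `CAMNamespace` query parameter) is an assumption based on the linked TM1py function; it reports cookie names only, never passport or session values.

```python
from urllib.parse import urlsplit

# Header value copied from the 401 response quoted in the thread.
THREAD_CHALLENGE = "CAMPassport https://FQDN/ibmcognos/bi/v1/disp, CAMNamespace"


def parse_challenge(www_authenticate):
    """Split the WWW-Authenticate value into {scheme: parameter or None}."""
    schemes = {}
    for part in www_authenticate.split(","):
        scheme, _, param = part.strip().partition(" ")
        if scheme:
            schemes[scheme] = param.strip() or None
    return schemes


def diagnose(status_code, cookie_names, redirect_hosts):
    """Classify a gateway response by what a CAM SSO client needs from it."""
    if status_code != 200:
        return "gateway returned {}: no passport can be issued".format(status_code)
    if "cam_passport" in cookie_names:
        return "ok: cam_passport issued"
    if redirect_hosts:
        # The request left the gateway, e.g. for an interactive login page.
        return "no cam_passport: redirected via " + ", ".join(redirect_hosts)
    return "no cam_passport: gateway answered 200 without a passport"


def probe(gateway, namespace, verify=True):
    """Live check (hypothetical helper). Needs Windows, requests and
    requests-negotiate-sspi; request shape is an assumption, see lead-in."""
    import requests
    from requests_negotiate_sspi import HttpNegotiateAuth

    response = requests.get(
        gateway,
        auth=HttpNegotiateAuth(),
        verify=verify,
        params={"CAMNamespace": namespace},
    )
    hosts = [urlsplit(r.headers.get("Location", "")).netloc for r in response.history]
    # Pass cookie names only: passport and session values are credentials.
    return diagnose(response.status_code,
                    set(response.cookies.keys()),
                    [h for h in hosts if h])


if __name__ == "__main__":
    print(parse_challenge(THREAD_CHALLENGE))
```

Running `probe()` with the ClientCAMURI and namespace from the thread gives a result that can be attached to an upstream report without leaking any cookie values.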
duplicate of #788