TM1 Rest API Powershell SSO connection

Post Reply
NZSheep
Posts: 2
Joined: Tue May 25, 2021 11:52 pm
OLAP Product: ???
Version: ???
Excel Version: 99999999999

TM1 Rest API Powershell SSO connection

Post by NZSheep »

Hi, we are having issues getting a connection working using Invoke-restmethod when connecting to TM1 which is configured to use SSO via CAM authentication.

If I try to use basic auth, like all the examples found on the net, I get a 401 unauthorized error, which makes sense.

I cannot find a single example on how to do auth with SSO, so I am stumbling around trying to create the correct headers based on this page:
https://www.ibm.com/docs/en/planning-an ... g-sessions

So my code looks something like this:

Code: Select all

$base64AuthInfo = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes("username:password:namespace"))

$headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]"
$headers.Add('WWW-Authenticate',("CAMPassport https://server1:443/ibmcognos/bi/v1/disp, CAMNamespace" ))
$headers.Add('Authorization',("CAMNamespace base64($base64AuthInfo)") )
$headers.Add('Accept','application/json')

$uri = "https://server2:12345/api/v1/activesession"

[Net.ServicePointManager]::SecurityProtocol = "tls12, tls11, tls"

Invoke-RestMethod -Headers $headers -Method get -Uri $uri
Any help would be appreciated.
Top
ascheevel
Community Contributor
Posts: 312
Joined: Fri Feb 15, 2013 5:49 pm
OLAP Product: TM1
Version: PA 2.0.9.1
Excel Version: 365
Location: Minneapolis, USA

Re: TM1 Rest API Powershell SSO connection

Post by ascheevel »

There's 2 things wrong with the powershell code you posted:

1. your authorization header doesn't need "base64" around your $base64AuthInfo variable because you already converted the username:passwrod:namespace values to base64 above. Only include "base64" around the authorization variable if the values are not already converted to base64
2. your $uri variable needs to have ActiveSession capitalized, URLs are case sensitive

While not wrong, you shouldn't need the "Accept" and "WWW-Authenticate" headers. As you do more with the rest api in powershell, you will most likely at some point need a "Content-Type" header, particularly if you're going to POST. You can also use "user-agent" and "Tm1-SessionContext" headers to add some context to the connection when viewed in the threads monitor within PAW admin or TM1Top.


Code: Select all

$base64AuthInfo = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes("username:password:namespace"))

$headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]"

$headers.Add('Authorization',("CAMNamespace $base64AuthInfo") )

## optional context headers
$headers.add("user-agent","PowerShell")
$headers.add("TM1-SessionContext","PowerShell")

$uri = "https://server2:12345/api/v1/ActiveSession"

[Net.ServicePointManager]::SecurityProtocol = "tls12, tls11, tls"

Invoke-RestMethod -Headers $headers -Method get -Uri $uri
Top
NZSheep
Posts: 2
Joined: Tue May 25, 2021 11:52 pm
OLAP Product: ???
Version: ???
Excel Version: 99999999999

Re: TM1 Rest API Powershell SSO connection

Post by NZSheep »

Thanks you were spot on! :D

And adding $headers.Add('Content-Type','application/json; charset=utf-8') was required for POST as you said.
Top
Wim Gielis
MVP
Posts: 3233
Joined: Mon Dec 29, 2008 6:26 pm
OLAP Product: TM1, Jedox
Version: PAL 2.1.5
Excel Version: Microsoft 365
Location: Brussels, Belgium
Contact:
Contact Wim Gielis

Re: TM1 Rest API Powershell SSO connection

Post by Wim Gielis »

Adding an option to have minimal metadata info can be useful too:

odata.metadata=minimal in the Content-Type header.
Or: odata.metadata=none
Best regards,

Wim Gielis

IBM Champion 2024-2025
Excel Most Valuable Professional, 2011-2014
https://www.wimgielis.com ==> 121 TM1 articles and a lot of custom code
Newest blog article: Deleting elements quickly
Top
Post Reply

Return to “IBM TM1, Planning Analytics, PAx and PAW”