TM1 Forum

Discussing all things TM1, Planning Analytics, PAx and PAW
https://www.tm1forum.com/

TM1 Rest API Powershell SSO connection

https://www.tm1forum.com/viewtopic.php?t=15873

Page 1 of 1

TM1 Rest API Powershell SSO connection

Posted: Wed May 26, 2021 12:47 am
by NZSheep
Hi, we are having issues getting a connection working using Invoke-restmethod when connecting to TM1 which is configured to use SSO via CAM authentication.

If I try to use basic auth, like all the examples found on the net, I get a 401 unauthorized error, which makes sense.

I cannot find a single example on how to do auth with SSO, so I am stumbling around trying to create the correct headers based on this page:
https://www.ibm.com/docs/en/planning-an ... g-sessions

So my code looks something like this:

Code: Select all

$base64AuthInfo = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes("username:password:namespace"))

$headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]"
$headers.Add('WWW-Authenticate',("CAMPassport https://server1:443/ibmcognos/bi/v1/disp, CAMNamespace" ))
$headers.Add('Authorization',("CAMNamespace base64($base64AuthInfo)") )
$headers.Add('Accept','application/json')

$uri = "https://server2:12345/api/v1/activesession"

[Net.ServicePointManager]::SecurityProtocol = "tls12, tls11, tls"

Invoke-RestMethod -Headers $headers -Method get -Uri $uri
Any help would be appreciated.

Re: TM1 Rest API Powershell SSO connection

Posted: Wed May 26, 2021 1:05 pm
by ascheevel
There's 2 things wrong with the powershell code you posted:

1. your authorization header doesn't need "base64" around your $base64AuthInfo variable because you already converted the username:passwrod:namespace values to base64 above. Only include "base64" around the authorization variable if the values are not already converted to base64
2. your $uri variable needs to have ActiveSession capitalized, URLs are case sensitive

While not wrong, you shouldn't need the "Accept" and "WWW-Authenticate" headers. As you do more with the rest api in powershell, you will most likely at some point need a "Content-Type" header, particularly if you're going to POST. You can also use "user-agent" and "Tm1-SessionContext" headers to add some context to the connection when viewed in the threads monitor within PAW admin or TM1Top.


Code: Select all

$base64AuthInfo = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes("username:password:namespace"))

$headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]"

$headers.Add('Authorization',("CAMNamespace $base64AuthInfo") )

## optional context headers
$headers.add("user-agent","PowerShell")
$headers.add("TM1-SessionContext","PowerShell")

$uri = "https://server2:12345/api/v1/ActiveSession"

[Net.ServicePointManager]::SecurityProtocol = "tls12, tls11, tls"

Invoke-RestMethod -Headers $headers -Method get -Uri $uri

Re: TM1 Rest API Powershell SSO connection

Posted: Wed May 26, 2021 11:53 pm
by NZSheep
Thanks you were spot on! :D

And adding $headers.Add('Content-Type','application/json; charset=utf-8') was required for POST as you said.

Re: TM1 Rest API Powershell SSO connection

Posted: Thu May 27, 2021 11:22 am
by Wim Gielis
Adding an option to have minimal metadata info can be useful too:

odata.metadata=minimal in the Content-Type header.
Or: odata.metadata=none
All times are UTC
Page 1 of 1

Powered by phpBB® Forum Software © phpBB Limited