Skip to main content

CAM passport authentication for IBM Planning Analytics (TM1) with MFA support

Project description

tm1-auth

A Python library for authenticating with IBM Planning Analytics (TM1) in environments that use Cognos Access Manager (CAM) with multi-factor authentication.

TM1py requires a cam_passport to connect to CAM-secured environments, but obtaining one programmatically is non-trivial when MFA is involved. tm1-auth handles the browser-based login flow for you and captures the passport automatically.


Features

  • Automated CAM passport retrieval via a browser login window
  • Works alongside TM1py — pass the retrieved passport directly to TM1Service
  • Supports system browsers (Edge, Chrome) as well as Playwright's bundled Chromium
  • Persistent passport caching via KeyringCache (OS credential manager)
  • In-memory passport caching via PassportCache
  • Cross-platform: Windows, macOS, Linux

Requirements

pip install playwright
python -m playwright install chromium

Installation

pip install tm1-auth

Quick start

from tm1_auth import get_cam_passport
from TM1py import TM1Service

passport = get_cam_passport(
    auth_url="https://your-cognos-server/ibmcognos/bi/v1/disp"
)

with TM1Service(address="your-tm1-server", port=5001,
                cam_passport=passport, ssl=True) as tm1:
    print(tm1.server.get_product_version())

A browser window opens, you complete the login flow (including MFA), and the passport is captured automatically. The window closes once the passport is detected.


Multiple environments

By default all calls share the same browser profile (~/.tm1_auth/browser_profile). Whether this is useful depends on your setup.

Isolated sessions — use when environments have different credentials, or you want explicit login control for each:

dev_passport = get_cam_passport(
    auth_url="https://dev-cognos/ibmcognos/bi/v1/disp",
    profile_dir="~/.tm1_auth/dev",
)

prd_passport = get_cam_passport(
    auth_url="https://prd-cognos/ibmcognos/bi/v1/disp",
    profile_dir="~/.tm1_auth/prd",
)

Each call gets its own browser session and will prompt for login independently.

Shared session — use when environments share the same identity provider and you want to avoid repeated logins:

dev_passport = get_cam_passport(
    auth_url="https://dev-cognos/ibmcognos/bi/v1/disp",
)

prd_passport = get_cam_passport(
    auth_url="https://prd-cognos/ibmcognos/bi/v1/disp",
)

Both calls use the default shared profile. If your identity provider supports SSO, the second call may complete without prompting for credentials or MFA again. This is not guaranteed — it depends entirely on your IdP configuration and session policies.


Caching passports

Persistent cache (recommended for IDE use)

KeyringCache stores passports in the OS credential manager (Windows Credential Manager, macOS Keychain, Linux Secret Service). Passports survive process restarts so the browser only opens when a passport has actually expired — not every time you run your script.

from tm1_auth import get_cam_passport, KeyringCache
from TM1py import TM1Service

cache    = KeyringCache()
auth_url = "https://your-cognos/ibmcognos/bi/v1/disp"

passport = cache.get(auth_url)
if not passport:
    passport = get_cam_passport(auth_url)
    cache.set(auth_url, passport)

with TM1Service(address="tm1-server", port=5001,
                cam_passport=passport, ssl=True) as tm1:
    print(tm1.server.get_product_version())

If a passport is rejected by TM1py, invalidate it and re-authenticate:

try:
    tm1 = TM1Service(address="tm1-server", port=5001,
                     cam_passport=passport, ssl=True)
except Exception:
    cache.invalidate(auth_url)
    passport = get_cam_passport(auth_url)
    cache.set(auth_url, passport)
    tm1 = TM1Service(address="tm1-server", port=5001,
                     cam_passport=passport, ssl=True)

In-memory cache

PassportCache is an alternative that keeps passports in memory only. Useful for long-running scripts that connect to TM1 multiple times in one session, but does not persist across process restarts.

from tm1_auth import get_cam_passport, PassportCache

cache = PassportCache(ttl_seconds=3600)

def get_passport(auth_url):
    passport = cache.get(auth_url)
    if not passport:
        passport = get_cam_passport(auth_url)
        cache.set(auth_url, passport)
    return passport

API reference

get_cam_passport

get_cam_passport(
    auth_url: str,
    profile_dir: str | None = None,
    timeout_seconds: int = 90,
    headless: bool = False,
    executable_path: str | None = None,
    verbose: bool = True,
) -> str
Parameter Description
auth_url The Cognos dispatcher URL (e.g. .../ibmcognos/bi/v1/disp)
profile_dir Persistent browser profile directory. Same directory = shared session. Different directories = isolated sessions. Defaults to ~/.tm1_auth/browser_profile.
timeout_seconds Seconds to wait for login before raising PassportTimeoutError. Default 90.
headless Run without a visible browser window. Not recommended for MFA flows. Default False.
executable_path Path to a specific browser executable. If not set, tries system Edge then Chrome then Playwright's bundled Chromium.
verbose Print progress messages to stdout. Default True.

Returns: The cam_passport cookie value as a string.

Raises:

  • AuthenticationError — browser failed to launch or could not navigate to the auth URL
  • PassportTimeoutError — no passport detected within timeout_seconds

KeyringCache

KeyringCache(service: str = "tm1-auth")

Persistent cache backed by the OS credential manager. Survives process restarts.

Method Description
get(auth_url) Return stored passport or None if not found
set(auth_url, passport) Store a passport in the OS credential manager
invalidate(auth_url) Remove a specific entry

PassportCache

PassportCache(ttl_seconds: int = 3600)

In-memory cache. Does not persist across process restarts.

Method Description
get(auth_url) Return cached passport or None if missing/expired
set(auth_url, passport) Cache a passport
invalidate(auth_url) Remove a specific entry
clear() Remove all entries

Exceptions

from tm1_auth.exceptions import AuthenticationError, PassportTimeoutError

Both inherit from AuthenticationError. Catch AuthenticationError to handle all auth failures, or the specific subclass for finer control.


Contributing

Contributions welcome. Please open an issue before submitting a pull request for significant changes.


Licence

MIT

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

tm1_auth-0.1.3.tar.gz (12.8 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

tm1_auth-0.1.3-py3-none-any.whl (10.1 kB view details)

Uploaded Python 3

File details

Details for the file tm1_auth-0.1.3.tar.gz.

File metadata

  • Download URL: tm1_auth-0.1.3.tar.gz
  • Upload date:
  • Size: 12.8 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.14.2

File hashes

Hashes for tm1_auth-0.1.3.tar.gz
Algorithm Hash digest
SHA256 fb59513ea41ab11ff8c402b3b639e3e9d68dd26fdcd61103f75a320900ef5ca1
MD5 291dc95c72eba014cfdc00fcfdd1846a
BLAKE2b-256 f8ed0f588882511d43a8b17e118dd2bb5dc24021ee2935d6971e3db76726b223

See more details on using hashes here.

File details

Details for the file tm1_auth-0.1.3-py3-none-any.whl.

File metadata

  • Download URL: tm1_auth-0.1.3-py3-none-any.whl
  • Upload date:
  • Size: 10.1 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.14.2

File hashes

Hashes for tm1_auth-0.1.3-py3-none-any.whl
Algorithm Hash digest
SHA256 ed929c24354b0a00fad32010ccf77e63ea29a200852f1809676dc61d4e9cbe47
MD5 e1fc2fbcee29473ddda9d1f70e7f1b5e
BLAKE2b-256 8bdf7aa17913b71b77483aed591a3efda584066c563d8ec59c9c9d64f7bd147e

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page