Cognos Analytics


Administration: How to include AD Groups Claim integrated in OKTA with User’s Identity via Cognos Analytics

By ANTONIO MARZIANO posted Mon September 17, 2018 03:05 AM

  
The purpose of this article is to provide a step-by-step guide to passing through the AD groups that are associated with a user’s identity. It makes the following assumptions:

  1. The OKTA OpenID Namespace has been successfully set up and users are able to authenticate to Cognos Analytics. See https://www.ibm.com/communities/analytics/cognos-analytics-blog/administration-how-to-setup-openid-connect-using-okta-identity-provider-with-cognos-analytics-release-8/
  2. OKTA integration with AD (On-Premise) has been set up to authenticate to Cognos Analytics:

    See: https://www.ibm.com/communities/analytics/cognos-analytics-blog/administration-how-to-setup-and-authenticate-via-oidc-okta-integration-with-ad-on-premise-and-cognos-analytics-11-r9/

When AD users log into Cognos Analytics via the OKTA OpenID Connect Namespace, the AD groups are not exposed in the user’s identity. So, how can the group memberships be passed through to Cognos?

Basically, the steps involve creating a custom claim with a specific filter function, then identifying the applicationid and the list of AD groupids to include in the whitelist.

Here are the steps:

  1. Navigate to the OKTA Application, ‘Sign On’ tab
  2. Scroll down to ‘OpenID Connect Token’ section and click on “Edit”. Then modify the ‘Groups claim expressions’ and add the following:

    getFilteredGroups(app.profile.groupwhitelist, "group.name", 100)

  3. Click ‘Save’
  4. Create a custom group claim : https://developer.okta.com/docs/how-to/creating-token-with-groups-claim#step-three-configure-a-custom-claim-for-your-groups-custom-authorization-server
  5. Switch to Developers Console and click on ‘API’ – ‘Authorization Servers’

    NB: If an Authorization Server does NOT exist, then click on ‘Add Authorization Server’

  6. Click on “default” link and select ‘Claims’ then click “Add Claims”
  7. Next, use the POSTMAN REST API tool, available as a standalone application or as an add-on for Chrome:

    Chrome : https://chrome.google.com/webstore/detail/postman/fhbjgbiflinjbdggehcddcbncdddomop?hl=en

    Standalone : https://www.getpostman.com/

    Download Collections : https://developer.okta.com/reference/postman_collections/

  8. Next, set up the POSTMAN environment
  9. Generate the API Key value by clicking on the ‘Token’ tab and then the ‘Create Token’ button

    Add the api key value to the POSTMAN environment variables

  10. Next we need to identify the id of all the AD groups that need to be added to the groupwhitelist in the following json:

    '{
        "name": "oidc_client",
        "label": "<application label>",
        "status": "ACTIVE",
        "signOnMode": "OPENID_CONNECT",
        "profile": {
            "groupwhitelist": [
                "<AD groupid>"
            ]
        }
    }'

  11. To identify the GroupIDs of all the AD Groups using POSTMAN use the following RESTAPI:

    https://dev-297076-admin.oktapreview.com/api/v1/groups?filter=type%20eq%20%22APP_GROUP%22

  12. Now, pick out all the Active Directory Groupids to add to the Custom Group Claim’s whitelist.
  13. To POST the whitelist, we need the applicationID so use the following endpoint:

    https://dev-297076-admin.oktapreview.com/api/v1/apps

  14. Grab the applicationid, together with the groupids, and construct the following:

    [Screenshot in the original post: RESTAPI_POST3.jpg]

  15. Example of adding multiple AD groups to the whitelist:

    [Screenshot in the original post: RESTAPI_POST4.jpg]

  16. Next, add an AD user to the AD groups as needed, then log into the CA 11 OKTA namespace as that AD user, select the User icon - ‘My preferences’ – ‘Personal’ – ‘Groups and Roles’ and see the list of Group Claims:

    [Screenshot in the original post: User_Groups.jpg]
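Steps 10 to 14 can be rehearsed offline before anything is sent to Okta. The following is an added example, not part of the original post: it picks whitelist ids from a saved `/api/v1/groups` response by exact group name, keeps only `APP_GROUP` entries, and stops on a missing or ambiguous name so that no unintended group reaches the claim. The function names, sample ids, group names and label are constructed for illustration.

```python
import json

def select_ad_group_ids(groups, wanted_names):
    """Return one APP_GROUP id per wanted name, in the order requested."""
    by_name = {}
    for group in groups:
        # Only directory-sourced groups (type APP_GROUP) are candidates; a native
        # Okta group that happens to share a name must not reach the whitelist.
        if group.get("type") != "APP_GROUP":
            continue
        by_name.setdefault(group["profile"]["name"], []).append(group["id"])
    ids = []
    for name in dict.fromkeys(wanted_names):  # de-duplicate, keep order
        matches = by_name.get(name, [])
        if len(matches) != 1:  # missing or ambiguous name: stop rather than guess
            raise ValueError(f"{name!r}: expected 1 APP_GROUP, found {len(matches)}")
        ids.append(matches[0])
    return ids

def build_app_update(label, group_ids):
    """Request body in the shape shown in step 10."""
    return {
        "name": "oidc_client",
        "label": label,
        "status": "ACTIVE",
        "signOnMode": "OPENID_CONNECT",
        "profile": {"groupwhitelist": list(group_ids)},
    }

# Constructed sample of a groups listing; ids and names are made up.
SAMPLE_GROUPS = [
    {"id": "00gEXAMPLE0001", "type": "APP_GROUP", "profile": {"name": "CA_Report_Authors"}},
    {"id": "00gEXAMPLE0002", "type": "APP_GROUP", "profile": {"name": "CA_Admins"}},
    {"id": "00gEXAMPLE0003", "type": "OKTA_GROUP", "profile": {"name": "CA_Admins"}},
    {"id": "00gEXAMPLE0004", "type": "BUILT_IN", "profile": {"name": "Everyone"}},
]

if __name__ == "__main__":
    ids = select_ad_group_ids(SAMPLE_GROUPS, ["CA_Report_Authors", "CA_Admins"])
    # Placeholder label: use the label of your own OKTA application.
    print(json.dumps(build_app_update("<application label>", ids), indent=2))
```

The printed JSON is the body to paste into the POSTMAN request from step 14; reviewing it there shows exactly which group ids the claim will expose.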



 




