Administration - How to setup Azure OIDC with Cognos Analytics Release R8+
By ANTONIO MARZIANO, posted Wed September 05, 2018 01:25 PM
Introduction
This is an extended, step-by-step guide to setting up an OpenID Connect namespace with Azure AD. The steps below are kept simple: they cover provisioning and registering an application in Azure, followed by the details required to configure the Cognos Analytics authentication provider settings so that login succeeds.
Environment
Azure Domain: AZURECOGNOSLAB.onmicrosoft.com
Display Name: COGNOSLAB
On-Premise: Cognos Analytics 11.0.9
Steps
1. Log in to https://portal.azure.com
2. Click More services.
3. Scroll down and click App registrations.
4. Click New application registration.
5. Type in a Name. Application type must be Web app/API. Sign-on URL is the entry point to CA11:
   https://IACSSUK16SRV2.CASUPPORT.SUPPORT2016.AD.HURSLEY.IBM.COM:9309/bi/v1/disp
6. Click Create.
7. Edit the application by selecting Settings.
8. Click Reply URLs to add the Redirect URL.
9. Add the Return URL.
10. Click Save.
11. Then generate the Client Secret by clicking Keys.
12. Type in a description.
13. Click Save and store the value somewhere, as it’s a once-only opportunity to capture it.
14. Next, find the Tenant ID that will be required to update the Discovery Endpoint. Open the downloaded PortalDiagnostics.json file and locate the “tenants” element:

    "tenants": [
      {
        "id": "6b3ec521-c99e-4cc2-bd63-e79e654151da",
        "domainName": "AZURECOGNOSLAB.onmicrosoft.com",
        "displayName": "COGNOSLAB",
        "isSignedInTenant": true
      }
    ]

15. Summary of all the required information to configure the OpenID Connect namespace for Azure:
    Tenant ID - 6b3ec521-c99e-4cc2-bd63-e79e654151da
    Client ID - acd096fc-e0f8-4740-8267-18a947aa809e
    Client Secret - WgYNsqAZfBa1DGtdEJRgAw9ap79WGKgs1BG9lnTaEH8=
    Return URL - https://IACSSUK16SRV2.CASUPPORT.SUPPORT2016.AD.HURSLEY.IBM.COM:9309/bi/completeAuth.jsp

Next, transfer the above configuration information into a new Azure OIDC Namespace.

16. Create a new Namespace.
17. Transfer the details as outlined in point 15 above.
    Discovery Endpoint is:
    https://login.microsoftonline.com:443/{tenantid}/.well-known/openid-configuration
    Replace the ‘{tenantid}’ with the alphanumeric value captured in Step 14:
    https://login.microsoftonline.com:443/6b3ec521-c99e-4cc2-bd63-e79e654151da/.well-known/openid-configuration
    Populate the Client ID, OpenID Connect client secret value and Return URL.
    NB: Make sure all URIs are switched from HTTP to HTTPS.
18. Save the configuration and exit, but do not start.
19. Download the certificate (issuer). With your web browser, access the discovery endpoint and download the issuer certificate:
    https://login.microsoftonline.com:443/6b3ec521-c99e-4cc2-bd63-e79e654151da/.well-known/openid-configuration
20. Save the certificate (*.crt) in the CA installation /bin64 directory.
21. Open a command window, navigate to the /bin directory and execute the following command:

    ThirdPartyCertificateTool.bat -i -T -r stamp2loginmicrosoftonlinecom.crt -p NoPassWordSet

22. Open Cognos Configuration and start the service.
23. Open the CA11 URL and select the AzureAD namespace.
24. Log in using the AzureAD user login.
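The Tenant ID lookup and the namespace values from the steps above can be checked before the service is started. The following Python is an added example, not part of the original post or of Cognos Analytics; the function names and the settings dictionary keys are assumptions made for illustration, and the sample JSON is constructed from the "tenants" element shown above.

```python
import json
import re
from urllib.parse import urlsplit

GUID = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

# Constructed sample: the "tenants" element shown in the steps above.
SAMPLE_DIAGNOSTICS = """{"tenants": [{"id": "6b3ec521-c99e-4cc2-bd63-e79e654151da",
  "domainName": "AZURECOGNOSLAB.onmicrosoft.com", "displayName": "COGNOSLAB",
  "isSignedInTenant": true}]}"""


def signed_in_tenant_id(diagnostics_json):
    """Return the id of the one tenant flagged isSignedInTenant, checked as a GUID."""
    tenants = json.loads(diagnostics_json).get("tenants", [])
    ids = [str(t.get("id", "")).strip() for t in tenants if t.get("isSignedInTenant")]
    if len(ids) != 1 or not GUID.match(ids[0]):
        raise ValueError("expected exactly one signed-in tenant with a GUID id")
    return ids[0].lower()


def discovery_endpoint(tenant_id):
    """Fill the {tenantid} placeholder of the Discovery Endpoint from the steps."""
    if not GUID.match(tenant_id):
        raise ValueError("tenant id is not a GUID")
    return ("https://login.microsoftonline.com:443/"
            f"{tenant_id}/.well-known/openid-configuration")


def check_namespace(settings):
    """Return the problems found in the namespace values; an empty list means none."""
    problems = []
    for key in ("discovery_endpoint", "return_url"):
        url = urlsplit(settings.get(key, ""))
        if url.scheme != "https":
            problems.append(f"{key}: scheme must be https, got {url.scheme!r}")
        if not url.hostname:
            problems.append(f"{key}: no host")
    if "{tenantid}" in settings.get("discovery_endpoint", ""):
        problems.append("discovery_endpoint: {tenantid} placeholder not replaced")
    # Assumption: the Return URL keeps the /bi/completeAuth.jsp path used on this page.
    if not urlsplit(settings.get("return_url", "")).path.endswith("/bi/completeAuth.jsp"):
        problems.append("return_url: path must end with /bi/completeAuth.jsp")
    if not GUID.match(settings.get("client_id", "")):
        problems.append("client_id: not a GUID")
    if not settings.get("client_secret"):
        problems.append("client_secret: empty")
    return problems
```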
Troubleshooting
Log in fails with the following error - CA Initialization Information Cannot login
Resolve by generating a new Client Secret value (see step 11 above) and replacing the existing entry in the Cognos Configuration namespace, then save and restart.
Error during startup shows the following exception
Audit.RTUsage.cms.CAM.AAA.SRVC StartService NameSpace CAMID("AzureAD") Warning <exception><![CDATA[com.ibm.cognos.camaaa.internal.auth.exception.UnrecoverableException at com.ibm.cognos.camaaa.internal.customLegacy.exception.UnrecoverableExceptionConverter.convertException(UnrecoverableExceptionConverter.java:63) at com.ibm.cognos.camaaa.internal.OIDC.handler.OIDCHandler.init(OIDCHandler.java:57) at com.ibm.cognos.camaaa.internal.common.handler.HandlerFactoryImpl.initializeHandler(HandlerFactoryImpl.java:577) at com.ibm.cognos.camaaa.internal.common.handler.HandlerFactoryImpl.createHandler(HandlerFactoryImpl.java:324) at com.ibm.cognos.camaaa.internal.auth.handler.AuthHandler.populateHandler(AuthHandler.java:195) at
Resolved by ensuring the correct certificate chain is imported into the keystore (see steps 19-21).