
Administration - How to set up Azure OIDC with Cognos Analytics Release R8+

By ANTONIO MARZIANO posted Wed September 05, 2018 01:25 PM

  

Introduction


Here is another, extended step-by-step guide to setting up an OpenID Connect Namespace with AzureAD. The steps below are kept simple: they cover provisioning and registering an application in Azure, followed by the details required to configure the Cognos Analytics Authentication Provider settings so that users can log in successfully.

Environment


Azure Domain: AZURECOGNOSLAB.onmicrosoft.com
Display Name: COGNOSLAB
On-Premise: Cognos Analytics 11.0.9

Steps



    1. Log in to https://portal.azure.com

    1. Click More services

    1. Scroll down and click App registrations


    1. Click New application registration


    1. Type in a Name. Application type must be Web app/API.

      Sign-on URL is the entry point to CA11
      https://IACSSUK16SRV2.CASUPPORT.SUPPORT2016.AD.HURSLEY.IBM.COM:9309/bi/v1/disp

    1. Click Create

    1. Edit the Application by selecting Settings


    1. Click Reply URLs to add the Redirect URL

    1. Add the Return URL

    1. Click Save

    1. Then generate the Client Secret by clicking Keys


    1. Type in a description

    1. Click Save and store the value somewhere, as this is the only opportunity to capture it.

    1. Next find the Tenant ID that will be required to update the Discovery Endpoint

      Open the downloaded PortalDiagnostics.json file and locate the “tenants” element:

      "tenants": [
        {
          "id": "6b3ec521-c99e-4cc2-bd63-e79e654151da",
          "domainName": "AZURECOGNOSLAB.onmicrosoft.com",
          "displayName": "COGNOSLAB",
          "isSignedInTenant": true
        }
      ]

    1. Summary of all the required information to configure the OpenID Connect Namespace for Azure:

      Tenant ID - 6b3ec521-c99e-4cc2-bd63-e79e654151da
      Client ID - acd096fc-e0f8-4740-8267-18a947aa809e
      Client Secret - WgYNsqAZfBa1DGtdEJRgAw9ap79WGKgs1BG9lnTaEH8=
      Return URL - https://IACSSUK16SRV2.CASUPPORT.SUPPORT2016.AD.HURSLEY.IBM.COM:9309/bi/completeAuth.jsp

      Next, transfer the above configuration information into a new Azure OIDC Namespace.

    1. Create a new Namespace

    1. Transfer the details as outlined in point 15 above
      Discovery Endpoint is:
      https://login.microsoftonline.com:443/{tenantid}/.well-known/openid-configuration

      Replace the ‘{tenantid}’ with the alphanumeric value captured in Step 14:
      https://login.microsoftonline.com:443/6b3ec521-c99e-4cc2-bd63-e79e654151da/.well-known/openid-configuration

      Populate the Client ID, OpenID Connect client secret value and Return URL.

      NB: Make sure all URIs are switched from HTTP to HTTPS

    1. Save the configuration and exit, but do not start the service.

    1. Download the certificate (issuer)
      With your web browser, access the discovery endpoint and download the issuer certificate:
      https://login.microsoftonline.com:443/6b3ec521-c99e-4cc2-bd63-e79e654151da/.well-known/openid-configuration




    1. Save the certificate (*.crt) in the CA installation /bin64 directory

    1. Open a command window and navigate to the /bin directory and execute the following command:
      ThirdPartyCertificateTool.bat -i -T -r stamp2loginmicrosoftonlinecom.crt -p NoPassWordSet

    1. Open Cognos Configuration and start the service.

    1. Open CA11 URL and select the AzureAD namespace

    1. Log in using the AzureAD user login.
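
A pre-flight check for the values gathered in steps 14, 15 and 17, run before they are saved in Cognos Configuration. This is an added example, not part of the original post or of IBM's tooling. The settings keys (`discovery_endpoint`, `return_url`, `client_id`, `client_secret`) are hypothetical names for illustration, not Cognos Configuration property names, and the second tenant in the sample is constructed.

```python
import json
import re
from urllib.parse import urlsplit

GUID = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
DISCOVERY = "https://login.microsoftonline.com:443/{tenantid}/.well-known/openid-configuration"

# Constructed sample shaped like the "tenants" element shown in step 14.
SAMPLE_DIAGNOSTICS = """{"tenants": [
  {"id": "6b3ec521-c99e-4cc2-bd63-e79e654151da", "isSignedInTenant": true},
  {"id": "00000000-0000-0000-0000-000000000000", "isSignedInTenant": false}]}"""


def signed_in_tenant_id(diagnostics_json):
    """Return the id of the single tenant flagged isSignedInTenant."""
    tenants = json.loads(diagnostics_json).get("tenants", [])
    ids = [t["id"] for t in tenants if t.get("isSignedInTenant")]
    if len(ids) != 1 or not GUID.match(ids[0]):
        raise ValueError("expected exactly one signed-in tenant with a GUID id")
    return ids[0].lower()


def discovery_endpoint(tenant_id):
    """Fill the {tenantid} placeholder as described in step 17."""
    return DISCOVERY.replace("{tenantid}", tenant_id)


def check_namespace(settings, tenant_id):
    """Return a list of problems found in the values typed into the namespace."""
    problems = []
    for name in ("discovery_endpoint", "return_url"):
        url = urlsplit(settings.get(name, ""))
        if url.scheme != "https":  # the NB in step 17: every URI must be HTTPS
            problems.append(f"{name}: scheme is {url.scheme or 'missing'!r}, expected https")
        if "{" in url.path or "}" in url.path:
            problems.append(f"{name}: unreplaced placeholder in path")
    if settings.get("discovery_endpoint") != discovery_endpoint(tenant_id):
        problems.append("discovery_endpoint: does not match the signed-in tenant")
    if not GUID.match(settings.get("client_id", "")):
        problems.append("client_id: not a GUID")
    if not settings.get("client_secret", "").strip():
        problems.append("client_secret: empty")
    return problems
```

An empty list from `check_namespace` means the Discovery Endpoint carries the signed-in tenant's ID and every URI uses HTTPS; it does not confirm that the secret itself is still valid in Azure.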



Troubleshooting


Log in fails with the following error - CA Initialization Information Cannot login



Resolve by generating a new Client Secret value (see step 11 above) and replacing the existing entry in the Cognos Configuration Namespace.



Save and restart

Error during startup shows the following exception

Audit.RTUsage.cms.CAM.AAA.SRVC    StartService    NameSpace    CAMID("AzureAD")    Warning        <exception><![CDATA[com.ibm.cognos.camaaa.internal.auth.exception.UnrecoverableException
      at com.ibm.cognos.camaaa.internal.customLegacy.exception.UnrecoverableExceptionConverter.convertException(UnrecoverableExceptionConverter.java:63)
      at com.ibm.cognos.camaaa.internal.OIDC.handler.OIDCHandler.init(OIDCHandler.java:57)
      at com.ibm.cognos.camaaa.internal.common.handler.HandlerFactoryImpl.initializeHandler(HandlerFactoryImpl.java:577)
      at com.ibm.cognos.camaaa.internal.common.handler.HandlerFactoryImpl.createHandler(HandlerFactoryImpl.java:324)
      at com.ibm.cognos.camaaa.internal.auth.handler.AuthHandler.populateHandler(AuthHandler.java:195)
      at

Resolved by ensuring the correct certificate chain is imported into the keystore (see steps 19-21).

 








Comments

Wed August 23, 2023 05:50 PM

How do I configure Cognos Analytics 11 with OIDC without a Client Secret? Private key jwt or certificate instead of Secret?