The purpose of this article is to show, step by step, how to populate the employeeID attribute (or any other attribute) as an id_token claim and then use that claim to create a session parameter in Cognos Analytics Reporting so that the value can be used in reports.
It is assumed that on-premise AD to Azure AD synchronisation is already configured using Azure AD Connect and that an Azure application is already registered.
Environment:
Windows 2016 AD on-premise : CASUPPORT.SUPPORT2016.AD.HURSLEY.IBM.COM
AzureAD Domain : AZURECOGNOSLAB.onmicrosoft.com
OpenID Web Application : AZURECASUPPORT
Steps are as follows:
1. Launch Azure AD Connect
![](https://dw1.s81c.com/IMWUC/MessageImages/TinyMce/6b2029b0-5a6e-4bea-bbd0-e4734e353cc1.jpg)
2. Click on "Configure" and then "Customize synchronization options"
![](https://dw1.s81c.com/IMWUC/MessageImages/TinyMce/a3d6e2eb-56ca-477f-8ffc-1680c4fe5b11.jpg)
3. Click "Next" and provide Azure Credentials and continue clicking "Next" until you get to this screen
![](https://dw1.s81c.com/IMWUC/MessageImages/TinyMce/9b37fe6f-7bb7-442c-8417-c539956d1ace.jpg)
Select "Directory extension attribute sync" and click "Next" a couple of times until you get to the screen below. Then scroll down the "Available Attributes" list until you find "employeeID" and move it across to the selected attributes.
![](https://dw1.s81c.com/IMWUC/MessageImages/TinyMce/897aea50-409b-4167-8788-8ad618643a37.jpg)
4. Click "Next" and then "Configure"
![](https://dw1.s81c.com/IMWUC/MessageImages/TinyMce/d25107e9-7cac-417a-b032-28da9700a42e.jpg)
5. Synchronisation has been completed
How to map the employeeid attribute as a claim to the id_token
1. Install the PowerShell modules for Azure:
https://www.microsoft.com/web/handlers/webpi.ashx/getinstaller/WindowsAzurePowershellGet.3f.3f.3fnew.appids
2. Enable the parameter "AcceptMappedClaims" by editing the manifest of the Azure Application and changing its value from "null" to "true"
![](https://dw1.s81c.com/IMWUC/MessageImages/TinyMce/81ca07c3-365d-480c-930e-d6ae4392cb76.jpg)
3. Click "Save" and then locate the appID and make a note of it.
![](https://dw1.s81c.com/IMWUC/MessageImages/TinyMce/ca223070-7427-460f-b4e0-b28fba8cfb45.jpg)
4. Create a PowerShell script with the following code:
```powershell
# Claims mapping policy: keep the basic claim set and add the user's employeeid
# as a JWT claim named "employeeid"
$claimsMappingPolicy = [ordered]@{
    "ClaimsMappingPolicy" = [ordered]@{
        "Version" = 1
        "IncludeBasicClaimSet" = $true
        "ClaimsSchema" = @(
            [ordered]@{
                "Source" = "user"
                "ID" = "employeeid"
                "JwtClaimType" = "employeeid"
            }
        )
    }
}
$appID = "<applicationID>"
$policyName = "Add employeeid to JWT claims"
# Service principal of the Azure application identified by its appID
$sp = Get-AzureADServicePrincipal -Filter "servicePrincipalNames/any(n: n eq '$appID')"
# An application can only carry one claims mapping policy, so remove any existing one first
$existingPolicies = Get-AzureADServicePrincipalPolicy -Id $sp.ObjectId `
    | Where-Object { $_.Type -eq "ClaimsMappingPolicy" }
if ($existingPolicies) {
    $existingPolicies | Remove-AzureADPolicy
}
$policyDefinition = $claimsMappingPolicy | ConvertTo-Json -Depth 99 -Compress
$policy = New-AzureADPolicy -Type "ClaimsMappingPolicy" -DisplayName $policyName -Definition $policyDefinition
Add-AzureADServicePrincipalPolicy -Id $sp.ObjectId -RefObjectId $policy.Id
Write-Output ("New claims mapping policy '{0}' set for app '{1}'." -f $policy.DisplayName, $sp.DisplayName)
```
5. Replace the variable value '$appID = "<applicationID>"' with the value captured from your manifest file. Example below:
```powershell
# Claims mapping policy: keep the basic claim set and add the user's employeeid
# as a JWT claim named "employeeid"
$claimsMappingPolicy = [ordered]@{
    "ClaimsMappingPolicy" = [ordered]@{
        "Version" = 1
        "IncludeBasicClaimSet" = $true
        "ClaimsSchema" = @(
            [ordered]@{
                "Source" = "user"
                "ID" = "employeeid"
                "JwtClaimType" = "employeeid"
            }
        )
    }
}
$appID = "c347a7d0-ae9a-40e3-b41d-7f350162a3dd"
$policyName = "Add employeeid to JWT claims"
# Service principal of the Azure application identified by its appID
$sp = Get-AzureADServicePrincipal -Filter "servicePrincipalNames/any(n: n eq '$appID')"
# An application can only carry one claims mapping policy, so remove any existing one first
$existingPolicies = Get-AzureADServicePrincipalPolicy -Id $sp.ObjectId `
    | Where-Object { $_.Type -eq "ClaimsMappingPolicy" }
if ($existingPolicies) {
    $existingPolicies | Remove-AzureADPolicy
}
$policyDefinition = $claimsMappingPolicy | ConvertTo-Json -Depth 99 -Compress
$policy = New-AzureADPolicy -Type "ClaimsMappingPolicy" -DisplayName $policyName -Definition $policyDefinition
Add-AzureADServicePrincipalPolicy -Id $sp.ObjectId -RefObjectId $policy.Id
Write-Output ("New claims mapping policy '{0}' set for app '{1}'." -f $policy.DisplayName, $sp.DisplayName)
```
6. Save it to the server running the Azure AD Connect as "AddEmployeeIDToJWTClaims.ps1"
7. Connect to the Azure Platform:
![](https://dw1.s81c.com/IMWUC/MessageImages/TinyMce/694a40db-fa4c-4b72-b0cb-e3e0d5d672f2.jpg)
8. Then run the PowerShell script 'AddEmployeeIDToJWTClaims.ps1' created above
![](https://dw1.s81c.com/IMWUC/MessageImages/TinyMce/705b8e82-b922-473b-9a2a-60b43b29d0ab.jpg)
9. Now check that the employeeID attribute of the AD user(s) contains a value. See example below:
![](https://dw1.s81c.com/IMWUC/MessageImages/TinyMce/01cc084e-1741-44c8-8d64-02f4796a3659.jpg)
10. Open Cognos Analytics Configuration Manager and create a custom property name/value pair. See below:
![](https://dw1.s81c.com/IMWUC/MessageImages/TinyMce/67c391b0-0e44-48da-ad1e-950e5280e824.jpg)
11. Save and restart
12. With OIDC tracing enabled, log into CA through the Azure namespace as an AD user (for example, the user called "TM1"). Check the OIDC trace for an id_token value and decode it. You will see that the employeeid attribute has been passed in the token:
![](https://dw1.s81c.com/IMWUC/MessageImages/TinyMce/21dbd246-f7c7-4ac0-af87-084fe8118fa4.jpg)
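To make the check in step 12 repeatable, here is an added example (not part of the original post) that decodes the payload of an id_token copied from the OIDC trace and confirms the mapped claim is present, the audience matches the appID from step 3 and the token has not expired. The token at the bottom is constructed inline as a stand-in for one taken from the trace; the tenant ID in its issuer is a placeholder.

```powershell
# Added example, not from the original post: inspect an id_token's claims offline.
function ConvertFrom-Base64Url {
    param([Parameter(Mandatory)][string]$Text)
    # JWT segments are base64url (RFC 7515): '-'/'_' replace '+'/'/' and padding is stripped
    $b64 = $Text.Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) {
        2 { $b64 += '==' }
        3 { $b64 += '=' }
    }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64))
}

function Get-IdTokenClaims {
    param([Parameter(Mandatory)][string]$IdToken)
    $parts = $IdToken.Split('.')
    if ($parts.Count -ne 3) { throw "Expected 3 dot-separated JWT segments, got $($parts.Count)" }
    # Decoding only; the signature is not verified here, this is for reading the trace
    $header = ConvertFrom-Base64Url $parts[0] | ConvertFrom-Json
    $claims = ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json
    [pscustomobject]@{ Header = $header; Claims = $claims }
}

function Test-EmployeeIdClaim {
    param(
        [Parameter(Mandatory)][string]$IdToken,
        [Parameter(Mandatory)][string]$ExpectedAppId,  # appID noted in step 3
        [string]$ClaimName = 'employeeid'              # JwtClaimType from the policy
    )
    $claims = (Get-IdTokenClaims -IdToken $IdToken).Claims
    $problems = @()
    if ($claims.aud -ne $ExpectedAppId) { $problems += "aud '$($claims.aud)' is not app $ExpectedAppId" }
    # exp is seconds since the Unix epoch
    if ([DateTimeOffset]::FromUnixTimeSeconds([int64]$claims.exp) -lt [DateTimeOffset]::UtcNow) {
        $problems += "token expired (exp=$($claims.exp))"
    }
    $value = $claims.PSObject.Properties[$ClaimName].Value
    if ([string]::IsNullOrEmpty($value)) {
        $problems += "claim '$ClaimName' missing: check the policy is attached (step 8) and AD employeeID is set (step 9)"
    }
    [pscustomobject]@{ EmployeeId = $value; Problems = $problems }
}

# Constructed sample token (unsigned, empty signature segment); paste a real id_token into $token instead
function ConvertTo-Base64Url([string]$Text) {
    [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Text)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}
$appId = 'c347a7d0-ae9a-40e3-b41d-7f350162a3dd'   # appID used in the example script above
$payload = @{ aud = $appId; iss = 'https://sts.windows.net/<tenant-id>/'
              exp = [DateTimeOffset]::UtcNow.AddHours(1).ToUnixTimeSeconds(); employeeid = '1234' } | ConvertTo-Json -Compress
$token = (ConvertTo-Base64Url '{"alg":"RS256","typ":"JWT"}') + '.' + (ConvertTo-Base64Url $payload) + '.'
Test-EmployeeIdClaim -IdToken $token -ExpectedAppId $appId | Format-List
```

For the constructed token the output shows EmployeeId 1234 and an empty Problems list; a real token whose policy was not attached shows the missing-claim message instead.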
13. Launch Cognos Analytics, create a new report and then insert a new data item with the following session parameter expression: #sq($account.parameters.employeeID)#
Save and execute the report. Here the data is pulled from the employeeid attribute:
![Capture.jpg](https://higherlogicdownload.s3.amazonaws.com/IMWUC/UploadedImages/0cc96e49-3b8d-4213-9f32-2b38698bfb54/Capture.jpg)
References:
https://community.ibm.com/community/user/businessanalytics/blogs/antonio-marziano/2018/09/05/administration-how-to-setup-azure-oidc-with-cognos