
Administration: Cognos Analytics authentication with AWS Cognito

By ANTONIO MARZIANO posted Thu February 07, 2019 09:03 AM

  

This blog is a step-by-step guide to setting up Cognos Analytics authentication with AWS Cognito as the OpenID provider. As a prerequisite, you need an AWS account.

Setup AWS Cognito

1. Sign in as root user (or super user)
2. Click on "Services" and navigate to "Cognito"

3. Click on "Manage User Pools" and "Create User Pool". Then provide a name to your User Pool

4. Click on "Step through settings" and select the authentication type and standard attributes like below:


5. Click "Next" until you see this page:


We will not use MFA in this example, so delete the CASUPPORT-SMS-Role, select "No Verification", then click "Next Step" until you reach the final page and click "Create User Pool".

6. Click on "Domain Name", create a unique domain and check whether it's available by clicking on "Check Availability"


NB: The above step is optional

7. Click "Save Changes"



8. Now, create a Client App by clicking on "App clients" - "Add an app client"


9. Fill in the details and select the options below and click on "Create app client":


Click on "Show Details" to see the clientID and secret


10. To determine what the endpoint(s) are, find the ARN (Amazon Resource Name) in the General Settings:



So the Discovery Endpoint will be:

https://cognito-idp.us-east-1.amazonaws.com:443/us-east-1_n4teX7WNS/.well-known/openid-configuration

Open this URL in a browser; the result should look something like:


11. Now to add the Redirect URL (callback URL) for your Cognos Analytics Server, click on General Settings - App Client Settings and fill in the URL like below:


NB: Make sure openid and profile are selected for "Allowed OAuth Scopes"

12. Next, create a user by clicking on General Settings - Users and Groups - New User


For this example no verification is required, so populate the details as needed (below is an example):


Click on "Create user"
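
Step 10 derives the discovery endpoint from the user pool ARN, and the document served there describes the endpoints Cognos Analytics will be pointed at. The following is an added example, not part of the original post or IBM's code: it builds the URL from an ARN and checks a discovery document for a matching issuer, HTTPS endpoints, the code response type and the openid and profile scopes. The ARN, account ID, pool ID, domain and function names are constructed placeholders, and treating an explicit :443 as equal to the default HTTPS port is an assumption of this example.

```python
import re
from urllib.parse import urlsplit

# ARN layout: arn:aws:cognito-idp:<region>:<account-id>:userpool/<region>_<id>
ARN_RE = re.compile(r"^arn:aws:cognito-idp:([a-z0-9-]+):\d{12}:userpool/(\1_[A-Za-z0-9]+)$")
SUFFIX = "/.well-known/openid-configuration"

def discovery_url(pool_arn):
    """Build the discovery URL in the form the post uses (explicit :443)."""
    m = ARN_RE.match(pool_arn)
    if not m:
        raise ValueError("not a Cognito user pool ARN: %r" % pool_arn)
    region, pool_id = m.groups()
    return f"https://cognito-idp.{region}.amazonaws.com:443/{pool_id}{SUFFIX}"

def _norm(url):
    """Normalise a URL so an explicit default port compares equal (assumption)."""
    u = urlsplit(url)
    return (u.scheme, u.hostname, u.port or 443, u.path.rstrip("/"))

def check_discovery(doc, url):
    """Return a list of problems in a discovery document fetched from url."""
    problems = []
    if _norm(doc.get("issuer", "")) != _norm(url[:-len(SUFFIX)]):
        problems.append("issuer does not match the discovery URL")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if urlsplit(doc.get(key, "")).scheme != "https":
            problems.append(f"{key} missing or not https")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow not offered")
    missing = {"openid", "profile"} - set(doc.get("scopes_supported", []))
    if missing:
        problems.append("scopes not offered: " + ", ".join(sorted(missing)))
    return problems

# Constructed sample: placeholder account ID, pool ID and domain, not real resources.
SAMPLE_ARN = "arn:aws:cognito-idp:us-east-1:123456789012:userpool/us-east-1_EXAMPLE"
BASE = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE"
DOMAIN = "https://example-domain.auth.us-east-1.amazoncognito.com"
SAMPLE_DOC = {
    "issuer": BASE,
    "authorization_endpoint": DOMAIN + "/oauth2/authorize",
    "token_endpoint": DOMAIN + "/oauth2/token",
    "jwks_uri": BASE + "/.well-known/jwks.json",
    "response_types_supported": ["code", "token"],
    "scopes_supported": ["openid", "email", "phone", "profile"],
}

if __name__ == "__main__":
    print(check_discovery(SAMPLE_DOC, discovery_url(SAMPLE_ARN)) or "consistent")
```

An empty list means the document is consistent with the URL it was fetched from; in practice the `doc` argument would be the JSON returned by the discovery endpoint.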



Setup Cognos Analytics Generic OpenID Namespace

1. Download the CA Root Certificate and import it into the keystore using the following command:

<installation>/bin/ThirdPartyCertificateTool.bat -i -T -r AmazonRootCA1.crt -p NoPassWordSet

2. Launch Cognos Configuration and create a new Generic OpenID Namespace
3. Populate the values/entries using the example below and test the namespace:




NB: Ensure the first 2 green checks are visible to confirm the namespace is valid.
4. Restart
5. Log in

Since this is the first time the user is logging in, the user is forced to change the temporary password and is asked for further user details. See below:

Populate the details as follows:


Once completed the user will successfully authenticate and log into Cognos Analytics Portal:



References:

AWS Cognito
https://docs.aws.amazon.com/cognito/latest/developerguide/what-is-amazon-cognito.html

Additional Information:

In 11.1.4+ there are 4 new advanced configuration items:

name
authorizeEPAddParms (authorize redirect)
pgTokenEPAddParms (on password grant flow to the token endpoint)
rtTokenEPAddParms (on refresh token flow to the token endpoint)
codeTokenEPAddParms (on authorization code flow to the token endpoint)

This allows you to control exactly which additional parameters are added, and specifically to which endpoints. For example, the "resource" parameter can be represented using the new advanced configuration items. The value lets you put whatever you want in the URL; as a consequence, the value must include the &, the parameter name, and the parameter value, which MUST be URL-encoded, e.g.

name    value
authorizeEPAddParms  &resource=HTTPS%3A%2F%2FADFS_SERVER




