Administration: Cognos Analytics Authentication with OneLogin OpenID

By ANTONIO MARZIANO posted Sat February 16, 2019 10:05 AM

  
The purpose of this article is to provide a step-by-step guide to setting up OneLogin OpenID authentication with Cognos Analytics.
The first step is to sign up for a developer's account here: https://www.onelogin.com/developer-signup
Assuming it is set up correctly, the next step is to provision a OneLogin OIDC application.

To do so, follow these steps:

1. Log in to OneLogin Administration



2. Click on "Administration"



3. Click on "Apps" and "Company Apps" or "Add Apps"



4. Search for 'oidc' and select the 'OpenId Connect (OIDC)' application



5. Give the application a name e.g. 'CASUPPORT' and click "Save". You will notice when you go back into that application that a series of tabs appear



6. Click on "Configuration" and update the 'Redirect URI's' with the Cognos Analytics Server URI



7. Click on "SSO" to capture the client ID and generate a client secret. Make sure the 'Application Type' is "Web" and the "Authentication Method" is "Basic". To generate the client secret, click on the "Show Client Secret" link.



8. To view the Discovery Endpoint URI, click on the "OpenID Provider Configuration Information" link

https://ibm-casupport-dev.onelogin.com/oidc/.well-known/openid-configuration

9. Create a new user and fill in the details





10. Click "SAVE" and then "Applications"



11. Click on the "Default" policy and then "SAVE"




12. Click on "MORE ACTIONS" and select "Change Password"


13. Provide a temporary password and then force the user to change it:


14. Confirm the user is added to the application being provisioned



At this point, move over to Cognos Analytics and create a new Generic Namespace for OpenID with the following entries:



15. Import the CA Root Certificate by downloading it

16. Run the following command line from the CA installation:

..\bin>ThirdPartyCertificateTool.bat -i -T -r COMODORSACertificationAuthority.crt -p NoPassWordSet

17. Re-open Cognos Configuration and start

Then log in



Troubleshoot

If login fails with "AAA-OIDC-0009 The provided credentials are invalid", this could mean the user doesn't have access to the application (OneLogin):


Check the user's application section, which here shows the application is not listed or granted:


Click on Roles / Default and then "SAVE USER" button. Go back to that section to confirm the application is listed:



Additional Information:

In 11.1.4+ there are 4 new advanced configuration items:

name
authorizeEPAddParms (authorize redirect)
pgTokenEPAddParms (on password grant flow to the token endpoint)
rtTokenEPAddParms (on refresh token flow to the token endpoint)
codeTokenEPAddParms (on authorization code flow to the token endpoint)

This allows you to control exactly which additional parameters are added and specifically to which endpoints. The "resource" parameter, for example, can be represented using the new advanced configuration items. The value lets you put whatever you want in the URL; as a consequence, the value must include the &, the parameter name, and the parameter value, which MUST be URL-encoded, e.g.

name    value
authorizeEPAddParms  &resource=HTTPS%3A%2F%2FADFS_SERVER
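
The rule above can be checked before a value is pasted into the configuration. This is an added Python example, not part of the original article or of Cognos Analytics; `build_add_parms` and `parse_add_parms` are hypothetical helper names, and the strict character check is an assumption of the example.

```python
import re
from urllib.parse import quote, unquote

# One "name=value" pair: the value may hold only unreserved characters or %XX
# escapes. This strictness is an assumption of the example, not product behaviour.
_PAIR = re.compile(r"([A-Za-z0-9_.~-]+)=((?:[A-Za-z0-9_.~-]|%[0-9A-Fa-f]{2})*)")


def build_add_parms(params):
    """Build a value from a dict: every pair gets a leading '&' and is URL-encoded."""
    return "".join(
        f"&{quote(name, safe='')}={quote(value, safe='')}"
        for name, value in params.items()
    )


def parse_add_parms(value):
    """Return [(name, decoded value), ...]; raise ValueError on a malformed value."""
    if not value.startswith("&"):
        raise ValueError("value must start with '&'")
    pairs = []
    for chunk in value[1:].split("&"):
        match = _PAIR.fullmatch(chunk)
        if match is None:
            raise ValueError(f"not a URL-encoded name=value pair: {chunk!r}")
        pairs.append((match.group(1), unquote(match.group(2))))
    return pairs


if __name__ == "__main__":
    # Constructed sample values; the first is the one shown in the article.
    samples = [
        "&resource=HTTPS%3A%2F%2FADFS_SERVER",
        "resource=HTTPS%3A%2F%2FADFS_SERVER",     # missing leading '&'
        "&resource=HTTPS://ADFS_SERVER",           # value not URL-encoded
        "&resource=HTTPS%3A%2F%2FADFS_SERVER&x",   # raw '&' leaves a stray fragment
    ]
    for sample in samples:
        try:
            print("ok ", sample, parse_add_parms(sample))
        except ValueError as err:
            print("bad", sample, "->", err)
    print(build_add_parms({"resource": "https://adfs.example/?a=1&b=2"}))
```

Because the value is appended to the request URL as written, an unencoded `&` or `=` inside a parameter value would be read as the start of another parameter, which is why the builder encodes every reserved character.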




