
Administration: Cognos Analytics Authentication with Google OpenID

By ANTONIO MARZIANO posted Sat May 18, 2019 11:42 AM

  
This article outlines the steps required to set up a Google OpenID client and to configure both a Google native namespace and a generic namespace.

Environment:
Windows 2016
Single Server
CA 11.1.x (applicable to 11.0.x)

Steps are as follows:

1. Access https://developers.google.com/identity/sign-in/web/sign-in
2. Click on 'Configure A Project' button
3. Select 'Create a new project'



4. Give the project a name and click 'Next'



5. Give the OAuth Client a name



6. In the section 'Configure your OAuth client' select 'Web Server' and add the CA redirect URI


Here the redirect URI is https://ca-oidc1.casupport.support2016.ad.hursley.ibm.com:9300/bi/completeAuth.jsp

7. On finish, the client ID and secret are displayed and can be downloaded as a JSON file.



8. Click on 'API Console' to see the OAuth Client details required to setup the Google Namespace





9. Collect the required information:

Discovery Endpoint URI : https://accounts.google.com:443/.well-known/openid-configuration
ClientID/Client Secret
Redirect URI: https://ca-oidc1.casupport.support2016.ad.hursley.ibm.com:9300/bi/completeAuth.jsp

NB: The redirect URI can point to either the dispatcher or the gateway.

10. Access the Discovery Endpoint URI and download its CA root certificate (or chain). Then run the following command to import the certificate:

<installation>/bin/>ThirdPartyCertificateTool.bat -i -T -r <GoogleCAcert>.crt -p NoPassWordSet

Set up a Google OpenID Namespace in IBM Cognos Analytics

11. Create a new Namespace and Select 'OpenID' and Type 'Google'





12. Save and Restart (or Start)

The equivalent Generic Namespace that addresses the issue with scheduling/renewing credentials needs to be configured as below:



To add users (email accounts) to the Project/OAuth Client Application(s) within the Project CAOIDC:









Save and login.




Additional Information:
In 11.1.4+ there are 4 new advanced configuration items:

name
authorizeEPAddParms (authorize redirect)
pgTokenEPAddParms (on password grant flow to the token endpoint)
rtTokenEPAddParms (on refresh token flow to the token endpoint)
codeTokenEPAddParms (on authorization code flow to the token endpoint)

This allows you to control exactly which additional parameters are added and to which endpoints. The "resource" parameter, for example, can be represented using the new advanced configuration items. The value lets you put whatever you want in the URL; as a consequence, the value must include the &, the parameter name, and the parameter value, which MUST be URL-encoded, e.g.

name    value
authorizeEPAddParms  &resource=HTTPS%3A%2F%2FADFS_SERVER
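
The rule above (leading &, parameter name, URL-encoded value), as an added example that is not part of the original article or of Cognos itself: the hypothetical helpers build_add_parms and check_add_parms build a value for one of the *EPAddParms items and check a hand-typed one before it goes into the configuration. The sample inputs are constructed.

```python
import re
from urllib.parse import quote, unquote

# Unreserved characters (RFC 3986) or a %XX escape; anything else is unencoded.
_ENCODED = re.compile(r"(?:[A-Za-z0-9._~-]|%[0-9A-Fa-f]{2})*")


def build_add_parms(params):
    """Build an *EPAddParms value from raw (name, value) pairs."""
    # safe="" also encodes '/', ':' and '&', so a raw '&' inside a value
    # cannot split into an extra parameter on the endpoint URL.
    return "".join(f"&{quote(n, safe='')}={quote(v, safe='')}" for n, v in params)


def check_add_parms(value):
    """Return (decoded pairs, problems) for a hand-written *EPAddParms value."""
    problems = []
    if not value.startswith("&"):
        problems.append("value must start with '&'")
    pairs = []
    for chunk in value.lstrip("&").split("&"):
        name, sep, val = chunk.partition("=")
        if not sep or not name:
            problems.append(f"not name=value: {chunk!r}")
            continue
        for part in (name, val):
            if not _ENCODED.fullmatch(part):
                problems.append(f"not URL-encoded: {part!r}")
        pairs.append((unquote(name), unquote(val)))
    return pairs, problems


if __name__ == "__main__":
    # Constructed inputs: the article's example, then a hand-typed variant.
    print(build_add_parms([("resource", "HTTPS://ADFS_SERVER")]))
    print(check_add_parms("resource=HTTPS://ADFS_SERVER"))
```

An empty problems list means the value follows the format; the decoded pairs show exactly which parameters the endpoint will receive.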





Comments

Tue May 26, 2020 02:37 AM

Hi

I did the steps above but am getting the following error when choosing the Google namespace.

CA Login Authentication Error
Call to IdP failed to get identity.

Any idea?

Thanks