Administration: How to setup and authenticate via OIDC OKTA integration with AD on-premise and Cognos Analytics 11 R9+

By ANTONIO MARZIANO posted Thu November 07, 2019 03:35 PM



The purpose here is to leverage the integration of OKTA with AD on-premise, allowing both AD and OKTA users to successfully authenticate to Cognos Analytics using a SINGLE namespace. The steps below are simplistic yet “hands-on”, walking through each step and assuming that the audience is already able to create an OKTA namespace with OIDC.


    • OKTA Organisation


    • Server: Cognos Analytics 11 R9


    1. Assume the OKTA application has been set up according to the following article.

    2. Access the OKTA Dashboard, switch to Classic UI and, from the Directory menu, click Directory Integrations.

    3. Select Add Active Directory or Add AD Domain/Agent.

    4. Click Add AD Domain/Agent and then click Active Directory.

    5. Now download the AD Agent by clicking Download Agent.

    6. Save the installation file on any server that is part of the AD Domain.

    7. Run the installation.

    8. Specify the FULL DomainDNS -
      Select either Create or use the OktaService account (recommended) or Use an alternative account that I specify. Despite the option to create a new service account, in this example the installation detected that the OktaService account already existed; otherwise it would create the account and request a password.
      Type the password and click Next.

      The type of OKTA customer domain depends on the OKTA Access URL. In this example it's:

      So, the entries should be as follows:


      Click Next.

      Log in using the okta account.

      Type in the okta admin account (admin) and password, then click Sign In.

      Click Allow Access and then Finish.

    9. Log into OKTA, go to Directory > Directory Integrations and click Active Directory.

    10. Select which OUs to sync users from:

    11. Select the OUs to sync Groups from. NB: selections are based on the AD hierarchy structure defined.

    12. Select the Okta username format. The options are sAMAccountName or UPN.

    13. Click Next and then click Next again to initiate the import.

    14. In Section 3, Select the attributes to build your Okta User Profile, leave the defaults and select Next.

    15. Click Import.

    16. Since this is the first time, select Full Import and click Import.
      Import completed successfully.

      Select the AD users and select Confirm Assignments.

    17. Click Auto-activate users after confirmation and click Confirm.

    18. Click People to view the list of imported AD users.

      In this example the AD user TM1USER ( will be used to demonstrate the login with both an AD user and an OKTA user through the same OIDC Namespace for OKTA.

    19. Assign an AD user and an OKTA user to the Application. From the Dashboard select Application, click the application link, select the Assignments tab and click the Assign button.

      Select the user, in this case TM1USER (AD user) and the OKTA user (email address), then click the Assign Applications button and then click Assign. The AD user info appears;

      then click Save and Go Back and then Done. Repeat for the okta user email account.


      Authenticate now with the AD user.

      Authenticate with an OKTA user.

      Both belong to the same namespace.

Group/Role Management

Combining both types of users into a Cognos Group

Create a Cognos Group and add BOTH users (AD and Okta) as members

As an example create a Group called “OKTA-AD-Group” from the Cognos Namespace and then add both members to the group.

Additional Information:
In 11.1.4+ there are 4 new advanced configuration items:

authorizeEPAddParms (authorize redirect)
pgTokenEPAddParms (on password grant flow to the token endpoint)
rtTokenEPAddParms (on refresh token flow to the token endpoint)
codeTokenEPAddParms (on authorization code flow to the token endpoint)

This lets you control exactly which additional parameters are added, and to which endpoints. Because the "resource" parameter can be supplied through these new advanced configuration items, the value lets you put whatever you want in the URL; as a consequence, the value must include the &, the parameter name, and the parameter value, which MUST be URL-encoded, e.g.

name                 value
authorizeEPAddParms  &resource=HTTPS%3A%2F%2FADFS_SERVER
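Because Cognos appends the value of these properties verbatim to the endpoint URL, a missing leading `&` or an unencoded `:` or `/` in the value silently produces a malformed or differently-parsed query string. The following Python is an added example (not Cognos or Okta code) that builds a correctly encoded `*EPAddParms` value from a dictionary, checks a hand-written value for the two mistakes just named, and shows how the string lands on an authorize URL. The helper names `build_add_parms`, `check_add_parms`, `append_to_endpoint` and `resource_from_url`, and the Okta authorize URL used for illustration, are assumptions made for this example; `ADFS_SERVER` is the placeholder from the table above.

```python
from urllib.parse import parse_qs, quote, urlsplit

# Constructed sample authorize endpoint, as Cognos would call it before the
# extra parameters are appended (hypothetical host and client_id).
SAMPLE_AUTHORIZE_EP = (
    "https://okta.example/oauth2/v1/authorize?client_id=abc&response_type=code"
)

# Characters that must never appear raw in a query-string value.
RAW_FORBIDDEN = ":/?#[]@ "


def build_add_parms(params: dict) -> str:
    """Build the value for one of the *EPAddParms advanced properties.

    Returns e.g. '&resource=https%3A%2F%2FADFS_SERVER'. The leading '&' is
    included for every pair and safe='' forces ':' and '/' to be encoded,
    matching the form shown in the table above.
    """
    return "".join(
        f"&{quote(str(name), safe='')}={quote(str(value), safe='')}"
        for name, value in params.items()
    )


def check_add_parms(value: str) -> list:
    """Return a list of problems found in a hand-written *EPAddParms value."""
    problems = []
    if not value.startswith("&"):
        problems.append("value must start with '&'")
    for pair in value.lstrip("&").split("&"):
        if "=" not in pair:
            problems.append(f"'{pair}' has no '=' separator")
            continue
        name, val = pair.split("=", 1)
        for ch in RAW_FORBIDDEN:
            if ch in val:
                problems.append(f"parameter '{name}' contains unencoded '{ch}'")
                break
    return problems


def append_to_endpoint(endpoint: str, add_parms: str) -> str:
    """Mimic the verbatim concatenation Cognos performs for these properties."""
    return endpoint + add_parms


def resource_from_url(url: str):
    """Decode the 'resource' query parameter back out of a full URL."""
    return parse_qs(urlsplit(url).query).get("resource", [None])[0]


if __name__ == "__main__":
    good = build_add_parms({"resource": "https://ADFS_SERVER"})
    print("generated value:", good, "problems:", check_add_parms(good))
    bad = "resource=https://ADFS_SERVER"  # constructed mistake: no '&', not encoded
    print("hand-written value problems:", check_add_parms(bad))
    url = append_to_endpoint(SAMPLE_AUTHORIZE_EP, good)
    print("authorize URL:", url)
    print("resource as the IdP will see it:", resource_from_url(url))
```

Run the check against the value you intend to paste into Cognos Configuration; if `check_add_parms` reports anything, fix the value before saving rather than debugging a failed redirect at the identity provider.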