Administration: How to setup and authenticate via OIDC OKTA integration with AD on-premise and Cognos Analytics 11 R9+
By ANTONIO MARZIANO, posted Thu November 07, 2019 03:35 PM
Introduction
The purpose of this article is to use OKTA's integration with on-premise Active Directory so that both AD users and OKTA users can authenticate to Cognos Analytics through a SINGLE OIDC namespace. The steps below are simple but hands-on and walk through each stage, assuming that the reader is already able to create an OKTA namespace with OIDC.
Environment
OKTA Organisation
AD on-Premise: CASUPPORT.SUPPORT2016.AD.HURSLEY.IBM.COM
Server: Cognos Analytics 11 R9
Steps
Assume the OKTA application has been set up according to the following article.

1. Access the OKTA Dashboard, switch to Classic UI and, from the Directory menu, click Directory Integrations.
2. Select Add Active Directory or Add AD Domain/Agent. Click Add AD Domain/Agent and then click Active Directory.
3. Download the AD Agent by clicking Download Agent. Save the installation file on any server that is part of the AD domain.
4. Run the installation.
5. Specify the FULL domain DNS name: CASUPPORT.support2016.ad.hursley.ibm.com
6. Select either Create or use the OktaService account (recommended) or Use an alternative account that I specify. Although this option can create a new service account, here the installation detected that the OktaService account already existed; otherwise it would create the account and request a password.
7. Type the password and click Next.
8. Click Next.
9. The type of OKTA customer domain depends on the OKTA Access URL. In this example it is https://dev-170098-admin.oktapreview.com/dev/console, so the entries should be filled in to match that URL.
10. Click Next.
11. Log in using the OKTA account: type in the OKTA admin account (admin) and password, then click Sign In.
12. Click Allow Access and then Finish.
13. Log in to OKTA, go to Directory, Directory Integrations and click Active Directory.
14. Select which OUs to sync users from.
15. Select the OUs to sync groups from. NB: the selections are based on the AD hierarchy structure that has been defined.
16. Select the Okta username format. The options are sAMAccountName or UPN.
17. Click Next and then click Next again to initiate the import.
18. In Section 3, Select the attributes to build your Okta User Profile, leave the defaults and select Next.
19. Click Import. Since this is the first time, select Full Import and click Import.
20. Import completed successfully.
21. Select the AD users and select Confirm Assignments.
22. Click Auto-activate users after confirmation and click Confirm.
23. Click People to view the list of imported AD users.

In this example the AD user TM1USER (tm1@casupport.support2016.ad.hursley.ibm.com) is used to demonstrate logging in as both an AD user and an OKTA user through the same OIDC namespace for OKTA.

Assign an AD user and an OKTA user to the application

1. From the Dashboard select Application, click the application link, select the Assignments tab and click the Assign button.
2. Select the users, in this case TM1USER (the AD user) and the OKTA user (email address). Then click the Assign Applications button and click Assign. The AD user info appears; click Save and Go Back and then Done. Repeat for the OKTA user email account.
3. Authenticate now with the AD user.
4. Authenticate with an OKTA user.

Both users belong to the same namespace.

Group/Role Management
Combining both types of user into a Cognos group: create a Cognos group and add BOTH users (AD and Okta) as members. As an example, create a group called “OKTA-AD-Group” in the Cognos namespace and then add both members to the group.
Additional Information:
In 11.1.4+ there are 4 new advanced configuration items:

name - where the parameters are added
authorizeEPAddParms - authorize redirect
pgTokenEPAddParms - password grant flow to the token endpoint
rtTokenEPAddParms - refresh token flow to the token endpoint
codeTokenEPAddParms - authorization code flow to the token endpoint

These items let you control exactly which additional parameters are added and to which endpoint. Since the "resource" parameter can be supplied through these new configuration items, the value lets you put whatever you want in the URL; as a consequence, the value must include the &, the parameter name, and the parameter value, which MUST be URL-encoded, e.g.

name: authorizeEPAddParms
value: &resource=HTTPS%3A%2F%2FADFS_SERVER
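As an added example (not part of the original article, and not Cognos product code), the Python helper below builds a *EPAddParms value in the form the article describes, encoding each parameter value so that characters such as ':' and '/' cannot alter the query string, and checks an existing value for the two mistakes that most often slip into this setting: a missing leading '&' and a value that was not URL-encoded. It then shows the parameter surviving a round trip through an endpoint's query string. The authorize URL, the ADFS_SERVER placeholder and the assumption that the value is appended verbatim to the endpoint's query string are illustrative assumptions, not taken from the product documentation.

```python
"""Build and check *EPAddParms values (added example, not Cognos product code)."""
from urllib.parse import quote, unquote, urlsplit, parse_qsl

# The four advanced configuration items named in the article (11.1.4+).
ADD_PARMS_ITEMS = (
    "authorizeEPAddParms",   # authorize redirect
    "pgTokenEPAddParms",     # password grant flow, token endpoint
    "rtTokenEPAddParms",     # refresh token flow, token endpoint
    "codeTokenEPAddParms",   # authorization code flow, token endpoint
)


def build_add_parms(params: dict) -> str:
    """Return a value in the required form: '&name=value' per parameter,
    with every name and value fully URL-encoded (safe='' also encodes '/' and ':')."""
    return "".join(
        f"&{quote(name, safe='')}={quote(value, safe='')}"
        for name, value in params.items()
    )


def check_add_parms(value: str) -> list:
    """Return the problems found in a configured value; an empty list means it is well-formed."""
    problems = []
    if not value.startswith("&"):
        problems.append("value must start with '&' so it appends to the existing query string")
    for pair in value.lstrip("&").split("&"):
        if "=" not in pair:
            problems.append(f"{pair!r} is not a name=value pair")
            continue
        name, encoded = pair.split("=", 1)
        # A fully encoded value re-encodes to itself (ignoring the case of the hex digits).
        if quote(unquote(encoded), safe="").upper() != encoded.upper():
            problems.append(f"value of {name!r} is not fully URL-encoded: {encoded!r}")
    return problems


def append_to_endpoint(endpoint_url: str, add_parms: str) -> str:
    """Model of how the value reaches the endpoint: appended verbatim to the query string.
    This is an assumption for illustration; the article only says the value goes into the URL."""
    if check_add_parms(add_parms):
        raise ValueError("refusing to append a malformed *EPAddParms value")
    return endpoint_url + add_parms


def decoded_query(url: str) -> dict:
    """Decode the query string back into plain parameters, as the receiving IdP would."""
    return dict(parse_qsl(urlsplit(url).query))


if __name__ == "__main__":
    # Constructed sample: the article's ADFS_SERVER placeholder as the resource value.
    value = build_add_parms({"resource": "https://ADFS_SERVER"})
    print(value)  # &resource=https%3A%2F%2FADFS_SERVER
    print(check_add_parms("&resource=https://ADFS_SERVER"))  # flags the unencoded value
    # Constructed authorize endpoint URL; any real one would already carry its own query string.
    authorize = "https://okta.example/oauth2/v1/authorize?client_id=abc&response_type=code"
    print(decoded_query(append_to_endpoint(authorize, value)))
```

The check is worth running against every *EPAddParms value before saving it in Cognos Configuration: an unencoded value such as &resource=https://ADFS_SERVER is accepted by the configuration UI but changes the query string the IdP receives, and the only symptom is a failed or redirected login.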
Tags: #Administration #CognosAnalyticswithWatson #home #LearnCognosAnalytics