Cognos Analytics

Expand all | Collapse all

CA 11.1 vs Azure OpenID Authentication

  • 1.  CA 11.1 vs Azure OpenID Authentication

    Posted Wed June 24, 2020 12:59 PM

    Hi all,
    in a multiserver Cognos 11.1.6 environment (2 Dispatcher w/Cm win, 1 Dispatcher Linux, 2 GW win in https with a true certificate created for FQDN), we have configured main authentication system on MSAD and a new one as Open OID with Azure (MS Cloud).

    We followed carefully all the configuration steps on both platforms (app ID, directory ID,  secret key, and also installed shared certificates).

    When I try to login from GW, Cognos doesn't recognize any other Namespace to log in, even if I can see it (grey) in administration console.

    When I login through dispatcher (on port 9300) instead, the system asks me to select the Namespace I want to use to login.
    If I choose AzureAD, I'm asked for user id and password and then also if I want to remember my choice (so it seems that everything is correct).
    But when it's time to redirect to Return URL (https://gw:443/ibmcognos/bi/bi/completeAuth.jsp
    I receive back an authentication CA error message:  Selected Namespace not valid .....
    I've tried also to activate a specific debug log (json.xml), but I can't see anything strange...

    If I log in firstly on MSAD (always from dispatcher URL), I'm allowed to do the second login on Azure: but after the 3 previous steps (User, pswd, confirmation), I receive the same error. 

    May I use a script for Identity claim name properties??  such as:          ${replace(${environment("REMOTE_USER")}, "MyDomain\\","")}
    and what I have to set in redirect namespace ID?  Azure NS ID   or principal AD ID  ??

    Why gateways don't recognize the configured NS, while Dispatcher does?
    Could it be a problem with IIS rewrite rules?

    Any help is appreciated...

    Bruno



    ------------------------------
    Bruno Abuaf
    ------------------------------


  • 2.  RE: CA 11.1 vs Azure OpenID Authentication

    Posted 29 days ago
    Hi Bruno.

    Just wondering if you found a solution to this issue?
    We are facing a very similar problem with CA 11.1.7 and accessing dashboards via iframes.

    BR,
    Kasper

    ------------------------------
    Kasper Dueholm
    ------------------------------



  • 3.  RE: CA 11.1 vs Azure OpenID Authentication

    Posted 29 days ago
    Edited by Robert Hofstetter 29 days ago
    Bruno,

    I noticed the return URL seems to have /bi/bi in it. If that is not a typo then I would say there is definitely something wrong with either the rewrite rules or possibly the registration in Azure because that it what is directing back to that URL. It has been some time since I have tested using Azure OID but never had a problem with it. In case you hadn't found it here is a link to Antonio's step-by-step guide: How to setup Azure OIDC with Cognos Analytics Release R8+.

    ------------------------------
    Robert Hofstetter
    ------------------------------