Cognos Analytics


Anyone using OpenID Connect with Cognos

  • 1.  Anyone using OpenID Connect with Cognos

    Posted Wed April 10, 2024 04:30 PM

    Anyone using OpenID Connect with Cognos? Can you let me know if you got it to work or could not get it to work and what was your Cognos version? Back in 2019 we tried very hard to get it to work (we support several different versions of Cognos 11) and could not. Wondering if we should give it another try.



    ------------------------------
    brenda grossnickle
    BI Programmer Analyst
    FIS
    ------------------------------


  • 2.  RE: Anyone using OpenID Connect with Cognos

    Posted Thu April 11, 2024 09:07 AM

    Hi Brenda,

    We recently got OIDC working both for Cognos 11.1.7 and Cognos 11.2.4

    It took a lot of work and time to make this happen, but IBM was extremely helpful. I can't offer higher praise.

    The biggest challenge for us was that unlike at IBM, the same person is not both an Azure administrator and a Cognos administrator. Three-way Webex sessions were necessary with IBM, me (the Cognos administrator) and our Azure administrator. In the end, the biggest challenge was on the Azure side, although (of course) once figured out, it seems much more trivial. We were also concerned about network security limitations at one point, but that proved unfounded in our case.

    The other challenge for us was that in moving to OIDC, we moved to a new namespace, meaning that everyone basically was assigned a brand new Cognos account. I manually moved everyone's My Content and carefully granted the right roles and groups. This worked for us manually because we only have 91 users and people's use of Cognos is limited and there are limited variations in security.

    Another challenge is that because everyone was granted a new account, their recent activity disappeared. My solution to that was creating a spreadsheet of who had run what most recently and where that is located.

    In our case, this work was totally worth it to improve security. MFA is now possible. The LDAP protocol is no longer used, and we are in a better place vis-a-vis penetration testing done annually. Improving security is never ending.

    Happy to answer more questions

    Sincerely

    Michael Sullivan

    msulliva@northshore.edu



    ------------------------------
    Michael Sullivan
    ------------------------------



  • 3.  RE: Anyone using OpenID Connect with Cognos

    Posted Thu April 11, 2024 10:32 AM

    Thanks for the info. 

    With the new namespace, did everyone lose the ownership of their objects - reports, schedules, jobs, etc? How did you get a list of recent activity?



    ------------------------------
    brenda grossnickle
    BI Programmer Analyst
    FIS
    ------------------------------



  • 4.  RE: Anyone using OpenID Connect with Cognos

    Posted Fri April 12, 2024 10:42 AM

    In regards to the MRU (Most Recently Used) retention (via Excel): should the need ever arise again, I'd encourage anyone (especially if you have lots of accounts) to write a relatively simple JavaScript program that each user could run to export their MRUs to a flat file and then import them once the new account is created. The network (AJAX) requests to fetch (GET) and set (PUT) MRUs can be seen in the browser debug console. Then, it's just a matter of saving the GET request to a file and importing the file back in with a PUT request.






  • 5.  RE: Anyone using OpenID Connect with Cognos

    Posted Tue April 16, 2024 09:23 AM
    Thanks, Shawn

    Ah, how logical - I'm sure that might help other people, and you'd think it would work where I am :)

    But both the politics and the level of end-user "technical" ability where I work make that unviable

    No place is perfect though - I'm not complaining - truly - I'm happy where I am

    Happy Tuesday!

    Mike

    P.S. It would be great though, if IBM offered some more automatic way to change namespaces and authentication systems. When I approached them years ago about an earlier conversion to on premise AD, I was told that using the SDK myself or hiring them to do the conversion were options. Neither was viable for me. I learned then that the internals of IBM's architecture make conversion tricky. I had hoped that internally there might have been pointers to a single value that itself then would correlate to the id in the external authentication system. That would mean not changing the pointers but just the single value. That wasn't the case; the identifier was (is, I guess?) repeated over and over again internally. It would need to be changed in a great many places.

    Mike Sullivan





  • 6.  RE: Anyone using OpenID Connect with Cognos

    Posted Tue April 16, 2024 10:02 AM

    Hi Mike,

    In terms of technical ability for the average person to write a JavaScript program to export/import MRUs... can appreciate that most would lack the ability. The good news is I plan to publish a simple extension to achieve this in the Accelerator catalog. The extension will also provide the same support for importing/exporting favourites.

    Since the tool is geared towards the actual user (and not an admin)... namespace complexities are removed since the same import/export URL exists regardless of which user uses it.

    In regards to your "PS" comments, I am not fully aware/"in the loop" of the challenges you are referring to. But, if you have not done so already, I would encourage you to submit an enhancement request. I'd be interested in learning more about the challenge you have and seeing if there are some ways to help overcome these challenges.
    If an enhancement request exists, please share the link so I can take a peek at the details. Thx.




    ------------------------------
    Shawn Crook
    ------------------------------



  • 7.  RE: Anyone using OpenID Connect with Cognos

    Posted Thu April 25, 2024 09:19 AM

    What is the Accelerator catalog?



    ------------------------------
    brenda grossnickle
    BI Programmer Analyst
    FIS
    ------------------------------



  • 8.  RE: Anyone using OpenID Connect with Cognos

    Posted Thu April 25, 2024 11:09 AM

    https://accelerator.ca.analytics.ibm.com/bi



    ------------------------------
    Shawn Crook
    ------------------------------



  • 9.  RE: Anyone using OpenID Connect with Cognos

    Posted Thu April 25, 2024 12:20 PM

    Wow, did not know that existed. Lots of good information. Can you let me know when you post the accelerator for saving MRU and Favorites? I looked for it but did not find.



    ------------------------------
    brenda grossnickle
    BI Programmer Analyst
    FIS
    ------------------------------



  • 10.  RE: Anyone using OpenID Connect with Cognos

    Posted Thu April 11, 2024 09:23 AM

    Hi Brenda,

    I suggest you do a web search on "Tony Marziano Cognos OIDC". He has the best material I've seen on this subject, public or internal.

    Cheers,



    ------------------------------
    TREVOR COMEAU
    ------------------------------



  • 11.  RE: Anyone using OpenID Connect with Cognos

    IBM Champion
    Posted Mon May 06, 2024 05:58 AM

    Hello Brenda,

    We migrated from Siteminder to OIDC in 2019 using https://github.com/OpenIDC/mod_auth_openidc together with Apache and/or IHS webserver on Linux, using CA 11.0.4, 11.1.7 and 11.2.1.

    We needed some changes in the mod_auth_openidc code to get IBM Cognos for Microsoft Office to work (see: https://github.com/OpenIDC/mod_auth_openidc/pull/479 )

    Authentication is done using the mod_auth_openidc module in Apache/IHS. The remote_user variable is used to transfer the logged-in user to the application server.

    We use a modified cJAP to authorize users against LDAP or Active Directory Servers. Inside the cJAP we rewrite the CAMID that is used inside Cognos in a way so that we do not have issues when changing namespace. 

    Especially the MS Active Directory returning hashed userIDs was an issue, which we could solve by "rewriting" the answer provided to Cognos to USERID@domain.net inside cJAP.

    Only issue remaining is that, whenever we hit the OIDC timeout, XHR requests from GlassUI are not honoring / understanding the 401 or 403 not authorized status code returned by the webserver, leaving the user with different error messages or blank screens depending on the "application" being used - means: Portal, ReportStudio, Dashboard ... all behave differently when OIDC re-authentication is needed. Users are happy with simply reloading the browser window, whenever they experience such an issue. We filed this EHR in IDEAS: https://ibm-data-and-ai.ideas.ibm.com/ideas/CAOP-I-2388 - probably needs some up-votes ;-) - to solve the described issue.

    The support of Mr. Zandbelt's company (https://www.openidc.com/) to the library provided on GitHub is outstanding. I can only recommend this.

    We can provide docker-file for compiling the library. We can also help you with configuration and debugging, if you are using Linux.

    best regards,

    Ralf



    ------------------------------
    Ralf Roeber
    https://linkedin.com/in/ralf-roeber/
    ------------------------------
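
The gateway arrangement described in post 11 (mod_auth_openidc in Apache/IHS authenticating the user and setting REMOTE_USER) looks roughly like the following. This is an added example, not part of the thread and not Ralf's configuration; the hostnames, client ID, secrets, claim name, timeout values and the /ibmcognos path are assumed placeholders.

```apache
# Added example: every value below is a placeholder, not taken from the thread.
LoadModule auth_openidc_module modules/mod_auth_openidc.so

# Identity provider discovery document and the client registered for this gateway.
OIDCProviderMetadataURL https://idp.example.com/.well-known/openid-configuration
OIDCClientID            cognos-gateway-placeholder
OIDCClientSecret        REPLACE_WITH_CLIENT_SECRET
OIDCScope               "openid profile email"

# Must be a path inside a protected Location that serves no real content;
# the same URL has to be registered as a redirect URI at the provider.
OIDCRedirectURI         https://cognos.example.com/ibmcognos/redirect_uri

# Protects the module's session cookie and state; use a long random value.
OIDCCryptoPassphrase    REPLACE_WITH_RANDOM_PASSPHRASE

# Claim whose value becomes REMOTE_USER (assumed claim name).
# Pick a claim that is stable and unique per user at your provider.
OIDCRemoteUserClaim     preferred_username

# Session lifetime in seconds. When either limit is reached the next
# request is unauthenticated, which is the "OIDC timeout" the post refers to.
OIDCSessionInactivityTimeout 1800
OIDCSessionMaxDuration       28800

<Location /ibmcognos>
    AuthType openid-connect
    Require valid-user
</Location>

# How REMOTE_USER reaches the application server depends on the connector
# in use and is not shown here. Whatever sits behind this server trusts
# that value, so the backend should accept connections only from this
# web server and never directly from clients.
```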