Cognos Analytics

 View Only
Expand all | Collapse all

Anyone using OpenID Connect with Cognos

  • 1.  Anyone using OpenID Connect with Cognos

    Posted Wed April 10, 2024 04:30 PM

    Anyone using OpenID Connect with Cognos? Can you let me know if you got it to work or could not get it to work and what was your Cognos version. Back in 2019 we tried very hard to get it to work (we support several different version of Cognos 11) and could not. Wondering if we should give it another try.



    ------------------------------
    brenda grossnickle
    BI Programmer Analyst
    FIS
    ------------------------------


  • 2.  RE: Anyone using OpenID Connect with Cognos

    Posted Thu April 11, 2024 09:07 AM

    Hi Brenda,

    We recently got OIDC working both for Cognos 11.1.7 and Cognos 11.2.4

    It took a lot of work and time to make this happen; but IBM was extremely helpful. I can't offer higher praise

    The biggest challenge for us was that unlike at IBM, the same person is not both an Azure administrator and a Cognos administrator. Three way webex sessions were necessary with IBM, me (the Cognos administrator) and our Azure administrator. In the end, the biggest challenge was on the Azure side, although (of course) once figured out, it seems much more trivial. We were also concerned about network security limitations at one point, but that proved unfounded in our case

    The other challenge for us was that in moving to OIDC, we moved to a new namespace, meaning that everyone basically was assigned a brand new Cognos account. I manually moved everyone's My Content and carefully granted the right roles and groups. This worked for us manually because we only have 91 users and people's use of Cognos is limited and there are limited variations in security. 

    Another challenge is that because everyone was granted a new account, their recent activity disappeared. My solution to that was creating a spreadsheet of who had run what most recently and where that is located

    In our case, this work was totally worth it to improve security. MFA is now possible. The LDAP protocol is no longer used; and we are in a better place vis-a-vis penetration testing done annually. Improving security is never ending

    Happy to answer more questions

    Sincerely

    Michael Sullivan

    msulliva@northshore.edu



    ------------------------------
    Michael Sullivan
    ------------------------------



  • 3.  RE: Anyone using OpenID Connect with Cognos

    Posted Thu April 11, 2024 10:32 AM

    Thanks for the info. 

    With the new namespace, did everyone lose the ownership of their objects - reports, schedules, jobs, etc? How did you get a list of recent activity?



    ------------------------------
    brenda grossnickle
    BI Programmer Analyst
    FIS
    ------------------------------



  • 4.  RE: Anyone using OpenID Connect with Cognos

    Posted Fri April 12, 2024 10:42 AM

    In regards to the MRU (Most Recently Used) retention (via Excel). Should the need ever arise again, I'd encourage anyone (especially if you have lots of accounts) to write a relatively simple javascript program that each user could run to export their MRUs to a flat file and then import them once the new account is created. The network (ajax) request to fetch(GET) and set(PUT) MRUs can be seen in the browser debug console.  Then, it's just a matter of saving the GET request to a file and importing the file back in with a PUT request. 






  • 5.  RE: Anyone using OpenID Connect with Cognos

    Posted Tue April 16, 2024 09:23 AM
    Thanks, Shawn

    Ah How logical - I'm sure that might help other people, and you'd think it would work where I am  :)

    But both the politics and the level of  end-user "technical" ability where I work make that unviable

    No place is perfect though - I'm not complaining - truly - I'm happy where I am

    Happy Tuesday!

    Mike

    P.S. It would be great though, if IBM offered some more automatic way to change namespaces and authentication systems. When I approached them years ago about an earlier conversion to on premise AD, I was told that using the SDK myself or hiring them to do the conversion were options. Neither was viable for me. I learned then that the internals of IBM's architecture make conversion tricky. I had hoped that internally there might have been pointers to a single value that itself then would correlate to the id in the external authentication system. That would mean not changing the pointers but just the single value. That wasn't the case, the identifier was (is, i guess?) repeated over and over again internally. It would need to be changed in a great many places

    Mike Sullivan





  • 6.  RE: Anyone using OpenID Connect with Cognos

    Posted Tue April 16, 2024 10:02 AM

    Hi Mike,

    In terms of technical ability for the average person to write a javascript program to export/import MRUs... can appreciate that most would lack the ability. The good news is I plan to publish a simple extension to achieve this in the Accelerator catalog. The extension will also provide the same support for importing/exporting favourites.

    Since the tool is geared towards the actual user (and not an admin)... namespace complexities are removed since the same import/export url exists regardlesss of which user uses it.

    In regards to your "PS" comments, I am not fully aware/"in the loop" of the challenges you are referring to. But, if you have not done so already, I would encourage you to submit an enhancement request. I'd be interesting in learning more about the challenge you have and seeing if there are some ways to help overcome these challenges.
    If an enhancement request exists, please share the link so I can take a peek at the details. Thx.




    ------------------------------
    Shawn Crook
    ------------------------------



  • 7.  RE: Anyone using OpenID Connect with Cognos

    Posted Thu April 25, 2024 09:19 AM