Administration: How to set up ADFS OIDC with #Cognos Analytics Release R9+


The purpose of this blog is to show the extent to which OIDC can be implemented across the multiple Identity Providers supported by Cognos Analytics 11 R8+, which include ADFS (Active Directory Federation Services).

The steps below outline how to create an ADFS Application and configure the OpenID Connect Namespace Provider using ADFS. This allows federating users within the 2016 AD Domain environment.

Environment:
Windows 2016
CA 11 R9
Sub Domain: CASUPPORT
ADFS installed

Steps are as follows:

1. Create an ADFS application

[Image 1]

[Image 2]

2. Add the CALLBACK URI to the CA 11 Application

[Image 3]

[Image 4]

Click ‘NEXT’

3. Generate the Shared Secret

[Image 5]

[Image 6]

Client Secret – XW8CH_3qW__rl2t5UEElcm68MRk1Gq6J2doiYws5

Click ‘NEXT’

Summary Info

[Image 7]

Click ‘NEXT’ and ‘CLOSE’

4. We now have the required information to set up OIDC:

Client ID – 100f85d4-7ed8-4826-91b2-b8ad2021963d
Redirect URI – https://tm-win2016.CASUPPORT.support2016.ad.hursley.ibm.com:9300/bi/completeAuth.jsp
Client Secret – XW8CH_3qW__rl2t5UEElcm68MRk1Gq6J2doiYws5

5. The Discovery Point is simply the ADFS host. In this example it is the same machine where CA11 is installed, but it can be on any server.

[Image 8]

6. Use the information captured from the ADFS Application when creating the OIDC/ADFS Namespace. See below:

[Image 9]

7. Switch ALL the URIs to use https

[Image 10]

8. If the optional gateway is used then enable SSL at the gateway

[Image 11]

9. Export the Issuer Certificate used for signing the web server certificate

[Image 12] [Image 13]

10. Select ‘NEXT’ and select ‘Base-64 encoded X.509 (.CER)’

[Image 14]

Give it any name and location

[Image 15]

11. Click ‘NEXT’ and ‘FINISH’

Next, import the exported certificate into the CAM Keystore using the following command line. Stop the service first:

[Image 16]

12. Start the service: open Cognos Configuration, save, and start.

When you launch the browser and try to access the URI:
https://tm-win2016.casupport.support2016.ad.hursley.ibm.com:9300/bi/v1/disp

It appears there are issues with the certificate:

[Image 17]

Click on “Continue to this website (not recommended)”. Despite the certificate error, you successfully log in.

[Image 18] [Image 19]

Click on ‘View certificates’

[Image 20]

Click on “View Certificate”, then select “Install…”, select ‘Local Machine’, and select the ‘Trusted Root Certification Authorities’ certificate store.

[Image 21] [Image 22]

Troubleshooting

When initially setting up the OIDC provider and saving/starting the configuration, the namespace will fail with the following exception:

[Image 23]

This is due to the missing issuer’s certificate.

If you switch to the optional gateway and change the Gateway URI to:

[Image 24] [Image 25]

The problem is that the callback URI doesn’t contain the gateway URI. To resolve this, make sure the callback URI exists both in the ADFS Application and in the OIDC Provider Settings. See below:

[Image 26]

Add the callback URI using the gateway
Modify the OIDC Provider Setting ‘Redirect URI’

[Image 27]

Restart

[Image 28]
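
As an added example (not code from this post, IBM or Microsoft), a small preflight check for the points this walkthrough depends on: https on every URI (step 7), and a Redirect URI that is both registered on the ADFS application and located under the URL users actually enter through (the gateway problem in Troubleshooting). All hosts, paths and function names are constructed placeholders, and exact-string matching of redirect URIs is an assumption taken from OpenID Connect Core, not from the post.

```python
from urllib.parse import urlsplit

def origin(uri):
    """(scheme, host, port); scheme and host are case-insensitive, so lower-case them."""
    p = urlsplit(uri)
    scheme = p.scheme.lower()
    return (scheme, (p.hostname or "").lower(), p.port or {"https": 443, "http": 80}.get(scheme))

def preflight(discovery, fetched_from, adfs_redirects, cognos_redirect, entry_url):
    """Return a list of findings; an empty list means the settings agree."""
    findings = []
    # Step 7: the discovery endpoints and the Redirect URI must all be https.
    uris = {k: v for k, v in discovery.items()
            if k == "issuer" or k.endswith(("_endpoint", "_uri"))}
    uris["Redirect URI"] = cognos_redirect
    for name, uri in uris.items():
        if urlsplit(uri).scheme.lower() != "https":
            findings.append(f"{name} is not https: {uri}")
    # The issuer should be on the host the discovery document was fetched from.
    if origin(discovery["issuer"]) != origin(fetched_from):
        findings.append("issuer host differs from the discovery host")
    # Troubleshooting: Redirect URI must be registered in ADFS (exact string; assumption).
    if cognos_redirect not in adfs_redirects:
        path = urlsplit(cognos_redirect).path
        near = any(origin(r) == origin(cognos_redirect) and urlsplit(r).path == path
                   for r in adfs_redirects)
        findings.append("Redirect URI matches an ADFS entry only after normalising scheme/host"
                        if near else "Redirect URI is not registered on the ADFS application")
    # It must also sit under the URL users enter through (dispatcher or gateway).
    prefix = urlsplit(entry_url).path.rstrip("/") + "/"
    if (origin(cognos_redirect) != origin(entry_url)
            or not urlsplit(cognos_redirect).path.startswith(prefix)):
        findings.append("Redirect URI is not under the entry URL (gateway vs dispatcher)")
    return findings

# Constructed sample values: placeholder hosts and paths, not the environment in this post.
DISCOVERY_URL = "https://adfs.example.test/adfs/.well-known/openid-configuration"
DISCOVERY = {
    "issuer": "https://adfs.example.test/adfs",
    "authorization_endpoint": "https://adfs.example.test/adfs/oauth2/authorize/",
    "token_endpoint": "http://adfs.example.test/adfs/oauth2/token/",  # deliberately http
    "jwks_uri": "https://adfs.example.test/adfs/discovery/keys",
}
ADFS_REDIRECTS = ["https://ca.example.test:9300/bi/completeAuth.jsp"]
DISPATCHER = "https://ca.example.test:9300/bi/"
GATEWAY = "https://ca.example.test/ibmcognos/bi/"
if __name__ == "__main__":
    for entry in (DISPATCHER, GATEWAY):
        print(entry, preflight(DISCOVERY, DISCOVERY_URL, ADFS_REDIRECTS, ADFS_REDIRECTS[0], entry))
```

Run against the dispatcher URL it reports only the http token endpoint; run against the gateway URL it also reports that the registered Redirect URI still points at the dispatcher.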