Administration: How to setup and authenticate via OIDC OKTA integration with AD on-premise and Cognos Analytics 11 R9+

Blog Home > Administration: How to setup and authenticate via OIDC OKTA integration with AD on-premise and Cognos Analytics 11 R9+

Administration: How to setup and authenticate via OIDC OKTA integration with AD on-premise and Cognos Analytics 11 R9+



The purpose here is to leverage the integration of OKTA integrated with AD on-premise allowing both AD and OKTA users to successfully authenticate from Cognos Analytics using a SINGLE namespace. The steps below are in simplistic yet “hands-on” to walk through each step,  assuming that the audience is now able to create an OKTA namespace with OIDC.


  • OKTA Organisation
  • Server: Cognos Analytics 11 R9


  1. Assume OKTA application has been setup according to the following article.
  2. Access the OKTA Dashboard, switch to Classic UI and select from the Directory menu, click Directory Integrations.
  3. Select Add Active Directory or Add AD Domain/Agent image003
  4. Click Add AD Domain/Agent and then click Active Directory
  5. Now download the AD Agent by clicking Download Agent.
  6. Save the installation file on any server that is part of the AD Domain
  7. Run the installation
    image010 image012
  8. Specify the FULL DomainDNS –
    image014 image016
    Select either Create or use the OktaService account (recommended) or Use an alternative account that I specify. Here despite the option to create a new service account, the installation detected that the OktaService account already existed otherwise it would create the account and request a password.
    image018 image020
    Type the password and click NextClick Next


    The type of OKTA customer domain depends on the OKTA Access URL. In this example it’s:

    So, the entries should be as follows:

    image024 image026

    Click Next

    Log in using the okta account

    Type in the okta admin account (admin) and password then click Sign In.

    Click Allow Access and then Finish.
    image028 image030

  9. Log into OKTA and go to DirectoryDirectory Integrations and click Active Directory.
  10. Select which OUs to sync users from:
  11. Select the OUs to sync Groups fromNB: Selections are based on AD Hierarchy Structure defined
  12. Select the Okta username format. The options are sAMAccountName or UPN.
  13. Click Next and then click Next to initiate the import.
  14. In Section 3Select the attributes to build your Okta User Profile leave the defaults and select Next.
  15. Click Import.
  16. Since this is the first time select Full Import and click Import.
    image046 image048
    Import completed successfully
    Select the AD users and select Confirm Assignments
  17. Click Auto-activate users after confirmation and click Confirm.
  18. Click People to view the list of imported AD users
    In this example the AD user TM1USER ( will be used to demonstrate the login using both AD and OKTA using the same OIDC Namespace for OKTA
  19. Assign an AD and OKTA user to the ApplicationFrom the Dashboard select Application and then click the application link followed by selecting the Assignments tab and select Assign button.
    Select the user in this case TM1USER (AD user) and OKTA user (email address)Then click Assign Applications button and the click Assign. The AD user info appears


    then click Save and Go Back and then Done. Repeat for the okta user email account.


    Authenticate now with the AD user



    Authenticate with an OKTA user

    Both belonging to the same namespace


Group/Role Management

Combining both type of users into a Cognos Group

Create a Cognos Group and add BOTH users (AD and Okta) as members

As an example create a Group called “OKTA-AD-Group” from the Cognos Namespace and then add both members to the group.