The purpose here is to use OKTA's integration with on-premise AD so that both AD and OKTA users can successfully authenticate from Cognos Analytics using a SINGLE namespace. The steps below are simple yet “hands-on”, walking through each step and assuming that the audience is now able to create an OKTA namespace with OIDC.
- OKTA Organisation
- AD on-Premise: CASUPPORT.SUPPORT2016.AD.HURSLEY.IBM.COM
- Server: Cognos Analytics 11 R9
- Assume the OKTA application has been set up according to the following article.
- Access the OKTA Dashboard, switch to Classic UI and, from the Directory menu, click Directory Integrations.
- Select Add Active Directory or Add AD Domain/Agent
- Click Add AD Domain/Agent and then click Active Directory
- Now download the AD Agent by clicking Download Agent.
- Save the installation file on any server that is part of the AD Domain
- Run the installation
- Specify the FULL DomainDNS – CASUPPORT.support2016.ad.hursley.ibm.com
Select either Create or use the OktaService account (recommended) or Use an alternative account that I specify. Here, despite the option to create a new service account, the installation detected that the OktaService account already existed; otherwise it would create the account and request a password.
Type the password and click Next. Click Next.
The type of OKTA customer domain depends on the OKTA Access URL. In this example it’s:
So, the entries should be as follows:
Log in using the okta account
Type in the okta admin account (admin) and password then click Sign In.
Click Allow Access and then Finish.
- Log into OKTA and go to Directory, Directory Integrations and click Active Directory.
- Select which OUs to sync users from:
- Select the OUs to sync Groups from. NB: Selections are based on the AD Hierarchy Structure defined.
- Select the Okta username format. The options are sAMAccountName or UPN.
- Click Next and then click Next to initiate the import.
- In Section 3, Select the attributes to build your Okta User Profile, leave the defaults and select Next.
- Click Import.
- Since this is the first time, select Full Import and click Import.
Import completed successfully
Select the AD users and select Confirm Assignments
- Click Auto-activate users after confirmation and click Confirm.
- Click People to view the list of imported AD users
In this example the AD user TM1USER (firstname.lastname@example.org) will be used to demonstrate the login using both AD and OKTA using the same OIDC Namespace for OKTA
- Assign an AD and OKTA user to the Application. From the Dashboard select Application, then click the application link, select the Assignments tab and click the Assign button.
Select the user, in this case TM1USER (AD user) and the OKTA user (email address). Then click the Assign Applications button and then click Assign. The AD user info appears; then click Save and Go Back and then Done. Repeat for the okta user email account.
Authenticate now with the AD user
Authenticate with an OKTA user
Both belonging to the same namespace
Combining both types of users into a Cognos Group
Create a Cognos Group and add BOTH users (AD and Okta) as members
As an example create a Group called “OKTA-AD-Group” from the Cognos Namespace and then add both members to the group.