Administration: How to set up and authenticate via OIDC OKTA integration with AD on-premise and Cognos Analytics 11 R9+

Introduction

The purpose here is to integrate OKTA with on-premise AD so that both AD users and OKTA users can authenticate to Cognos Analytics through a SINGLE namespace. The steps below are deliberately simple but hands-on, walking through each screen; they assume the reader is already able to create an OKTA namespace with OIDC.

Environment

  • OKTA Organisation
  • AD on-Premise: CASUPPORT.SUPPORT2016.AD.HURSLEY.IBM.COM
  • Server: Cognos Analytics 11 R9

Steps

  1. Assume the OKTA application has been set up according to the following article.
  2. Access the OKTA Dashboard, switch to the Classic UI, and from the Directory menu click Directory Integrations.
  3. Select Add Active Directory (in some UI versions the button is labelled Add AD Domain/Agent).
  4. Click Add AD Domain/Agent and then click Active Directory.
  5. Download the AD Agent by clicking Download Agent.
  6. Save the installation file on any server that is a member of the AD domain.
  7. Run the installation.
  8. Specify the FULL domain DNS name: CASUPPORT.support2016.ad.hursley.ibm.com
    Select either Create or use the OktaService account (recommended) or Use an alternative account that I specify. In this example the installer detected that the OktaService account already existed; otherwise it would create the account and prompt for a password. This is the account the agent uses to read users and groups from AD, so keep it a dedicated, non-privileged service account rather than a domain administrator.
    Type the password and click Next, then click Next again.

    The OKTA customer domain type depends on the OKTA access URL. In this example it is:

    https://dev-170098-admin.oktapreview.com/dev/console

    so the entries should be as follows: the organisation subdomain is dev-170098 (the -admin suffix of the admin console URL is not part of it) and the domain type is oktapreview.com.

    Click Next.

    Log in using the OKTA account: type the OKTA admin account (admin) and its password, then click Sign In.

    Click Allow Access and then Finish.

  9. Log into OKTA, go to Directory > Directory Integrations and click Active Directory.
  10. Select the OUs to sync users from.
  11. Select the OUs to sync groups from. NB: the selections follow the AD hierarchy as defined in the domain.
  12. Select the Okta username format. The options are sAMAccountName or UPN. The format chosen here becomes the Okta username that identifies the AD user downstream; in this example the AD user later appears as tm1@casupport.support2016.ad.hursley.ibm.com, i.e. in UPN form.
  13. Click Next, then click Next again to initiate the import.
  14. In Section 3, Select the attributes to build your Okta User Profile, leave the defaults and click Next.
  15. Click Import.
  16. Since this is the first import, select Full Import and click Import.
    When the import has completed successfully, select the AD users and click Confirm Assignments.
  17. Tick Auto-activate users after confirmation and click Confirm. Note that this activates an OKTA account for every user imported from the OUs selected in step 10, so scope that OU selection accordingly.
  18. Click People to view the list of imported AD users.
    In this example the AD user TM1USER (tm1@casupport.support2016.ad.hursley.ibm.com) is used to demonstrate login by both an AD user and an OKTA user through the same OIDC namespace for OKTA.
  19. Assign an AD user and an OKTA user to the application. From the Dashboard select Applications, click the application link, select the Assignments tab and click Assign.
    Select the user, in this case TM1USER (the AD user), then click Assign Applications and then Assign. The AD user information appears; click Save and Go Back and then Done. Repeat for the OKTA user, who is identified by email address.

    Authenticate now with the AD user.

    Then authenticate with an OKTA user.

    Both users belong to the same namespace.
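Before and after running the agent installer (steps 6 to 8) it is worth verifying the prerequisites from the command line rather than trusting the installer dialogs. The following PowerShell script is an added example and is not part of the original post or of the Okta agent: it is meant to be run in an elevated PowerShell session on the domain-joined server chosen in step 6, and assumes the RSAT ActiveDirectory module is installed there. The domain name, the OktaService account and the TM1USER account come from the post; the sAMAccountName `tm1` and the agent's Windows service name `OktaADAgent` are assumptions.

```powershell
# Added example (not from the original post): pre-flight and post-install checks for the
# Okta AD Agent, run in an elevated PowerShell session on the domain-joined server from
# step 6. Assumes the RSAT ActiveDirectory module is installed on that server.
# The domain, service account and test user come from the post; the agent's Windows
# service name ('OktaADAgent') and the sAMAccountName 'tm1' are assumptions.

$DomainDns      = 'CASUPPORT.support2016.ad.hursley.ibm.com'   # full DNS name from step 8
$ServiceAccount = 'OktaService'                                  # recommended account from step 8
$TestUser       = 'tm1'                                          # TM1USER from step 18 (assumed sAMAccountName)

Import-Module ActiveDirectory -ErrorAction Stop

# 1. The agent must be able to locate a domain controller for the full DNS domain name,
#    and this host must have a healthy secure channel to the domain.
$dc = Get-ADDomainController -Discover -DomainName $DomainDns -ErrorAction Stop
Write-Host "Domain controller found: $($dc.HostName)"
if (-not (Test-ComputerSecureChannel)) {
    throw "Secure channel to $DomainDns is broken; repair it before installing the agent"
}

# 2. The service account must exist and be enabled. The agent only needs to read users
#    and groups from AD, so warn if the account sits in a privileged group.
$svc = Get-ADUser -Identity $ServiceAccount -Properties MemberOf, Enabled -ErrorAction Stop
if (-not $svc.Enabled) { throw "$ServiceAccount is disabled" }
$privileged = @($svc.MemberOf | Where-Object {
    $_ -match '^CN=(Domain Admins|Enterprise Admins|Administrators),'
})
if ($privileged.Count -gt 0) {
    Write-Warning "$ServiceAccount is in privileged group(s): $($privileged -join '; ')"
}

# 3. Step 12 asks for the Okta username format (sAMAccountName or UPN). Show both
#    candidates for the test user so the choice can be confirmed before the import.
$u = Get-ADUser -Identity $TestUser -Properties UserPrincipalName, mail -ErrorAction Stop
[pscustomobject]@{
    sAMAccountName = $u.SamAccountName
    UPN            = $u.UserPrincipalName
    mail           = $u.mail
} | Format-List

# 4. After the installer finishes, the agent service should exist, be running and be
#    set to start automatically. The service name is an assumption (see header).
$agent = Get-Service -Name 'OktaADAgent' -ErrorAction SilentlyContinue
if ($null -eq $agent) {
    Write-Warning "Okta AD Agent service not found (not installed yet, or a different service name)"
} else {
    $agent | Select-Object Name, Status, StartType | Format-List
}
```

The privileged-group check in section 2 is the part worth keeping around: the agent binds to AD with this account, so if it is ever granted Domain Admins membership for convenience, a compromise of the agent host becomes a compromise of the domain. Section 3 simply makes the step 12 decision visible; whichever attribute is chosen there is the value that has to match what the OKTA user later assigned in step 19 and the Cognos group membership refer to.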

Group/Role Management

Combining both types of user into a Cognos group

Create a Cognos group and add BOTH users (AD and Okta) as members.

As an example, create a group called “OKTA-AD-Group” in the Cognos namespace and then add both members to the group.