Administration: How to setup #Cognos Analytics OpenID Authentication Proxy federating with Active Directory and LDAP over AD


The purpose of this document is to walk step by step through setting up OpenID Authentication Proxy federation with an Active Directory namespace and with an LDAP over Active Directory namespace. The following is an actual lab setup:

Environment:
Active Directory: Windows 2016
Domain: CASUPPORT
Cognos Analytics 11 R10+
OS: Windows 2016
Identity Provider: OKTA

Before we start, it is assumed that users can already authenticate successfully and independently against OKTA, AD and LDAP over AD as configured in the Cognos Analytics environment (see Appendix A), via SSO where that is enabled.
Below is the list of preconfigured namespaces that will be federated using the OpenID Authentication Proxy (each entry is followed by its screenshot):

Environment: Gateway URL

CA_Gateway_URL1

NB: The Gateway configuration in this scenario must already be set up and working before continuing.

OKTA: OKTA-DEV

OKTA_Namespace1

AD: AD2016

AD_Namespace1

LDAP: ADLDAP

LDAP_Over_AD_Namespace

Configuration for OpenID Authentication Proxy and LDAP over AD Namespace

Steps are as follows:

1. Open Cognos Configuration and create a new OpenID Authentication Proxy namespace.

TSP-ADLDAP_part1

2. Fill in the same details as for the OKTA namespace, i.e. Discovery endpoint, Client ID, Client secret and Return URL.

TSP-ADLDAP_part3

The important fields are:

Identity claim name
Trusted environment name: REMOTE_USER (default)
Redirect namespace ID: the LDAP over AD namespace being federated to

So here is how those three fields are mapped:

Mapping

Identity claim name: sAMAccountName
Trusted environment name: REMOTE_USER
Redirect namespace ID: ADLDAP

The REMOTE_USER variable is required for SSO via the Gateway: the proxy places the value of the identity claim (here sAMAccountName) in this trusted environment variable, and the redirect namespace (ADLDAP) accepts it as an already-authenticated logon name, so that namespace's external identity mapping must resolve the value to exactly one user entry. Because the target namespace trusts REMOTE_USER without re-authenticating, it must only ever be populated by the Gateway after a successful OpenID login, never from a header that a client could supply directly.

Configuration for OpenID Authentication Proxy and AD Namespace

1. Open Cognos Configuration and create a new OpenID Authentication Proxy namespace.

TSP-AD2016

2. Fill in the same details as for the OKTA namespace, i.e. Discovery endpoint, Client ID, Client secret and Return URL.

TSP-AD2016_v3

With regard to the Identity claim name field for AD, it is important to find a claim that both the identity provider and AD have in common and that contains the user name.

So, if you review the list of “Claims Supported” in the Discovery Endpoint document:

https://dev-297076-admin.oktapreview.com:443/.well-known/openid-configuration

you will see the “name” claim. Then review the list of attributes for any authenticating user in AD and locate the “name” attribute.

See below:

AD_Claim_Mapping

TSP-AD2016_v4

Identity claim name: a string naming the claim from the id_token whose value will be provided to the target namespace. Here it is the “name” claim from the id_token that is passed to the target namespace (AD2016), which also has a “name” attribute that exists for all users. Whichever claim is chosen, its value must identify exactly one account in the target namespace: sAMAccountName is unique across the domain, whereas name (the CN) is only required to be unique within its container, so check for duplicates before relying on it.

3. Save the configuration and restart the Cognos Analytics service.

Switch on OIDC tracing via the Custom Topics and the decoded id_token will appear in the trace, showing the “name” claim. Switch the tracing off again once the mapping is confirmed, since the trace writes the full token contents, including user-identifying claims, to the log:

TSP_ID_TOKEN_v1
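The trace above shows the decoded id_token; the following script is an added example (not part of the original post and not IBM tooling) that performs the same inspection offline for both mappings described on this page: sAMAccountName for the LDAP over AD namespace and name for the AD namespace. It decodes a constructed id_token, checks issuer, audience and expiry against a constructed discovery document, confirms the chosen claim is advertised in claims_supported and present in the token, and then resolves the claim value against constructed directory entries the way the target namespace resolves REMOTE_USER. The issuer, client ID, directory entries and token are all assumptions; Cognos verifies the token signature against the jwks_uri, which this script deliberately does not do.

```python
"""Offline check that an id_token claim is usable as the Cognos Identity claim name.

Added example: issuer, client id, directory entries and the token are all
constructed here so the script runs without network access. Signature
verification is out of scope (Cognos does that against jwks_uri); only the
claims are inspected.
"""
import base64
import json
import time

# Constructed subset of a /.well-known/openid-configuration document (assumed values).
DISCOVERY = {
    "issuer": "https://idp.example.com/oauth2/default",
    "claims_supported": ["sub", "iss", "aud", "exp", "iat", "name",
                         "preferred_username", "email", "sAMAccountName"],
}
CLIENT_ID = "0oa-example-client-id"  # assumed Client ID of the Cognos application

# Constructed directory entries standing in for the AD / LDAP over AD users.
# Two users deliberately share the same "name" (CN) in different OUs: AD only
# requires the CN to be unique within its container, while sAMAccountName is
# unique across the domain.
DIRECTORY = [
    {"distinguishedName": "CN=Jane Doe,OU=Sales,DC=casupport,DC=local",
     "name": "Jane Doe", "sAMAccountName": "jdoe"},
    {"distinguishedName": "CN=John Smith,OU=Sales,DC=casupport,DC=local",
     "name": "John Smith", "sAMAccountName": "jsmith"},
    {"distinguishedName": "CN=John Smith,OU=Finance,DC=casupport,DC=local",
     "name": "John Smith", "sAMAccountName": "jsmith2"},
]


def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_id_token(id_token):
    """Return (header, claims) of a compact JWT. The signature is not checked."""
    header_b64, payload_b64, _signature_b64 = id_token.split(".")
    return (json.loads(_b64url_decode(header_b64)),
            json.loads(_b64url_decode(payload_b64)))


def make_token(claims, alg="RS256"):
    """Build a constructed JWT with a placeholder signature for offline testing."""
    header = json.dumps({"alg": alg, "typ": "JWT"}).encode()
    payload = json.dumps(claims).encode()
    return ".".join([_b64url_encode(header), _b64url_encode(payload),
                     _b64url_encode(b"placeholder-signature")])


def check_identity_claim(id_token, claim_name, attribute=None, now=None,
                         discovery=DISCOVERY, client_id=CLIENT_ID, directory=DIRECTORY):
    """Validate token metadata, then map claim_name to a directory attribute.

    Returns (ok, problems, entry): ok is True only when no problem was found and
    the claim value resolves to exactly one directory entry.
    """
    attribute = attribute or claim_name
    now = time.time() if now is None else now
    header, claims = decode_id_token(id_token)
    problems = []

    # Sanity checks any consumer must make before trusting a claim.
    if header.get("alg") in (None, "none"):
        problems.append("unsigned token (alg=%r)" % header.get("alg"))
    if claims.get("iss") != discovery["issuer"]:
        problems.append("issuer %r does not match discovery issuer" % claims.get("iss"))
    aud = claims.get("aud")
    if not (aud == client_id or (isinstance(aud, list) and client_id in aud)):
        problems.append("audience %r does not include the client id" % (aud,))
    if claims.get("exp", 0) <= now:
        problems.append("token expired")

    # The claim chosen as Identity claim name must be advertised and present.
    if claim_name not in discovery.get("claims_supported", []):
        problems.append("claim %r not listed in claims_supported" % claim_name)
    value = claims.get(claim_name)
    if not value:
        problems.append("claim %r missing or empty in id_token" % claim_name)
        return False, problems, None

    # What the target namespace does with REMOTE_USER: the value has to identify
    # exactly one account, otherwise logon fails or lands on the wrong user.
    matches = [e for e in directory if e.get(attribute) == value]
    if len(matches) != 1:
        problems.append("%r matched %d entries on %s" % (value, len(matches), attribute))
        return False, problems, None
    return not problems, problems, matches[0]


if __name__ == "__main__":
    token = make_token({"iss": DISCOVERY["issuer"], "aud": CLIENT_ID,
                        "exp": int(time.time()) + 300,
                        "name": "John Smith", "sAMAccountName": "jsmith"})
    for claim in ("name", "sAMAccountName"):
        ok, problems, entry = check_identity_claim(token, claim)
        print(claim, "->", "OK" if ok else "FAIL", problems,
              entry["distinguishedName"] if entry else None)
```

Running the script as-is shows the point of the uniqueness caveat: the same token resolves cleanly on sAMAccountName but fails on name because two constructed entries share the CN "John Smith". To inspect a real token from the OIDC trace, paste it into make_token's place and set DISCOVERY and CLIENT_ID to the values from your own discovery document and namespace.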

Additional Information

Appendix A: