Configuring an OpenID Connect namespace

To use an OpenID Connect identity provider with IBM® Cognos® Analytics, you must configure an OpenID Connect namespace.

If you use IBMid as your OpenID Connect identity provider, see Managing OpenID connect namespaces for more information.

If users have authentication problems after you have successfully configured your OpenID Connect namespace, use diagnostic logging in the Manage component of Cognos Analytics to troubleshoot the issue. Create a new logging topic that is based on the predefined AAA topic, and add the following logger definition to it so that the OIDC provider logs at DEBUG level:

{
  "loggerDefinitions": [
    {
      "loggerName": "com.ibm.cognos.camaaa.internal.OIDC",
      "level": "DEBUG",
      "additivity": true
    }
  ],
  "topicName": "OIDC"
}

For more information on diagnostic logging, see Logging types and files.

Procedure

  1. Open IBM Cognos Configuration on your Content Manager computer.
  2. Under Security > Authentication, right-click and select New resource > Namespace.
  3. For Type (Group), select OpenID connect.
  4. For Type, select one of the identity providers from the drop-down list that includes the supported identity providers.
  5. Type the namespace name in the Name field, and then click OK.

    The new namespace is added in the Explorer pane under Security > Authentication, and its properties are displayed in the properties pane.

  6. Specify values for the namespace properties.
    Tip: Information about each property is displayed in the user interface when you click the property.
    • The Namespace ID is used in the CAMID.
    • Specify values for Discovery Endpoint, Client Identifier, and OpenID Connect client secret, as suggested by your OpenID Connect administrator.
    • If you are using a forward proxy to configure a tunnel between Cognos Analytics and the OIDC namespace,
      1. Select Advanced properties and then click the edit icon.

      2. Set the following name/value pair:
        • Name: https_proxy
        • Value: proxy_server:port

          where proxy_server is the fully qualified name of the proxy server and port is the port on which the proxy accepts connections

      3. Right-click the namespace and select Test to confirm that the namespace is working.
      4. Confirm that the Cognos Analytics server is tunneling through the proxy:
        • Stop the service on the proxy server.
        • Right-click the namespace and select Test.

          The test should fail while the proxy is stopped, which confirms that the connection to the identity provider is being tunneled through the proxy rather than going direct.

    • Update the Return URL with your gateway or dispatcher URL, as shown in the following example:

      http://mycompany:9300/bi/completeAuth.jsp

      If you use a load balancer in your environment, include the load balancer DNS entry in the Return URL in front of the gateway or dispatcher nodes, as shown in the following example:

      https://MyLoadbalancerDNS.mycompany.com:443/ibmcognos/bi/completeAuth.jsp

      In this example, the Cognos Analytics gateway is installed on the web server.

      If you are using a set of dispatcher nodes behind the load balancer where the Cognos Analytics gateway is not installed on the web server, the Return URL might look as follows:

      https://MyLoadbalancerDNS.mycompany.com:9300/bi/completeAuth.jsp

    Tip: The Multitenancy properties do not need to be specified now.
  7. Import the OpenID Connect root certificate authority certificate into the Cognos Analytics keystore by using the Third-Party Certificate Tool.
    • On UNIX or Linux® operating systems, type ThirdPartyCertificateTool.sh -i -T -r cert.cer -p NoPassWordSet
    • On Windows operating systems, type ThirdPartyCertificateTool.bat -i -T -r cert.cer -p NoPassWordSet
    Tip: Replace the cert variable with the name of the certificate file that is used by your OpenID Connect identity provider. For IBMid, the file name is blueid.cer.
    The command imports the contents into the CAMKeystore file in the certs directory by using the specified password.
  8. Perform the same configuration steps on your backup Content Manager computer.
  9. Restart the IBM Cognos service on the Content Manager and the backup Content Manager computers.
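The following Python is added here as a worked example; it is not part of IBM's documentation or product. It assembles the Return URL for the three topologies shown in step 6 (gateway on the web server, a load balancer on port 443 with the /ibmcognos alias, and a load balancer in front of dispatcher nodes on port 9300) and applies the checks worth running before that URL is registered as a redirect URI at the identity provider. The host names and ports are the page's examples; the function names are this example's own, and the lint rules reflect how OpenID Connect matches redirect URIs (exact string comparison), not any Cognos Configuration behaviour.

```python
# Added example, not IBM code: build and sanity-check the Cognos Analytics
# OIDC Return URL for the deployment shapes described in step 6.
from urllib.parse import urlsplit

# Every Return URL ends in the completeAuth.jsp endpoint under /bi.
COMPLETE_AUTH_PATH = "/bi/completeAuth.jsp"


def return_url(scheme: str, host: str, port: int, context_root: str = "") -> str:
    """Build the Return URL for a given topology.

    context_root is the gateway alias on the web server (for example
    "/ibmcognos"). Leave it empty when the URL points at a dispatcher, or at
    a load balancer in front of dispatchers, on port 9300.
    """
    root = context_root.strip("/")
    prefix = f"/{root}" if root else ""
    return f"{scheme}://{host}:{port}{prefix}{COMPLETE_AUTH_PATH}"


def redirect_uri_registered(url: str, registered: list[str]) -> bool:
    """OpenID Connect compares redirect_uri with the values registered at the
    identity provider by simple string match, so a trailing slash, a different
    host spelling or a missing :443 breaks the login. No normalisation is done
    here on purpose: what Cognos sends must literally be what was registered."""
    return url in registered


def lint_return_url(url: str) -> list[str]:
    """Return human-readable findings for a candidate Return URL."""
    findings = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        findings.append("scheme is not https: the authorization code is returned in clear text")
    if not parts.hostname:
        findings.append("URL has no host")
    elif "." not in parts.hostname:
        findings.append("host is a short name; the identity provider redirects the user's browser here, so it must resolve from the browser")
    if not parts.path.endswith(COMPLETE_AUTH_PATH):
        findings.append(f"path must end in {COMPLETE_AUTH_PATH}")
    if parts.query or parts.fragment:
        findings.append("Return URL must not carry a query string or fragment")
    return findings


if __name__ == "__main__":
    # The three topologies from the page, in the order they are described.
    candidates = [
        return_url("http", "mycompany", 9300),
        return_url("https", "MyLoadbalancerDNS.mycompany.com", 443, "/ibmcognos"),
        return_url("https", "MyLoadbalancerDNS.mycompany.com", 9300),
    ]
    # Constructed allowlist standing in for what the IdP administrator registered.
    registered = [candidates[1], candidates[2]]
    for url in candidates:
        print(url)
        print("  registered at IdP:", redirect_uri_registered(url, registered))
        for finding in lint_return_url(url) or ["no findings"]:
            print("  -", finding)
```

Run it as a script to see the three page URLs, which of them would be accepted by an identity provider that registered only the two https variants, and what the lint flags on the plain-http example. The exact-match check is the one that most often explains a "redirect_uri mismatch" error after a namespace test succeeds: the namespace test reaches the Discovery Endpoint fine, but the browser round trip fails because the registered value differs by a character.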

Results

All users who are registered with your OpenID Connect identity provider should now have access to Cognos Analytics.