Managing OpenID Connect namespaces

Use the OpenID Connect namespace type to implement OpenID Connect authentication for IBM® Cognos® Analytics.

Cognos Analytics supports the following OpenID Connect identity providers:

  • ADFS (Active Directory Federation Services)
  • Azure AD (Active Directory)
  • Generic
  • Google
  • IBM Cloud Identity
  • IBMid (IBM identity provider)
  • MS Identity
  • OKTA
  • Ping
  • SalesForce
  • SiteMinder

IBMid is the IBM Identity Service, a cloud-based identity access and management solution that provides identity and single sign-on services for IBM applications.

After an OpenID Connect namespace is configured in IBM Cognos Configuration, all OpenID Connect users have access to Cognos Analytics. When the users log on, their names are automatically shown in the namespace.

Note: To set up an OpenID Connect namespace successfully, ensure that the Content Manager computer can access the OIDC IDP (Identity Provider). In some cases, if there is a proxy between the Content Manager and the IDP, Content Manager will not be able to connect.
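A pre-flight check for the reachability requirement in the note above, added here as an example and not taken from IBM documentation or product code. It fetches the identity provider's OpenID Connect discovery document from the Content Manager computer and checks it. The example assumes the IdP publishes metadata at the standard `/.well-known/openid-configuration` path; the issuer URL and the sample metadata are constructed placeholders.

```python
import json
import sys
import urllib.request
from urllib.parse import urlsplit

# Fields that OpenID Connect Discovery 1.0 marks REQUIRED in provider metadata.
REQUIRED = ("issuer", "authorization_endpoint", "jwks_uri", "response_types_supported",
            "subject_types_supported", "id_token_signing_alg_values_supported")
ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri", "userinfo_endpoint")

def check_metadata(doc, expected_issuer):
    """Return a list of problems found in a provider metadata document."""
    problems = [f"missing required field: {k}" for k in REQUIRED if k not in doc]
    # Discovery requires the returned issuer to equal the one asked for; a
    # mismatch suggests a proxy, portal or wrong tenant answered the request.
    if doc.get("issuer") != expected_issuer:
        problems.append(f"issuer mismatch: {doc.get('issuer')!r}")
    for key in ENDPOINTS:
        url = doc.get(key)
        if url is not None and urlsplit(url).scheme != "https":
            problems.append(f"{key} is not https: {url}")
    # The spec requires RS256 to be among the ID token signing algorithms.
    if "RS256" not in doc.get("id_token_signing_alg_values_supported", []):
        problems.append("RS256 not offered for ID token signing")
    return problems

def fetch_metadata(issuer, timeout=10):
    """Fetch the discovery document; run this on the Content Manager computer."""
    url = issuer.rstrip("/") + "/.well-known/openid-configuration"
    # urllib uses proxy settings from the environment (HTTPS_PROXY, NO_PROXY).
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)

# Constructed sample metadata; idp.example.test is a placeholder issuer.
SAMPLE = {
    "issuer": "https://idp.example.test",
    "authorization_endpoint": "https://idp.example.test/authorize",
    "token_endpoint": "https://idp.example.test/token",
    "jwks_uri": "https://idp.example.test/keys",
    "response_types_supported": ["code"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
}

if __name__ == "__main__":
    issuer = sys.argv[1] if len(sys.argv) > 1 else SAMPLE["issuer"]
    doc = fetch_metadata(issuer) if len(sys.argv) > 1 else SAMPLE
    print("\n".join(check_metadata(doc, issuer)) or "ok")
```

Run it with the issuer URL as the only argument; a timeout or connection error from `fetch_metadata` points at the network path or proxy rather than at the namespace configuration.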

As a system administrator, you might need to restrict the number of users who can access the product based on the number of licenses or other factors. To do that, perform the following optional steps:

  • Add a limited number of users to the OpenID Connect namespace.

    See step 3 below.

  • Add groups to the OpenID Connect namespace.

    See step 4 below.

  • Add the OpenID Connect users to groups or roles in the Cognos namespace.

    By using the Cognos groups and roles, you can quickly assign the required access permissions for different users.

  • In IBM Cognos Configuration, under Security > Authentication, set the Restrict access to members of the built-in namespace property to true.

    Only members of the built-in Cognos namespace can now access Cognos Analytics.

Procedure

  1. Log on to IBM Cognos Analytics as a system administrator.
  2. Log on to the OpenID Connect namespace.
  3. To add user accounts to the OpenID Connect namespace:
    1. Navigate to Manage > People > Accounts, and open the OpenID Connect namespace.
    2. To add an individual user account, follow these steps:
      • Click the New user icon.

        The Add users panel appears.

      • Enter a unique name in the Unique identifier field.

        For example, enter the user's email address.

      • In the Preferred Name field, enter the name that you want to appear in the namespace list.
      • Click Add.
      The Preferred Name value appears in the namespace list.
    3. To add multiple user accounts at once, you can import a .csv file specially formatted with account information:
      • Ensure that you created the .csv file that contains your user information.

        For more information, see Creating a .csv file containing user account information.

      • Click the Import icon and then select Import users.
      • Double-click the .csv file that has the user information.

        The file is uploaded and the defaultName values from the .csv file are listed in the OpenID Connect namespace.

        The same .csv file can be imported many times. If a defaultName value already exists in the namespace, the user account is updated. You can also repeat the import if previously imported entries look incorrect.

        Repeat this step for other files, if you have multiple files.

  4. To add groups to the OpenID Connect namespace:
    1. Navigate to Manage > People > Accounts, and open the OpenID Connect namespace.
    2. To add individual groups, follow these steps:
      • Click the New group icon.
      • Enter the name of the new group.
      The group name is listed in the namespace.
    3. To add multiple groups at once, you can import a .csv file specially formatted with group information:
      • Ensure that you created the .csv file that contains your group information.

        For more information, see Creating a .csv file containing group information.

      • Click the Import icon and then select Import groups.
      • Double-click the .csv file that has the group information.

        The file is uploaded and the defaultName values from the .csv file are listed in the OpenID Connect namespace. The same .csv file can be imported many times. If a group already exists in the namespace, the group is updated. You can also repeat the import if previously imported entries look incorrect.

        Repeat this step for other files, if you have multiple files.

  5. Add the OpenID Connect users to groups or roles in the Cognos namespace.
    1. Open the Cognos namespace, and find the group or role to which you would like to add users from the OpenID Connect namespace.
    2. From the group or role context menu, select View members.
    3. Click Select (the Add member icon).
    4. In the Add members panel, select your OpenID Connect namespace, and then select the appropriate users. You can select multiple users at once.
    5. Click Add. The selected users are displayed on the Members tab.
    6. Repeat the steps to add the OpenID Connect users to other Cognos groups or roles.
    7. To import users from a .csv file, click Import, and select the file. For more information, see Creating a .csv file containing user account information.

      The same .csv file can be imported many times. If a user account already exists in the namespace, the account is updated. You can also repeat the import if previously imported entries look incorrect.

      Repeat this step for other files, if you have multiple files.

  6. Delete an entry by clicking Delete in the context menu next to the specific group, role, or folder.

Results

Users who use the OpenID Connect namespace to log on to Cognos Analytics are redirected to an external logon page where they can type their credentials. If the credentials are accepted, the users can access Cognos Analytics.