OpenID Connect authentication provider

OpenID Connect is a simple identity layer on top of the OAuth 2.0 protocol. It is used for federated identity and authentication with multiple applications that use the same identity provider. OpenID Connect is the preferred web-based authentication provider if you want to federate IBM® Cognos® Analytics with other applications.

OpenID Connect is a modern standard that incorporates the OpenID and OAuth 2.0 standards. It is supported for both on-premises and Cloud installations of Cognos Analytics.

Cognos Analytics supports the following types of OpenID Connect identity providers:

  • ADFS (Active Directory Federation Services)
  • Azure AD (Active Directory)
  • Google
  • IBMid (IBM identity provider)
  • OKTA
  • Ping
  • SalesForce
  • SiteMinder

Tip: Contact the identity provider administrator in your organization, or the sales and support organization, to find out which product version you should use.

OpenID Connect Authentication Proxy

Applies to version 11.0.10 and subsequent versions unless specifically overridden.

Cognos Analytics now provides another provider type, 'OpenID Connect Authentication Proxy', in Cognos Configuration. This provider type offers a Trusted Signon Provider (TSP) for OpenID Connect. As with OpenID Connect entries, you will see the list of identity providers currently supported.

Additional configuration setting entries under Advanced Properties are now visible. You will need to configure the claim you want passed to the real provider as well as the namespace ID of the real provider.

  • Identity claim name: Specifies the name of the claim that will be provided to the target namespace (for example, John Doe)
  • Trusted environment name: Specifies the environment variable name that will be used to transfer the claim to the target namespace (for example, REMOTE_USER)
  • Redirect namespace ID: Specifies the namespace ID that will be invoked with the claim obtained from the OpenID identity provider (for example, LDAP)

Leveraging the identity provider single sign-on

If your OpenID Connect identity provider supports single sign-on and two-factor authentication, Cognos Analytics can leverage this functionality.

If the identity provider does not support single sign-on, when a user makes an authentication request to Cognos Analytics, the user is redirected to the OpenID Connect identity provider logon page. After providing the required information, the user is redirected back to Cognos Analytics with an authorization code that is redeemed for an ID token that contains the identity of the user. The user can then access Cognos Analytics.

If the identity provider supports single sign-on, the user receives the ID token when making the authentication request to Cognos Analytics, and can immediately access the application.
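The following is an added example, not IBM code, showing the two steps described on this page in working form: the ID token redeemed after the redirect is validated (signature, issuer, audience, expiry) before any claim in it is trusted, and the configured identity claim is then mapped into the trusted environment variable (for example REMOTE_USER) that the redirect namespace receives, as the authentication proxy does. The issuer URL, client ID, shared secret and user values are constructed assumptions.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values. A real deployment verifies the IdP's RS256 signature against
# its published JWKS; HS256 with a shared secret is used here only so the example runs offline.
DEMO_SECRET = b"constructed-demo-secret"
EXPECTED_ISSUER = "https://idp.example.com"   # assumed issuer URL
EXPECTED_AUDIENCE = "cognos-demo-client"      # assumed client ID registered at the IdP

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_demo_id_token(claims):
    """Build a signed demo ID token standing in for the token the identity provider returns."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(DEMO_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def verify_id_token(token, now=None):
    """Check signature, issuer, audience and expiry before trusting any claim in the token."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm; never accept 'none' or a downgrade
    expected = hmac.new(DEMO_SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("issuer mismatch")
    if claims.get("aud") != EXPECTED_AUDIENCE:
        raise ValueError("audience mismatch")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims

def trusted_signon_env(token, identity_claim_name="email", trusted_env_name="REMOTE_USER", now=None):
    """Map the configured identity claim to the trusted environment variable the redirect namespace (e.g. LDAP) receives."""
    claims = verify_id_token(token, now)
    value = claims.get(identity_claim_name)
    if not value:
        raise ValueError(f"claim {identity_claim_name!r} missing from ID token")
    return {trusted_env_name: value}
```

Only a token that passes every check yields a REMOTE_USER value; a tampered, expired or mis-addressed token is rejected before the redirect namespace ever sees a claim.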

Federating IBMid with SAML 2.0 identity providers

IBMid is the IBM OpenID Connect identity provider. If your identity provider (IdP) does not support OpenID Connect, but supports SAML 2.0, you can use IBMid to configure an OpenID Connect namespace as your authentication provider in Cognos Analytics. Simply choose IBMid as your identity provider when configuring the OpenID Connect namespace.

With this namespace configuration, you can federate Cognos Analytics with most SAML 2.0 identity providers. As a result, when users log on to Cognos Analytics, they are redirected to the IBMid sign-on page, where they type their email address. If the email address is recognized by IBMid, the users are redirected to their organization's SAML 2.0 identity provider logon page. On this page, the users complete the authentication process by providing their credentials. Then, they can access Cognos Analytics.