
Cognos Analytics Authentication to OpenID Connect (OIDC) namespace by using SDK

IBM Cognos Analytics introduced support for the two-factor authentication protocol through the OpenID Connect (OIDC) namespace. More information on Cognos OIDC configuration can be found here: Configuring an OpenID Connect namespace. Many customers have existing automation applications or integrations built on the Cognos SDK or REST APIs. When moving to two-factor authentication, they struggle to implement logon to their OIDC namespace through the SDK. Depending on the OIDC provider, there are two main cases:

OIDC provider supports password grant, like OKTA:

The password grant type is a way to exchange a user's credentials for an access token. In this case, use the regular SDK logon() method, passing the user's credentials (namespaceID, username, and password). This method is applicable to both namespace types, "OpenID Connect" and "OpenID Connect Authentication Proxy".

Sample SDK (SOAP API) code:

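public void logon(String namespaceID, String userID, String password){
      // Build the <credential> document that the SDK logon call expects.
      StringBuffer credentialsXML = new StringBuffer();
      credentialsXML.append("<credential>");
      credentialsXML.append("<namespace>").append(namespaceID).append("</namespace>");
      // User-supplied values are XML-encoded so that characters such as < or & cannot alter the document.
      credentialsXML.append("<username>").append(ConnectionHelper.xmlEncode(userID)).append("</username>");
      credentialsXML.append("<password>").append(ConnectionHelper.xmlEncode(password)).append("</password>");
      credentialsXML.append("</credential>");

      String credentials = credentialsXML.toString();
      cmService.logon(new XmlEncodedXML(credentials), null);
      // . . .
}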

OIDC provider does not support password grant, like IBMId:

To authenticate to the SDK, the logon request has to include the OIDC-generated code, set in the bibus header of the logon request. Below is sample Java code for authenticating to the SDK using the OIDC-generated code:

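public void logon(String namespaceID, String code, String redirect_uri) throws RemoteException
{
    // Attach the logonAs form fields (namespace, code, redirect URL) to the bibus header.
    setHeaderValue(namespaceID, code, redirect_uri);
    // Send a request that carries the header; "~" is the current user's account.
    cmService.query(new SearchPathMultipleObject("~"),
          new PropEnum [] {PropEnum.storeID, PropEnum.defaultName},
          new Sort[]{} , new QueryOptions());
}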
  
  
private void setHeaderValue (String namespaceID, String code, String redirect_uri) {
  
     BiBusHeader bibus = new BiBusHeader();          
     FormFieldVar newBiBusFormFieldVars[] = new FormFieldVar[4];
    
     newBiBusFormFieldVars[0] = new FormFieldVar();     
     newBiBusFormFieldVars[0].setName("h_CAM_action");     
     newBiBusFormFieldVars[0].setValue("logonAs");     
     newBiBusFormFieldVars[1] = new FormFieldVar();     
     newBiBusFormFieldVars[1].setName("CAMNamespace");     
     newBiBusFormFieldVars[1].setValue(namespaceID);     
     newBiBusFormFieldVars[2] = new FormFieldVar();     
     newBiBusFormFieldVars[2].setName("code");     
     newBiBusFormFieldVars[2].setValue(code);
     newBiBusFormFieldVars[3] = new FormFieldVar();
     newBiBusFormFieldVars[3].setName("redirectURL");
     newBiBusFormFieldVars[3].setValue(redirect_uri);

     HdrSession hdrSession = new HdrSession();     
     hdrSession.setFormFieldVars(newBiBusFormFieldVars);     
     bibus.setHdrSession(hdrSession);     
     
     ((Stub)this.cmService).setHeader("http://developer.cognos.com/schemas/bibus/3/", "biBusHeader", bibus);   
}
  
 

Where:

  • code is the code generated by the OIDC provider. The request to generate the code uses the same client_id and redirect_uri that are set for the OIDC namespace configuration in Cognos; if the redirect_uri is not the same, you will need to pass the redirect_uri value. The communication with the OIDC provider to generate the code takes place prior to calling the logon method and depends on each provider: IBM Cloud Identity, OKTA, Microsoft identity platform, etc.
  • redirect_uri: if the code is generated using the same client_id as the one configured in Cognos but a different redirect_uri, then the redirect_uri needs to be set in the header to log in successfully.
  • namespaceID is the ID of the OIDC namespace in Cognos Configuration.
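
The step that precedes the logon call, obtaining the code from the provider, is sketched below as an added example; it is not IBM's code and not part of the original page. The endpoint, client_id, redirect URI and callback are constructed placeholders, and the request fields are the standard OIDC authorization-code parameters; the callback's state is checked before the code is accepted.

```java
import java.net.*;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;

public class OidcCodeForCognos {
    // Placeholders (assumptions): provider endpoint and the client_id set in the Cognos OIDC namespace.
    static final String AUTHZ_ENDPOINT = "https://idp.example.com/authorize";
    static final String CLIENT_ID = "client-id-placeholder";

    static String enc(String s) { return URLEncoder.encode(s, StandardCharsets.UTF_8); }

    // Unguessable per-request value that binds the callback to this authorization request.
    static String newState() {
        byte[] b = new byte[16];
        new SecureRandom().nextBytes(b);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }

    static String authorizationUrl(String redirectUri, String state) {
        return AUTHZ_ENDPOINT + "?response_type=code&scope=openid"
            + "&client_id=" + enc(CLIENT_ID)
            + "&redirect_uri=" + enc(redirectUri)
            + "&state=" + enc(state);
    }

    // Parses the provider's redirect, rejects error or mismatched-state responses, returns the code.
    static String codeFromCallback(String callbackUrl, String expectedState) {
        Map<String, String> q = new HashMap<>();
        String raw = URI.create(callbackUrl).getRawQuery();
        for (String pair : (raw == null ? "" : raw).split("&")) {
            int i = pair.indexOf('=');
            if (i > 0) q.put(URLDecoder.decode(pair.substring(0, i), StandardCharsets.UTF_8),
                             URLDecoder.decode(pair.substring(i + 1), StandardCharsets.UTF_8));
        }
        if (q.containsKey("error")) throw new IllegalStateException("provider error: " + q.get("error"));
        byte[] got = q.getOrDefault("state", "").getBytes(StandardCharsets.UTF_8);
        if (!MessageDigest.isEqual(expectedState.getBytes(StandardCharsets.UTF_8), got))
            throw new SecurityException("state mismatch: callback does not belong to this request");
        String code = q.get("code");
        if (code == null || code.isEmpty()) throw new IllegalStateException("no code in callback");
        return code;
    }

    public static void main(String[] args) {
        String redirectUri = "https://automation.example.com/cb"; // constructed; differs from the namespace's
        String state = newState();
        System.out.println("Authorize at: " + authorizationUrl(redirectUri, state));
        String callback = redirectUri + "?code=CONSTRUCTED-CODE&state=" + enc(state); // constructed callback
        String code = codeFromCallback(callback, state);
        // Hand code and redirectUri to logon(namespaceID, code, redirect_uri); the URI is needed as it differs.
        System.out.println("code received (" + code.length() + " chars), redirect_uri=" + redirectUri);
    }
}
```

Authorization codes are single-use and short-lived, so pass the code to the logon method right away and keep it out of logs.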