Cognos Analytics Authentication to OpenID Connect (OIDC) namespace by using SDK
IBM Cognos Analytics introduced support for two-factor authentication through the OpenID Connect (OIDC) namespace. More information on Cognos OIDC configuration can be found here: Configuring an OpenID Connect namespace. Many customers have existing automation applications or integrations built on the Cognos SDK or REST APIs. When moving to two-factor authentication, they struggle to implement logon to their OIDC namespace through the SDK. Depending on the OIDC provider, there are two main cases:
OIDC provider supports password grant, like OKTA:
The password grant type is a way to exchange a user's credentials for an access token. In this case, the application can use the regular SDK logon() method, passing the user's credentials (namespaceID, username, and password). This method is applicable to both namespace types, "OpenID Connect" and "OpenID Connect Authentication Proxy".
Sample SDK (SOAP API) code:
    public void logon(String namespaceID, String userID, String password){
        // Build the credential XML document expected by cmService.logon()
        StringBuffer credentialsXML = new StringBuffer();
        credentialsXML.append("<credential>");
        credentialsXML.append("<namespace>").append(namespaceID).append("</namespace>");
        // User-supplied values are XML-encoded so they cannot break the document
        credentialsXML.append("<username>").append(ConnectionHelper.xmlEncode(userID)).append("</username>");
        credentialsXML.append("<password>").append(ConnectionHelper.xmlEncode(password)).append("</password>");
        credentialsXML.append("</credential>");
        String credentials = credentialsXML.toString();
        cmService.logon(new XmlEncodedXML(credentials), null);
        . . .
    }
OIDC provider does not support password grant, like IBMId.
To authenticate to the SDK, the logon request has to include the OIDC-generated code, set in the bibus header of the logon request. Below is sample Java code for authenticating to the SDK using an OIDC-generated code:
    public void logon(String namespaceID, String code, String redirect_uri) throws RemoteException
    {
        // Set the OIDC code in the bibus header, then send a request that carries it
        setHeaderValue(namespaceID, code, redirect_uri);
        cmService.query(new SearchPathMultipleObject("~"),
            new PropEnum[] {PropEnum.storeID, PropEnum.defaultName},
            new Sort[]{}, new QueryOptions());
    }

    private void setHeaderValue(String namespaceID, String code, String redirect_uri) {
        BiBusHeader bibus = new BiBusHeader();
        FormFieldVar newBiBusFormFieldVars[] = new FormFieldVar[4];
        // Logon action
        newBiBusFormFieldVars[0] = new FormFieldVar();
        newBiBusFormFieldVars[0].setName("h_CAM_action");
        newBiBusFormFieldVars[0].setValue("logonAs");
        // ID of the OIDC namespace in Cognos Configuration
        newBiBusFormFieldVars[1] = new FormFieldVar();
        newBiBusFormFieldVars[1].setName("CAMNamespace");
        newBiBusFormFieldVars[1].setValue(namespaceID);
        // Code generated by the OIDC provider
        newBiBusFormFieldVars[2] = new FormFieldVar();
        newBiBusFormFieldVars[2].setName("code");
        newBiBusFormFieldVars[2].setValue(code);
        // redirect_uri that was used when the code was requested
        newBiBusFormFieldVars[3] = new FormFieldVar();
        newBiBusFormFieldVars[3].setName("redirectURL");
        newBiBusFormFieldVars[3].setValue(redirect_uri);
        HdrSession hdrSession = new HdrSession();
        hdrSession.setFormFieldVars(newBiBusFormFieldVars);
        bibus.setHdrSession(hdrSession);
        ((Stub)this.cmService).setHeader("http://developer.cognos.com/schemas/bibus/3/", "biBusHeader", bibus);
    }
Where:
- code is the code generated by the OIDC provider. The request to generate the code uses the same client_id and redirect_uri that are set for the OIDC namespace configuration in Cognos; if the redirect_uri is not the same, you will need to pass the redirect_uri value. The communication with the OIDC provider to generate the code happens before calling the logon method and depends on each provider (IBM Cloud Identity, OKTA, Microsoft identity platform, etc.).
- redirect_uri: if the code is generated using the same client_id as the one configured in Cognos but a different redirect_uri, then the redirect_uri needs to be set in the header to log in successfully.
- namespaceID is the ID of the OIDC namespace in Cognos Configuration.
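The page leaves the code request itself to each provider. As an added example (not IBM's or the page's own code), the sketch below builds a standard OIDC authorization-code request and extracts the code from the provider's redirect, checking the state value before the code is handed to logon(). The class and method names, the endpoint, the client ID and the redirect URI are hypothetical placeholders, and the endpoint is assumed to have no query string of its own.

```java
import java.net.URI;
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

public class OidcCodeRequest {
    // Random, unguessable state value that ties the callback to this request.
    static String newState() {
        byte[] b = new byte[32];
        new SecureRandom().nextBytes(b);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }
    // Authorization-code request; client_id must match the Cognos namespace configuration.
    static String authorizationUrl(String endpoint, String clientId, String redirectUri, String state) {
        return endpoint + "?response_type=code&scope=openid&client_id=" + enc(clientId)
            + "&redirect_uri=" + enc(redirectUri) + "&state=" + enc(state);
    }
    // Parse the provider's redirect, reject errors and a mismatched state, return the code.
    static String codeFromCallback(String callbackUrl, String expectedState) {
        Map<String, String> q = new HashMap<>();
        String raw = URI.create(callbackUrl).getRawQuery();
        for (String pair : (raw == null ? "" : raw).split("&")) {
            int i = pair.indexOf('=');
            if (i > 0) q.put(dec(pair.substring(0, i)), dec(pair.substring(i + 1)));
        }
        if (q.containsKey("error")) throw new IllegalStateException("provider error: " + q.get("error"));
        byte[] got = q.getOrDefault("state", "").getBytes(StandardCharsets.UTF_8);
        if (!MessageDigest.isEqual(got, expectedState.getBytes(StandardCharsets.UTF_8)))
            throw new SecurityException("state mismatch");
        String code = q.get("code");
        if (code == null || code.isEmpty()) throw new IllegalStateException("no code in callback");
        return code;
    }
    static String enc(String s) { return URLEncoder.encode(s, StandardCharsets.UTF_8); }
    static String dec(String s) { return URLDecoder.decode(s, StandardCharsets.UTF_8); }

    public static void main(String[] args) {
        String redirectUri = "https://automation.example.com/callback"; // constructed placeholder
        String state = newState();
        System.out.println(authorizationUrl("https://idp.example.com/authorize",
            "placeholder-client-id", redirectUri, state));
        String callback = redirectUri + "?code=constructed-code&state=" + enc(state); // constructed
        String code = codeFromCallback(callback, state);
        // Next step, from this page: logon(namespaceID, code, redirectUri). Do not log the code.
        System.out.println("code received, length " + code.length());
    }
}
```

Because the authorization code is single-use, request a fresh one for each SDK logon and pass the same redirect_uri to logon() that was used in the request.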