openid connect

When configuring an OpenID Connect namespace, some information is required in order to complete the configuration. For this article, I will be using the OKTA OpenID Connect namespace as an example, but other configurations are fairly similar. I will also show some typical errors encountered and how to resolve them.

Cognos OpenID Connect Namespace Configuration

When configuring an OpenID Connect namespace in Cognos Analytics, you will need to provide the following:

  • The provider type for OpenID Connect
  • A namespace ID
  • A Discovery Endpoint URL, Client Identifier, and OpenID Connect Client Secret (these can be provided by the OIDC admin)
  • If the Discovery Endpoint URL uses a non-standard SSL Certificate Authority, you will also need a root certificate to import in the Cognos key store
  • A Return URL, which is the Cognos Gateway URL

 

To configure an OIDC namespace, follow these steps:

  • On the Content Manager node of your Cognos Analytics environment, launch Cognos Configuration. Make sure to launch it using the “Run as Administrator” option.
  • In Cognos Configuration, under Security, right click on Authentication, and select New Resource, Namespace.
  • When the “New Resource – Namespace” window opens, give the new namespace a distinctive name, select OpenID Connect as the Type (Group), then select the provider as the Type, and click OK. In this example, we’re using the OKTA provider.

 


  • Once you are back in the Namespace Resource Properties window, complete all the following fields as shown in the screenshot below:
    • Namespace ID – Here it is Realogy
    • Discovery Endpoint – Provided by OIDC Admin
    • Client Identifier – Provided by OIDC Admin
    • OpenID Connect Client Secret – Provided by OIDC Admin
    • Return URL – Cognos Analytics Gateway URL

 


  • Once you have all the information entered, click on the Save icon in Cognos Configuration to save your changes.
  • Click Next to validate the configuration.
    • If you receive an error (exclamation point) when testing, and have verified all other information is correct, it is likely an issue with the SSL certificate not being in the Cognos Analytics key store. If that is the case, the trusted root for the SSL certificate authority will need to be imported into the Cognos Analytics key store. Steps for this are provided below.

 


  • If the test validates successfully (green checks for both) you can close Cognos Configuration and the OpenID Connect Namespace is ready for use.

Once the namespace has been configured and you can authenticate, you are then able to import and configure Cognos security based on users from the OIDC namespace.
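Before entering the Discovery Endpoint value in Cognos Configuration, it can help to confirm that the document it returns is internally consistent. The following is an added example, not part of the original article and not IBM or OKTA code; `check_discovery`, the `idp.example.com` URLs and the sample documents are constructed for illustration, and the required-field list follows the OpenID Connect Discovery 1.0 specification.

```python
import json
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"
# Fields OpenID Connect Discovery 1.0 requires. token_endpoint is included on the
# assumption that the code flow is used (the namespace is given a client secret).
REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri",
            "response_types_supported", "subject_types_supported",
            "id_token_signing_alg_values_supported")
ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri", "userinfo_endpoint")

def check_discovery(discovery_url, doc):
    """Return a list of problems; an empty list means the document is consistent."""
    problems = []
    if urlsplit(discovery_url).scheme != "https":
        problems.append("discovery URL is not https")
    expected = discovery_url
    if discovery_url.endswith(WELL_KNOWN):
        expected = discovery_url[:-len(WELL_KNOWN)]
    else:
        problems.append("discovery URL does not end in " + WELL_KNOWN)
    problems += [f"missing required field: {k}" for k in REQUIRED if k not in doc]
    # The issuer must equal the discovery URL with the well-known suffix removed.
    issuer = doc.get("issuer")
    if issuer is not None and issuer != expected:
        problems.append(f"issuer {issuer!r} does not match discovery URL")
    for key in ENDPOINTS:
        if key in doc and urlsplit(doc[key]).scheme != "https":
            problems.append(f"{key} is not https")
    return problems

# Constructed sample values (not from any real provider).
URL = "https://idp.example.com/.well-known/openid-configuration"
GOOD = json.loads("""{
  "issuer": "https://idp.example.com",
  "authorization_endpoint": "https://idp.example.com/oauth2/v1/authorize",
  "token_endpoint": "https://idp.example.com/oauth2/v1/token",
  "jwks_uri": "https://idp.example.com/oauth2/v1/keys",
  "response_types_supported": ["code"],
  "subject_types_supported": ["public"],
  "id_token_signing_alg_values_supported": ["RS256"]
}""")
# Trailing slash on issuer, plain-http key URL, and no token endpoint.
BAD = dict(GOOD, issuer="https://idp.example.com/",
           jwks_uri="http://idp.example.com/oauth2/v1/keys")
del BAD["token_endpoint"]

if __name__ == "__main__":
    for name, doc in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_discovery(URL, doc) or "ok")
```

To use it against a real provider, save the JSON returned by the Discovery Endpoint to a file and pass the parsed contents as `doc`. A clean result here says nothing about certificate trust, which is still decided by the Cognos Analytics key store.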

Importing Trusted Root Certificate for OIDC Provider URL

In most cases, you may need to import the SSL certificate for the OIDC Discovery Endpoint URL.

To do that, you will need to copy the root cert from the link provided. In the example case, the SSL certificate for the OKTA OIDC provider is from the DigiCert certificate authority.

You can either obtain the root certificate from the certificate authority itself, or in some cases, it can be just as easy to copy/export it from the link in IE as a Base-64 encoded X.509 (.cer) file. Once you have the root certificate, you can import it to the Cognos Analytics key store as follows:

  • Open a command prompt as Administrator, change to the <Cognos Install Path>\bin directory.
  • Run the following command (replacing the path and filename with those of your root CA file):

 

ThirdPartyCertificateTool.bat -java:local -T -i -r e:\DigiCertrootcafile.cer -p NoPassWordSet

 

After you import the certificate, relaunch Cognos Configuration and retest the namespace to verify it connects successfully. If it does, you are ready to use the namespace.

 

About Ironside

Ironside was founded in 1999 as an enterprise data and analytics solution provider and system integrator. Our clients hire us to acquire, enrich and measure their data so they can make smarter, better decisions about their business. No matter your industry or specific business challenges, Ironside has the experience, perspective and agility to help transform your analytic environment.