analytics/configuration/samples/Authentication_en.xml

<?xml version="1.0" encoding="UTF-8"?>
<!--
Licensed Materials - Property of IBM

IBM Cognos Products: cclmcf

(C) Copyright IBM Corp. 2009, 2013

US Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
===============================================================================================
Configuration samples for AAA. 
===============================================================================================
-->
<crn:parameters xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:crn="http://developer.cognos.com/schemas/crconfig/1/" xsi:schemaLocation="http://developer.cognos.com/schemas/crconfig/1/ cogstartup.xsd" version="175.0">
  <crn:parameter name="AAA" opaque="true">
    <crn:value>
      <!-- advancedProperties: Specifies a set of advanced properties. -->
      <!-- The user needs to provide the name and the value for each advanced property. -->
      <crn:parameter name="advancedProperties">
        <crn:value xsi:type="cfg:array"> 
        </crn:value>
      </crn:parameter>
      <crn:instances name="authProvider">
        <!--

===============================================================================
(Begin of) ActiveDirectory template
-->
        <crn:instance name="ActiveDirectory Name" class="ActiveDirectory">
          <!-- id: Specifies a unique identifier for the authentication namespace. -->
          <!-- Use the namespace identifier to distinguish between multiple namespaces. Each 
     namespace must have a unique identifier. When you select a namespace to use for 
     authentication in the run-time environment, the identifier is used by the IBM 
     Cognos components. Changing the namespace ID after the service has been started 
     may invalidate the object security policies and the Cognos group and role 
     memberships. The use of the colon in the Namespace ID is not supported. -->
          <crn:parameter name="id">
            <crn:value xsi:type="xsd:string"> 
            </crn:value>
          </crn:parameter>
          <!-- connection: Specifies the host name and port of the directory server. -->
          <!-- Use the following syntax to specify the host name and port for the directory 
     server:host:port; for example, localhost:389. Ensure that if you use a fully 
     qualified name for your computer that your DNS is set up to resolve it. If you 
     specifically wish to use SSL for the connection to the Active Directory Server, 
     the server name must match the name specified in the certificate and the server 
     port must be the SSL port. -->
          <crn:parameter name="connection">
            <crn:value xsi:type="cfg:hostPort"> 
            </crn:value>
          </crn:parameter>
          <!-- timeOut: Specifies the number of seconds permitted to perform a search 
     request. -->
          <!-- The product uses this value when it requests authentication from the namespace 
     on your directory server. The value depends on your reporting environment. If 
     the duration is exceeded, the search is timed out. The default value -1 
     indicates that the value on the LDAP server will be used. -->
          <!-- Units: sec -->
          <crn:parameter name="timeOut">
            <crn:value xsi:type="xsd:int">-1</crn:value>
          </crn:parameter>
          <!-- sizeLimit: Specifies the maximum number of responses permitted for a search 
     request. -->
          <!-- The value depends on your environment. As a general rule, the minimum value 
     for this setting should be greater than the maximum number of groups or users 
     plus 100. When the size limit is reached the directory server stops searching. 
     The default value of -1 indicates that the value on the LDAP server will be 
     used. -->
          <!-- Units: entries -->
          <crn:parameter name="sizeLimit">
            <crn:value xsi:type="xsd:int">-1</crn:value>
          </crn:parameter>
          <!-- bindCredentials: Specifies the credentials ( userID and password ) used to 
     bind to the Active Directory Server to find out the detail authentication 
     failure reason when the authentication failed. -->
          <!-- This value corresponds to an Active Directory Server user who has search and 
     read privilege to the user of the Active Directory Server. -->
          <crn:parameter name="bindCredentials">
            <crn:value xsi:type="cfg:credential" encrypted="false">
              <credential>
                <username>joe</username>
                <password>paranoid</password>
              </credential>
            </crn:value>
          </crn:parameter>
          <!-- RS_SPNName: Specifies the sAMAccountName of the user running Application Tier 
     Components. -->
          <!-- This value must be set if you are using Kerberos authentication with 
     constrained delegation and IBM Cognos BI is installed on Microsoft Windows 
     operating systems. -->
          <crn:parameter name="RS_SPNName">
            <crn:value xsi:type="xsd:string"> 
            </crn:value>
          </crn:parameter>
          <!-- DQ_SPNName: Specifies the full DQM Service Principal Name, exactly as it is in 
     the keytab file. -->
          <!-- This value must be set if you use Kerberos Authentication with Single Sign On 
     (Active Directory) for Dynamic Query Mode, and you don't create explicit 
     Kerberos Login Module configuration. DQM will create the configuration using 
     this value, and a default name and location for the keytab file - 
     configuration\ibmcognosba.keytab. -->
          <crn:parameter name="DQ_SPNName">
            <crn:value xsi:type="xsd:string"> 
            </crn:value>
          </crn:parameter>
          <!-- tenantIdMapping: Specifies how namespace users are mapped to tenant IDs. -->
          <!-- Specifying a value for this parameter enables multitenancy. The tenant ID for 
     a user can be determined using a pattern or a tenant provider class. The 
     pattern is a AAA service search path to a property which defines a tenant ID. 
     The search path must be relative to a user account. For example: 
     '~/ancestors[2]/defaultName'. A tenant provider class is Java class which 
     implements the the ITenantProvider interface. For more details please consult 
     the installation and configuration guide. -->
          <crn:parameter name="tenantIdMapping">
            <crn:value xsi:type="cfg:tenancyInfo">pattern</crn:value>
          </crn:parameter>
          <!-- tenantBoundingSetMapping: Specifies how the tenant bounding set is determined 
     for a user. -->
          <!-- This parameter is used when multitenancy is enabled. The tenant bounding set 
     for a user can be determined using a pattern or a tenant bounding set provider 
     class. The pattern is a AAA service search path to a property which defines a 
     tenant bounding set. The search path must be relative to a user account. For 
     example: '˜/parameters/boundingSet'. A tenant bounding set provider class is 
     Java class which implements the the IBoundingSetProvider interface. For more 
     details please consult the installation and configuration guide. -->
          <crn:parameter name="tenantBoundingSetMapping">
            <crn:value xsi:type="cfg:tenancyInfo">pattern</crn:value>
          </crn:parameter>
          <!-- selectableForAuth: Specifies whether the namespace is selectable for 
     authentication. -->
          <!-- If this property is set to true, the namespace will be available for 
     authentication in the logon page namespace selection prompt. Set this value to 
     false if the namespace should not be available for selection on the logon page. 
     -->
          <crn:parameter name="selectableForAuth">
            <crn:value xsi:type="xsd:boolean">true</crn:value>
          </crn:parameter>
          <!-- advancedProperties: Specifies a set of advanced properties. -->
          <!-- The user needs to provide the name and the value for each advanced property. -->
          <crn:parameter name="advancedProperties">
            <crn:value xsi:type="cfg:array"> 
            </crn:value>
          </crn:parameter>
          <!-- customProperties: Specifies a set of custom properties. -->
          <!-- Use this set of custom properties to define additional account information. -->
          <crn:parameter name="customProperties">
            <crn:value xsi:type="cfg:array"> 
            </crn:value>
          </crn:parameter>
        </crn:instance>
        <!--
(End of) ActiveDirectory template
===============================================================================

-->
        <!--

===============================================================================
(Begin of) Cognos template
-->
        <crn:instance name="Cognos Name" class="Cognos">
          <!-- allowAnon: Specifies whether anonymous access is allowed. -->
          <!-- By default, anonymous authentication process doesn't require the user to 
     provide logon credentials. The anonymous authentication uses a pre-defined 
     account under which all anonymous users are logged in. -->
          <crn:parameter name="allowAnon">
            <crn:value xsi:type="xsd:boolean">true</crn:value>
          </crn:parameter>
          <crn:parameter name="disableCM">
            <crn:value xsi:type="xsd:boolean">false</crn:value>
          </crn:parameter>
        </crn:instance>
        <!--
(End of) Cognos template
===============================================================================

-->
        <!--

===============================================================================
(Begin of) CustomJava template
-->
        <crn:instance name="CustomJava Name" class="CustomJava">
          <!-- id: Specifies a unique identifier for the authentication namespace. -->
          <!-- Use the namespace identifier to distinguish between multiple namespaces. Each 
     namespace must have a unique identifier. When you select a namespace to use for 
     authentication in the run-time environment, the identifier is used by the IBM 
     Cognos components. Changing the namespace ID after the service has been started 
     may invalidate the object security policies and the Cognos group and role 
     memberships. The use of the colon in the Namespace ID is not supported. -->
          <crn:parameter name="id">
            <crn:value xsi:type="xsd:string"> 
            </crn:value>
          </crn:parameter>
          <!-- authModule: Specifies the Java class name of the authentication provider to 
     use for authentication. -->
          <!-- Set the value of this property to the name of your Java class name. This class 
     and its dependents must be in the Java CLASSPATH. -->
          <crn:parameter name="authModule">
            <crn:value xsi:type="xsd:string"> 
            </crn:value>
          </crn:parameter>
          <!-- selectableForAuth: Specifies whether the namespace is selectable for 
     authentication. -->
          <!-- If this property is set to true, the namespace will be available for 
     authentication in the logon page namespace selection prompt. Set this value to 
     false if the namespace should not be available for selection on the logon page. 
     -->
          <crn:parameter name="selectableForAuth">
            <crn:value xsi:type="xsd:boolean">true</crn:value>
          </crn:parameter>
          <!-- advancedProperties: Specifies a set of advanced properties. -->
          <!-- The user needs to provide the name and the value for each advanced property. -->
          <crn:parameter name="advancedProperties">
            <crn:value xsi:type="cfg:array"> 
            </crn:value>
          </crn:parameter>
          <!-- tenantIdMapping: Specifies how namespace users are mapped to tenant IDs. -->
          <!-- Specifying a value for this parameter enables multitenancy. The tenant ID for 
     a user can be determined using a pattern or a tenant provider class. The 
     pattern is a AAA service search path to a property which defines a tenant ID. 
     The search path must be relative to a user account. For example: 
     '~/ancestors[2]/defaultName'. A tenant provider class is Java class which 
     implements the the ITenantProvider interface. For more details please consult 
     the installation and configuration guide. -->
          <crn:parameter name="tenantIdMapping">
            <crn:value xsi:type="cfg:tenancyInfo">pattern</crn:value>
          </crn:parameter>
          <!-- tenantBoundingSetMapping: Specifies how the tenant bounding set is determined 
     for a user. -->
          <!-- This parameter is used when multitenancy is enabled. The tenant bounding set 
     for a user can be determined using a pattern or a tenant bounding set provider 
     class. The pattern is a AAA service search path to a property which defines a 
     tenant bounding set. The search path must be relative to a user account. For 
     example: '˜/parameters/boundingSet'. A tenant bounding set provider class is 
     Java class which implements the the IBoundingSetProvider interface. For more 
     details please consult the installation and configuration guide. -->
          <crn:parameter name="tenantBoundingSetMapping">
            <crn:value xsi:type="cfg:tenancyInfo">pattern</crn:value>
          </crn:parameter>
        </crn:instance>
        <!--
(End of) CustomJava template
===============================================================================

-->
        <!--

===============================================================================
(Begin of) LDAP template
-->
        <crn:instance name="LDAP Name" class="LDAP">
          <!-- id: Specifies a unique identifier for the authentication namespace. -->
          <!-- Use the namespace identifier to distinguish between multiple namespaces. Each 
     namespace must have a unique identifier. When you select a namespace to use for 
     authentication in the run-time environment, the identifier is used by the IBM 
     Cognos components. Changing the namespace ID after the service has been started 
     may invalidate the object security policies and the Cognos group and role 
     memberships. The use of the colon in the Namespace ID is not supported. -->
          <crn:parameter name="id">
            <crn:value xsi:type="xsd:string"> 
            </crn:value>
          </crn:parameter>
          <!-- connection: Specifies the host name and port of the directory server. -->
          <!-- Use the following syntax to specify the host name and port for the directory 
     server: host:port; for example, localhost:389. Ensure that if you use a fully 
     qualified name for your computer that your DNS is set up to resolve it. 
     Otherwise, you can also use the IP address. -->
          <crn:parameter name="connection">
            <crn:value xsi:type="cfg:hostPort"> 
            </crn:value>
          </crn:parameter>
          <!-- baseDN: Specifies the base distinguished name of the LDAP server. -->
          <!-- The product uses the base DN to identify the top level of your directory 
     server structure. The root of the hierarchal directory structure is the 
     starting place for all searches. You restrict searches by specifying a base DN. 
     -->
          <crn:parameter name="baseDN">
            <crn:value xsi:type="xsd:string"> 
            </crn:value>
          </crn:parameter>
          <!-- userLookup: Specifies the user lookup used for binding to the LDAP directory 
     server. -->
          <!-- Use this property to specify the string that is used to construct the fully 
     qualified DN for authentication. All instances of '${userID}' in this string 
     are replaced by the value typed in by the user at the logon prompt. If the 
     string does not begin with an open parenthesis, the result of the substitution 
     is assumed to be a DN which can be used for authentication.  For example, 
     'uid=${userID},ou=people, base DN', where base DN is the Base Distinguished 
     Name parameter value. If the value begins with an open parenthesis '(', the 
     result of the substitution is assumed to be a search filter. Before binding, 
     the provider uses the filter to get the DN for authentication. For example, 
     '(userPrincipalName=${userID})'. A filter should be used if you have a 
     hierarchical directory structure. -->
          <crn:parameter name="userLookup">
            <crn:value xsi:type="xsd:string">${userID}</crn:value>
          </crn:parameter>
          <!-- useExternalIdentity: Specifies whether to use the identity from an external 
     source for user authentication. -->
          <!-- If this property is set to true, the user is authenticated by an external 
     source and the user's identity is provided to the product from the external 
     source. For example, if SSL is configured to use client certificates, the Web 
     server sets the REMOTE_USER environment variable to the user's identity. If you 
     set this property to true, ensure that you set the "External Identity Mapping" 
     property. -->
          <crn:parameter name="useExternalIdentity">
            <crn:value xsi:type="xsd:boolean">false</crn:value>
          </crn:parameter>
          <!-- externalIdentityMapping: Specifies the mapping used to locate a user in the 
     LDAP directory server. -->
          <!-- This property is used only if you enable the "Use External identity" property. 
     This mapping is used to construct a DN or a search filter to locate a user in 
     the LDAP directory server. All instances of 
     '${environment("ENVIRONMENT_VARIABLE_NAME")' in this string are replaced by the 
     value of the environment variable provided by the Web server. If the string 
     does not begin with an open parenthesis, the result of the substitution is 
     assumed to be the user's DN. For example, 
     'uid=${environment("REMOTE_USER")},ou=people, base DN', where base DN is the 
     Base Distinguished Name parameter value. If the value begins with an open 
     parenthesis '(', the result of the substitution is assumed to be a search 
     filter. For example, '(userPrincipalName=${environment("REMOTE_USER")})'. Note 
     that you must either enable anonymous access to the LDAP directory server or 
     set the 'Bind user DN and password' property. -->
          <crn:parameter name="externalIdentityMapping">
            <crn:value xsi:type="xsd:string">${environment("REMOTE_USER")}</crn:value>
          </crn:parameter>
          <!-- bindCredentials: Specifies the credentials used for binding to the LDAP server 
     when performing a search using the user lookup property, or when performing all 
     operations using the external identity mapping. -->
          <!-- This value corresponds to an LDAP user who has read and search access to the 
     user branch of the LDAP directory server. -->
          <crn:parameter name="bindCredentials">
            <crn:value xsi:type="cfg:credential" encrypted="false">
              <credential>
                <username>joe</username>
                <password>paranoid</password>
              </credential>
            </crn:value>
          </crn:parameter>
          <!-- sizeLimit: Specifies the maximum number of responses permitted for a search 
     request. -->
          <!-- The value depends on your environment. As a general rule, the minimum value 
     for this setting should be greater than the maximum number of groups or users 
     plus 100. When the size limit is reached the directory server stops searching. 
     The default value of -1 indicates that the value on the LDAP server will be 
     used. -->
          <!-- Units: entries -->
          <crn:parameter name="sizeLimit">
            <crn:value xsi:type="xsd:int">-1</crn:value>
          </crn:parameter>
          <!-- timeOut: Specifies the number of seconds permitted to perform a search 
     request. -->
          <!-- The product uses this value when it requests authentication from the namespace 
     on your directory server. The value depends on your reporting environment. If 
     the duration is exceeded, the search is timed out. The default value -1 
     indicates that the value on the LDAP server will be used. -->
          <!-- Units: sec -->
          <crn:parameter name="timeOut">
            <crn:value xsi:type="xsd:int">-1</crn:value>
          </crn:parameter>
          <!-- useBindCredentialsForSearch: Specifies whether to use the bind credentials to 
     perform a search. -->
          <!-- This property only affects users who don't use the external identity mapping. 
     If this property is set to true, the bind credentials provided in the namespace 
     configuration will be used to perform a search in the LDAP directory server. If 
     this flag is false or bind credentials are not presented, the authenticated 
     user credentials will be used for searching. -->
          <crn:parameter name="useBindCredentialsForSearch">
            <crn:value xsi:type="xsd:boolean">false</crn:value>
          </crn:parameter>
          <!-- allowEmptyPswd: Specifies whether empty passwords are allowed for user 
     authentication. -->
          <!-- Set this property to true only if you specifically wish to allow empty 
     passwords. When a user is not required to specify a password, he is 
     authenticated as an anonymous user on the LDAP namespace, but as a named user 
     on the Cognos namespace. Requiring passwords for authentication increases 
     security and makes it more difficult to forge identities. By default, this 
     property is set to false. -->
          <crn:parameter name="allowEmptyPswd">
            <crn:value xsi:type="xsd:boolean">false</crn:value>
          </crn:parameter>
          <!-- camidAttribute: Specifies the value used to uniquely identify objects stored 
     in the LDAP directory server. -->
          <!-- Specify either an attribute name or the value of 'dn' to use as the unique 
     identifier. If an attribute is used, it must exist for all objects, such as 
     users, groups, folders. If the 'dn' is used, more resources are used as you 
     search deeper in the LDAP directory server hierarchy and policies may be 
     affected if the 'dn' is renamed. -->
          <crn:parameter name="camidAttribute">
            <crn:value xsi:type="xsd:string">dn</crn:value>
          </crn:parameter>
          <!-- dataEncoding: Specifies the encoding of the data stored in the LDAP directory 
     server. -->
          <!-- If this property is set to an encoding other than UTF-8, then the data is 
     converted from UTF-8 to the encoding you specify. The encoding must follow IANA 
     (RFC 1700) or MIME character set specifications. For example, use windows-1252, 
     iso-8859-1, iso-8859-15, Shift_JIS, utf-16, or utf-8. -->
          <crn:parameter name="dataEncoding">
            <crn:value xsi:type="xsd:string">UTF-8</crn:value>
          </crn:parameter>
          <!-- sslCertificateDatabase: Specifies the location of the certificate database 
     used by the directory server for SSL connections. -->
          <!-- Use this property to point to the location of the SSL certificate database for 
     your LDAP server. -->
          <crn:parameter name="sslCertificateDatabase">
            <crn:value xsi:type="cfg:filePath"> 
            </crn:value>
          </crn:parameter>
          <!-- selectableForAuth: Specifies whether the namespace is selectable for 
     authentication. -->
          <!-- If this property is set to true, the namespace will be available for 
     authentication in the logon page namespace selection prompt. Set this value to 
     false if the namespace should not be available for selection on the logon page. 
     -->
          <crn:parameter name="selectableForAuth">
            <crn:value xsi:type="xsd:boolean">true</crn:value>
          </crn:parameter>
          <!-- advancedProperties: Specifies a set of advanced properties. -->
          <!-- The user needs to provide the name and the value for each advanced property. -->
          <crn:parameter name="advancedProperties">
            <crn:value xsi:type="cfg:array"> 
            </crn:value>
          </crn:parameter>
          <!-- tenantIdMapping: Specifies how namespace users are mapped to tenant IDs. -->
          <!-- Specifying a value for this parameter enables multitenancy. The tenant ID for 
     a user can be determined using a pattern or a tenant provider class. The 
     pattern is a AAA service search path to a property which defines a tenant ID. 
     The search path must be relative to a user account. For example: 
     '~/ancestors[2]/defaultName'. A tenant provider class is Java class which 
     implements the the ITenantProvider interface. For more details please consult 
     the installation and configuration guide. -->
          <crn:parameter name="tenantIdMapping">
            <crn:value xsi:type="cfg:tenancyInfo">pattern</crn:value>
          </crn:parameter>
          <!-- tenantBoundingSetMapping: Specifies how the tenant bounding set is determined 
     for a user. -->
          <!-- This parameter is used when multitenancy is enabled. The tenant bounding set 
     for a user can be determined using a pattern or a tenant bounding set provider 
     class. The pattern is a AAA service search path to a property which defines a 
     tenant bounding set. The search path must be relative to a user account. For 
     example: '˜/parameters/boundingSet'. A tenant bounding set provider class is 
     Java class which implements the the IBoundingSetProvider interface. For more 
     details please consult the installation and configuration guide. -->
          <crn:parameter name="tenantBoundingSetMapping">
            <crn:value xsi:type="cfg:tenancyInfo">pattern</crn:value>
          </crn:parameter>
          <!-- folderObjectClass: Specifies the name of the LDAP object class used to 
     identify a folder. -->
          <crn:parameter name="folderObjectClass">
            <crn:value xsi:type="xsd:string">organizationalunit</crn:value>
          </crn:parameter>
          <!-- folderDescription: Specifies the LDAP attribute used for the "description" 
     property of a folder. -->
          <crn:parameter name="folderDescription">
            <crn:value xsi:type="xsd:string">description</crn:value>
          </crn:parameter>
          <!-- folderName: Specifies the LDAP attribute used for the "name" property of a 
     folder. -->
          <crn:parameter name="folderName">
            <crn:value xsi:type="xsd:string">ou</crn:value>
          </crn:parameter>
          <!-- groupObjectClass: Specifies the name of the LDAP object class used to identify 
     a group. -->
          <crn:parameter name="groupObjectClass">
            <crn:value xsi:type="xsd:string">groupofuniquenames</crn:value>
          </crn:parameter>
          <!-- groupDescription: Specifies the LDAP attribute used for the "description" 
     property of a group. -->
          <crn:parameter name="groupDescription">
            <crn:value xsi:type="xsd:string">description</crn:value>
          </crn:parameter>
          <!-- groupMembers: Specifies the LDAP attribute used to identify the members of a 
     group. -->
          <crn:parameter name="groupMembers">
            <crn:value xsi:type="xsd:string">uniquemember</crn:value>
          </crn:parameter>
          <!-- groupName: Specifies the LDAP attribute used for the "name" property of a 
     group. -->
          <crn:parameter name="groupName">
            <crn:value xsi:type="xsd:string">cn</crn:value>
          </crn:parameter>
          <!-- accountObjectClass: Specifies the name of the LDAP object class used to 
     identify an account. -->
          <crn:parameter name="accountObjectClass">
            <crn:value xsi:type="xsd:string">inetorgperson</crn:value>
          </crn:parameter>
          <!-- accountBusinessPhone: Specifies the LDAP attribute used for the 
     "businessPhone" property for an account. -->
          <crn:parameter name="accountBusinessPhone">
            <crn:value xsi:type="xsd:string">telephonenumber</crn:value>
          </crn:parameter>
          <!-- accountContentLocale: Specifies the LDAP attribute used for the 
     "contentLocale" property for an account. -->
          <crn:parameter name="accountContentLocale">
            <crn:value xsi:type="xsd:string">preferredlanguage</crn:value>
          </crn:parameter>
          <!-- accountDescription: Specifies the LDAP attribute used for the "description" 
     property for an account. -->
          <crn:parameter name="accountDescription">
            <crn:value xsi:type="xsd:string">description</crn:value>
          </crn:parameter>
          <!-- accountEmail: Specifies the LDAP attribute used for the "email" address of the 
     account. -->
          <crn:parameter name="accountEmail">
            <crn:value xsi:type="xsd:string">mail</crn:value>
          </crn:parameter>
          <!-- accountFaxPhone: Specifies the LDAP attribute used for the "faxPhone" property 
     for an account. -->
          <crn:parameter name="accountFaxPhone">
            <crn:value xsi:type="xsd:string">facsimiletelephonenumber</crn:value>
          </crn:parameter>
          <!-- accountGivenName: Specifies the LDAP attribute used for the "givenName" 
     property for an account. -->
          <crn:parameter name="accountGivenName">
            <crn:value xsi:type="xsd:string">givenname</crn:value>
          </crn:parameter>
          <!-- accountHomePhone: Specifies the LDAP attribute used for the "homePhone" 
     property for an account. -->
          <crn:parameter name="accountHomePhone">
            <crn:value xsi:type="xsd:string">homephone</crn:value>
          </crn:parameter>
          <!-- accountMobilePhone: Specifies the LDAP attribute used for the "mobilePhone" 
     property for an account. -->
          <crn:parameter name="accountMobilePhone">
            <crn:value xsi:type="xsd:string">mobile</crn:value>
          </crn:parameter>
          <!-- accountName: Specifies the LDAP attribute used for the "name" property for an 
     account. -->
          <crn:parameter name="accountName">
            <crn:value xsi:type="xsd:string">cn</crn:value>
          </crn:parameter>
          <!-- accountPagerPhone: Specifies the LDAP attribute used for the "pagerPhone" 
     property for an account. -->
          <crn:parameter name="accountPagerPhone">
            <crn:value xsi:type="xsd:string">pager</crn:value>
          </crn:parameter>
          <!-- accountPassword: Specifies the LDAP attribute used for the "password" property 
     for an account. -->
          <crn:parameter name="accountPassword">
            <crn:value xsi:type="xsd:string">userPassword</crn:value>
          </crn:parameter>
          <!-- accountPostalAddress: Specifies the LDAP attribute used for the 
     "postalAddress" property for an account. -->
          <crn:parameter name="accountPostalAddress">
            <crn:value xsi:type="xsd:string">postaladdress</crn:value>
          </crn:parameter>
          <!-- accountProductLocale: Specifies the LDAP attribute used for the 
     "productLocale" property for an account. -->
          <crn:parameter name="accountProductLocale">
            <crn:value xsi:type="xsd:string">preferredlanguage</crn:value>
          </crn:parameter>
          <!-- accountSurname: Specifies the LDAP attribute used for the "surname" property 
     for an account. -->
          <crn:parameter name="accountSurname">
            <crn:value xsi:type="xsd:string">sn</crn:value>
          </crn:parameter>
          <!-- accountUserName: Specifies the LDAP attribute used for the "userName" property 
     for an account. -->
          <crn:parameter name="accountUserName">
            <crn:value xsi:type="xsd:string">uid</crn:value>
          </crn:parameter>
          <!-- customProperties: Specifies a set of custom properties. -->
          <!-- Use this set of custom properties to define additional account information. -->
          <crn:parameter name="customProperties">
            <crn:value xsi:type="cfg:array"> 
            </crn:value>
          </crn:parameter>
        </crn:instance>
        <!--
(End of) LDAP template
===============================================================================

-->
        <!--

===============================================================================
(Begin of) LDAP_AD template
-->
        <crn:instance name="LDAP_AD Name" class="LDAP_AD">
          <!-- id: Specifies a unique identifier for the authentication namespace. -->
          <!-- Use the namespace identifier to distinguish between multiple namespaces. Each 
     namespace must have a unique identifier. When you select a namespace to use for 
     authentication in the run-time environment, the identifier is used by the IBM 
     Cognos components. Changing the namespace ID after the service has been started 
     may invalidate the object security policies and the Cognos group and role 
     memberships. The use of the colon in the Namespace ID is not supported. -->
          <crn:parameter name="id">
            <crn:value xsi:type="xsd:string"> 
            </crn:value>
          </crn:parameter>
          <!-- connection: Specifies the host name and port of the directory server. -->
          <!-- Use the following syntax to specify the host name and port for the directory 
     server: host:port; for example, localhost:389. Ensure that if you use a fully 
     qualified name for your computer that your DNS is set up to resolve it. 
     Otherwise, you can also use the IP address. -->
          <crn:parameter name="connection">
            <crn:value xsi:type="cfg:hostPort"> 
            </crn:value>
          </crn:parameter>
          <!-- baseDN: Specifies the base distinguished name of the LDAP server. -->
          <!-- The product uses the base DN to identify the top level of your directory 
     server structure. The root of the hierarchal directory structure is the 
     starting place for all searches. You restrict searches by specifying a base DN. 
     -->
          <crn:parameter name="baseDN">
            <crn:value xsi:type="xsd:string"> 
            </crn:value>
          </crn:parameter>
          <!-- userLookup: Specifies the user lookup used for binding to the LDAP directory 
     server. -->
          <!-- Use this property to specify the string that is used to construct the fully 
     qualified DN for authentication. All instances of '${userID}' in this string 
     are replaced by the value typed in by the user at the logon prompt. If the 
     string does not begin with an open parenthesis, the result of the substitution 
     is assumed to be a DN which can be used for authentication.  For example, 
     'uid=${userID},ou=people, base DN', where base DN is the Base Distinguished 
     Name parameter value. If the value begins with an open parenthesis '(', the 
     result of the substitution is assumed to be a search filter. Before binding, 
     the provider uses the filter to get the DN for authentication. For example, 
     '(userPrincipalName=${userID})'. A filter should be used if you have a 
     hierarchical directory structure. -->
          <crn:parameter name="userLookup">
            <crn:value xsi:type="xsd:string">${userID}</crn:value>
          </crn:parameter>
          <!-- useExternalIdentity: Specifies whether to use the identity from an external 
     source for user authentication. -->
          <!-- If this property is set to true, the user is authenticated by an external 
     source and the user's identity is provided to the product from the external 
     source. For example, if SSL is configured to use client certificates, the Web 
     server sets the REMOTE_USER environment variable to the user's identity. If you 
     set this property to true, ensure that you set the "External Identity Mapping" 
     property. -->
          <crn:parameter name="useExternalIdentity">
            <crn:value xsi:type="xsd:boolean">false</crn:value>
          </crn:parameter>
          <!-- externalIdentityMapping: Specifies the mapping used to locate a user in the 
     LDAP directory server. -->
          <!-- This property is used only if you enable the "Use External identity" property. 
     This mapping is used to construct a DN or a search filter to locate a user in 
     the LDAP directory server. All instances of 
     '${environment("ENVIRONMENT_VARIABLE_NAME")' in this string are replaced by the 
     value of the environment variable provided by the Web server. If the string 
     does not begin with an open parenthesis, the result of the substitution is 
     assumed to be the user's DN. For example, 
     'uid=${environment("REMOTE_USER")},ou=people, base DN', where base DN is the 
     Base Distinguished Name parameter value. If the value begins with an open 
     parenthesis '(', the result of the substitution is assumed to be a search 
     filter. For example, '(userPrincipalName=${environment("REMOTE_USER")})'. Note 
     that you must either enable anonymous access to the LDAP directory server or 
     set the 'Bind user DN and password' property. -->
          <crn:parameter name="externalIdentityMapping">
            <crn:value xsi:type="xsd:string">${environment("REMOTE_USER")}</crn:value>
          </crn:parameter>
          <!-- bindCredentials: Specifies the credentials used for binding to the LDAP server 
     when performing a search using the user lookup property, or when performing all 
     operations using the external identity mapping. -->
          <!-- This value corresponds to an LDAP user who has read and search access to the 
     user branch of the LDAP directory server. -->
          <crn:parameter name="bindCredentials">
            <crn:value xsi:type="cfg:credential" encrypted="false">
              <credential>
                <username>joe</username>
                <password>paranoid</password>
              </credential>
            </crn:value>
          </crn:parameter>
          <!-- sizeLimit: Specifies the maximum number of responses permitted for a search 
     request. -->
          <!-- The value depends on your environment. As a general rule, the minimum value 
     for this setting should be greater than the maximum number of groups or users 
     plus 100. When the size limit is reached the directory server stops searching. 
     The default value of -1 indicates that the value on the LDAP server will be 
     used. -->
          <!-- Units: entries -->
          <crn:parameter name="sizeLimit">
            <crn:value xsi:type="xsd:int">-1</crn:value>
          </crn:parameter>
          <!-- timeOut: Specifies the number of seconds permitted to perform a search 
     request. -->
          <!-- The product uses this value when it requests authentication from the namespace 
     on your directory server. The value depends on your reporting environment. If 
     the duration is exceeded, the search is timed out. The default value -1 
     indicates that the value on the LDAP server will be used. -->
          <!-- Units: sec -->
          <crn:parameter name="timeOut">
            <crn:value xsi:type="xsd:int">-1</crn:value>
          </crn:parameter>
          <!-- useBindCredentialsForSearch: Specifies whether to use the bind credentials to 
     perform a search. -->
          <!-- This property only affects users who don't use the external identity mapping. 
     If this property is set to true, the bind credentials provided in the namespace 
     configuration will be used to perform a search in the LDAP directory server. If 
     this flag is false or bind credentials are not presented, the authenticated 
     user credentials will be used for searching. -->
          <crn:parameter name="useBindCredentialsForSearch">
            <crn:value xsi:type="xsd:boolean">false</crn:value>
          </crn:parameter>
          <!-- allowEmptyPswd: Specifies whether empty passwords are allowed for user 
     authentication. -->
          <!-- Set this property to true only if you specifically wish to allow empty 
     passwords. When a user is not required to specify a password, he is 
     authenticated as an anonymous user on the LDAP namespace, but as a named user 
     on the Cognos namespace. Requiring passwords for authentication increases 
     security and makes it more difficult to forge identities. By default, this 
     property is set to false. -->
          <crn:parameter name="allowEmptyPswd">
            <crn:value xsi:type="xsd:boolean">false</crn:value>
          </crn:parameter>
          <!-- camidAttribute: Specifies the value used to uniquely identify objects stored 
     in the LDAP directory server. -->
          <!-- Specify either an attribute name or the value of 'dn' to use as the unique 
     identifier. If an attribute is used, it must exist for all objects, such as 
     users, groups, folders. If the 'dn' is used, more resources are used as you 
     search deeper in the LDAP directory server hierarchy and policies may be 
     affected if the 'dn' is renamed. -->
          <crn:parameter name="camidAttribute">
            <crn:value xsi:type="xsd:string">objectGUID</crn:value>
          </crn:parameter>
          <!-- dataEncoding: Specifies the encoding of the data stored in the LDAP directory 
     server. -->
          <!-- If this property is set to an encoding other than UTF-8, then the data is 
     converted from UTF-8 to the encoding you specify. The encoding must follow IANA 
     (RFC 1700) or MIME character set specifications. For example, use windows-1252, 
     iso-8859-1, iso-8859-15, Shift_JIS, utf-16, or utf-8. -->
          <crn:parameter name="dataEncoding">
            <crn:value xsi:type="xsd:string">UTF-8</crn:value>
          </crn:parameter>
          <!-- sslCertificateDatabase: Specifies the location of the certificate database 
     used by the directory server for SSL connections. -->
          <!-- Use this property to point to the location of the SSL certificate database for 
     your LDAP server. -->
          <crn:parameter name="sslCertificateDatabase">
            <crn:value xsi:type="cfg:filePath"> 
            </crn:value>
          </crn:parameter>
          <!-- selectableForAuth: Specifies whether the namespace is selectable for 
     authentication. -->
          <!-- If this property is set to true, the namespace will be available for 
     authentication in the logon page namespace selection prompt. Set this value to 
     false if the namespace should not be available for selection on the logon page. 
     -->
          <crn:parameter name="selectableForAuth">
            <crn:value xsi:type="xsd:boolean">true</crn:value>
          </crn:parameter>
          <!-- advancedProperties: Specifies a set of advanced properties. -->
          <!-- The user needs to provide the name and the value for each advanced property. -->
          <crn:parameter name="advancedProperties">
            <crn:value xsi:type="cfg:array"> 
            </crn:value>
          </crn:parameter>
          <!-- tenantIdMapping: Specifies how namespace users are mapped to tenant IDs. -->
          <!-- Specifying a value for this parameter enables multitenancy. The tenant ID for 
     a user can be determined using a pattern or a tenant provider class. The 
     pattern is a AAA service search path to a property which defines a tenant ID. 
     The search path must be relative to a user account. For example: 
     '~/ancestors[2]/defaultName'. A tenant provider class is Java class which 
     implements the the ITenantProvider interface. For more details please consult 
     the installation and configuration guide. -->
          <crn:parameter name="tenantIdMapping">
            <crn:value xsi:type="cfg:tenancyInfo">pattern</crn:value>
          </crn:parameter>
          <!-- tenantBoundingSetMapping: Specifies how the tenant bounding set is determined 
     for a user. -->
          <!-- This parameter is used when multitenancy is enabled. The tenant bounding set 
     for a user can be determined using a pattern or a tenant bounding set provider 
     class. The pattern is a AAA service search path to a property which defines a 
     tenant bounding set. The search path must be relative to a user account. For 
     example: '˜/parameters/boundingSet'. A tenant bounding set provider class is 
     Java class which implements the the IBoundingSetProvider interface. For more 
     details please consult the installation and configuration guide. -->
          <crn:parameter name="tenantBoundingSetMapping">
            <crn:value xsi:type="cfg:tenancyInfo">pattern</crn:value>
          </crn:parameter>
          <!-- folderObjectClass: Specifies the name of the LDAP object class used to 
     identify a folder. -->
          <crn:parameter name="folderObjectClass">
            <crn:value xsi:type="xsd:string">organizationalUnit,organization,container</crn:value>
          </crn:parameter>
          <!-- folderDescription: Specifies the LDAP attribute used for the "description" 
     property of a folder. -->
          <crn:parameter name="folderDescription">
            <crn:value xsi:type="xsd:string">description</crn:value>
          </crn:parameter>
          <!-- folderName: Specifies the LDAP attribute used for the "name" property of a 
     folder. -->
          <crn:parameter name="folderName">
            <crn:value xsi:type="xsd:string">ou,o,cn</crn:value>
          </crn:parameter>
          <!-- groupObjectClass: Specifies the name of the LDAP object class used to identify 
     a group. -->
          <crn:parameter name="groupObjectClass">
            <crn:value xsi:type="xsd:string">group</crn:value>
          </crn:parameter>
          <!-- groupDescription: Specifies the LDAP attribute used for the "description" 
     property of a group. -->
          <crn:parameter name="groupDescription">
            <crn:value xsi:type="xsd:string">description</crn:value>
          </crn:parameter>
          <!-- groupMembers: Specifies the LDAP attribute used to identify the members of a 
     group. -->
          <crn:parameter name="groupMembers">
            <crn:value xsi:type="xsd:string">member</crn:value>
          </crn:parameter>
          <!-- groupName: Specifies the LDAP attribute used for the "name" property of a 
     group. -->
          <crn:parameter name="groupName">
            <crn:value xsi:type="xsd:string">cn</crn:value>
          </crn:parameter>
          <!-- accountObjectClass: Specifies the name of the LDAP object class used to 
     identify an account. -->
          <crn:parameter name="accountObjectClass">
            <crn:value xsi:type="xsd:string">user</crn:value>
          </crn:parameter>
          <!-- accountBusinessPhone: Specifies the LDAP attribute used for the 
     "businessPhone" property for an account. -->
          <crn:parameter name="accountBusinessPhone">
            <crn:value xsi:type="xsd:string">telephonenumber</crn:value>
          </crn:parameter>
          <!-- accountContentLocale: Specifies the LDAP attribute used for the 
     "contentLocale" property for an account. -->
          <crn:parameter name="accountContentLocale">
            <crn:value xsi:type="xsd:string">preferredlanguage</crn:value>
          </crn:parameter>
          <!-- accountDescription: Specifies the LDAP attribute used for the "description" 
     property for an account. -->
          <crn:parameter name="accountDescription">
            <crn:value xsi:type="xsd:string">description</crn:value>
          </crn:parameter>
          <!-- accountEmail: Specifies the LDAP attribute used for the "email" address of the 
     account. -->
          <crn:parameter name="accountEmail">
            <crn:value xsi:type="xsd:string">mail</crn:value>
          </crn:parameter>
          <!-- accountFaxPhone: Specifies the LDAP attribute used for the "faxPhone" property 
     for an account. -->
          <crn:parameter name="accountFaxPhone">
            <crn:value xsi:type="xsd:string">facsimiletelephonenumber</crn:value>
          </crn:parameter>
          <!-- accountGivenName: Specifies the LDAP attribute used for the "givenName" 
     property for an account. -->
          <crn:parameter name="accountGivenName">
            <crn:value xsi:type="xsd:string">givenname</crn:value>
          </crn:parameter>
          <!-- accountHomePhone: Specifies the LDAP attribute used for the "homePhone" 
     property for an account. -->
          <crn:parameter name="accountHomePhone">
            <crn:value xsi:type="xsd:string">homephone</crn:value>
          </crn:parameter>
          <!-- accountMobilePhone: Specifies the LDAP attribute used for the "mobilePhone" 
     property for an account. -->
          <crn:parameter name="accountMobilePhone">
            <crn:value xsi:type="xsd:string">mobile</crn:value>
          </crn:parameter>
          <!-- accountName: Specifies the LDAP attribute used for the "name" property for an 
     account. -->
          <crn:parameter name="accountName">
            <crn:value xsi:type="xsd:string">displayName</crn:value>
          </crn:parameter>
          <!-- accountPagerPhone: Specifies the LDAP attribute used for the "pagerPhone" 
     property for an account. -->
          <crn:parameter name="accountPagerPhone">
            <crn:value xsi:type="xsd:string">pager</crn:value>
          </crn:parameter>
          <!-- accountPassword: Specifies the LDAP attribute used for the "password" property 
     for an account. -->
          <crn:parameter name="accountPassword">
            <crn:value xsi:type="xsd:string">unicodePwd</crn:value>
          </crn:parameter>
          <!-- accountPostalAddress: Specifies the LDAP attribute used for the 
     "postalAddress" property for an account. -->
          <crn:parameter name="accountPostalAddress">
            <crn:value xsi:type="xsd:string">postaladdress</crn:value>
          </crn:parameter>
          <!-- accountProductLocale: Specifies the LDAP attribute used for the 
     "productLocale" property for an account. -->
          <crn:parameter name="accountProductLocale">
            <crn:value xsi:type="xsd:string">preferredlanguage</crn:value>
          </crn:parameter>
          <!-- accountSurname: Specifies the LDAP attribute used for the "surname" property 
     for an account. -->
          <crn:parameter name="accountSurname">
            <crn:value xsi:type="xsd:string">sn</crn:value>
          </crn:parameter>
          <!-- accountUserName: Specifies the LDAP attribute used for the "userName" property 
     for an account. -->
          <crn:parameter name="accountUserName">
            <crn:value xsi:type="xsd:string">sAMAccountName</crn:value>
          </crn:parameter>
          <!-- customProperties: Specifies a set of custom properties. -->
          <!-- Use this set of custom properties to define additional account information. -->
          <crn:parameter name="customProperties">
            <crn:value xsi:type="cfg:array"> 
            </crn:value>
          </crn:parameter>
        </crn:instance>
        <!--
(End of) LDAP_AD template
===============================================================================

-->
        <!--

===============================================================================
(Begin of) LDAP_IBM template
-->
        <crn:instance name="LDAP_IBM Name" class="LDAP_IBM">
          <!-- id: Specifies a unique identifier for the authentication namespace. -->
          <!-- Use the namespace identifier to distinguish between multiple namespaces. Each 
     namespace must have a unique identifier. When you select a namespace to use for 
     authentication in the run-time environment, the identifier is used by the IBM 
     Cognos components. Changing the namespace ID after the service has been started 
     may invalidate the object security policies and the Cognos group and role 
     memberships. The use of the colon in the Namespace ID is not supported. -->
          <crn:parameter name="id">
            <crn:value xsi:type="xsd:string"> 
            </crn:value>
          </crn:parameter>
          <!-- connection: Specifies the host name and port of the directory server. -->
          <!-- Use the following syntax to specify the host name and port for the directory 
     server: host:port; for example, localhost:389. Ensure that if you use a fully 
     qualified name for your computer that your DNS is set up to resolve it. 
     Otherwise, you can also use the IP address. -->
          <crn:parameter name="connection">
            <crn:value xsi:type="cfg:hostPort"> 
            </crn:value>
          </crn:parameter>
          <!-- baseDN: Specifies the base distinguished name of the LDAP server. -->
          <!-- The product uses the base DN to identify the top level of your directory 
     server structure. The root of the hierarchal directory structure is the 
     starting place for all searches. You restrict searches by specifying a base DN. 
     -->
          <crn:parameter name="baseDN">
            <crn:value xsi:type="xsd:string"> 
            </crn:value>
          </crn:parameter>
          <!-- userLookup: Specifies the user lookup used for binding to the LDAP directory 
     server. -->
          <!-- Use this property to specify the string that is used to construct the fully 
     qualified DN for authentication. All instances of '${userID}' in this string 
     are replaced by the value typed in by the user at the logon prompt. If the 
     string does not begin with an open parenthesis, the result of the substitution 
     is assumed to be a DN which can be used for authentication.  For example, 
     'uid=${userID},ou=people, base DN', where base DN is the Base Distinguished 
     Name parameter value. If the value begins with an open parenthesis '(', the 
     result of the substitution is assumed to be a search filter. Before binding, 
     the provider uses the filter to get the DN for authentication. For example, 
     '(userPrincipalName=${userID})'. A filter should be used if you have a 
     hierarchical directory structure. -->
          <crn:parameter name="userLookup">
            <crn:value xsi:type="xsd:string">${userID}</crn:value>
          </crn:parameter>
          <!-- useExternalIdentity: Specifies whether to use the identity from an external 
     source for user authentication. -->
          <!-- If this property is set to true, the user is authenticated by an external 
     source and the user's identity is provided to the product from the external 
     source. For example, if SSL is configured to use client certificates, the Web 
     server sets the REMOTE_USER environment variable to the user's identity. If you 
     set this property to true, ensure that you set the "External Identity Mapping" 
     property. -->
          <crn:parameter name="useExternalIdentity">
            <crn:value xsi:type="xsd:boolean">false</crn:value>
          </crn:parameter>
          <!-- externalIdentityMapping: Specifies the mapping used to locate a user in the 
     LDAP directory server. -->
          <!-- This property is used only if you enable the "Use External identity" property. 
     This mapping is used to construct a DN or a search filter to locate a user in 
     the LDAP directory server. All instances of 
     '${environment("ENVIRONMENT_VARIABLE_NAME")' in this string are replaced by the 
     value of the environment variable provided by the Web server. If the string 
     does not begin with an open parenthesis, the result of the substitution is 
     assumed to be the user's DN. For example, 
     'uid=${environment("REMOTE_USER")},ou=people, base DN', where base DN is the 
     Base Distinguished Name parameter value. If the value begins with an open 
     parenthesis '(', the result of the substitution is assumed to be a search 
     filter. For example, '(userPrincipalName=${environment("REMOTE_USER")})'. Note 
     that you must either enable anonymous access to the LDAP directory server or 
     set the 'Bind user DN and password' property. -->
          <crn:parameter name="externalIdentityMapping">
            <crn:value xsi:type="xsd:string">${environment("REMOTE_USER")}</crn:value>
          </crn:parameter>
          <!-- bindCredentials: Specifies the credentials used for binding to the LDAP server 
     when performing a search using the user lookup property, or when performing all 
     operations using the external identity mapping. -->
          <!-- This value corresponds to an LDAP user who has read and search access to the 
     user branch of the LDAP directory server. -->
          <crn:parameter name="bindCredentials">
            <crn:value xsi:type="cfg:credential" encrypted="false">
              <credential>
                <username>joe</username>
                <password>paranoid</password>
              </credential>
            </crn:value>
          </crn:parameter>
          <!-- sizeLimit: Specifies the maximum number of responses permitted for a search 
     request. -->
          <!-- The value depends on your environment. As a general rule, the minimum value 
     for this setting should be greater than the maximum number of groups or users 
     plus 100. When the size limit is reached the directory server stops searching. 
     The default value of -1 indicates that the value on the LDAP server will be 
     used. -->
          <!-- Units: entries -->
          <crn:parameter name="sizeLimit">
            <crn:value xsi:type="xsd:int">-1</crn:value>
          </crn:parameter>
          <!-- timeOut: Specifies the number of seconds permitted to perform a search 
     request. -->
          <!-- The product uses this value when it requests authentication from the namespace 
     on your directory server. The value depends on your reporting environment. If 
     the duration is exceeded, the search is timed out. The default value -1 
     indicates that the value on the LDAP server will be used. -->
          <!-- Units: sec -->
          <crn:parameter name="timeOut">
            <crn:value xsi:type="xsd:int">-1</crn:value>
          </crn:parameter>
          <!-- useBindCredentialsForSearch: Specifies whether to use the bind credentials to 
     perform a search. -->
          <!-- This property only affects users who don't use the external identity mapping. 
     If this property is set to true, the bind credentials provided in the namespace 
     configuration will be used to perform a search in the LDAP directory server. If 
     this flag is false or bind credentials are not presented, the authenticated 
     user credentials will be used for searching. -->
          <crn:parameter name="useBindCredentialsForSearch">
            <crn:value xsi:type="xsd:boolean">false</crn:value>
          </crn:parameter>
          <!-- allowEmptyPswd: Specifies whether empty passwords are allowed for user 
     authentication. -->
          <!-- Set this property to true only if you specifically wish to allow empty 
     passwords. When a user is not required to specify a password, he is 
     authenticated as an anonymous user on the LDAP namespace, but as a named user 
     on the Cognos namespace. Requiring passwords for authentication increases 
     security and makes it more difficult to forge identities. By default, this 
     property is set to false. -->
          <crn:parameter name="allowEmptyPswd">
            <crn:value xsi:type="xsd:boolean">false</crn:value>
          </crn:parameter>
          <!-- camidAttribute: Specifies the value used to uniquely identify objects stored 
     in the LDAP directory server. -->
          <!-- Specify either an attribute name or the value of 'dn' to use as the unique 
     identifier. If an attribute is used, it must exist for all objects, such as 
     users, groups, folders. If the 'dn' is used, more resources are used as you 
     search deeper in the LDAP directory server hierarchy and policies may be 
     affected if the 'dn' is renamed. -->
          <crn:parameter name="camidAttribute">
            <crn:value xsi:type="xsd:string">ibm-entryuuid</crn:value>
          </crn:parameter>
          <!-- dataEncoding: Specifies the encoding of the data stored in the LDAP directory 
     server. -->
          <!-- If this property is set to an encoding other than UTF-8, then the data is 
     converted from UTF-8 to the encoding you specify. The encoding must follow IANA 
     (RFC 1700) or MIME character set specifications. For example, use windows-1252, 
     iso-8859-1, iso-8859-15, Shift_JIS, utf-16, or utf-8. -->
          <crn:parameter name="dataEncoding">
            <crn:value xsi:type="xsd:string">UTF-8</crn:value>
          </crn:parameter>
          <!-- sslCertificateDatabase: Specifies the location of the certificate database 
     used by the directory server for SSL connections. -->
          <!-- Use this property to point to the location of the SSL certificate database for 
     your LDAP server. -->
          <crn:parameter name="sslCertificateDatabase">
            <crn:value xsi:type="cfg:filePath"> 
            </crn:value>
          </crn:parameter>
          <!-- selectableForAuth: Specifies whether the namespace is selectable for 
     authentication. -->
          <!-- If this property is set to true, the namespace will be available for 
     authentication in the logon page namespace selection prompt. Set this value to 
     false if the namespace should not be available for selection on the logon page. 
     -->
          <crn:parameter name="selectableForAuth">
            <crn:value xsi:type="xsd:boolean">true</crn:value>
          </crn:parameter>
          <!-- advancedProperties: Specifies a set of advanced properties. -->
          <!-- The user needs to provide the name and the value for each advanced property. -->
          <crn:parameter name="advancedProperties">
            <crn:value xsi:type="cfg:array"> 
            </crn:value>
          </crn:parameter>
          <!-- tenantIdMapping: Specifies how namespace users are mapped to tenant IDs. -->
          <!-- Specifying a value for this parameter enables multitenancy. The tenant ID for 
     a user can be determined using a pattern or a tenant provider class. The 
     pattern is a AAA service search path to a property which defines a tenant ID. 
     The search path must be relative to a user account. For example: 
     '~/ancestors[2]/defaultName'. A tenant provider class is Java class which 
     implements the the ITenantProvider interface. For more details please consult 
     the installation and configuration guide. -->
          <crn:parameter name="tenantIdMapping">
            <crn:value xsi:type="cfg:tenancyInfo">pattern</crn:value>
          </crn:parameter>
          <!-- tenantBoundingSetMapping: Specifies how the tenant bounding set is determined 
     for a user. -->
          <!-- This parameter is used when multitenancy is enabled. The tenant bounding set 
     for a user can be determined using a pattern or a tenant bounding set provider 
     class. The pattern is a AAA service search path to a property which defines a 
     tenant bounding set. The search path must be relative to a user account. For 
     example: '˜/parameters/boundingSet'. A tenant bounding set provider class is 
     Java class which implements the the IBoundingSetProvider interface. For more 
     details please consult the installation and configuration guide. -->
          <crn:parameter name="tenantBoundingSetMapping">
            <crn:value xsi:type="cfg:tenancyInfo">pattern</crn:value>
          </crn:parameter>
          <!-- folderObjectClass: Specifies the name of the LDAP object class used to 
     identify a folder. -->
          <crn:parameter name="folderObjectClass">
            <crn:value xsi:type="xsd:string">organizationalunit,organization,container</crn:value>
          </crn:parameter>
          <!-- folderDescription: Specifies the LDAP attribute used for the "description" 
     property of a folder. -->
          <crn:parameter name="folderDescription">
            <crn:value xsi:type="xsd:string">description</crn:value>
          </crn:parameter>
          <!-- folderName: Specifies the LDAP attribute used for the "name" property of a 
     folder. -->
          <crn:parameter name="folderName">
            <crn:value xsi:type="xsd:string">ou,o,cn</crn:value>
          </crn:parameter>
          <!-- groupObjectClass: Specifies the name of the LDAP object class used to identify 
     a group. -->
          <crn:parameter name="groupObjectClass">
            <crn:value xsi:type="xsd:string">groupofnames</crn:value>
          </crn:parameter>
          <!-- groupDescription: Specifies the LDAP attribute used for the "description" 
     property of a group. -->
          <crn:parameter name="groupDescription">
            <crn:value xsi:type="xsd:string">description</crn:value>
          </crn:parameter>
          <!-- groupMembers: Specifies the LDAP attribute used to identify the members of a 
     group. -->
          <crn:parameter name="groupMembers">
            <crn:value xsi:type="xsd:string">member</crn:value>
          </crn:parameter>
          <!-- groupName: Specifies the LDAP attribute used for the "name" property of a 
     group. -->
          <crn:parameter name="groupName">
            <crn:value xsi:type="xsd:string">cn</crn:value>
          </crn:parameter>
          <!-- accountObjectClass: Specifies the name of the LDAP object class used to 
     identify an account. -->
          <crn:parameter name="accountObjectClass">
            <crn:value xsi:type="xsd:string">inetOrgPerson</crn:value>
          </crn:parameter>
          <!-- accountBusinessPhone: Specifies the LDAP attribute used for the 
     "businessPhone" property for an account. -->
          <crn:parameter name="accountBusinessPhone">
            <crn:value xsi:type="xsd:string">telephonenumber</crn:value>
          </crn:parameter>
          <!-- accountContentLocale: Specifies the LDAP attribute used for the 
     "contentLocale" property for an account. -->
          <crn:parameter name="accountContentLocale">
            <crn:value xsi:type="xsd:string">preferredlanguage</crn:value>
          </crn:parameter>
          <!-- accountDescription: Specifies the LDAP attribute used for the "description" 
     property for an account. -->
          <crn:parameter name="accountDescription">
            <crn:value xsi:type="xsd:string">description</crn:value>
          </crn:parameter>
          <!-- accountEmail: Specifies the LDAP attribute used for the "email" address of the 
     account. -->
          <crn:parameter name="accountEmail">
            <crn:value xsi:type="xsd:string">mail</crn:value>
          </crn:parameter>
          <!-- accountFaxPhone: Specifies the LDAP attribute used for the "faxPhone" property 
     for an account. -->
          <crn:parameter name="accountFaxPhone">
            <crn:value xsi:type="xsd:string">facsimiletelephonenumber</crn:value>
          </crn:parameter>
          <!-- accountGivenName: Specifies the LDAP attribute used for the "givenName" 
     property for an account. -->
          <crn:parameter name="accountGivenName">
            <crn:value xsi:type="xsd:string">givenname</crn:value>
          </crn:parameter>
          <!-- accountHomePhone: Specifies the LDAP attribute used for the "homePhone" 
     property for an account. -->
          <crn:parameter name="accountHomePhone">
            <crn:value xsi:type="xsd:string">homephone</crn:value>
          </crn:parameter>
          <!-- accountMobilePhone: Specifies the LDAP attribute used for the "mobilePhone" 
     property for an account. -->
          <crn:parameter name="accountMobilePhone">
            <crn:value xsi:type="xsd:string">mobile</crn:value>
          </crn:parameter>
          <!-- accountName: Specifies the LDAP attribute used for the "name" property for an 
     account. -->
          <crn:parameter name="accountName">
            <crn:value xsi:type="xsd:string">cn</crn:value>
          </crn:parameter>
          <!-- accountPagerPhone: Specifies the LDAP attribute used for the "pagerPhone" 
     property for an account. -->
          <crn:parameter name="accountPagerPhone">
            <crn:value xsi:type="xsd:string">pager</crn:value>
          </crn:parameter>
          <!-- accountPassword: Specifies the LDAP attribute used for the "password" property 
     for an account. -->
          <crn:parameter name="accountPassword">
            <crn:value xsi:type="xsd:string">userPassword</crn:value>
          </crn:parameter>
          <!-- accountPostalAddress: Specifies the LDAP attribute used for the 
     "postalAddress" property for an account. -->
          <crn:parameter name="accountPostalAddress">
            <crn:value xsi:type="xsd:string">postaladdress</crn:value>
          </crn:parameter>
          <!-- accountProductLocale: Specifies the LDAP attribute used for the 
     "productLocale" property for an account. -->
          <crn:parameter name="accountProductLocale">
            <crn:value xsi:type="xsd:string">preferredlanguage</crn:value>
          </crn:parameter>
          <!-- accountSurname: Specifies the LDAP attribute used for the "surname" property 
     for an account. -->
          <crn:parameter name="accountSurname">
            <crn:value xsi:type="xsd:string">sn</crn:value>
          </crn:parameter>
          <!-- accountUserName: Specifies the LDAP attribute used for the "userName" property 
     for an account. -->
          <crn:parameter name="accountUserName">
            <crn:value xsi:type="xsd:string">uid</crn:value>
          </crn:parameter>
          <!-- customProperties: Specifies a set of custom properties. -->
          <!-- Use this set of custom properties to define additional account information. -->
          <crn:parameter name="customProperties">
            <crn:value xsi:type="cfg:array"> 
            </crn:value>
          </crn:parameter>
        </crn:instance>
        <!--
(End of) LDAP_IBM template
===============================================================================

-->
        <!--

===============================================================================
(Begin of) LDAP_SUNONE template
-->
        <crn:instance name="LDAP_SUNONE Name" class="LDAP_SUNONE">
          <!-- id: Specifies a unique identifier for the authentication namespace. -->
          <!-- Use the namespace identifier to distinguish between multiple namespaces. Each 
     namespace must have a unique identifier. When you select a namespace to use for 
     authentication in the run-time environment, the identifier is used by the IBM 
     Cognos components. Changing the namespace ID after the service has been started 
     may invalidate the object security policies and the Cognos group and role 
     memberships. The use of the colon in the Namespace ID is not supported. -->
          <crn:parameter name="id">
            <crn:value xsi:type="xsd:string"> 
            </crn:value>
          </crn:parameter>
          <!-- connection: Specifies the host name and port of the directory server. -->
          <!-- Use the following syntax to specify the host name and port for the directory 
     server: host:port; for example, localhost:389. Ensure that if you use a fully 
     qualified name for your computer that your DNS is set up to resolve it. 
     Otherwise, you can also use the IP address. -->
          <crn:parameter name="connection">
            <crn:value xsi:type="cfg:hostPort"> 
            </crn:value>
          </crn:parameter>
          <!-- baseDN: Specifies the base distinguished name of the LDAP server. -->
          <!-- The product uses the base DN to identify the top level of your directory 
     server structure. The root of the hierarchal directory structure is the 
     starting place for all searches. You restrict searches by specifying a base DN. 
     -->
          <crn:parameter name="baseDN">
            <crn:value xsi:type="xsd:string"> 
            </crn:value>
          </crn:parameter>
          <!-- userLookup: Specifies the user lookup used for binding to the LDAP directory 
     server. -->
          <!-- Use this property to specify the string that is used to construct the fully 
     qualified DN for authentication. All instances of '${userID}' in this string 
     are replaced by the value typed in by the user at the logon prompt. If the 
     string does not begin with an open parenthesis, the result of the substitution 
     is assumed to be a DN which can be used for authentication.  For example, 
     'uid=${userID},ou=people, base DN', where base DN is the Base Distinguished 
     Name parameter value. If the value begins with an open parenthesis '(', the 
     result of the substitution is assumed to be a search filter. Before binding, 
     the provider uses the filter to get the DN for authentication. For example, 
     '(userPrincipalName=${userID})'. A filter should be used if you have a 
     hierarchical directory structure. -->
          <crn:parameter name="userLookup">
            <crn:value xsi:type="xsd:string">${userID}</crn:value>
          </crn:parameter>
          <!-- useExternalIdentity: Specifies whether to use the identity from an external 
     source for user authentication. -->
          <!-- If this property is set to true, the user is authenticated by an external 
     source and the user's identity is provided to the product from the external 
     source. For example, if SSL is configured to use client certificates, the Web 
     server sets the REMOTE_USER environment variable to the user's identity. If you 
     set this property to true, ensure that you set the "External Identity Mapping" 
     property. -->
          <crn:parameter name="useExternalIdentity">
            <crn:value xsi:type="xsd:boolean">false</crn:value>
          </crn:parameter>
          <!-- externalIdentityMapping: Specifies the mapping used to locate a user in the 
     LDAP directory server. -->
          <!-- This property is used only if you enable the "Use External identity" property. 
     This mapping is used to construct a DN or a search filter to locate a user in 
     the LDAP directory server. All instances of 
     '${environment("ENVIRONMENT_VARIABLE_NAME")' in this string are replaced by the 
     value of the environment variable provided by the Web server. If the string 
     does not begin with an open parenthesis, the result of the substitution is 
     assumed to be the user's DN. For example, 
     'uid=${environment("REMOTE_USER")},ou=people, base DN', where base DN is the 
     Base Distinguished Name parameter value. If the value begins with an open 
     parenthesis '(', the result of the substitution is assumed to be a search 
     filter. For example, '(userPrincipalName=${environment("REMOTE_USER")})'. Note 
     that you must either enable anonymous access to the LDAP directory server or 
     set the 'Bind user DN and password' property. -->
          <crn:parameter name="externalIdentityMapping">
            <crn:value xsi:type="xsd:string">${environment("REMOTE_USER")}</crn:value>
          </crn:parameter>
          <!-- bindCredentials: Specifies the credentials used for binding to the LDAP server 
     when performing a search using the user lookup property, or when performing all 
     operations using the external identity mapping. -->
          <!-- This value corresponds to an LDAP user who has read and search access to the 
     user branch of the LDAP directory server. -->
          <crn:parameter name="bindCredentials">
            <crn:value xsi:type="cfg:credential" encrypted="false">
              <credential>
                <username>joe</username>
                <password>paranoid</password>
              </credential>
            </crn:value>
          </crn:parameter>
          <!-- sizeLimit: Specifies the maximum number of responses permitted for a search 
     request. -->
          <!-- The value depends on your environment. As a general rule, the minimum value 
     for this setting should be greater than the maximum number of groups or users 
     plus 100. When the size limit is reached the directory server stops searching. 
     The default value of -1 indicates that the value on the LDAP server will be 
     used. -->
          <!-- Units: entries -->
          <crn:parameter name="sizeLimit">
            <crn:value xsi:type="xsd:int">-1</crn:value>
          </crn:parameter>
          <!-- timeOut: Specifies the number of seconds permitted to perform a search 
     request. -->
          <!-- The product uses this value when it requests authentication from the namespace 
     on your directory server. The value depends on your reporting environment. If 
     the duration is exceeded, the search is timed out. The default value -1 
     indicates that the value on the LDAP server will be used. -->
          <!-- Units: sec -->
          <crn:parameter name="timeOut">
            <crn:value xsi:type="xsd:int">-1</crn:value>
          </crn:parameter>
          <!-- useBindCredentialsForSearch: Specifies whether to use the bind credentials to 
     perform a search. -->
          <!-- This property only affects users who don't use the external identity mapping. 
     If this property is set to true, the bind credentials provided in the namespace 
     configuration will be used to perform a search in the LDAP directory server. If 
     this flag is false or bind credentials are not presented, the authenticated 
     user credentials will be used for searching. -->
          <crn:parameter name="useBindCredentialsForSearch">
            <crn:value xsi:type="xsd:boolean">false</crn:value>
          </crn:parameter>
          <!-- allowEmptyPswd: Specifies whether empty passwords are allowed for user 
     authentication. -->
          <!-- Set this property to true only if you specifically wish to allow empty 
     passwords. When a user is not required to specify a password, he is 
     authenticated as an anonymous user on the LDAP namespace, but as a named user 
     on the Cognos namespace. Requiring passwords for authentication increases 
     security and makes it more difficult to forge identities. By default, this 
     property is set to false. -->
          <crn:parameter name="allowEmptyPswd">
            <crn:value xsi:type="xsd:boolean">false</crn:value>
          </crn:parameter>
          <!-- camidAttribute: Specifies the value used to uniquely identify objects stored 
     in the LDAP directory server. -->
          <!-- Specify either an attribute name or the value of 'dn' to use as the unique 
     identifier. If an attribute is used, it must exist for all objects, such as 
     users, groups, folders. If the 'dn' is used, more resources are used as you 
     search deeper in the LDAP directory server hierarchy and policies may be 
     affected if the 'dn' is renamed. -->
          <crn:parameter name="camidAttribute">
            <crn:value xsi:type="xsd:string">nsuniqueid</crn:value>
          </crn:parameter>
          <!-- dataEncoding: Specifies the encoding of the data stored in the LDAP directory 
     server. -->
          <!-- If this property is set to an encoding other than UTF-8, then the data is 
     converted from UTF-8 to the encoding you specify. The encoding must follow IANA 
     (RFC 1700) or MIME character set specifications. For example, use windows-1252, 
     iso-8859-1, iso-8859-15, Shift_JIS, utf-16, or utf-8. -->
          <crn:parameter name="dataEncoding">
            <crn:value xsi:type="xsd:string">UTF-8</crn:value>
          </crn:parameter>
          <!-- sslCertificateDatabase: Specifies the location of the certificate database 
     used by the directory server for SSL connections. -->
          <!-- Use this property to point to the location of the SSL certificate database for 
     your LDAP server. -->
          <crn:parameter name="sslCertificateDatabase">
            <crn:value xsi:type="cfg:filePath"> 
            </crn:value>
          </crn:parameter>
          <!-- selectableForAuth: Specifies whether the namespace is selectable for 
     authentication. -->
          <!-- If this property is set to true, the namespace will be available for 
     authentication in the logon page namespace selection prompt. Set this value to 
     false if the namespace should not be available for selection on the logon page. 
     -->
          <crn:parameter name="selectableForAuth">
            <crn:value xsi:type="xsd:boolean">true</crn:value>
          </crn:parameter>
          <!-- advancedProperties: Specifies a set of advanced properties. -->
          <!-- The user needs to provide the name and the value for each advanced property. -->
          <crn:parameter name="advancedProperties">
            <crn:value xsi:type="cfg:array"> 
            </crn:value>
          </crn:parameter>
          <!-- tenantIdMapping: Specifies how namespace users are mapped to tenant IDs. -->
          <!-- Specifying a value for this parameter enables multitenancy. The tenant ID for 
     a user can be determined using a pattern or a tenant provider class. The 
     pattern is a AAA service search path to a property which defines a tenant ID. 
     The search path must be relative to a user account. For example: 
     '~/ancestors[2]/defaultName'. A tenant provider class is Java class which 
     implements the the ITenantProvider interface. For more details please consult 
     the installation and configuration guide. -->
          <crn:parameter name="tenantIdMapping">
            <crn:value xsi:type="cfg:tenancyInfo">pattern</crn:value>
          </crn:parameter>
          <!-- tenantBoundingSetMapping: Specifies how the tenant bounding set is determined 
     for a user. -->
          <!-- This parameter is used when multitenancy is enabled. The tenant bounding set 
     for a user can be determined using a pattern or a tenant bounding set provider 
     class. The pattern is a AAA service search path to a property which defines a 
     tenant bounding set. The search path must be relative to a user account. For 
     example: '˜/parameters/boundingSet'. A tenant bounding set provider class is 
     Java class which implements the the IBoundingSetProvider interface. For more 
     details please consult the installation and configuration guide. -->
          <crn:parameter name="tenantBoundingSetMapping">
            <crn:value xsi:type="cfg:tenancyInfo">pattern</crn:value>
          </crn:parameter>
          <!-- folderObjectClass: Specifies the name of the LDAP object class used to 
     identify a folder. -->
          <crn:parameter name="folderObjectClass">
            <crn:value xsi:type="xsd:string">organizationalUnit,organization</crn:value>
          </crn:parameter>
          <!-- folderDescription: Specifies the LDAP attribute used for the "description" 
     property of a folder. -->
          <crn:parameter name="folderDescription">
            <crn:value xsi:type="xsd:string">description</crn:value>
          </crn:parameter>
          <!-- folderName: Specifies the LDAP attribute used for the "name" property of a 
     folder. -->
          <crn:parameter name="folderName">
            <crn:value xsi:type="xsd:string">ou,o</crn:value>
          </crn:parameter>
          <!-- groupObjectClass: Specifies the name of the LDAP object class used to identify 
     a group. -->
          <crn:parameter name="groupObjectClass">
            <crn:value xsi:type="xsd:string">groupofuniquenames</crn:value>
          </crn:parameter>
          <!-- groupDescription: Specifies the LDAP attribute used for the "description" 
     property of a group. -->
          <crn:parameter name="groupDescription">
            <crn:value xsi:type="xsd:string">description</crn:value>
          </crn:parameter>
          <!-- groupMembers: Specifies the LDAP attribute used to identify the members of a 
     group. -->
          <crn:parameter name="groupMembers">
            <crn:value xsi:type="xsd:string">uniquemember</crn:value>
          </crn:parameter>
          <!-- groupName: Specifies the LDAP attribute used for the "name" property of a 
     group. -->
          <crn:parameter name="groupName">
            <crn:value xsi:type="xsd:string">cn</crn:value>
          </crn:parameter>
          <!-- accountObjectClass: Specifies the name of the LDAP object class used to 
     identify an account. -->
          <crn:parameter name="accountObjectClass">
            <crn:value xsi:type="xsd:string">inetorgperson</crn:value>
          </crn:parameter>
          <!-- accountBusinessPhone: Specifies the LDAP attribute used for the 
     "businessPhone" property for an account. -->
          <crn:parameter name="accountBusinessPhone">
            <crn:value xsi:type="xsd:string">telephonenumber</crn:value>
          </crn:parameter>
          <!-- accountContentLocale: Specifies the LDAP attribute used for the 
     "contentLocale" property for an account. -->
          <crn:parameter name="accountContentLocale">
            <crn:value xsi:type="xsd:string">preferredlanguage</crn:value>
          </crn:parameter>
          <!-- accountDescription: Specifies the LDAP attribute used for the "description" 
     property for an account. -->
          <crn:parameter name="accountDescription">
            <crn:value xsi:type="xsd:string">description</crn:value>
          </crn:parameter>
          <!-- accountEmail: Specifies the LDAP attribute used for the "email" address of the 
     account. -->
          <crn:parameter name="accountEmail">
            <crn:value xsi:type="xsd:string">mail</crn:value>
          </crn:parameter>
          <!-- accountFaxPhone: Specifies the LDAP attribute used for the "faxPhone" property 
     for an account. -->
          <crn:parameter name="accountFaxPhone">
            <crn:value xsi:type="xsd:string">facsimiletelephonenumber</crn:value>
          </crn:parameter>
          <!-- accountGivenName: Specifies the LDAP attribute used for the "givenName" 
     property for an account. -->
          <crn:parameter name="accountGivenName">
            <crn:value xsi:type="xsd:string">givenname</crn:value>
          </crn:parameter>
          <!-- accountHomePhone: Specifies the LDAP attribute used for the "homePhone" 
     property for an account. -->
          <crn:parameter name="accountHomePhone">
            <crn:value xsi:type="xsd:string">homephone</crn:value>
          </crn:parameter>
          <!-- accountMobilePhone: Specifies the LDAP attribute used for the "mobilePhone" 
     property for an account. -->
          <crn:parameter name="accountMobilePhone">
            <crn:value xsi:type="xsd:string">mobile</crn:value>
          </crn:parameter>
          <!-- accountName: Specifies the LDAP attribute used for the "name" property for an 
     account. -->
          <crn:parameter name="accountName">
            <crn:value xsi:type="xsd:string">cn</crn:value>
          </crn:parameter>
          <!-- accountPagerPhone: Specifies the LDAP attribute used for the "pagerPhone" 
     property for an account. -->
          <crn:parameter name="accountPagerPhone">
            <crn:value xsi:type="xsd:string">pager</crn:value>
          </crn:parameter>
          <!-- accountPassword: Specifies the LDAP attribute used for the "password" property 
     for an account. -->
          <crn:parameter name="accountPassword">
            <crn:value xsi:type="xsd:string">userPassword</crn:value>
          </crn:parameter>
          <!-- accountPostalAddress: Specifies the LDAP attribute used for the 
     "postalAddress" property for an account. -->
          <crn:parameter name="accountPostalAddress">
            <crn:value xsi:type="xsd:string">postaladdress</crn:value>
          </crn:parameter>
          <!-- accountProductLocale: Specifies the LDAP attribute used for the 
     "productLocale" property for an account. -->
          <crn:parameter name="accountProductLocale">
            <crn:value xsi:type="xsd:string">preferredlanguage</crn:value>
          </crn:parameter>
          <!-- accountSurname: Specifies the LDAP attribute used for the "surname" property 
     for an account. -->
          <crn:parameter name="accountSurname">
            <crn:value xsi:type="xsd:string">sn</crn:value>
          </crn:parameter>
          <!-- accountUserName: Specifies the LDAP attribute used for the "userName" property 
     for an account. -->
          <crn:parameter name="accountUserName">
            <crn:value xsi:type="xsd:string">uid</crn:value>
          </crn:parameter>
          <!-- customProperties: Specifies a set of custom properties. -->
          <!-- Use this set of custom properties to define additional account information. -->
          <crn:parameter name="customProperties">
            <crn:value xsi:type="cfg:array"> 
            </crn:value>
          </crn:parameter>
        </crn:instance>
        <!--
(End of) LDAP_SUNONE template
===============================================================================

-->
        <!--

===============================================================================
(Begin of) OIDC_ADFS template
-->
        <crn:instance name="OIDC_ADFS Name" class="OIDC_ADFS">
          <!-- identityProviderType: Specifies the implementation of an OpenID Connect 
     identity provider. -->
          <crn:parameter name="identityProviderType">
            <crn:value xsi:type="xsd:string">ADFS</crn:value>
          </crn:parameter>
          <!-- id: Specifies a unique identifier for the authentication namespace. -->
          <!-- Use the namespace identifier to distinguish between multiple namespaces. Each 
     namespace must have a unique identifier. When you select a namespace to use for 
     authentication in the run-time environment, the identifier is used by the IBM 
     Cognos components. Changing the namespace ID after the service has been started 
     may invalidate the object security policies and the Cognos group and role 
     memberships. The use of the colon in the Namespace ID is not supported. -->
          <crn:parameter name="id">
            <crn:value xsi:type="xsd:string"> 
            </crn:value>
          </crn:parameter>
          <!-- oidcDiscEndpoint: Specifies the OpenID Connect discovery endpoint -->
          <!-- The discovery endpoint is used to retrieve the OpenID Connect configuration 
     that includes the authorization endpoint, token endpoint, jwks endpoint, and 
     issuer. -->
          <crn:parameter name="oidcDiscEndpoint">
            <crn:value xsi:type="cfg:anyPathURI">https://{hostname}:443/adfs/.well-known/openid-configuration</crn:value>
          </crn:parameter>
          <!-- clientId: Specifies the OpenID Connect client identifier -->
          <!-- The client identity that is assigned to the application by the OpenID Connect 
     identity provider. -->
          <crn:parameter name="clientId">
            <crn:value xsi:type="xsd:string"> 
            </crn:value>
          </crn:parameter>
          <!-- clientSecret: Specifies the client secret that is assigned to the application 
     by the OpenID Connect identity provider. -->
          <!-- The client secret that is assigned to the application by the OpenID Connect 
     identity provider. -->
          <crn:parameter name="clientSecret">
            <crn:value xsi:type="xsd:string" encrypted="false"/>
          </crn:parameter>
          <!-- returnUrl: Return URL that is configured with the OpenID Connect identity 
     provider. -->
          <!-- The return URL is invoked by the OpenID Connect identity provider after 
     successfully authenticating a user. The URL format is 
     https://dispatcherHOST:dispatcherPORT/bi/completeAuth.jsp or 
     https://webserverHOST:webserverPORT/ibmcognos/bi/completeAuth.jsp. This URL 
     completes Cognos Analytics authentication using the OpenID Connect identity 
     provider. -->
          <crn:parameter name="returnUrl">
            <crn:value xsi:type="cfg:anyPathURI">https://host:port/bi/completeAuth.jsp</crn:value>
          </crn:parameter>
          <!-- selectableForAuth: Specifies whether the namespace is selectable for 
     authentication. -->
          <!-- If this property is set to true, the namespace will be available for 
     authentication in the logon page namespace selection prompt. Set this value to 
     false if the namespace should not be available for selection on the logon page. 
     -->
          <crn:parameter name="selectableForAuth">
            <crn:value xsi:type="xsd:boolean">true</crn:value>
          </crn:parameter>
          <!-- advancedProperties: Specifies a set of advanced properties. -->
          <!-- The user needs to provide the name and the value for each advanced property. -->
          <crn:parameter name="advancedProperties">
            <crn:value xsi:type="cfg:array"> 
            </crn:value>
          </crn:parameter>
          <!-- accountCamidProperty: Specifies the value used to uniquely identify account 
     objects. -->
          <!-- Specify either an existing Content Manager account object model property 
     (e.g., email, username, defaultName, etc) or the name of a configured custom 
     property. A claim must be returned for all accounts from the Identity Provider 
     for either the Content Manager account object model property or the configured 
     custom property. The value selected must be unique across all account objects. 
     The value selected should be constant over time with a low probability of 
     needing to be changed. NOTE: this value should not be changed after initial 
     namespace configuration. -->
          <crn:parameter name="accountCamidProperty">
            <crn:value xsi:type="xsd:string">email</crn:value>
          </crn:parameter>
          <!-- customProperties: Specifies a set of custom properties. -->
          <!-- Use this set of custom properties to define additional account information. 
     The "name" field corresponds to the property name set in the account while the 
     "value" corresponds to the claim name in the id_token. -->
          <crn:parameter name="customProperties">
            <crn:value xsi:type="cfg:array"> 
            </crn:value>
          </crn:parameter>
          <!-- tenantIdMapping: Specifies how namespace users are mapped to tenant IDs. -->
          <!-- Specifying a value for this parameter enables multitenancy. The tenant ID for 
     a user can be determined using a pattern or a tenant provider class. The 
     pattern is a AAA service search path to a property which defines a tenant ID. 
     The search path must be relative to a user account. For example: 
     '~/ancestors[2]/defaultName'. A tenant provider class is Java class which 
     implements the the ITenantProvider interface. For more details please consult 
     the installation and configuration guide. -->
          <crn:parameter name="tenantIdMapping">
            <crn:value xsi:type="cfg:tenancyInfo">pattern</crn:value>
          </crn:parameter>
          <!-- tenantBoundingSetMapping: Specifies how the tenant bounding set is determined 
     for a user. -->
          <!-- This parameter is used when multitenancy is enabled. The tenant bounding set 
     for a user can be determined using a pattern or a tenant bounding set provider 
     class. The pattern is a AAA service search path to a property which defines a 
     tenant bounding set. The search path must be relative to a user account. For 
     example: '˜/parameters/boundingSet'. A tenant bounding set provider class is 
     Java class which implements the the IBoundingSetProvider interface. For more 
     details please consult the installation and configuration guide. -->
          <crn:parameter name="tenantBoundingSetMapping">
            <crn:value xsi:type="cfg:tenancyInfo">pattern</crn:value>
          </crn:parameter>
        </crn:instance>
        <!--
(End of) OIDC_ADFS template
===============================================================================

-->
        <!--

===============================================================================
(Begin of) OIDC_AzureAD template
-->
        <crn:instance name="OIDC_AzureAD Name" class="OIDC_AzureAD">
          <!-- identityProviderType: Specifies the implementation of an OpenID Connect 
     identity provider. -->
          <crn:parameter name="identityProviderType">
            <crn:value xsi:type="xsd:string">AzureAD</crn:value>
          </crn:parameter>
          <!-- id: Specifies a unique identifier for the authentication namespace. -->
          <!-- Use the namespace identifier to distinguish between multiple namespaces. Each 
     namespace must have a unique identifier. When you select a namespace to use for 
     authentication in the run-time environment, the identifier is used by the IBM 
     Cognos components. Changing the namespace ID after the service has been started 
     may invalidate the object security policies and the Cognos group and role 
     memberships. The use of the colon in the Namespace ID is not supported. -->
          <crn:parameter name="id">
            <crn:value xsi:type="xsd:string"> 
            </crn:value>
          </crn:parameter>
          <!-- oidcDiscEndpoint: Specifies the OpenID Connect discovery endpoint -->
          <!-- The discovery endpoint is used to retrieve the OpenID Connect configuration 
     that includes the authorization endpoint, token endpoint, jwks endpoint, and 
     issuer. -->
          <crn:parameter name="oidcDiscEndpoint">
            <crn:value xsi:type="cfg:anyPathURI">https://login.microsoftonline.com:443/{tenantid}/.well-known/openid-configuration</crn:value>
          </crn:parameter>
          <!-- clientId: Specifies the OpenID Connect client identifier -->
          <!-- The client identity that is assigned to the application by the OpenID Connect 
     identity provider. -->
          <crn:parameter name="clientId">
            <crn:value xsi:type="xsd:string"> 
            </crn:value>
          </crn:parameter>
          <!-- clientSecret: Specifies the client secret that is assigned to the application 
     by the OpenID Connect identity provider. -->
          <!-- The client secret that is assigned to the application by the OpenID Connect 
     identity provider. -->
          <crn:parameter name="clientSecret">
            <crn:value xsi:type="xsd:string" encrypted="false"/>
          </crn:parameter>
          <!-- returnUrl: Return URL that is configured with the OpenID Connect identity 
     provider. -->
          <!-- The return URL is invoked by the OpenID Connect identity provider after 
     successfully authenticating a user. The URL format is 
     https://dispatcherHOST:dispatcherPORT/bi/completeAuth.jsp or 
     https://webserverHOST:webserverPORT/ibmcognos/bi/completeAuth.jsp. This URL 
     completes Cognos Analytics authentication using the OpenID Connect identity 
     provider. -->
          <crn:parameter name="returnUrl">
            <crn:value xsi:type="cfg:anyPathURI">https://host:port/bi/completeAuth.jsp</crn:value>
          </crn:parameter>
          <!-- selectableForAuth: Specifies whether the namespace is selectable for 
     authentication. -->
          <!-- If this property is set to true, the namespace will be available for 
     authentication in the logon page namespace selection prompt. Set this value to 
     false if the namespace should not be available for selection on the logon page. 
     -->
          <crn:parameter name="selectableForAuth">
            <crn:value xsi:type="xsd:boolean">true</crn:value>
          </crn:parameter>
          <!-- advancedProperties: Specifies a set of advanced properties. -->
          <!-- The user needs to provide the name and the value for each advanced property. -->
          <crn:parameter name="advancedProperties">
            <crn:value xsi:type="cfg:array"> 
            </crn:value>
          </crn:parameter>
          <!-- accountCamidProperty: Specifies the value used to uniquely identify account 
     objects. -->
          <!-- Specify either an existing Content Manager account object model property 
     (e.g., email, username, defaultName, etc) or the name of a configured custom 
     property. A claim must be returned for all accounts from the Identity Provider 
     for either the Content Manager account object model property or the configured 
     custom property. The value selected must be unique across all account objects. 
     The value selected should be constant over time with a low probability of 
     needing to be changed. NOTE: this value should not be changed after initial 
     namespace configuration. -->
          <crn:parameter name="accountCamidProperty">
            <crn:value xsi:type="xsd:string">email</crn:value>
          </crn:parameter>
          <!-- customProperties: Specifies a set of custom properties. -->
          <!-- Use this set of custom properties to define additional account information. 
     The "name" field corresponds to the property name set in the account while the 
     "value" corresponds to the claim name in the id_token. -->
          <crn:parameter name="customProperties">
            <crn:value xsi:type="cfg:array"> 
            </crn:value>
          </crn:parameter>
          <!-- tenantIdMapping: Specifies how namespace users are mapped to tenant IDs. -->
          <!-- Specifying a value for this parameter enables multitenancy. The tenant ID for 
     a user can be determined using a pattern or a tenant provider class. The 
     pattern is a AAA service search path to a property which defines a tenant ID. 
     The search path must be relative to a user account. For example: 
     '~/ancestors[2]/defaultName'. A tenant provider class is Java class which 
     implements the the ITenantProvider interface. For more details please consult 
     the installation and configuration guide. -->
          <crn:parameter name="tenantIdMapping">
            <crn:value xsi:type="cfg:tenancyInfo">pattern</crn:value>
          </crn:parameter>
          <!-- tenantBoundingSetMapping: Specifies how the tenant bounding set is determined 
     for a user. -->
          <!-- This parameter is used when multitenancy is enabled. The tenant bounding set 
     for a user can be determined using a pattern or a tenant bounding set provider 
     class. The pattern is a AAA service search path to a property which defines a 
     tenant bounding set. The search path must be relative to a user account. For 
     example: '˜/parameters/boundingSet'. A tenant bounding set provider class is 
     Java class which implements the the IBoundingSetProvider interface. For more 
     details please consult the installation and configuration guide. -->
          <crn:parameter name="tenantBoundingSetMapping">
            <crn:value xsi:type="cfg:tenancyInfo">pattern</crn:value>
          </crn:parameter>
        </crn:instance>
        <!--
(End of) OIDC_AzureAD template
===============================================================================

-->
        <!--

===============================================================================
(Begin of) OIDC_BlueID template
-->
        <crn:instance name="OIDC_BlueID Name" class="OIDC_BlueID">
          <!-- identityProviderType: Specifies the implementation of an OpenID Connect 
     identity provider. -->
          <crn:parameter name="identityProviderType">
            <crn:value xsi:type="xsd:string">IBMid</crn:value>
          </crn:parameter>
          <!-- id: Specifies a unique identifier for the authentication namespace. -->
          <!-- Use the namespace identifier to distinguish between multiple namespaces. Each 
     namespace must have a unique identifier. When you select a namespace to use for 
     authentication in the run-time environment, the identifier is used by the IBM 
     Cognos components. Changing the namespace ID after the service has been started 
     may invalidate the object security policies and the Cognos group and role 
     memberships. The use of the colon in the Namespace ID is not supported. -->
          <crn:parameter name="id">
            <crn:value xsi:type="xsd:string"> 
            </crn:value>
          </crn:parameter>
          <!-- issuer: Specifies the OpenID claim issuer. -->
          <!-- A string that represents the identity provider that issued the claims in the 
     ID token. This value must match the value of the 'iss' entry in the ID token 
     JSON document. -->
          <crn:parameter name="issuer">
            <crn:value xsi:type="xsd:string">https://idaas.iam.ibm.com</crn:value>
          </crn:parameter>
          <!-- oidcTokenEndpoint: Specifies the OpenID Connect token endpoint -->
          <!-- The token endpoint is used to retrieve the identity token after a successful 
     authentication to the OpenID Connect identity provider. -->
          <crn:parameter name="oidcTokenEndpoint">
            <crn:value xsi:type="cfg:anyPathURI">https://idaas.iam.ibm.com:443/idaas/oidc/endpoint/default/token</crn:value>
          </crn:parameter>
          <!-- oidcAuthEndpoint: Specifies the OpenID Connect authorization endpoint. -->
          <!-- The authorization endpoint is a URL that your OpenID Connect identity provider 
     uses for authentication. In most cases, the URL should use the https scheme. 
     The authorization endpoint is invoked when users authenticate to the OpenID 
     Connect identity provider. -->
          <crn:parameter name="oidcAuthEndpoint">
            <crn:value xsi:type="cfg:anyPathURI">https://idaas.iam.ibm.com:443/idaas/oidc/endpoint/default/authorize</crn:value>
          </crn:parameter>
          <!-- clientId: Specifies the OpenID Connect client identifier -->
          <!-- The client identity that is assigned to the application by the OpenID Connect 
     identity provider. -->
          <crn:parameter name="clientId">
            <crn:value xsi:type="xsd:string"> 
            </crn:value>
          </crn:parameter>
          <!-- clientSecret: Specifies the client secret that is assigned to the application 
     by the OpenID Connect identity provider. -->
          <!-- The client secret that is assigned to the application by the OpenID Connect 
     identity provider. -->
          <crn:parameter name="clientSecret">
            <crn:value xsi:type="xsd:string" encrypted="false"/>
          </crn:parameter>
          <!-- idpCertificateFile: Specifies the location of the certificate that is used by 
     the OpenID Connect identity provider to sign the identity token. -->
          <!-- A path to the file that contains the certificate used by the identity provider 
     to sign the JSON Web Token. The path must include the certificate file name and 
     be   accessible to the running instance of Cognos Analytics. The certificate 
     must be in a PEM format, include only the public key certificate, and include 
     the begin and end certificate lines. The certificate file cannot be placed in 
     the configuration/certs directory. -->
          <crn:parameter name="idpCertificateFile">
            <crn:value xsi:type="cfg:filePath"> 
            </crn:value>
          </crn:parameter>
          <!-- returnUrl: Return URL that is configured with the OpenID Connect identity 
     provider. -->
          <!-- The return URL is invoked by the OpenID Connect identity provider after 
     successfully authenticating a user. The URL format is 
     https://dispatcherHOST:dispatcherPORT/bi/completeAuth.jsp or 
     https://webserverHOST:webserverPORT/ibmcognos/bi/completeAuth.jsp. This URL 
     completes Cognos Analytics authentication using the OpenID Connect identity 
     provider. -->
          <crn:parameter name="returnUrl">
            <crn:value xsi:type="cfg:anyPathURI">https://host:port/bi/completeAuth.jsp</crn:value>
          </crn:parameter>
          <!-- selectableForAuth: Specifies whether the namespace is selectable for 
     authentication. -->
          <!-- If this property is set to true, the namespace will be available for 
     authentication in the logon page namespace selection prompt. Set this value to 
     false if the namespace should not be available for selection on the logon page. 
     -->
          <crn:parameter name="selectableForAuth">
            <crn:value xsi:type="xsd:boolean">true</crn:value>
          </crn:parameter>
          <!-- advancedProperties: Specifies a set of advanced properties. -->
          <!-- The user needs to provide the name and the value for each advanced property. -->
          <crn:parameter name="advancedProperties">
            <crn:value xsi:type="cfg:array"> 
            </crn:value>
          </crn:parameter>
          <!-- accountCamidProperty: Specifies the value used to uniquely identify account 
     objects. -->
          <!-- Specify either an existing Content Manager account object model property 
     (e.g., email, username, defaultName, etc) or the name of a configured custom 
     property. A claim must be returned for all accounts from the Identity Provider 
     for either the Content Manager account object model property or the configured 
     custom property. The value selected must be unique across all account objects. 
     The value selected should be constant over time with a low probability of 
     needing to be changed. NOTE: this value should not be changed after initial 
     namespace configuration. -->
          <crn:parameter name="accountCamidProperty">
            <crn:value xsi:type="xsd:string">email</crn:value>
          </crn:parameter>
          <!-- customProperties: Specifies a set of custom properties. -->
          <!-- Use this set of custom properties to define additional account information. 
     The "name" field corresponds to the property name set in the account while the 
     "value" corresponds to the claim name in the id_token. -->
          <crn:parameter name="customProperties">
            <crn:value xsi:type="cfg:array"> 
            </crn:value>
          </crn:parameter>
          <!-- tenantIdMapping: Specifies how namespace users are mapped to tenant IDs. -->
          <!-- Specifying a value for this parameter enables multitenancy. The tenant ID for 
     a user can be determined using a pattern or a tenant provider class. The 
     pattern is a AAA service search path to a property which defines a tenant ID. 
     The search path must be relative to a user account. For example: 
     '~/ancestors[2]/defaultName'. A tenant provider class is Java class which 
     implements the the ITenantProvider interface. For more details please consult 
     the installation and configuration guide. -->
          <crn:parameter name="tenantIdMapping">
            <crn:value xsi:type="cfg:tenancyInfo">pattern</crn:value>
          </crn:parameter>
          <!-- tenantBoundingSetMapping: Specifies how the tenant bounding set is determined 
     for a user. -->
          <!-- This parameter is used when multitenancy is enabled. The tenant bounding set 
     for a user can be determined using a pattern or a tenant bounding set provider 
     class. The pattern is a AAA service search path to a property which defines a 
     tenant bounding set. The search path must be relative to a user account. For 
     example: '˜/parameters/boundingSet'. A tenant bounding set provider class is 
     Java class which implements the the IBoundingSetProvider interface. For more 
     details please consult the installation and configuration guide. -->
          <crn:parameter name="tenantBoundingSetMapping">
            <crn:value xsi:type="cfg:tenancyInfo">pattern</crn:value>
          </crn:parameter>
        </crn:instance>
        <!--
(End of) OIDC_BlueID template
===============================================================================

-->
        <!--

===============================================================================
(Begin of) OIDC_Generic template
-->
        <crn:instance name="OIDC_Generic Name" class="OIDC_Generic">
          <!-- identityProviderType: Specifies the implementation of an OpenID Connect 
     identity provider. -->
          <crn:parameter name="identityProviderType">
            <crn:value xsi:type="xsd:string">Generic</crn:value>
          </crn:parameter>
          <!-- id: Specifies a unique identifier for the authentication namespace. -->
          <!-- Use the namespace identifier to distinguish between multiple namespaces. Each 
     namespace must have a unique identifier. When you select a namespace to use for 
     authentication in the run-time environment, the identifier is used by the IBM 
     Cognos components. Changing the namespace ID after the service has been started 
     may invalidate the object security policies and the Cognos group and role 
     memberships. The use of the colon in the Namespace ID is not supported. -->
          <crn:parameter name="id">
            <crn:value xsi:type="xsd:string"> 
            </crn:value>
          </crn:parameter>
          <!-- selectableForAuth: Specifies whether the namespace is selectable for 
     authentication. -->
          <!-- If this property is set to true, the namespace will be available for 
     authentication in the logon page namespace selection prompt. Set this value to 
     false if the namespace should not be available for selection on the logon page. 
     -->
          <crn:parameter name="selectableForAuth">
            <crn:value xsi:type="xsd:boolean">true</crn:value>
          </crn:parameter>
          <!-- advancedProperties: Specifies a set of advanced properties. -->
          <!-- The user needs to provide the name and the value for each advanced property. -->
          <crn:parameter name="advancedProperties">
            <crn:value xsi:type="cfg:array"> 
            </crn:value>
          </crn:parameter>
          <!-- useDiscoveryEndpoint: Specifies whether the Identity Provider returns a 
     discovery document. -->
          <!-- Set this value to true if the Identity Provider supports a discovery document 
     endpoint and fill out the discovery endpoint configuration group. Set this 
     value to false if the Identity Provider does not support a discovery document 
     endpoint and fill out the non-discovery endpoint configuration group. -->
          <crn:parameter name="useDiscoveryEndpoint">
            <crn:value xsi:type="xsd:boolean">true</crn:value>
          </crn:parameter>
          <!-- oidcDiscEndpoint: Specifies the OpenID Connect discovery endpoint -->
          <!-- The discovery endpoint is used to retrieve the OpenID Connect configuration 
     that includes the authorization endpoint, token endpoint, jwks endpoint, and 
     issuer. -->
          <crn:parameter name="oidcDiscEndpoint">
            <crn:value xsi:type="cfg:anyPathURI"> 
            </crn:value>
          </crn:parameter>
          <!-- issuer: Specifies the OpenID claim issuer. -->
          <!-- A string that represents the identity provider that issued the claims in the 
     ID token. This value must match the value of the 'iss' entry in the ID token 
     JSON document. -->
          <crn:parameter name="issuer">
            <crn:value xsi:type="xsd:string"> 
            </crn:value>
          </crn:parameter>
          <!-- oidcTokenEndpoint: Specifies the OpenID Connect token endpoint, using the 
     following syntax: https://<hostname:port>/<path> -->
          <!-- The token endpoint is used to retrieve the identity token after a successful 
     authentication to the OpenID Connect identity provider. -->
          <crn:parameter name="oidcTokenEndpoint">
            <crn:value xsi:type="cfg:anyPathURI"> 
            </crn:value>
          </crn:parameter>
          <!-- oidcAuthEndpoint: Specifies the OpenID Connect authorization endpoint, using 
     the following syntax: https://<hostname:port>/<path> -->
          <!-- The authorization endpoint is a URL that your OpenID Connect identity provider 
     uses for authentication. In most cases, the URL should use the https scheme. 
     The authorization endpoint is invoked when users authenticate to the OpenID 
     Connect identity provider. -->
          <crn:parameter name="oidcAuthEndpoint">
            <crn:value xsi:type="cfg:anyPathURI"> 
            </crn:value>
          </crn:parameter>
          <!-- clientId: Specifies the OpenID Connect client identifier -->
          <!-- The client identity that is assigned to the application by the OpenID Connect 
     identity provider. -->
          <crn:parameter name="clientId">
            <crn:value xsi:type="xsd:string"> 
            </crn:value>
          </crn:parameter>
          <!-- returnUrl: Return URL that is configured with the OpenID Connect identity 
     provider. -->
          <!-- The return URL is invoked by the OpenID Connect identity provider after 
     successfully authenticating a user. The URL format is 
     https://dispatcherHOST:dispatcherPORT/bi/completeAuth.jsp or 
     https://webserverHOST:webserverPORT/ibmcognos/bi/completeAuth.jsp. This URL 
     completes Cognos Analytics authentication using the OpenID Connect identity 
     provider. -->
          <crn:parameter name="returnUrl">
            <crn:value xsi:type="cfg:anyPathURI">https://host:port/bi/completeAuth.jsp</crn:value>
          </crn:parameter>
          <!-- authScope: Specifies the scope parameter values provided to the authorize 
     endpoint. -->
          <!-- The scope parameter values that will be added to the authorize endpoint URL 
     for authentication. At a minimum, 'openid' must be included in the list of 
     possible scope values. -->
          <crn:parameter name="authScope">
            <crn:value xsi:type="xsd:string">openid</crn:value>
          </crn:parameter>
          <!-- accountClaims: Specifies if the id_token contains all of the account claims. -->
          <!-- Set this value to token if the id_token contains all of the user claims. Set 
     this value to userinfo if an additional call should be made to the userinfo 
     endpoint in order to retrieve any user claims that are not part of the 
     id_token. -->
          <crn:parameter name="accountClaims">
            <crn:value xsi:type="xsd:string">token</crn:value>
          </crn:parameter>
          <!-- tokenEndpointAuth: Specifies how to authenticate to the Identity Provider when 
     invoking the token endpoint. -->
          <!-- Use client secret post if the client id and client secret should be 
     transmitted in the request body. Use client secret basic if the client id and 
     client secret should be transmitted in the HTTP header. Use private key JWT if 
     the client id and a JWT client_assertion that is signed with a private key 
     should be transmitted in the request body. -->
          <crn:parameter name="tokenEndpointAuth">
            <crn:value xsi:type="xsd:string">client_secret_post</crn:value>
          </crn:parameter>
          <!-- clientSecret: Specifies the client secret that is assigned to the application 
     by the OpenID Connect identity provider. -->
          <!-- The client secret that is assigned to the application by the OpenID Connect 
     identity provider. -->
          <crn:parameter name="clientSecret">
            <crn:value xsi:type="xsd:string" encrypted="false"/>
          </crn:parameter>
          <!-- privateKeyFile: Specifies the file that contains the private signing key. -->
          <!-- The file that contains the private signing key in PKCS8 format. It must 
     contain a single private RSA key of length 2048 bits. -->
          <crn:parameter name="privateKeyFile">
            <crn:value xsi:type="cfg:filePath"> 
            </crn:value>
          </crn:parameter>
          <!-- privateKeyPassword: Specifies the private key password used to protect the 
     private signing key. -->
          <!-- This password is required to secure the private key. It provides an extra 
     layer of security by encrypted the private key file using a password. -->
          <crn:parameter name="privateKeyPassword">
            <crn:value xsi:type="xsd:string" encrypted="false"/>
          </crn:parameter>
          <!-- privateKeyId: Specifies the key identifier that should be placed in the JWT 
     header. -->
          <!-- The key identifier that will be set in the JWT 'kid' header. Use this 
     configuration item if your identity provider requires a 'kid'. Leave this value 
     blank if your identity provider does not require a 'kid'. -->
          <crn:parameter name="privateKeyId">
            <crn:value xsi:type="xsd:string"> 
            </crn:value>
          </crn:parameter>
          <!-- keyLocation: Specifies the location of the signing public key or certificate. -->
          <!-- Set this value to 'File' if the signing certificate is manually downloaded 
     from the Identity Provider as a certificate and placed on the file system. Set 
     this value to 'JWKS endpoint' if the Identity Provider supports an endpoint for 
     retrieving id_token signature keys. Note: if the Identity Provider does not 
     support a discovery document but provides public keys via a JWKS endpoint, then 
     the JWKS Endpoint must contain a valid URI for retrieving the public keys. -->
          <crn:parameter name="keyLocation">
            <crn:value xsi:type="xsd:string">jwks_uri</crn:value>
          </crn:parameter>
          <!-- idpCertificateFile: Specifies the location of the certificate that is used by 
     the OpenID Connect identity provider to sign the identity token. -->
          <!-- A path to the file that contains the certificate used by the identity provider 
     to sign the JSON Web Token. The path must include the certificate file name and 
     be   accessible to the running instance of Cognos Analytics. The certificate 
     must be in a PEM format, include only the public key certificate, and include 
     the begin and end certificate lines. The certificate file cannot be placed in 
     the configuration/certs directory. -->
          <crn:parameter name="idpCertificateFile">
            <crn:value xsi:type="cfg:filePath"> 
            </crn:value>
          </crn:parameter>
          <!-- jwksEndpoint: Specifies the OpenID Connect endpoint for retrieving JWT signing 
     keys. -->
          <!-- The JWKS endpoint is a URL that your OpenID Connect identity provider uses to 
     provide signing key data. In most cases, the URL should use the https scheme. 
     The JWKS  endpoint is invoked when validating an id_token returned from the 
     identity provider. -->
          <crn:parameter name="jwksEndpoint">
            <crn:value xsi:type="cfg:anyPathURI"> 
            </crn:value>
          </crn:parameter>
          <!-- pgStrategy: Specifies how to get the user's identity when using the password 
     grant flow. -->
          <!-- Set this value to 'ID token' if all user claims are returned in the id_token. 
     Set this value to 'ID token and userinfo endpoint' if an id_token is returned 
     from the password grant flow but does not contain all of the user claims. Set 
     this value to 'Userinfo endpoint' if the id_token does not contain any user 
     claims and if the user claims should be retrieved from the userinfo endpoint. 
     Set this value to 'Unsupported' if the Identity Provider does not support the 
     password grant flow. -->
          <crn:parameter name="pgStrategy">
            <crn:value xsi:type="xsd:string">idToken</crn:value>
          </crn:parameter>
          <!-- pgInclScope: Specifies that the scope should be included when using the 
     password grant flow. -->
          <!-- Set this value to true to indicate that the scope parameter should be included 
     as part of the query string for the password grant flow. Set this value to 
     false to indicate that the scope should be omitted from the query string for 
     the password grant flow. -->
          <crn:parameter name="pgInclScope">
            <crn:value xsi:type="xsd:boolean">true</crn:value>
          </crn:parameter>
          <!-- pgAddParams: Specifies any additional parameters that are required for the 
     password grant flow. -->
          <!-- Set this value to reflect any additional parameters that should be included as 
     part of the query string for the password grant flow. The parameter must begin 
     with an '&&' and must be urlencoded so that it can be safely inserted into the 
     query string. For example, if the 'resource=https://ca.ibm.com' parameter is 
     required in the query string, it must be entered as: 
     '&resource=https%3A%2F%2Fca.ibm.com'. -->
          <crn:parameter name="pgAddParams">
            <crn:value xsi:type="xsd:string"> 
            </crn:value>
          </crn:parameter>
          <!-- tcStrategy: Specifies the information that should be stored for scheduling 
     jobs. -->
          <!-- Set this value to 'Credentials' if the Identity Provider supports the password 
     grant and returns a valid id_token that contains all of the user claims in the 
     response. Set this value to 'Credentials and ID token' if the Identity Provider 
     supports the password grant flow but does not return a valid id_token in the 
     response or if the id_token does not contain all of the user claims. Set this 
     value to 'Refresh token' if the Identity Provider supports the refresh token 
     flow, provides a non-expiring refresh token, and returns a valid id_token that 
     contains all of the user claims from the refresh token flow. Set this value to 
     'ID token only' if the Identity Provider does not support the password grant 
     nor refresh token flows (Note: when set to 'ID token only', it will not be 
     possible to verify that the user is still exists and is enabled in the Identity 
     Provider). -->
          <crn:parameter name="tcStrategy">
            <crn:value xsi:type="xsd:string">credentials</crn:value>
          </crn:parameter>
          <!-- tcAccountClaims: Specifies if the id_token contains all of the account claims. 
     -->
          <!-- Set this value to 'ID token' if the id_token returned from the token endpoint 
     contains all of the user claims. Set this value to 'Userinfo endpoint' if an 
     additional call to the userinfo endpoint is required in order to obtain all of 
     the user claims. -->
          <crn:parameter name="tcAccountClaims">
            <crn:value xsi:type="xsd:string">id_token</crn:value>
          </crn:parameter>
          <!-- tenantIdMapping: Specifies how namespace users are mapped to tenant IDs. -->
          <!-- Specifying a value for this parameter enables multitenancy. The tenant ID for 
     a user can be determined using a pattern or a tenant provider class. The 
     pattern is a AAA service search path to a property which defines a tenant ID. 
     The search path must be relative to a user account. For example: 
     '~/ancestors[2]/defaultName'. A tenant provider class is Java class which 
     implements the the ITenantProvider interface. For more details please consult 
     the installation and configuration guide. -->
          <crn:parameter name="tenantIdMapping">
            <crn:value xsi:type="cfg:tenancyInfo">pattern</crn:value>
          </crn:parameter>
          <!-- tenantBoundingSetMapping: Specifies how the tenant bounding set is determined 
     for a user. -->
          <!-- This parameter is used when multitenancy is enabled. The tenant bounding set 
     for a user can be determined using a pattern or a tenant bounding set provider 
     class. The pattern is a AAA service search path to a property which defines a 
     tenant bounding set. The search path must be relative to a user account. For 
     example: '˜/parameters/boundingSet'. A tenant bounding set provider class is 
     Java class which implements the the IBoundingSetProvider interface. For more 
     details please consult the installation and configuration guide. -->
          <crn:parameter name="tenantBoundingSetMapping">
            <crn:value xsi:type="cfg:tenancyInfo">pattern</crn:value>
          </crn:parameter>
          <!-- accountCamidProperty: Specifies the value used to uniquely identify account 
     objects. -->
          <!-- Specify either an existing Content Manager account object model property 
     (e.g., email, username, defaultName, etc) or the name of a configured custom 
     property. A claim must be returned for all accounts from the Identity Provider 
     for either the Content Manager account object model property or the configured 
     custom property. The value selected must be unique across all account objects. 
     The value selected should be constant over time with a low probability of 
     needing to be changed. NOTE: this value should not be changed after initial 
     namespace configuration. -->
          <crn:parameter name="accountCamidProperty">
            <crn:value xsi:type="xsd:string">email</crn:value>
          </crn:parameter>
          <!-- acEncoding: Specifies if the claims in the id_token are URL encoded. -->
          <!-- Set this value to URL encoded if the claims in the id_token are URL encoded. 
     Set this value to Not encoded if the claims in the id_token are not encoded. -->
          <crn:parameter name="acEncoding">
            <crn:value xsi:type="xsd:string"> 
            </crn:value>
          </crn:parameter>
          <!-- acBusinessPhone: Specifies the OIDC claim used for the "businessPhone" 
     property for an account. -->
          <crn:parameter name="acBusinessPhone">
            <crn:value xsi:type="xsd:string"> 
            </crn:value>
          </crn:parameter>
          <!-- acContentLocale: Specifies the OIDC claim used for the "contentLocale" 
     property for an account. -->
          <crn:parameter name="acContentLocale">
            <crn:value xsi:type="xsd:string"> 
            </crn:value>
          </crn:parameter>
          <!-- acDescription: Specifies the OIDC claim used for the "description" property 
     for an account. -->
          <crn:parameter name="acDescription">
            <crn:value xsi:type="xsd:string"> 
            </crn:value>
          </crn:parameter>
          <!-- acEmail: Specifies the OIDC claim used for the "email" property for an 
     account. -->
          <crn:parameter name="acEmail">
            <crn:value xsi:type="xsd:string">email</crn:value>
          </crn:parameter>
          <!-- acFaxPhone: Specifies the OIDC claim used for the "faxPhone" property for an 
     account. -->
          <crn:parameter name="acFaxPhone">
            <crn:value xsi:type="xsd:string"> 
            </crn:value>
          </crn:parameter>
          <!-- acGivenName: Specifies the OIDC claim used for the "givenName" property for an 
     account. -->
          <crn:parameter name="acGivenName">
            <crn:value xsi:type="xsd:string"> 
            </crn:value>
          </crn:parameter>
          <!-- acHomePhone: Specifies the OIDC claim used for the "homePhone" property for an 
     account. -->
          <crn:parameter name="acHomePhone">
            <crn:value xsi:type="xsd:string"> 
            </crn:value>
          </crn:parameter>
          <!-- acMemberOf: Specifies the OIDC claim used for the "memberOf" property for an 
     account. -->
          <crn:parameter name="acMemberOf">
            <crn:value xsi:type="xsd:string"> 
            </crn:value>
          </crn:parameter>
          <!-- acMobilePhone: Specifies the OIDC claim used for the "mobilePhone" property 
     for an account. -->
          <crn:parameter name="acMobilePhone">
            <crn:value xsi:type="xsd:string"> 
            </crn:value>
          </crn:parameter>
          <!-- acName: Specifies the OIDC claim used for the "name" property for an account. -->
          <crn:parameter name="acName">
            <crn:value xsi:type="xsd:string"> 
            </crn:value>
          </crn:parameter>
          <!-- acPagerPhone: Specifies the OIDC claim used for the "pagerPhone" property for 
     an account. -->
          <crn:parameter name="acPagerPhone">
            <crn:value xsi:type="xsd:string"> 
            </crn:value>
          </crn:parameter>
          <!-- acPostalAddr: Specifies the OIDC claim used for the "postalAddress" property 
     for an account. -->
          <crn:parameter name="acPostalAddr">
            <crn:value xsi:type="xsd:string"> 
            </crn:value>
          </crn:parameter>
          <!-- acProductLocale: Specifies the OIDC claim used for the "productLocale" 
     property for an account. -->
          <crn:parameter name="acProductLocale">
            <crn:value xsi:type="xsd:string"> 
            </crn:value>
          </crn:parameter>
          <!-- acSurname: Specifies the OIDC claim used for the "surname" property for an 
     account. -->
          <crn:parameter name="acSurname">
            <crn:value xsi:type="xsd:string"> 
            </crn:value>
          </crn:parameter>
          <!-- acUsername: Specifies the OIDC claim used for the "userName" property for an 
     account. -->
          <crn:parameter name="acUsername">
            <crn:value xsi:type="xsd:string"> 
            </crn:value>
          </crn:parameter>
          <!-- customProperties: Specifies a set of custom properties. -->
          <!-- Use this set of custom properties to define additional account information. 
     The "name" field corresponds to the property name set in the account while the 
     "value" corresponds to the claim name in the id_token. -->
          <crn:parameter name="customProperties">
            <crn:value xsi:type="cfg:array"> 
            </crn:value>
          </crn:parameter>
        </crn:instance>
        <!--
(End of) OIDC_Generic template
===============================================================================

-->
        <!--

===============================================================================
(Begin of) OIDC_Google template
-->
        <crn:instance name="OIDC_Google Name" class="OIDC_Google">
          <!-- identityProviderType: Specifies the implementation of an OpenID Connect 
     identity provider. -->
          <crn:parameter name="identityProviderType">
            <crn:value xsi:type="xsd:string">Google</crn:value>
          </crn:parameter>
          <!-- id: Specifies a unique identifier for the authentication namespace. -->
          <!-- Use the namespace identifier to distinguish between multiple namespaces. Each 
     namespace must have a unique identifier. When you select a namespace to use for 
     authentication in the run-time environment, the identifier is used by the IBM 
     Cognos components. Changing the namespace ID after the service has been started 
     may invalidate the object security policies and the Cognos group and role 
     memberships. The use of the colon in the Namespace ID is not supported. -->
          <crn:parameter name="id">
            <crn:value xsi:type="xsd:string"> 
            </crn:value>
          </crn:parameter>
          <!-- oidcDiscEndpoint: Specifies the OpenID Connect discovery endpoint -->
          <!-- The discovery endpoint is used to retrieve the OpenID Connect configuration 
     that includes the authorization endpoint, token endpoint, jwks endpoint, and 
     issuer. -->
          <crn:parameter name="oidcDiscEndpoint">
            <crn:value xsi:type="cfg:anyPathURI">https://accounts.google.com:443/.well-known/openid-configuration</crn:value>
          </crn:parameter>
          <!-- clientId: Specifies the OpenID Connect client identifier -->
          <!-- The client identity that is assigned to the application by the OpenID Connect 
     identity provider. -->
          <crn:parameter name="clientId">
            <crn:value xsi:type="xsd:string"> 
            </crn:value>
          </crn:parameter>
          <!-- clientSecret: Specifies the client secret that is assigned to the application 
     by the OpenID Connect identity provider. -->
          <!-- The client secret that is assigned to the application by the OpenID Connect 
     identity provider. -->
          <crn:parameter name="clientSecret">
            <crn:value xsi:type="xsd:string" encrypted="false"/>
          </crn:parameter>
          <!-- returnUrl: Return URL that is configured with the OpenID Connect identity 
     provider. -->
          <!-- The return URL is invoked by the OpenID Connect identity provider after 
     successfully authenticating a user. The URL format is 
     https://dispatcherHOST:dispatcherPORT/bi/completeAuth.jsp or 
     https://webserverHOST:webserverPORT/ibmcognos/bi/completeAuth.jsp. This URL 
     completes Cognos Analytics authentication using the OpenID Connect identity 
     provider. -->
          <crn:parameter name="returnUrl">
            <crn:value xsi:type="cfg:anyPathURI">https://host:port/bi/completeAuth.jsp</crn:value>
          </crn:parameter>
          <!-- selectableForAuth: Specifies whether the namespace is selectable for 
     authentication. -->
          <!-- If this property is set to true, the namespace will be available for 
     authentication in the logon page namespace selection prompt. Set this value to 
     false if the namespace should not be available for selection on the logon page. 
     -->
          <crn:parameter name="selectableForAuth">
            <crn:value xsi:type="xsd:boolean">true</crn:value>
          </crn:parameter>
          <!-- advancedProperties: Specifies a set of advanced properties. -->
          <!-- The user needs to provide the name and the value for each advanced property. -->
          <crn:parameter name="advancedProperties">
            <crn:value xsi:type="cfg:array"> 
            </crn:value>
          </crn:parameter>
          <!-- accountCamidProperty: Specifies the value used to uniquely identify account 
     objects. -->
          <!-- Specify either an existing Content Manager account object model property 
     (e.g., email, username, defaultName, etc) or the name of a configured custom 
     property. A claim must be returned for all accounts from the Identity Provider 
     for either the Content Manager account object model property or the configured 
     custom property. The value selected must be unique across all account objects. 
     The value selected should be constant over time with a low probability of 
     needing to be changed. NOTE: this value should not be changed after initial 
     namespace configuration. -->
          <crn:parameter name="accountCamidProperty">
            <crn:value xsi:type="xsd:string">email</crn:value>
          </crn:parameter>
          <!-- customProperties: Specifies a set of custom properties. -->
          <!-- Use this set of custom properties to define additional account information. 
     The "name" field corresponds to the property name set in the account while the 
     "value" corresponds to the claim name in the id_token. -->
          <crn:parameter name="customProperties">
            <crn:value xsi:type="cfg:array"> 
            </crn:value>
          </crn:parameter>
          <!-- tenantIdMapping: Specifies how namespace users are mapped to tenant IDs. -->
          <!-- Specifying a value for this parameter enables multitenancy. The tenant ID for 
     a user can be determined using a pattern or a tenant provider class. The 
     pattern is a AAA service search path to a property which defines a tenant ID. 
     The search path must be relative to a user account. For example: 
     '~/ancestors[2]/defaultName'. A tenant provider class is Java class which 
     implements the the ITenantProvider interface. For more details please consult 
     the installation and configuration guide. -->
          <crn:parameter name="tenantIdMapping">
            <crn:value xsi:type="cfg:tenancyInfo">pattern</crn:value>
          </crn:parameter>
          <!-- tenantBoundingSetMapping: Specifies how the tenant bounding set is determined 
     for a user. -->
          <!-- This parameter is used when multitenancy is enabled. The tenant bounding set 
     for a user can be determined using a pattern or a tenant bounding set provider 
     class. The pattern is a AAA service search path to a property which defines a 
     tenant bounding set. The search path must be relative to a user account. For 
     example: '˜/parameters/boundingSet'. A tenant bounding set provider class is 
     Java class which implements the the IBoundingSetProvider interface. For more 
     details please consult the installation and configuration guide. -->
          <crn:parameter name="tenantBoundingSetMapping">
            <crn:value xsi:type="cfg:tenancyInfo">pattern</crn:value>
          </crn:parameter>
        </crn:instance>
        <!--
(End of) OIDC_Google template
===============================================================================

-->
        <!--

===============================================================================
(Begin of) OIDC_IBMCloudId template
-->
        <crn:instance name="OIDC_IBMCloudId Name" class="OIDC_IBMCloudId">
          <!-- identityProviderType: Specifies the implementation of an OpenID Connect 
     identity provider. -->
          <crn:parameter name="identityProviderType">
            <crn:value xsi:type="xsd:string">IBMCloudId</crn:value>
          </crn:parameter>
          <!-- id: Specifies a unique identifier for the authentication namespace. -->
          <!-- Use the namespace identifier to distinguish between multiple namespaces. Each 
     namespace must have a unique identifier. When you select a namespace to use for 
     authentication in the run-time environment, the identifier is used by the IBM 
     Cognos components. Changing the namespace ID after the service has been started 
     may invalidate the object security policies and the Cognos group and role 
     memberships. The use of the colon in the Namespace ID is not supported. -->
          <crn:parameter name="id">
            <crn:value xsi:type="xsd:string"> 
            </crn:value>
          </crn:parameter>
          <!-- oidcDiscEndpoint: Specifies the OpenID Connect discovery endpoint -->
          <!-- The discovery endpoint is used to retrieve the OpenID Connect configuration 
     that includes the authorization endpoint, token endpoint, jwks endpoint, and 
     issuer. -->
          <crn:parameter name="oidcDiscEndpoint">
            <crn:value xsi:type="cfg:anyPathURI">https://login.ibm.com:443/oidc/endpoint/default/.well-known/openid-configuration</crn:value>
          </crn:parameter>
          <!-- clientId: Specifies the OpenID Connect client identifier -->
          <!-- The client identity that is assigned to the application by the OpenID Connect 
     identity provider. -->
          <crn:parameter name="clientId">
            <crn:value xsi:type="xsd:string"> 
            </crn:value>
          </crn:parameter>
          <!-- clientSecret: Specifies the client secret that is assigned to the application 
     by the OpenID Connect identity provider. -->
          <!-- The client secret that is assigned to the application by the OpenID Connect 
     identity provider. -->
          <crn:parameter name="clientSecret">
            <crn:value xsi:type="xsd:string" encrypted="false"/>
          </crn:parameter>
          <!-- returnUrl: Return URL that is configured with the OpenID Connect identity 
     provider. -->
          <!-- The return URL is invoked by the OpenID Connect identity provider after 
     successfully authenticating a user. The URL format is 
     https://dispatcherHOST:dispatcherPORT/bi/completeAuth.jsp or 
     https://webserverHOST:webserverPORT/ibmcognos/bi/completeAuth.jsp. This URL 
     completes Cognos Analytics authentication using the OpenID Connect identity 
     provider. -->
          <crn:parameter name="returnUrl">
            <crn:value xsi:type="cfg:anyPathURI">https://host:port/bi/completeAuth.jsp</crn:value>
          </crn:parameter>
          <!-- selectableForAuth: Specifies whether the namespace is selectable for 
     authentication. -->
          <!-- If this property is set to true, the namespace will be available for 
     authentication in the logon page namespace selection prompt. Set this value to 
     false if the namespace should not be available for selection on the logon page. 
     -->
          <crn:parameter name="selectableForAuth">
            <crn:value xsi:type="xsd:boolean">true</crn:value>
          </crn:parameter>
          <!-- advancedProperties: Specifies a set of advanced properties. -->
          <!-- The user needs to provide the name and the value for each advanced property. -->
          <crn:parameter name="advancedProperties">
            <crn:value xsi:type="cfg:array"> 
            </crn:value>
          </crn:parameter>
          <!-- accountCamidProperty: Specifies the value used to uniquely identify account 
     objects. -->
          <!-- Specify either an existing Content Manager account object model property 
     (e.g., email, username, defaultName, etc) or the name of a configured custom 
     property. A claim must be returned for all accounts from the Identity Provider 
     for either the Content Manager account object model property or the configured 
     custom property. The value selected must be unique across all account objects. 
     The value selected should be constant over time with a low probability of 
     needing to be changed. NOTE: this value should not be changed after initial 
     namespace configuration. -->
          <crn:parameter name="accountCamidProperty">
            <crn:value xsi:type="xsd:string">email</crn:value>
          </crn:parameter>
          <!-- customProperties: Specifies a set of custom properties. -->
          <!-- Use this set of custom properties to define additional account information. 
     The "name" field corresponds to the property name set in the account while the 
     "value" corresponds to the claim name in the id_token. -->
          <crn:parameter name="customProperties">
            <crn:value xsi:type="cfg:array"> 
            </crn:value>
          </crn:parameter>
          <!-- tenantIdMapping: Specifies how namespace users are mapped to tenant IDs. -->
          <!-- Specifying a value for this parameter enables multitenancy. The tenant ID for 
     a user can be determined using a pattern or a tenant provider class. The 
     pattern is a AAA service search path to a property which defines a tenant ID. 
     The search path must be relative to a user account. For example: 
     '~/ancestors[2]/defaultName'. A tenant provider class is Java class which 
     implements the the ITenantProvider interface. For more details please consult 
     the installation and configuration guide. -->
          <crn:parameter name="tenantIdMapping">
            <crn:value xsi:type="cfg:tenancyInfo">pattern</crn:value>
          </crn:parameter>
          <!-- tenantBoundingSetMapping: Specifies how the tenant bounding set is determined 
     for a user. -->
          <!-- This parameter is used when multitenancy is enabled. The tenant bounding set 
     for a user can be determined using a pattern or a tenant bounding set provider 
     class. The pattern is a AAA service search path to a property which defines a 
     tenant bounding set. The search path must be relative to a user account. For 
     example: '˜/parameters/boundingSet'. A tenant bounding set provider class is 
     Java class which implements the the IBoundingSetProvider interface. For more 
     details please consult the installation and configuration guide. -->
          <crn:parameter name="tenantBoundingSetMapping">
            <crn:value xsi:type="cfg:tenancyInfo">pattern</crn:value>
          </crn:parameter>
        </crn:instance>
        <!--
(End of) OIDC_IBMCloudId template
===============================================================================

-->
        <!--

===============================================================================
(Begin of) OIDC_MSIdentity template
-->
        <crn:instance name="OIDC_MSIdentity Name" class="OIDC_MSIdentity">
          <!-- identityProviderType: Specifies the implementation of an OpenID Connect 
     identity provider. -->
          <crn:parameter name="identityProviderType">
            <crn:value xsi:type="xsd:string">MSIdentity</crn:value>
          </crn:parameter>
          <!-- id: Specifies a unique identifier for the authentication namespace. -->
          <!-- Use the namespace identifier to distinguish between multiple namespaces. Each 
     namespace must have a unique identifier. When you select a namespace to use for 
     authentication in the run-time environment, the identifier is used by the IBM 
     Cognos components. Changing the namespace ID after the service has been started 
     may invalidate the object security policies and the Cognos group and role 
     memberships. The use of the colon in the Namespace ID is not supported. -->
          <crn:parameter name="id">
            <crn:value xsi:type="xsd:string"> 
            </crn:value>
          </crn:parameter>
          <!-- oidcDiscEndpoint: Specifies the OpenID Connect discovery endpoint -->
          <!-- The discovery endpoint is used to retrieve the OpenID Connect configuration 
     that includes the authorization endpoint, token endpoint, jwks endpoint, and 
     issuer. -->
          <crn:parameter name="oidcDiscEndpoint">
            <crn:value xsi:type="cfg:anyPathURI">https://login.microsoftonline.com:443/{tenantid}/v2.0/.well-known/openid-configuration</crn:value>
          </crn:parameter>
          <!-- clientId: Specifies the OpenID Connect client identifier -->
          <!-- The client identity that is assigned to the application by the OpenID Connect 
     identity provider. -->
          <crn:parameter name="clientId">
            <crn:value xsi:type="xsd:string"> 
            </crn:value>
          </crn:parameter>
          <!-- clientSecret: Specifies the client secret that is assigned to the application 
     by the OpenID Connect identity provider. -->
          <!-- The client secret that is assigned to the application by the OpenID Connect 
     identity provider. -->
          <crn:parameter name="clientSecret">
            <crn:value xsi:type="xsd:string" encrypted="false"/>
          </crn:parameter>
          <!-- returnUrl: Return URL that is configured with the OpenID Connect identity 
     provider. -->
          <!-- The return URL is invoked by the OpenID Connect identity provider after 
     successfully authenticating a user. The URL format is 
     https://dispatcherHOST:dispatcherPORT/bi/completeAuth.jsp or 
     https://webserverHOST:webserverPORT/ibmcognos/bi/completeAuth.jsp. This URL 
     completes Cognos Analytics authentication using the OpenID Connect identity 
     provider. -->
          <crn:parameter name="returnUrl">
            <crn:value xsi:type="cfg:anyPathURI">https://host:port/bi/completeAuth.jsp</crn:value>
          </crn:parameter>
          <!-- selectableForAuth: Specifies whether the namespace is selectable for 
     authentication. -->
          <!-- If this property is set to true, the namespace will be available for 
     authentication in the logon page namespace selection prompt. Set this value to 
     false if the namespace should not be available for selection on the logon page. 
     -->
          <crn:parameter name="selectableForAuth">
            <crn:value xsi:type="xsd:boolean">true</crn:value>
          </crn:parameter>
          <!-- advancedProperties: Specifies a set of advanced properties. -->
          <!-- The user needs to provide the name and the value for each advanced property. -->
          <crn:parameter name="advancedProperties">
            <crn:value xsi:type="cfg:array"> 
            </crn:value>
          </crn:parameter>
          <!-- accountCamidProperty: Specifies the value used to uniquely identify account 
     objects. -->
          <!-- Specify either an existing Content Manager account object model property 
     (e.g., email, username, defaultName, etc) or the name of a configured custom 
     property. A claim must be returned for all accounts from the Identity Provider 
     for either the Content Manager account object model property or the configured 
     custom property. The value selected must be unique across all account objects. 
     The value selected should be constant over time with a low probability of 
     needing to be changed. NOTE: this value should not be changed after initial 
     namespace configuration. -->
          <crn:parameter name="accountCamidProperty">
            <crn:value xsi:type="xsd:string">email</crn:value>
          </crn:parameter>
          <!-- customProperties: Specifies a set of custom properties. -->
          <!-- Use this set of custom properties to define additional account information. 
     The "name" field corresponds to the property name set in the account while the 
     "value" corresponds to the claim name in the id_token. -->
          <crn:parameter name="customProperties">
            <crn:value xsi:type="cfg:array"> 
            </crn:value>
          </crn:parameter>
          <!-- tenantIdMapping: Specifies how namespace users are mapped to tenant IDs. -->
          <!-- Specifying a value for this parameter enables multitenancy. The tenant ID for 
     a user can be determined using a pattern or a tenant provider class. The 
     pattern is a AAA service search path to a property which defines a tenant ID. 
     The search path must be relative to a user account. For example: 
     '~/ancestors[2]/defaultName'. A tenant provider class is Java class which 
     implements the the ITenantProvider interface. For more details please consult 
     the installation and configuration guide. -->
          <crn:parameter name="tenantIdMapping">
            <crn:value xsi:type="cfg:tenancyInfo">pattern</crn:value>
          </crn:parameter>
          <!-- tenantBoundingSetMapping: Specifies how the tenant bounding set is determined 
     for a user. -->
          <!-- This parameter is used when multitenancy is enabled. The tenant bounding set 
     for a user can be determined using a pattern or a tenant bounding set provider 
     class. The pattern is a AAA service search path to a property which defines a 
     tenant bounding set. The search path must be relative to a user account. For 
     example: '˜/parameters/boundingSet'. A tenant bounding set provider class is 
     Java class which implements the the IBoundingSetProvider interface. For more 
     details please consult the installation and configuration guide. -->
          <crn:parameter name="tenantBoundingSetMapping">
            <crn:value xsi:type="cfg:tenancyInfo">pattern</crn:value>
          </crn:parameter>
        </crn:instance>
        <!--
(End of) OIDC_MSIdentity template
===============================================================================

-->
        <!--

===============================================================================
(Begin of) OIDC_OKTA template
-->
        <crn:instance name="OIDC_OKTA Name" class="OIDC_OKTA">
          <!-- identityProviderType: Specifies the implementation of an OpenID Connect 
     identity provider. -->
          <crn:parameter name="identityProviderType">
            <crn:value xsi:type="xsd:string">OKTA</crn:value>
          </crn:parameter>
          <!-- id: Specifies a unique identifier for the authentication namespace. -->
          <!-- Use the namespace identifier to distinguish between multiple namespaces. Each 
     namespace must have a unique identifier. When you select a namespace to use for 
     authentication in the run-time environment, the identifier is used by the IBM 
     Cognos components. Changing the namespace ID after the service has been started 
     may invalidate the object security policies and the Cognos group and role 
     memberships. The use of the colon in the Namespace ID is not supported. -->
          <crn:parameter name="id">
            <crn:value xsi:type="xsd:string"> 
            </crn:value>
          </crn:parameter>
          <!-- oidcDiscEndpoint: Specifies the OpenID Connect discovery endpoint -->
          <!-- The discovery endpoint is used to retrieve the OpenID Connect configuration 
     that includes the authorization endpoint, token endpoint, jwks endpoint, and 
     issuer. -->
          <crn:parameter name="oidcDiscEndpoint">
            <crn:value xsi:type="cfg:anyPathURI">https://{hostname}:443/.well-known/openid-configuration</crn:value>
          </crn:parameter>
          <!-- clientId: Specifies the OpenID Connect client identifier -->
          <!-- The client identity that is assigned to the application by the OpenID Connect 
     identity provider. -->
          <crn:parameter name="clientId">
            <crn:value xsi:type="xsd:string"> 
            </crn:value>
          </crn:parameter>
          <!-- clientSecret: Specifies the client secret that is assigned to the application 
     by the OpenID Connect identity provider. -->
          <!-- The client secret that is assigned to the application by the OpenID Connect 
     identity provider. -->
          <crn:parameter name="clientSecret">
            <crn:value xsi:type="xsd:string" encrypted="false"/>
          </crn:parameter>
          <!-- returnUrl: Return URL that is configured with the OpenID Connect identity 
     provider. -->
          <!-- The return URL is invoked by the OpenID Connect identity provider after 
     successfully authenticating a user. The URL format is 
     https://dispatcherHOST:dispatcherPORT/bi/completeAuth.jsp or 
     https://webserverHOST:webserverPORT/ibmcognos/bi/completeAuth.jsp. This URL 
     completes Cognos Analytics authentication using the OpenID Connect identity 
     provider. -->
          <crn:parameter name="returnUrl">
            <crn:value xsi:type="cfg:anyPathURI">https://host:port/bi/completeAuth.jsp</crn:value>
          </crn:parameter>
          <!-- selectableForAuth: Specifies whether the namespace is selectable for 
     authentication. -->
          <!-- If this property is set to true, the namespace will be available for 
     authentication in the logon page namespace selection prompt. Set this value to 
     false if the namespace should not be available for selection on the logon page. 
     -->
          <crn:parameter name="selectableForAuth">
            <crn:value xsi:type="xsd:boolean">true</crn:value>
          </crn:parameter>
          <!-- advancedProperties: Specifies a set of advanced properties. -->
          <!-- The user needs to provide the name and the value for each advanced property. -->
          <crn:parameter name="advancedProperties">
            <crn:value xsi:type="cfg:array"> 
            </crn:value>
          </crn:parameter>
          <!-- accountCamidProperty: Specifies the value used to uniquely identify account 
     objects. -->
          <!-- Specify either an existing Content Manager account object model property 
     (e.g., email, username, defaultName, etc) or the name of a configured custom 
     property. A claim must be returned for all accounts from the Identity Provider 
     for either the Content Manager account object model property or the configured 
     custom property. The value selected must be unique across all account objects. 
     The value selected should be constant over time with a low probability of 
     needing to be changed. NOTE: this value should not be changed after initial 
     namespace configuration. -->
          <crn:parameter name="accountCamidProperty">
            <crn:value xsi:type="xsd:string">email</crn:value>
          </crn:parameter>
          <!-- customProperties: Specifies a set of custom properties. -->
          <!-- Use this set of custom properties to define additional account information. 
     The "name" field corresponds to the property name set in the account while the 
     "value" corresponds to the claim name in the id_token. -->
          <crn:parameter name="customProperties">
            <crn:value xsi:type="cfg:array"> 
            </crn:value>
          </crn:parameter>
          <!-- tenantIdMapping: Specifies how namespace users are mapped to tenant IDs. -->
          <!-- Specifying a value for this parameter enables multitenancy. The tenant ID for 
     a user can be determined using a pattern or a tenant provider class. The 
     pattern is a AAA service search path to a property which defines a tenant ID. 
     The search path must be relative to a user account. For example: 
     '~/ancestors[2]/defaultName'. A tenant provider class is Java class which 
     implements the the ITenantProvider interface. For more details please consult 
     the installation and configuration guide. -->
          <crn:parameter name="tenantIdMapping">
            <crn:value xsi:type="cfg:tenancyInfo">pattern</crn:value>
          </crn:parameter>
          <!-- tenantBoundingSetMapping: Specifies how the tenant bounding set is determined 
     for a user. -->
          <!-- This parameter is used when multitenancy is enabled. The tenant bounding set 
     for a user can be determined using a pattern or a tenant bounding set provider 
     class. The pattern is a AAA service search path to a property which defines a 
     tenant bounding set. The search path must be relative to a user account. For 
     example: '˜/parameters/boundingSet'. A tenant bounding set provider class is 
     Java class which implements the the IBoundingSetProvider interface. For more 
     details please consult the installation and configuration guide. -->
          <crn:parameter name="tenantBoundingSetMapping">
            <crn:value xsi:type="cfg:tenancyInfo">pattern</crn:value>
          </crn:parameter>
        </crn:instance>
        <!--
(End of) OIDC_OKTA template
===============================================================================

-->
        <!--

===============================================================================
(Begin of) OIDC_Ping template
-->
        <crn:instance name="OIDC_Ping Name" class="OIDC_Ping">
          <!-- identityProviderType: Specifies the implementation of an OpenID Connect 
     identity provider. -->
          <crn:parameter name="identityProviderType">
            <crn:value xsi:type="xsd:string">Ping</crn:value>
          </crn:parameter>
          <!-- id: Specifies a unique identifier for the authentication namespace. -->
          <!-- Use the namespace identifier to distinguish between multiple namespaces. Each 
     namespace must have a unique identifier. When you select a namespace to use for 
     authentication in the run-time environment, the identifier is used by the IBM 
     Cognos components. Changing the namespace ID after the service has been started 
     may invalidate the object security policies and the Cognos group and role 
     memberships. The use of the colon in the Namespace ID is not supported. -->
          <crn:parameter name="id">
            <crn:value xsi:type="xsd:string"> 
            </crn:value>
          </crn:parameter>
          <!-- oidcDiscEndpoint: Specifies the OpenID Connect discovery endpoint -->
          <!-- The discovery endpoint is used to retrieve the OpenID Connect configuration 
     that includes the authorization endpoint, token endpoint, jwks endpoint, and 
     issuer. -->
          <crn:parameter name="oidcDiscEndpoint">
            <crn:value xsi:type="cfg:anyPathURI">https://pingfederatehost:port/.well-known/openid-configuration</crn:value>
          </crn:parameter>
          <!-- clientId: Specifies the OpenID Connect client identifier -->
          <!-- The client identity that is assigned to the application by the OpenID Connect 
     identity provider. -->
          <crn:parameter name="clientId">
            <crn:value xsi:type="xsd:string"> 
            </crn:value>
          </crn:parameter>
          <!-- clientSecret: Specifies the client secret that is assigned to the application 
     by the OpenID Connect identity provider. -->
          <!-- The client secret that is assigned to the application by the OpenID Connect 
     identity provider. -->
          <crn:parameter name="clientSecret">
            <crn:value xsi:type="xsd:string" encrypted="false"/>
          </crn:parameter>
          <!-- returnUrl: Return URL that is configured with the OpenID Connect identity 
     provider. -->
          <!-- The return URL is invoked by the OpenID Connect identity provider after 
     successfully authenticating a user. The URL format is 
     https://dispatcherHOST:dispatcherPORT/bi/completeAuth.jsp or 
     https://webserverHOST:webserverPORT/ibmcognos/bi/completeAuth.jsp. This URL 
     completes Cognos Analytics authentication using the OpenID Connect identity 
     provider. -->
          <crn:parameter name="returnUrl">
            <crn:value xsi:type="cfg:anyPathURI">https://host:port/bi/completeAuth.jsp</crn:value>
          </crn:parameter>
          <!-- selectableForAuth: Specifies whether the namespace is selectable for 
     authentication. -->
          <!-- If this property is set to true, the namespace will be available for 
     authentication in the logon page namespace selection prompt. Set this value to 
     false if the namespace should not be available for selection on the logon page. 
     -->
          <crn:parameter name="selectableForAuth">
            <crn:value xsi:type="xsd:boolean">true</crn:value>
          </crn:parameter>
          <!-- advancedProperties: Specifies a set of advanced properties. -->
          <!-- The user needs to provide the name and the value for each advanced property. -->
          <crn:parameter name="advancedProperties">
            <crn:value xsi:type="cfg:array"> 
            </crn:value>
          </crn:parameter>
          <!-- accountCamidProperty: Specifies the value used to uniquely identify account 
     objects. -->
          <!-- Specify either an existing Content Manager account object model property 
     (e.g., email, username, defaultName, etc) or the name of a configured custom 
     property. A claim must be returned for all accounts from the Identity Provider 
     for either the Content Manager account object model property or the configured 
     custom property. The value selected must be unique across all account objects. 
     The value selected should be constant over time with a low probability of 
     needing to be changed. NOTE: this value should not be changed after initial 
     namespace configuration. -->
          <crn:parameter name="accountCamidProperty">
            <crn:value xsi:type="xsd:string">email</crn:value>
          </crn:parameter>
          <!-- customProperties: Specifies a set of custom properties. -->
          <!-- Use this set of custom properties to define additional account information. 
     The "name" field corresponds to the property name set in the account while the 
     "value" corresponds to the claim name in the id_token. -->
          <crn:parameter name="customProperties">
            <crn:value xsi:type="cfg:array"> 
            </crn:value>
          </crn:parameter>
          <!-- tenantIdMapping: Specifies how namespace users are mapped to tenant IDs. -->
          <!-- Specifying a value for this parameter enables multitenancy. The tenant ID for 
     a user can be determined using a pattern or a tenant provider class. The 
     pattern is a AAA service search path to a property which defines a tenant ID. 
     The search path must be relative to a user account. For example: 
     '~/ancestors[2]/defaultName'. A tenant provider class is Java class which 
     implements the the ITenantProvider interface. For more details please consult 
     the installation and configuration guide. -->
          <crn:parameter name="tenantIdMapping">
            <crn:value xsi:type="cfg:tenancyInfo">pattern</crn:value>
          </crn:parameter>
          <!-- tenantBoundingSetMapping: Specifies how the tenant bounding set is determined 
     for a user. -->
          <!-- This parameter is used when multitenancy is enabled. The tenant bounding set 
     for a user can be determined using a pattern or a tenant bounding set provider 
     class. The pattern is a AAA service search path to a property which defines a 
     tenant bounding set. The search path must be relative to a user account. For 
     example: '˜/parameters/boundingSet'. A tenant bounding set provider class is 
     Java class which implements the the IBoundingSetProvider interface. For more 
     details please consult the installation and configuration guide. -->
          <crn:parameter name="tenantBoundingSetMapping">
            <crn:value xsi:type="cfg:tenancyInfo">pattern</crn:value>
          </crn:parameter>
        </crn:instance>
        <!--
(End of) OIDC_Ping template
===============================================================================

-->
        <!--

===============================================================================
(Begin of) OIDC_SalesForce template
-->
        <crn:instance name="OIDC_SalesForce Name" class="OIDC_SalesForce">
          <!-- identityProviderType: Specifies the implementation of an OpenID Connect 
     identity provider. -->
          <crn:parameter name="identityProviderType">
            <crn:value xsi:type="xsd:string">SalesForce</crn:value>
          </crn:parameter>
          <!-- id: Specifies a unique identifier for the authentication namespace. -->
          <!-- Use the namespace identifier to distinguish between multiple namespaces. Each 
     namespace must have a unique identifier. When you select a namespace to use for 
     authentication in the run-time environment, the identifier is used by the IBM 
     Cognos components. Changing the namespace ID after the service has been started 
     may invalidate the object security policies and the Cognos group and role 
     memberships. The use of the colon in the Namespace ID is not supported. -->
          <crn:parameter name="id">
            <crn:value xsi:type="xsd:string"> 
            </crn:value>
          </crn:parameter>
          <!-- oidcDiscEndpoint: Specifies the OpenID Connect discovery endpoint -->
          <!-- The discovery endpoint is used to retrieve the OpenID Connect configuration 
     that includes the authorization endpoint, token endpoint, jwks endpoint, and 
     issuer. -->
          <crn:parameter name="oidcDiscEndpoint">
            <crn:value xsi:type="cfg:anyPathURI">https://login.salesforce.com:443/.well-known/openid-configuration</crn:value>
          </crn:parameter>
          <!-- clientId: Specifies the OpenID Connect client identifier -->
          <!-- The client identity that is assigned to the application by the OpenID Connect 
     identity provider. -->
          <crn:parameter name="clientId">
            <crn:value xsi:type="xsd:string"> 
            </crn:value>
          </crn:parameter>
          <!-- clientSecret: Specifies the client secret that is assigned to the application 
     by the OpenID Connect identity provider. -->
          <!-- The client secret that is assigned to the application by the OpenID Connect 
     identity provider. -->
          <crn:parameter name="clientSecret">
            <crn:value xsi:type="xsd:string" encrypted="false"/>
          </crn:parameter>
          <!-- returnUrl: Return URL that is configured with the OpenID Connect identity 
     provider. -->
          <!-- The return URL is invoked by the OpenID Connect identity provider after 
     successfully authenticating a user. The URL format is 
     https://dispatcherHOST:dispatcherPORT/bi/completeAuth.jsp or 
     https://webserverHOST:webserverPORT/ibmcognos/bi/completeAuth.jsp. This URL 
     completes Cognos Analytics authentication using the OpenID Connect identity 
     provider. -->
          <crn:parameter name="returnUrl">
            <crn:value xsi:type="cfg:anyPathURI">https://host:port/bi/completeAuth.jsp</crn:value>
          </crn:parameter>
          <!-- selectableForAuth: Specifies whether the namespace is selectable for 
     authentication. -->
          <!-- If this property is set to true, the namespace will be available for 
     authentication in the logon page namespace selection prompt. Set this value to 
     false if the namespace should not be available for selection on the logon page. 
     -->
          <crn:parameter name="selectableForAuth">
            <crn:value xsi:type="xsd:boolean">true</crn:value>
          </crn:parameter>
          <!-- advancedProperties: Specifies a set of advanced properties. -->
          <!-- The user needs to provide the name and the value for each advanced property. -->
          <crn:parameter name="advancedProperties">
            <crn:value xsi:type="cfg:array"> 
            </crn:value>
          </crn:parameter>
          <!-- accountCamidProperty: Specifies the value used to uniquely identify account 
     objects. -->
          <!-- Specify either an existing Content Manager account object model property 
     (e.g., email, username, defaultName, etc) or the name of a configured custom 
     property. A claim must be returned for all accounts from the Identity Provider 
     for either the Content Manager account object model property or the configured 
     custom property. The value selected must be unique across all account objects. 
     The value selected should be constant over time with a low probability of 
     needing to be changed. NOTE: this value should not be changed after initial 
     namespace configuration. -->
          <crn:parameter name="accountCamidProperty">
            <crn:value xsi:type="xsd:string">email</crn:value>
          </crn:parameter>
          <!-- customProperties: Specifies a set of custom properties. -->
          <!-- Use this set of custom properties to define additional account information. 
     The "name" field corresponds to the property name set in the account while the 
     "value" corresponds to the claim name in the id_token. -->
          <crn:parameter name="customProperties">
            <crn:value xsi:type="cfg:array"> 
            </crn:value>
          </crn:parameter>
          <!-- tenantIdMapping: Specifies how namespace users are mapped to tenant IDs. -->
          <!-- Specifying a value for this parameter enables multitenancy. The tenant ID for 
     a user can be determined using a pattern or a tenant provider class. The 
     pattern is a AAA service search path to a property which defines a tenant ID. 
     The search path must be relative to a user account. For example: 
     '~/ancestors[2]/defaultName'. A tenant provider class is Java class which 
     implements the the ITenantProvider interface. For more details please consult 
     the installation and configuration guide. -->
          <crn:parameter name="tenantIdMapping">
            <crn:value xsi:type="cfg:tenancyInfo">pattern</crn:value>
          </crn:parameter>
          <!-- tenantBoundingSetMapping: Specifies how the tenant bounding set is determined 
     for a user. -->
          <!-- This parameter is used when multitenancy is enabled. The tenant bounding set 
     for a user can be determined using a pattern or a tenant bounding set provider 
     class. The pattern is a AAA service search path to a property which defines a 
     tenant bounding set. The search path must be relative to a user account. For 
     example: '˜/parameters/boundingSet'. A tenant bounding set provider class is 
     Java class which implements the the IBoundingSetProvider interface. For more 
     details please consult the installation and configuration guide. -->
          <crn:parameter name="tenantBoundingSetMapping">
            <crn:value xsi:type="cfg:tenancyInfo">pattern</crn:value>
          </crn:parameter>
        </crn:instance>
        <!--
(End of) OIDC_SalesForce template
===============================================================================

-->
        <!--

===============================================================================
(Begin of) OIDC_SiteMinder template
-->
        <crn:instance name="OIDC_SiteMinder Name" class="OIDC_SiteMinder">
          <!-- identityProviderType: Specifies the implementation of an OpenID Connect 
     identity provider. -->
          <crn:parameter name="identityProviderType">
            <crn:value xsi:type="xsd:string">SiteMinder</crn:value>
          </crn:parameter>
          <!-- id: Specifies a unique identifier for the authentication namespace. -->
          <!-- Use the namespace identifier to distinguish between multiple namespaces. Each 
     namespace must have a unique identifier. When you select a namespace to use for 
     authentication in the run-time environment, the identifier is used by the IBM 
     Cognos components. Changing the namespace ID after the service has been started 
     may invalidate the object security policies and the Cognos group and role 
     memberships. The use of the colon in the Namespace ID is not supported. -->
          <crn:parameter name="id">
            <crn:value xsi:type="xsd:string"> 
            </crn:value>
          </crn:parameter>
          <!-- issuer: Specifies the OpenID claim issuer. The value looks like: 
     https://<SiteMinder fully qualified hostname> -->
          <!-- A string that represents the identity provider that issued the claims in the 
     ID token. This value must match the value of the 'iss' entry in the ID token 
     JSON document. -->
          <crn:parameter name="issuer">
            <crn:value xsi:type="xsd:string"> 
            </crn:value>
          </crn:parameter>
          <!-- oidcTokenEndpoint: Specifies the OpenID Connect token endpoint, using the 
     following syntax: https://<SiteMinder fully qualified 
     hostname:port>/affwebservices/CASSO/oidc/token -->
          <!-- The token endpoint is used to retrieve the identity token after a successful 
     authentication to the OpenID Connect identity provider. -->
          <crn:parameter name="oidcTokenEndpoint">
            <crn:value xsi:type="cfg:anyPathURI"> 
            </crn:value>
          </crn:parameter>
          <!-- oidcAuthEndpoint: Specifies the OpenID Connect authorization endpoint, using 
     the following syntax: https://<SiteMinder fully qualified 
     hostname:port>/affwebservices/CASSO/oidc/authorize -->
          <!-- The authorization endpoint is a URL that your OpenID Connect identity provider 
     uses for authentication. In most cases, the URL should use the https scheme. 
     The authorization endpoint is invoked when users authenticate to the OpenID 
     Connect identity provider. -->
          <crn:parameter name="oidcAuthEndpoint">
            <crn:value xsi:type="cfg:anyPathURI"> 
            </crn:value>
          </crn:parameter>
          <!-- clientId: Specifies the OpenID Connect client identifier -->
          <!-- The client identity that is assigned to the application by the OpenID Connect 
     identity provider. -->
          <crn:parameter name="clientId">
            <crn:value xsi:type="xsd:string"> 
            </crn:value>
          </crn:parameter>
          <!-- clientSecret: Specifies the client secret that is assigned to the application 
     by the OpenID Connect identity provider. -->
          <!-- The client secret that is assigned to the application by the OpenID Connect 
     identity provider. -->
          <crn:parameter name="clientSecret">
            <crn:value xsi:type="xsd:string" encrypted="false"/>
          </crn:parameter>
          <!-- jwksEndpoint: Specifies the OpenID Connect endpoint for retrieving JWT signing 
     keys, using the following syntax: https://<SiteMinder fully qualified 
     hostname:port>/affwebservices/CASSO/oidc/jwks?AuthorizationProvider=<provider 
     name> -->
          <!-- The JWKS endpoint is a URL that your OpenID Connect identity provider uses to 
     provide signing key data. In most cases, the URL should use the https scheme. 
     The JWKS  endpoint is invoked when validating an id_token returned from the 
     identity provider. -->
          <crn:parameter name="jwksEndpoint">
            <crn:value xsi:type="cfg:anyPathURI"> 
            </crn:value>
          </crn:parameter>
          <!-- returnUrl: Return URL that is configured with the OpenID Connect identity 
     provider. -->
          <!-- The return URL is invoked by the OpenID Connect identity provider after 
     successfully authenticating a user. The URL format is 
     https://dispatcherHOST:dispatcherPORT/bi/completeAuth.jsp or 
     https://webserverHOST:webserverPORT/ibmcognos/bi/completeAuth.jsp. This URL 
     completes Cognos Analytics authentication using the OpenID Connect identity 
     provider. -->
          <crn:parameter name="returnUrl">
            <crn:value xsi:type="cfg:anyPathURI">https://host:port/bi/completeAuth.jsp</crn:value>
          </crn:parameter>
          <!-- selectableForAuth: Specifies whether the namespace is selectable for 
     authentication. -->
          <!-- If this property is set to true, the namespace will be available for 
     authentication in the logon page namespace selection prompt. Set this value to 
     false if the namespace should not be available for selection on the logon page. 
     -->
          <crn:parameter name="selectableForAuth">
            <crn:value xsi:type="xsd:boolean">true</crn:value>
          </crn:parameter>
          <!-- advancedProperties: Specifies a set of advanced properties. -->
          <!-- The user needs to provide the name and the value for each advanced property. -->
          <crn:parameter name="advancedProperties">
            <crn:value xsi:type="cfg:array"> 
            </crn:value>
          </crn:parameter>
          <!-- accountCamidProperty: Specifies the value used to uniquely identify account 
     objects. -->
          <!-- Specify either an existing Content Manager account object model property 
     (e.g., email, username, defaultName, etc) or the name of a configured custom 
     property. A claim must be returned for all accounts from the Identity Provider 
     for either the Content Manager account object model property or the configured 
     custom property. The value selected must be unique across all account objects. 
     The value selected should be constant over time with a low probability of 
     needing to be changed. NOTE: this value should not be changed after initial 
     namespace configuration. -->
          <crn:parameter name="accountCamidProperty">
            <crn:value xsi:type="xsd:string">email</crn:value>
          </crn:parameter>
          <!-- customProperties: Specifies a set of custom properties. -->
          <!-- Use this set of custom properties to define additional account information. 
     The "name" field corresponds to the property name set in the account while the 
     "value" corresponds to the claim name in the id_token. -->
          <crn:parameter name="customProperties">
            <crn:value xsi:type="cfg:array"> 
            </crn:value>
          </crn:parameter>
          <!-- tenantIdMapping: Specifies how namespace users are mapped to tenant IDs. -->
          <!-- Specifying a value for this parameter enables multitenancy. The tenant ID for 
     a user can be determined using a pattern or a tenant provider class. The 
     pattern is a AAA service search path to a property which defines a tenant ID. 
     The search path must be relative to a user account. For example: 
     '~/ancestors[2]/defaultName'. A tenant provider class is Java class which 
     implements the the ITenantProvider interface. For more details please consult 
     the installation and configuration guide. -->
          <crn:parameter name="tenantIdMapping">
            <crn:value xsi:type="cfg:tenancyInfo">pattern</crn:value>
          </crn:parameter>
          <!-- tenantBoundingSetMapping: Specifies how the tenant bounding set is determined 
     for a user. -->
          <!-- This parameter is used when multitenancy is enabled. The tenant bounding set 
     for a user can be determined using a pattern or a tenant bounding set provider 
     class. The pattern is a AAA service search path to a property which defines a 
     tenant bounding set. The search path must be relative to a user account. For 
     example: '˜/parameters/boundingSet'. A tenant bounding set provider class is 
     Java class which implements the the IBoundingSetProvider interface. For more 
     details please consult the installation and configuration guide. -->
          <crn:parameter name="tenantBoundingSetMapping">
            <crn:value xsi:type="cfg:tenancyInfo">pattern</crn:value>
          </crn:parameter>
        </crn:instance>
        <!--
(End of) OIDC_SiteMinder template
===============================================================================

-->
        <!--

===============================================================================
(Begin of) OIDC_W3ID template
-->
        <crn:instance name="OIDC_W3ID Name" class="OIDC_W3ID">
          <!-- identityProviderType: Specifies the implementation of an OpenID Connect 
     identity provider. -->
          <crn:parameter name="identityProviderType">
            <crn:value xsi:type="xsd:string">W3ID</crn:value>
          </crn:parameter>
          <!-- id: Specifies a unique identifier for the authentication namespace. -->
          <!-- Use the namespace identifier to distinguish between multiple namespaces. Each 
     namespace must have a unique identifier. When you select a namespace to use for 
     authentication in the run-time environment, the identifier is used by the IBM 
     Cognos components. Changing the namespace ID after the service has been started 
     may invalidate the object security policies and the Cognos group and role 
     memberships. The use of the colon in the Namespace ID is not supported. -->
          <crn:parameter name="id">
            <crn:value xsi:type="xsd:string"> 
            </crn:value>
          </crn:parameter>
          <!-- issuer: Specifies the OpenID claim issuer. -->
          <!-- A string that represents the identity provider that issued the claims in the 
     ID token. This value must match the value of the 'iss' entry in the ID token 
     JSON document. -->
          <crn:parameter name="issuer">
            <crn:value xsi:type="xsd:string">https://w3id.sso.ibm.com/isam</crn:value>
          </crn:parameter>
          <!-- oidcTokenEndpoint: Specifies the OpenID Connect token endpoint -->
          <!-- The token endpoint is used to retrieve the identity token after a successful 
     authentication to the OpenID Connect identity provider. -->
          <crn:parameter name="oidcTokenEndpoint">
            <crn:value xsi:type="cfg:anyPathURI">https://w3id.sso.ibm.com:443/isam/oidc/endpoint/amapp-runtime-oidcidp/token</crn:value>
          </crn:parameter>
          <!-- oidcAuthEndpoint: Specifies the OpenID Connect authorization endpoint. -->
          <!-- The authorization endpoint is a URL that your OpenID Connect identity provider 
     uses for authentication. In most cases, the URL should use the https scheme. 
     The authorization endpoint is invoked when users authenticate to the OpenID 
     Connect identity provider. -->
          <crn:parameter name="oidcAuthEndpoint">
            <crn:value xsi:type="cfg:anyPathURI">https://w3id.sso.ibm.com:443/isam/oidc/endpoint/amapp-runtime-oidcidp/authorize</crn:value>
          </crn:parameter>
          <!-- clientId: Specifies the OpenID Connect client identifier -->
          <!-- The client identity that is assigned to the application by the OpenID Connect 
     identity provider. -->
          <crn:parameter name="clientId">
            <crn:value xsi:type="xsd:string"> 
            </crn:value>
          </crn:parameter>
          <!-- clientSecret: Specifies the client secret that is assigned to the application 
     by the OpenID Connect identity provider. -->
          <!-- The client secret that is assigned to the application by the OpenID Connect 
     identity provider. -->
          <crn:parameter name="clientSecret">
            <crn:value xsi:type="xsd:string" encrypted="false"/>
          </crn:parameter>
          <!-- idpCertificateFile: Specifies the location of the certificate that is used by 
     the OpenID Connect identity provider to sign the identity token. -->
          <!-- A path to the file that contains the certificate used by the identity provider 
     to sign the JSON Web Token. The path must include the certificate file name and 
     be   accessible to the running instance of Cognos Analytics. The certificate 
     must be in a PEM format, include only the public key certificate, and include 
     the begin and end certificate lines. The certificate file cannot be placed in 
     the configuration/certs directory. -->
          <crn:parameter name="idpCertificateFile">
            <crn:value xsi:type="cfg:filePath"> 
            </crn:value>
          </crn:parameter>
          <!-- returnUrl: Return URL that is configured with the OpenID Connect identity 
     provider. -->
          <!-- The return URL is invoked by the OpenID Connect identity provider after 
     successfully authenticating a user. The URL format is 
     https://dispatcherHOST:dispatcherPORT/bi/completeAuth.jsp or 
     https://webserverHOST:webserverPORT/ibmcognos/bi/completeAuth.jsp. This URL 
     completes Cognos Analytics authentication using the OpenID Connect identity 
     provider. -->
          <crn:parameter name="returnUrl">
            <crn:value xsi:type="cfg:anyPathURI">https://host:port/bi/completeAuth.jsp</crn:value>
          </crn:parameter>
          <!-- selectableForAuth: Specifies whether the namespace is selectable for 
     authentication. -->
          <!-- If this property is set to true, the namespace will be available for 
     authentication in the logon page namespace selection prompt. Set this value to 
     false if the namespace should not be available for selection on the logon page. 
     -->
          <crn:parameter name="selectableForAuth">
            <crn:value xsi:type="xsd:boolean">true</crn:value>
          </crn:parameter>
          <!-- advancedProperties: Specifies a set of advanced properties. -->
          <!-- The user needs to provide the name and the value for each advanced property. -->
          <crn:parameter name="advancedProperties">
            <crn:value xsi:type="cfg:array"> 
            </crn:value>
          </crn:parameter>
          <!-- accountCamidProperty: Specifies the value used to uniquely identify account 
     objects. -->
          <!-- Specify either an existing Content Manager account object model property 
     (e.g., email, username, defaultName, etc) or the name of a configured custom 
     property. A claim must be returned for all accounts from the Identity Provider 
     for either the Content Manager account object model property or the configured 
     custom property. The value selected must be unique across all account objects. 
     The value selected should be constant over time with a low probability of 
     needing to be changed. NOTE: this value should not be changed after initial 
     namespace configuration. -->
          <crn:parameter name="accountCamidProperty">
            <crn:value xsi:type="xsd:string">email</crn:value>
          </crn:parameter>
          <!-- customProperties: Specifies a set of custom properties. -->
          <!-- Use this set of custom properties to define additional account information. 
     The "name" field corresponds to the property name set in the account while the 
     "value" corresponds to the claim name in the id_token. -->
          <crn:parameter name="customProperties">
            <crn:value xsi:type="cfg:array"> 
            </crn:value>
          </crn:parameter>
          <!-- tenantIdMapping: Specifies how namespace users are mapped to tenant IDs. -->
          <!-- Specifying a value for this parameter enables multitenancy. The tenant ID for 
     a user can be determined using a pattern or a tenant provider class. The 
     pattern is a AAA service search path to a property which defines a tenant ID. 
     The search path must be relative to a user account. For example: 
     '~/ancestors[2]/defaultName'. A tenant provider class is Java class which 
     implements the the ITenantProvider interface. For more details please consult 
     the installation and configuration guide. -->
          <crn:parameter name="tenantIdMapping">
            <crn:value xsi:type="cfg:tenancyInfo">pattern</crn:value>
          </crn:parameter>
          <!-- tenantBoundingSetMapping: Specifies how the tenant bounding set is determined 
     for a user. -->
          <!-- This parameter is used when multitenancy is enabled. The tenant bounding set 
     for a user can be determined using a pattern or a tenant bounding set provider 
     class. The pattern is a AAA service search path to a property which defines a 
     tenant bounding set. The search path must be relative to a user account. For 
     example: '˜/parameters/boundingSet'. A tenant bounding set provider class is 
     Java class which implements the the IBoundingSetProvider interface. For more 
     details please consult the installation and configuration guide. -->
          <crn:parameter name="tenantBoundingSetMapping">
            <crn:value xsi:type="cfg:tenancyInfo">pattern</crn:value>
          </crn:parameter>
        </crn:instance>
        <!--
(End of) OIDC_W3ID template
===============================================================================

-->
        <!--

===============================================================================
(Begin of) RACF template
-->
        <crn:instance name="RACF Name" class="RACF">
          <!-- id: Specifies a unique identifier for the authentication namespace. -->
          <!-- Use the namespace identifier to distinguish between multiple namespaces. Each 
     namespace must have a unique identifier. When you select a namespace to use for 
     authentication in the run-time environment, the identifier is used by the IBM 
     Cognos components. Changing the namespace ID after the service has been started 
     may invalidate the object security policies and the Cognos group and role 
     memberships. The use of the colon in the Namespace ID is not supported. -->
          <crn:parameter name="id">
            <crn:value xsi:type="xsd:string"> 
            </crn:value>
          </crn:parameter>
          <!-- connection: Specifies the host name and port of the directory server. -->
          <!-- Use the following syntax to specify the host name and port for the directory 
     server: host:port; for example, localhost:389. Ensure that if you use a fully 
     qualified name for your computer that your DNS is set up to resolve it. 
     Otherwise, you can also use the IP address. -->
          <crn:parameter name="connection">
            <crn:value xsi:type="cfg:hostPort"> 
            </crn:value>
          </crn:parameter>
          <!-- baseDN: Specifies the base distinguished name of the RACF server. -->
          <!-- The product uses the base DN to identify the top level of your directory 
     server structure. The root of the hierarchal directory structure is the 
     starting place for all searches. You restrict searches by specifying a base DN. 
     -->
          <crn:parameter name="baseDN">
            <crn:value xsi:type="xsd:string"> 
            </crn:value>
          </crn:parameter>
          <!-- identityMappingFlag: Specifies whether to use the identity mapping for user 
     authentication. -->
          <crn:parameter name="identityMappingFlag">
            <crn:value xsi:type="xsd:boolean">false</crn:value>
          </crn:parameter>
          <!-- bindCredentials: Specifies the credentials used for binding to the RACF server 
     when performing a search or when performing all operations using the identity 
     mapping. -->
          <!-- This value corresponds to a RACF user who has read and search access to the 
     user branch of the RACF directory server. -->
          <crn:parameter name="bindCredentials">
            <crn:value xsi:type="cfg:credential" encrypted="false">
              <credential>
                <username>joe</username>
                <password>paranoid</password>
              </credential>
            </crn:value>
          </crn:parameter>
          <!-- racfEnableSSL: Specifies that the RACF server expects SSL communication. -->
          <!-- Use this property to specify if SSL should be used when communicating with the 
     RACF server. -->
          <crn:parameter name="racfEnableSSL">
            <crn:value xsi:type="xsd:boolean">false</crn:value>
          </crn:parameter>
          <!-- sizeLimit: Specifies the maximum number of responses permitted for a search 
     request. -->
          <!-- The value depends on your environment. As a general rule, the minimum value 
     for this setting should be greater than the maximum number of groups or users 
     plus 100. When the size limit is reached the directory server stops searching. 
     The default value of -1 indicates that the value on the RACF server will be 
     used. -->
          <!-- Units: entries -->
          <crn:parameter name="sizeLimit">
            <crn:value xsi:type="xsd:int">-1</crn:value>
          </crn:parameter>
          <!-- timeOut: Specifies the number of seconds permitted to perform a search 
     request. -->
          <!-- The product uses this value when it requests authentication from the namespace 
     on your directory server. The value depends on your reporting environment. If 
     the duration is exceeded, the search is timed out. The default value -1 
     indicates that the value on the RACF server will be used. -->
          <!-- Units: sec -->
          <crn:parameter name="timeOut">
            <crn:value xsi:type="xsd:int">-1</crn:value>
          </crn:parameter>
          <!-- advancedProperties: Specifies a set of advanced properties. -->
          <!-- The user needs to provide the name and the value for each advanced property. -->
          <crn:parameter name="advancedProperties">
            <crn:value xsi:type="cfg:array"> 
            </crn:value>
          </crn:parameter>
          <!-- tenantIdMapping: Specifies how namespace users are mapped to tenant IDs. -->
          <!-- Specifying a value for this parameter enables multitenancy. The tenant ID for 
     a user can be determined using a pattern or a tenant provider class. The 
     pattern is a AAA service search path to a property which defines a tenant ID. 
     The search path must be relative to a user account. For example: 
     '~/ancestors[2]/defaultName'. A tenant provider class is Java class which 
     implements the the ITenantProvider interface. For more details please consult 
     the installation and configuration guide. -->
          <crn:parameter name="tenantIdMapping">
            <crn:value xsi:type="cfg:tenancyInfo">pattern</crn:value>
          </crn:parameter>
          <!-- tenantBoundingSetMapping: Specifies how the tenant bounding set is determined 
     for a user. -->
          <!-- This parameter is used when multitenancy is enabled. The tenant bounding set 
     for a user can be determined using a pattern or a tenant bounding set provider 
     class. The pattern is a AAA service search path to a property which defines a 
     tenant bounding set. The search path must be relative to a user account. For 
     example: '˜/parameters/boundingSet'. A tenant bounding set provider class is 
     Java class which implements the the IBoundingSetProvider interface. For more 
     details please consult the installation and configuration guide. -->
          <crn:parameter name="tenantBoundingSetMapping">
            <crn:value xsi:type="cfg:tenancyInfo">pattern</crn:value>
          </crn:parameter>
          <!-- baseDataMappedProperty: Specifies the account property that will be mapped to 
     the RACF Base Segment field, "DATA". -->
          <crn:parameter name="baseDataMappedProperty">
            <crn:value xsi:type="xsd:string">none</crn:value>
          </crn:parameter>
          <!-- TSODataMappedProperty: Specifies the account property that will be mapped to 
     the RACF TSO Segment field, "USERDATA". -->
          <crn:parameter name="TSODataMappedProperty">
            <crn:value xsi:type="xsd:string">none</crn:value>
          </crn:parameter>
        </crn:instance>
        <!--
(End of) RACF template
===============================================================================

-->
        <!--

===============================================================================
(Begin of) SAP template
-->
        <crn:instance name="SAP Name" class="SAP">
          <!-- id: Specifies a unique identifier for the authentication namespace. -->
          <!-- Use the namespace identifier to distinguish between multiple namespaces. Each 
     namespace must have a unique identifier. When you select a namespace to use for 
     authentication in the run-time environment, the identifier is used by the IBM 
     Cognos components. Changing the namespace ID after the service has been started 
     may invalidate the object security policies and the Cognos group and role 
     memberships. The use of the colon in the Namespace ID is not supported. -->
          <crn:parameter name="id">
            <crn:value xsi:type="xsd:string"> 
            </crn:value>
          </crn:parameter>
          <!-- client: Specifies the name of the SAP logon client. -->
          <!-- Specifies the SAP client number. -->
          <crn:parameter name="client">
            <crn:value xsi:type="xsd:string"> 
            </crn:value>
          </crn:parameter>
          <!-- hostname: Specifies the host name of the SAP server. -->
          <!-- Use this property so that you can connect to the computer that runs one or 
     more SAP instances. -->
          <crn:parameter name="hostname">
            <crn:value xsi:type="xsd:string"> 
            </crn:value>
          </crn:parameter>
          <!-- systnr: Specifies the SAP system number. -->
          <!-- The number must be an integer between 0 and 99. -->
          <crn:parameter name="systnr">
            <crn:value xsi:type="xsd:int">0</crn:value>
          </crn:parameter>
          <!-- codepage: Specifies the SAP BW server code page used to convert user 
     credentials to the correct encoding. -->
          <!-- Use this property to convert the user ID and password from UTF8 encoding to 
     the encoding used by the SAP server. To enable single signon, specify the same 
     SAP Code page in the portal on the Data Sources page for the SAP BW connection 
     string. -->
          <crn:parameter name="codepage">
            <crn:value xsi:type="xsd:string">4110</crn:value>
          </crn:parameter>
          <!-- selectableForAuth: Specifies whether the namespace is selectable for 
     authentication. -->
          <!-- If this property is set to true, the namespace will be available for 
     authentication in the logon page namespace selection prompt. Set this value to 
     false if the namespace should not be available for selection on the logon page. 
     -->
          <crn:parameter name="selectableForAuth">
            <crn:value xsi:type="xsd:boolean">true</crn:value>
          </crn:parameter>
          <!-- advancedProperties: Specifies a set of advanced properties. -->
          <!-- The user needs to provide the name and the value for each advanced property. -->
          <crn:parameter name="advancedProperties">
            <crn:value xsi:type="cfg:array"> 
            </crn:value>
          </crn:parameter>
          <!-- tenantIdMapping: Specifies how namespace users are mapped to tenant IDs. -->
          <!-- Specifying a value for this parameter enables multitenancy. The tenant ID for 
     a user can be determined using a pattern or a tenant provider class. The 
     pattern is a AAA service search path to a property which defines a tenant ID. 
     The search path must be relative to a user account. For example: 
     '~/ancestors[2]/defaultName'. A tenant provider class is Java class which 
     implements the the ITenantProvider interface. For more details please consult 
     the installation and configuration guide. -->
          <crn:parameter name="tenantIdMapping">
            <crn:value xsi:type="cfg:tenancyInfo">pattern</crn:value>
          </crn:parameter>
          <!-- tenantBoundingSetMapping: Specifies how the tenant bounding set is determined 
     for a user. -->
          <!-- This parameter is used when multitenancy is enabled. The tenant bounding set 
     for a user can be determined using a pattern or a tenant bounding set provider 
     class. The pattern is a AAA service search path to a property which defines a 
     tenant bounding set. The search path must be relative to a user account. For 
     example: '˜/parameters/boundingSet'. A tenant bounding set provider class is 
     Java class which implements the the IBoundingSetProvider interface. For more 
     details please consult the installation and configuration guide. -->
          <crn:parameter name="tenantBoundingSetMapping">
            <crn:value xsi:type="cfg:tenancyInfo">pattern</crn:value>
          </crn:parameter>
        </crn:instance>
        <!--
(End of) SAP template
===============================================================================

-->
        <!--

===============================================================================
(Begin of) Series7 template
-->
        <crn:instance name="Series7 Name" class="Series7">
          <!-- id: Specifies a unique identifier for the authentication namespace. -->
          <!-- Use the namespace identifier to distinguish between multiple namespaces. Each 
     namespace must have a unique identifier. When you select a namespace to use for 
     authentication in the run-time environment, the identifier is used by the IBM 
     Cognos components. Changing the namespace ID after the service has been started 
     may invalidate the object security policies and the Cognos group and role 
     memberships. The use of the colon in the Namespace ID is not supported. -->
          <crn:parameter name="id">
            <crn:value xsi:type="xsd:string"> 
            </crn:value>
          </crn:parameter>
          <!-- connection: Specifies the host name and port of the directory server. -->
          <!-- Use the following syntax to specify the host name and port for the directory 
     server: host:port; for example, localhost:389. Ensure that if you use a fully 
     qualified name for your computer that your DNS is set up to resolve it. 
     Otherwise, you can also use the IP address. -->
          <crn:parameter name="connection">
            <crn:value xsi:type="cfg:hostPort"> 
            </crn:value>
          </crn:parameter>
          <!-- baseDN: Specifies the base distinguished name of the LDAP server. -->
          <!-- The product uses the base DN to identify the top level of your directory 
     server structure. The root of the hierarchal directory structure is the 
     starting place for all searches. You restrict searches by specifying a base DN. 
     -->
          <crn:parameter name="baseDN">
            <crn:value xsi:type="xsd:string"> 
            </crn:value>
          </crn:parameter>
          <!-- namespace: Specifies the name of the IBM Cognos Series 7 namespace. -->
          <!-- Ensure that the namespace is available. -->
          <crn:parameter name="namespace">
            <crn:value xsi:type="xsd:string"> 
            </crn:value>
          </crn:parameter>
          <!-- timeOut: Specifies the maximum number of seconds in which a connection to the 
     directory server must be established. -->
          <!-- The product uses this value when it binds or re-binds to the directory server. 
     A value of 0 indicates that the timeout is determined by the network 
     connectivity software.  The default value (10) sets the number of seconds that 
     the Series7 provider waits for the bind operation to complete -->
          <!-- Units: sec -->
          <crn:parameter name="timeOut">
            <crn:value xsi:type="xsd:int">10</crn:value>
          </crn:parameter>
          <!-- dataEncoding: Specifies the encoding of the data stored in the LDAP directory 
     server. -->
          <!-- Use this property to specify the encoding of data stored in the LDAP directory 
     server. If this property is set to an encoding other than UTF-8, then 
     conversion of the data from the encoding specified will be performed. The 
     encoding value must follow IANA (RFC 1700) or MIME charset specifications. For 
     example, windows-1252, iso-8859-1, iso-8859-15, Shift_JIS, utf-8, etc. If the 
     Series 7 namespace version is 16.0 or greater, then this value must be set to 
     UTF-8. If the Series 7 namespace version is 15.2 or lower, then this value must 
     be set to the encoding of the system used to update the Access Manager data. To 
     determine the namespace version, launch the Series 7 Access Manager - 
     Administrator tool. Logon to the appropriate namespace, right click on the 
     namespace name, and choose properties. -->
          <crn:parameter name="dataEncoding">
            <crn:value xsi:type="xsd:string">UTF-8</crn:value>
          </crn:parameter>
          <!-- sslCertificateDatabase: Specifies the location of the certificate database 
     used by the directory server for SSL connections. -->
          <!-- Use this property to point to the location of the SSL certificate database for 
     your LDAP server. -->
          <crn:parameter name="sslCertificateDatabase">
            <crn:value xsi:type="cfg:filePath"> 
            </crn:value>
          </crn:parameter>
          <!-- selectableForAuth: Specifies whether the namespace is selectable for 
     authentication. -->
          <!-- If this property is set to true, the namespace will be available for 
     authentication in the logon page namespace selection prompt. Set this value to 
     false if the namespace should not be available for selection on the logon page. 
     -->
          <crn:parameter name="selectableForAuth">
            <crn:value xsi:type="xsd:boolean">true</crn:value>
          </crn:parameter>
          <!-- advancedProperties: Specifies a set of advanced properties. -->
          <!-- The user needs to provide the name and the value for each advanced property. -->
          <crn:parameter name="advancedProperties">
            <crn:value xsi:type="cfg:array"> 
            </crn:value>
          </crn:parameter>
          <!-- tenantIdMapping: Specifies how namespace users are mapped to tenant IDs. -->
          <!-- Specifying a value for this parameter enables multitenancy. The tenant ID for 
     a user can be determined using a pattern or a tenant provider class. The 
     pattern is a AAA service search path to a property which defines a tenant ID. 
     The search path must be relative to a user account. For example: 
     '~/ancestors[2]/defaultName'. A tenant provider class is Java class which 
     implements the the ITenantProvider interface. For more details please consult 
     the installation and configuration guide. -->
          <crn:parameter name="tenantIdMapping">
            <crn:value xsi:type="cfg:tenancyInfo">pattern</crn:value>
          </crn:parameter>
          <!-- tenantBoundingSetMapping: Specifies how the tenant bounding set is determined 
     for a user. -->
          <!-- This parameter is used when multitenancy is enabled. The tenant bounding set 
     for a user can be determined using a pattern or a tenant bounding set provider 
     class. The pattern is a AAA service search path to a property which defines a 
     tenant bounding set. The search path must be relative to a user account. For 
     example: '˜/parameters/boundingSet'. A tenant bounding set provider class is 
     Java class which implements the the IBoundingSetProvider interface. For more 
     details please consult the installation and configuration guide. -->
          <crn:parameter name="tenantBoundingSetMapping">
            <crn:value xsi:type="cfg:tenancyInfo">pattern</crn:value>
          </crn:parameter>
          <!-- CookiePath: Specifies the subset of URLs in a domain for which the cookie is 
     valid. -->
          <!-- If a cookie successfully passes domain matching, the pathname component of the 
     URL is compared to the value of this property. If the values match, the cookie 
     is valid. The path "/" is the most general path. -->
          <crn:parameter name="CookiePath">
            <crn:value xsi:type="xsd:string">/</crn:value>
          </crn:parameter>
          <!-- CookieDomain: Specifies the domain for which the cookie is valid. -->
          <!--  The domain attributes of the cookie are compared with the Internet domain 
     name of the host from which the URL will be fetched. If the values match, the 
     cookie is valid. -->
          <crn:parameter name="CookieDomain">
            <crn:value xsi:type="xsd:string"> 
            </crn:value>
          </crn:parameter>
          <!-- CookieSecure: Specifies whether the cookie is sent only to secure servers. -->
          <!-- If this property is set to true, then the cookie will only be sent to HTTPS 
     servers. If the property is set to false, the cookie can be sent over unsecured 
     channels. -->
          <crn:parameter name="CookieSecure">
            <crn:value xsi:type="xsd:boolean">false</crn:value>
          </crn:parameter>
        </crn:instance>
        <!--
(End of) Series7 template
===============================================================================

-->
        <!--

===============================================================================
(Begin of) SiteMinder template
-->
        <crn:instance name="SiteMinder Name" class="SiteMinder">
          <!-- id: Specifies a unique identifier for the authentication namespace. -->
          <!-- Use the namespace identifier to distinguish between multiple namespaces. Each 
     namespace must have a unique identifier. When you select a namespace to use for 
     authentication in the run-time environment, the identifier is used by the IBM 
     Cognos components. Changing the namespace ID after the service has been started 
     may invalidate the object security policies and the Cognos group and role 
     memberships. The use of the colon in the Namespace ID is not supported. -->
          <crn:parameter name="id">
            <crn:value xsi:type="xsd:string"> 
            </crn:value>
          </crn:parameter>
          <!-- advancedProperties: Specifies a set of advanced properties. -->
          <!-- The user needs to provide the name and the value for each advanced property. -->
          <crn:parameter name="advancedProperties">
            <crn:value xsi:type="cfg:array"> 
            </crn:value>
          </crn:parameter>
          <!-- selectableForAuth: Specifies whether the namespace is selectable for 
     authentication. -->
          <!-- If this property is set to true, the namespace will be available for 
     authentication in the logon page namespace selection prompt. Set this value to 
     false if the namespace should not be available for selection on the logon page. 
     -->
          <crn:parameter name="selectableForAuth">
            <crn:value xsi:type="xsd:boolean">true</crn:value>
          </crn:parameter>
          <!-- agentName: Specifies the agent name as registered with the Policy Server. -->
          <!-- This property is case-sensitive. -->
          <crn:parameter name="agentName">
            <crn:value xsi:type="xsd:string"> 
            </crn:value>
          </crn:parameter>
          <!-- sharedSecret: Specifies the shared secret registered with the Policy Server 
     for this agent. -->
          <!-- This property is  case-sensitive. -->
          <crn:parameter name="sharedSecret">
            <crn:value xsi:type="xsd:string" encrypted="false"/>
          </crn:parameter>
          <!-- failOverMode: Specifies whether to use fail over. -->
          <!-- If this property is set to true, when a connection fails, a new connection is 
     made to the list of servers in the specified order. Set this value to false to 
     access the Policy Servers in a round-robin configuration. -->
          <crn:parameter name="failOverMode">
            <crn:value xsi:type="xsd:boolean">true</crn:value>
          </crn:parameter>
          <crn:instances name="policyServerList">
            <!--

===============================================================================
(Begin of) PolicyServer template
-->
            <crn:instance name="PolicyServer Name" class="PolicyServer">
              <!-- policyServerHost: Specifies the host name of the Policy Server. -->
              <!-- Ensure that if you use a fully qualified name for your computer that your DNS 
     is set up to resolve it. Otherwise, use the IP address. -->
              <crn:parameter name="policyServerHost">
                <crn:value xsi:type="cfg:hostOnly"> 
                </crn:value>
              </crn:parameter>
              <!-- connMin: Specifies the minimum number of TCP connections. -->
              <!-- Use this property to specify the initial number of TCP connections. -->
              <crn:parameter name="connMin">
                <crn:value xsi:type="xsd:unsignedShort">1</crn:value>
              </crn:parameter>
              <!-- connMax: Specifies the maximum number of TCP connections. -->
              <!-- Use this property to specify the maximum number of TCP connections. -->
              <crn:parameter name="connMax">
                <crn:value xsi:type="xsd:unsignedShort">1</crn:value>
              </crn:parameter>
              <!-- connStep: Specifies  the increment by which the number of TCP connections will 
     be increased. -->
              <!-- Use this property to specify the number of TCP connections that will be added, 
     when necessary. -->
              <crn:parameter name="connStep">
                <crn:value xsi:type="xsd:unsignedShort">1</crn:value>
              </crn:parameter>
              <!-- timeout: Specifies the maximum number of seconds to wait for the agent to get 
     a response from the Policy Server. -->
              <!-- Use this property to specify the number of seconds until it is determined that 
     the agent cannot reach the Policy Server. -->
              <!-- Units: sec -->
              <crn:parameter name="timeout">
                <crn:value xsi:type="xsd:int">75</crn:value>
              </crn:parameter>
              <!-- authPort: Specifies the authentication port of the SiteMinder Policy Server. -->
              <!-- Use this property to specify the authentication port that  the Policy Server 
     uses to listen for an agent connection. -->
              <crn:parameter name="authPort">
                <crn:value xsi:type="xsd:unsignedShort">44442</crn:value>
              </crn:parameter>
              <!-- aznPort: Specifies the authorization port of the SiteMinder Policy Server. -->
              <!-- Use this property to specify the authorization port that the Policy Server 
     uses to listen for an agent connection. -->
              <crn:parameter name="aznPort">
                <crn:value xsi:type="xsd:unsignedShort">44443</crn:value>
              </crn:parameter>
              <!-- accPort: Specifies the accounting port of the SiteMinder Policy Server. -->
              <!-- Use this property to specify the accounting port that the Policy Server 
     listens for an agent connection. -->
              <crn:parameter name="accPort">
                <crn:value xsi:type="xsd:unsignedShort">44441</crn:value>
              </crn:parameter>
              <crn:instances name="userDirectory">
                <!--

===============================================================================
(Begin of) userDirectory template
-->
                <crn:instance name="userDirectory Name" class="userDirectory">
                  <!-- nsID: Specifies a reference to a unique identifier for an authentication 
     namespace. -->
                  <!-- Use the namespace reference to uniquely identify an authentication namespace. -->
                  <crn:parameter name="nsID">
                    <crn:value xsi:type="xsd:string"> 
                    </crn:value>
                  </crn:parameter>
                </crn:instance>
                <!--
(End of) userDirectory template
===============================================================================

-->
              </crn:instances>
            </crn:instance>
            <!--
(End of) PolicyServer template
===============================================================================

-->
          </crn:instances>
        </crn:instance>
        <!--
(End of) SiteMinder template
===============================================================================

-->
        <!--

===============================================================================
(Begin of) TSP_OIDC_ADFS template
-->
        <crn:instance name="TSP_OIDC_ADFS Name" class="TSP_OIDC_ADFS">
          <!-- identityProviderType: Specifies the implementation of an OpenID Connect 
     identity provider. -->
          <crn:parameter name="identityProviderType">
            <crn:value xsi:type="xsd:string">ADFS</crn:value>
          </crn:parameter>
          <!-- id: Specifies a unique identifier for the authentication namespace. -->
          <!-- Use the namespace identifier to distinguish between multiple namespaces. Each 
     namespace must have a unique identifier. When you select a namespace to use for 
     authentication in the run-time environment, the identifier is used by the IBM 
     Cognos components. Changing the namespace ID after the service has been started 
     may invalidate the object security policies and the Cognos group and role 
     memberships. The use of the colon in the Namespace ID is not supported. -->
          <crn:parameter name="id">
            <crn:value xsi:type="xsd:string"> 
            </crn:value>
          </crn:parameter>
          <!-- oidcDiscEndpoint: Specifies the OpenID Connect discovery endpoint -->
          <!-- The discovery endpoint is used to retrieve the OpenID Connect configuration 
     that includes the authorization endpoint, token endpoint, jwks endpoint, and 
     issuer. -->
          <crn:parameter name="oidcDiscEndpoint">
            <crn:value xsi:type="cfg:anyPathURI">https://{hostname}:443/adfs/.well-known/openid-configuration</crn:value>
          </crn:parameter>
          <!-- clientId: Specifies the OpenID Connect client identifier -->
          <!-- The client identity that is assigned to the application by the OpenID Connect 
     identity provider. -->
          <crn:parameter name="clientId">
            <crn:value xsi:type="xsd:string"> 
            </crn:value>
          </crn:parameter>
          <!-- clientSecret: Specifies the client secret that is assigned to the application 
     by the OpenID Connect identity provider. -->
          <!-- The client secret that is assigned to the application by the OpenID Connect 
     identity provider. -->
          <crn:parameter name="clientSecret">
            <crn:value xsi:type="xsd:string" encrypted="false"/>
          </crn:parameter>
          <!-- returnUrl: Return URL that is configured with the OpenID Connect identity 
     provider. -->
          <!-- The return URL is invoked by the OpenID Connect identity provider after 
     successfully authenticating a user. The URL format is 
     https://dispatcherHOST:dispatcherPORT/bi/completeAuth.jsp or 
     https://webserverHOST:webserverPORT/ibmcognos/bi/completeAuth.jsp. This URL 
     completes Cognos Analytics authentication using the OpenID Connect identity 
     provider. -->
          <crn:parameter name="returnUrl">
            <crn:value xsi:type="cfg:anyPathURI">https://host:port/bi/completeAuth.jsp</crn:value>
          </crn:parameter>
          <!-- selectableForAuth: Specifies whether the namespace is selectable for 
     authentication. -->
          <!-- If this property is set to true, the namespace will be available for 
     authentication in the logon page namespace selection prompt. Set this value to 
     false if the namespace should not be available for selection on the logon page. 
     -->
          <crn:parameter name="selectableForAuth">
            <crn:value xsi:type="xsd:boolean">true</crn:value>
          </crn:parameter>
          <!-- advancedProperties: Specifies a set of advanced properties. -->
          <!-- The user needs to provide the name and the value for each advanced property. -->
          <crn:parameter name="advancedProperties">
            <crn:value xsi:type="cfg:array"> 
            </crn:value>
          </crn:parameter>
          <!-- claimName: Specifies the name of the claim that will be provided to the target 
     namespace. -->
          <!-- A string that represents the name of the claim from the id_token that will be 
     provided to the target namespace. This value must be a single string value in 
     the id_token and must exist for all account objects. -->
          <crn:parameter name="claimName">
            <crn:value xsi:type="xsd:string"> 
            </crn:value>
          </crn:parameter>
          <!-- trustedEnvName: Specifies the environment variable name that will be used to 
     transfer the claim to the target namespace. -->
          <!-- A string that represents the environment variable name that will be used to 
     transfer the claim to the target namespace. This value is dependent on the 
     target namespace type and corresponds to how the target namespace will obtain 
     the user's identity. For example, the LDAP and Active Directory namespace types 
     both expect the user's identity to be passed in the REMOTE_USER environment 
     variable. -->
          <crn:parameter name="trustedEnvName">
            <crn:value xsi:type="xsd:string">REMOTE_USER</crn:value>
          </crn:parameter>
          <!-- redirectNsID: Specifies the namespace ID that will be invoked with the claim 
     obtained from the OpenID identity provider. -->
          <!-- A string that represents the ID of the namespace that will be invoked with the 
     claim obtained from the OpenID identity provider. This value must match the 
     namespace ID of a configured namespace (e.g., LDAP, AD, etc). -->
          <crn:parameter name="redirectNsID">
            <crn:value xsi:type="xsd:string"> 
            </crn:value>
          </crn:parameter>
        </crn:instance>
        <!--
(End of) TSP_OIDC_ADFS template
===============================================================================

-->
        <!--

===============================================================================
(Begin of) TSP_OIDC_AzureAD template
-->
        <crn:instance name="TSP_OIDC_AzureAD Name" class="TSP_OIDC_AzureAD">
          <!-- identityProviderType: Specifies the implementation of an OpenID Connect 
     identity provider. -->
          <crn:parameter name="identityProviderType">
            <crn:value xsi:type="xsd:string">AzureAD</crn:value>
          </crn:parameter>
          <!-- id: Specifies a unique identifier for the authentication namespace. -->
          <!-- Use the namespace identifier to distinguish between multiple namespaces. Each 
     namespace must have a unique identifier. When you select a namespace to use for 
     authentication in the run-time environment, the identifier is used by the IBM 
     Cognos components. Changing the namespace ID after the service has been started 
     may invalidate the object security policies and the Cognos group and role 
     memberships. The use of the colon in the Namespace ID is not supported. -->
          <crn:parameter name="id">
            <crn:value xsi:type="xsd:string"> 
            </crn:value>
          </crn:parameter>
          <!-- oidcDiscEndpoint: Specifies the OpenID Connect discovery endpoint -->
          <!-- The discovery endpoint is used to retrieve the OpenID Connect configuration 
     that includes the authorization endpoint, token endpoint, jwks endpoint, and 
     issuer. -->
          <crn:parameter name="oidcDiscEndpoint">
            <crn:value xsi:type="cfg:anyPathURI">https://login.microsoftonline.com:443/{tenantid}/.well-known/openid-configuration</crn:value>
          </crn:parameter>
          <!-- clientId: Specifies the OpenID Connect client identifier -->
          <!-- The client identity that is assigned to the application by the OpenID Connect 
     identity provider. -->
          <crn:parameter name="clientId">
            <crn:value xsi:type="xsd:string"> 
            </crn:value>
          </crn:parameter>
          <!-- clientSecret: Specifies the client secret that is assigned to the application 
     by the OpenID Connect identity provider. -->
          <!-- The client secret that is assigned to the application by the OpenID Connect 
     identity provider. -->
          <crn:parameter name="clientSecret">
            <crn:value xsi:type="xsd:string" encrypted="false"/>
          </crn:parameter>
          <!-- returnUrl: Return URL that is configured with the OpenID Connect identity 
     provider. -->
          <!-- The return URL is invoked by the OpenID Connect identity provider after 
     successfully authenticating a user. The URL format is 
     https://dispatcherHOST:dispatcherPORT/bi/completeAuth.jsp or 
     https://webserverHOST:webserverPORT/ibmcognos/bi/completeAuth.jsp. This URL 
     completes Cognos Analytics authentication using the OpenID Connect identity 
     provider. -->
          <crn:parameter name="returnUrl">
            <crn:value xsi:type="cfg:anyPathURI">https://host:port/bi/completeAuth.jsp</crn:value>
          </crn:parameter>
          <!-- selectableForAuth: Specifies whether the namespace is selectable for 
     authentication. -->
          <!-- If this property is set to true, the namespace will be available for 
     authentication in the logon page namespace selection prompt. Set this value to 
     false if the namespace should not be available for selection on the logon page. 
     -->
          <crn:parameter name="selectableForAuth">
            <crn:value xsi:type="xsd:boolean">true</crn:value>
          </crn:parameter>
          <!-- advancedProperties: Specifies a set of advanced properties. -->
          <!-- The user needs to provide the name and the value for each advanced property. -->
          <crn:parameter name="advancedProperties">
            <crn:value xsi:type="cfg:array"> 
            </crn:value>
          </crn:parameter>
          <!-- claimName: Specifies the name of the claim that will be provided to the target 
     namespace. -->
          <!-- A string that represents the name of the claim from the id_token that will be 
     provided to the target namespace. This value must be a single string value in 
     the id_token and must exist for all account objects. -->
          <crn:parameter name="claimName">
            <crn:value xsi:type="xsd:string"> 
            </crn:value>
          </crn:parameter>
          <!-- trustedEnvName: Specifies the environment variable name that will be used to 
     transfer the claim to the target namespace. -->
          <!-- A string that represents the environment variable name that will be used to 
     transfer the claim to the target namespace. This value is dependent on the 
     target namespace type and corresponds to how the target namespace will obtain 
     the user's identity. For example, the LDAP and Active Directory namespace types 
     both expect the user's identity to be passed in the REMOTE_USER environment 
     variable. -->
          <crn:parameter name="trustedEnvName">
            <crn:value xsi:type="xsd:string">REMOTE_USER</crn:value>
          </crn:parameter>
          <!-- redirectNsID: Specifies the namespace ID that will be invoked with the claim 
     obtained from the OpenID identity provider. -->
          <!-- A string that represents the ID of the namespace that will be invoked with the 
     claim obtained from the OpenID identity provider. This value must match the 
     namespace ID of a configured namespace (e.g., LDAP, AD, etc). -->
          <crn:parameter name="redirectNsID">
            <crn:value xsi:type="xsd:string"> 
            </crn:value>
          </crn:parameter>
        </crn:instance>
        <!--
(End of) TSP_OIDC_AzureAD template
===============================================================================

-->
        <!--

===============================================================================
(Begin of) TSP_OIDC_BlueID template
-->
        <crn:instance name="TSP_OIDC_BlueID Name" class="TSP_OIDC_BlueID">
          <!-- identityProviderType: Specifies the implementation of an OpenID Connect 
     identity provider. -->
          <crn:parameter name="identityProviderType">
            <crn:value xsi:type="xsd:string">IBMid</crn:value>
          </crn:parameter>
          <!-- id: Specifies a unique identifier for the authentication namespace. -->
          <!-- Use the namespace identifier to distinguish between multiple namespaces. Each 
     namespace must have a unique identifier. When you select a namespace to use for 
     authentication in the run-time environment, the identifier is used by the IBM 
     Cognos components. Changing the namespace ID after the service has been started 
     may invalidate the object security policies and the Cognos group and role 
     memberships. The use of the colon in the Namespace ID is not supported. -->
          <crn:parameter name="id">
            <crn:value xsi:type="xsd:string"> 
            </crn:value>
          </crn:parameter>
          <!-- issuer: Specifies the OpenID claim issuer. -->
          <!-- A string that represents the identity provider that issued the claims in the 
     ID token. This value must match the value of the 'iss' entry in the ID token 
     JSON document. -->
          <crn:parameter name="issuer">
            <crn:value xsi:type="xsd:string">https://idaas.iam.ibm.com</crn:value>
          </crn:parameter>
          <!-- oidcTokenEndpoint: Specifies the OpenID Connect token endpoint -->
          <!-- The token endpoint is used to retrieve the identity token after a successful 
     authentication to the OpenID Connect identity provider. -->
          <crn:parameter name="oidcTokenEndpoint">
            <crn:value xsi:type="cfg:anyPathURI">https://idaas.iam.ibm.com:443/idaas/oidc/endpoint/default/token</crn:value>
          </crn:parameter>
          <!-- oidcAuthEndpoint: Specifies the OpenID Connect authorization endpoint. -->
          <!-- The authorization endpoint is a URL that your OpenID Connect identity provider 
     uses for authentication. In most cases, the URL should use the https scheme. 
     The authorization endpoint is invoked when users authenticate to the OpenID 
     Connect identity provider. -->
          <crn:parameter name="oidcAuthEndpoint">
            <crn:value xsi:type="cfg:anyPathURI">https://idaas.iam.ibm.com:443/idaas/oidc/endpoint/default/authorize</crn:value>
          </crn:parameter>
          <!-- clientId: Specifies the OpenID Connect client identifier -->
          <!-- The client identity that is assigned to the application by the OpenID Connect 
     identity provider. -->
          <crn:parameter name="clientId">
            <crn:value xsi:type="xsd:string"> 
            </crn:value>
          </crn:parameter>
          <!-- clientSecret: Specifies the client secret that is assigned to the application 
     by the OpenID Connect identity provider. -->
          <!-- The client secret that is assigned to the application by the OpenID Connect 
     identity provider. -->
          <crn:parameter name="clientSecret">
            <crn:value xsi:type="xsd:string" encrypted="false"/>
          </crn:parameter>
          <!-- idpCertificateFile: Specifies the location of the certificate that is used by 
     the OpenID Connect identity provider to sign the identity token. -->
          <!-- A path to the file that contains the certificate used by the identity provider 
     to sign the JSON Web Token. The path must include the certificate file name and 
     be   accessible to the running instance of Cognos Analytics. The certificate 
     must be in a PEM format, include only the public key certificate, and include 
     the begin and end certificate lines. The certificate file cannot be placed in 
     the configuration/certs directory. -->
          <crn:parameter name="idpCertificateFile">
            <crn:value xsi:type="cfg:filePath"> 
            </crn:value>
          </crn:parameter>
          <!-- returnUrl: Return URL that is configured with the OpenID Connect identity 
     provider. -->
          <!-- The return URL is invoked by the OpenID Connect identity provider after 
     successfully authenticating a user. The URL format is 
     https://dispatcherHOST:dispatcherPORT/bi/completeAuth.jsp or 
     https://webserverHOST:webserverPORT/ibmcognos/bi/completeAuth.jsp. This URL 
     completes Cognos Analytics authentication using the OpenID Connect identity 
     provider. -->
          <crn:parameter name="returnUrl">
            <crn:value xsi:type="cfg:anyPathURI">https://host:port/bi/completeAuth.jsp</crn:value>
          </crn:parameter>
          <!-- selectableForAuth: Specifies whether the namespace is selectable for 
     authentication. -->
          <!-- If this property is set to true, the namespace will be available for 
     authentication in the logon page namespace selection prompt. Set this value to 
     false if the namespace should not be available for selection on the logon page. 
     -->
          <crn:parameter name="selectableForAuth">
            <crn:value xsi:type="xsd:boolean">true</crn:value>
          </crn:parameter>
          <!-- advancedProperties: Specifies a set of advanced properties. -->
          <!-- The user needs to provide the name and the value for each advanced property. -->
          <crn:parameter name="advancedProperties">
            <crn:value xsi:type="cfg:array"> 
            </crn:value>
          </crn:parameter>
          <!-- claimName: Specifies the name of the claim that will be provided to the target 
     namespace. -->
          <!-- A string that represents the name of the claim from the id_token that will be 
     provided to the target namespace. This value must be a single string value in 
     the id_token and must exist for all account objects. -->
          <crn:parameter name="claimName">
            <crn:value xsi:type="xsd:string"> 
            </crn:value>
          </crn:parameter>
          <!-- trustedEnvName: Specifies the environment variable name that will be used to 
     transfer the claim to the target namespace. -->
          <!-- A string that represents the environment variable name that will be used to 
     transfer the claim to the target namespace. This value is dependent on the 
     target namespace type and corresponds to how the target namespace will obtain 
     the user's identity. For example, the LDAP and Active Directory namespace types 
     both expect the user's identity to be passed in the REMOTE_USER environment 
     variable. -->
          <crn:parameter name="trustedEnvName">
            <crn:value xsi:type="xsd:string">REMOTE_USER</crn:value>
          </crn:parameter>
          <!-- redirectNsID: Specifies the namespace ID that will be invoked with the claim 
     obtained from the OpenID identity provider. -->
          <!-- A string that represents the ID of the namespace that will be invoked with the 
     claim obtained from the OpenID identity provider. This value must match the 
     namespace ID of a configured namespace (e.g., LDAP, AD, etc). -->
          <crn:parameter name="redirectNsID">
            <crn:value xsi:type="xsd:string"> 
            </crn:value>
          </crn:parameter>
        </crn:instance>
        <!--
(End of) TSP_OIDC_BlueID template
===============================================================================

-->
        <!--

===============================================================================
(Begin of) TSP_OIDC_Generic template
-->
        <crn:instance name="TSP_OIDC_Generic Name" class="TSP_OIDC_Generic">
          <!-- identityProviderType: Specifies the implementation of an OpenID Connect 
     identity provider. -->
          <crn:parameter name="identityProviderType">
            <crn:value xsi:type="xsd:string">Generic</crn:value>
          </crn:parameter>
          <!-- id: Specifies a unique identifier for the authentication namespace. -->
          <!-- Use the namespace identifier to distinguish between multiple namespaces. Each 
     namespace must have a unique identifier. When you select a namespace to use for 
     authentication in the run-time environment, the identifier is used by the IBM 
     Cognos components. Changing the namespace ID after the service has been started 
     may invalidate the object security policies and the Cognos group and role 
     memberships. The use of the colon in the Namespace ID is not supported. -->
          <crn:parameter name="id">
            <crn:value xsi:type="xsd:string"> 
            </crn:value>
          </crn:parameter>
          <!-- selectableForAuth: Specifies whether the namespace is selectable for 
     authentication. -->
          <!-- If this property is set to true, the namespace will be available for 
     authentication in the logon page namespace selection prompt. Set this value to 
     false if the namespace should not be available for selection on the logon page. 
     -->
          <crn:parameter name="selectableForAuth">
            <crn:value xsi:type="xsd:boolean">true</crn:value>
          </crn:parameter>
          <!-- claimName: Specifies the name of the claim that will be provided to the target 
     namespace. -->
          <!-- A string that represents the name of the claim from the id_token that will be 
     provided to the target namespace. This value must be a single string value in 
     the id_token and must exist for all account objects. -->
          <crn:parameter name="claimName">
            <crn:value xsi:type="xsd:string"> 
            </crn:value>
          </crn:parameter>
          <!-- trustedEnvName: Specifies the environment variable name that will be used to 
     transfer the claim to the target namespace. -->
          <!-- A string that represents the environment variable name that will be used to 
     transfer the claim to the target namespace. This value is dependent on the 
     target namespace type and corresponds to how the target namespace will obtain 
     the user's identity. For example, the LDAP and Active Directory namespace types 
     both expect the user's identity to be passed in the REMOTE_USER environment 
     variable. -->
          <crn:parameter name="trustedEnvName">
            <crn:value xsi:type="xsd:string">REMOTE_USER</crn:value>
          </crn:parameter>
          <!-- redirectNsID: Specifies the namespace ID that will be invoked with the claim 
     obtained from the OpenID identity provider. -->
          <!-- A string that represents the ID of the namespace that will be invoked with the 
     claim obtained from the OpenID identity provider. This value must match the 
     namespace ID of a configured namespace (e.g., LDAP, AD, etc). -->
          <crn:parameter name="redirectNsID">
            <crn:value xsi:type="xsd:string"> 
            </crn:value>
          </crn:parameter>
          <!-- advancedProperties: Specifies a set of advanced properties. -->
          <!-- The user needs to provide the name and the value for each advanced property. -->
          <crn:parameter name="advancedProperties">
            <crn:value xsi:type="cfg:array"> 
            </crn:value>
          </crn:parameter>
          <!-- useDiscoveryEndpoint: Specifies whether the Identity Provider returns a 
     discovery document. -->
          <!-- Set this value to true if the Identity Provider supports a discovery document 
     endpoint and fill out the discovery endpoint configuration group. Set this 
     value to false if the Identity Provider does not support a discovery document 
     endpoint and fill out the non-discovery endpoint configuration group. -->
          <crn:parameter name="useDiscoveryEndpoint">
            <crn:value xsi:type="xsd:boolean">true</crn:value>
          </crn:parameter>
          <!-- oidcDiscEndpoint: Specifies the OpenID Connect discovery endpoint -->
          <!-- The discovery endpoint is used to retrieve the OpenID Connect configuration 
     that includes the authorization endpoint, token endpoint, jwks endpoint, and 
     issuer. -->
          <crn:parameter name="oidcDiscEndpoint">
            <crn:value xsi:type="cfg:anyPathURI"> 
            </crn:value>
          </crn:parameter>
          <!-- issuer: Specifies the OpenID claim issuer. -->
          <!-- A string that represents the identity provider that issued the claims in the 
     ID token. This value must match the value of the 'iss' entry in the ID token 
     JSON document. -->
          <crn:parameter name="issuer">
            <crn:value xsi:type="xsd:string"> 
            </crn:value>
          </crn:parameter>
          <!-- oidcTokenEndpoint: Specifies the OpenID Connect token endpoint, using the 
     following syntax: https://<hostname:port>/<path> -->
          <!-- The token endpoint is used to retrieve the identity token after a successful 
     authentication to the OpenID Connect identity provider. -->
          <crn:parameter name="oidcTokenEndpoint">
            <crn:value xsi:type="cfg:anyPathURI"> 
            </crn:value>
          </crn:parameter>
          <!-- oidcAuthEndpoint: Specifies the OpenID Connect authorization endpoint, using 
     the following syntax: https://<hostname:port>/<path> -->
          <!-- The authorization endpoint is a URL that your OpenID Connect identity provider 
     uses for authentication. In most cases, the URL should use the https scheme. 
     The authorization endpoint is invoked when users authenticate to the OpenID 
     Connect identity provider. -->
          <crn:parameter name="oidcAuthEndpoint">
            <crn:value xsi:type="cfg:anyPathURI"> 
            </crn:value>
          </crn:parameter>
          <!-- clientId: Specifies the OpenID Connect client identifier -->
          <!-- The client identity that is assigned to the application by the OpenID Connect 
     identity provider. -->
          <crn:parameter name="clientId">
            <crn:value xsi:type="xsd:string"> 
            </crn:value>
          </crn:parameter>
          <!-- returnUrl: Return URL that is configured with the OpenID Connect identity 
     provider. -->
          <!-- The return URL is invoked by the OpenID Connect identity provider after 
     successfully authenticating a user. The URL format is 
     https://dispatcherHOST:dispatcherPORT/bi/completeAuth.jsp or 
     https://webserverHOST:webserverPORT/ibmcognos/bi/completeAuth.jsp. This URL 
     completes Cognos Analytics authentication using the OpenID Connect identity 
     provider. -->
          <crn:parameter name="returnUrl">
            <crn:value xsi:type="cfg:anyPathURI">https://host:port/bi/completeAuth.jsp</crn:value>
          </crn:parameter>
          <!-- authScope: Specifies the scope parameter values provided to the authorize 
     endpoint. -->
          <!-- The scope parameter values that will be added to the authorize endpoint URL 
     for authentication. At a minimum, 'openid' must be included in the list of 
     possible scope values. -->
          <crn:parameter name="authScope">
            <crn:value xsi:type="xsd:string">openid</crn:value>
          </crn:parameter>
          <!-- accountClaims: Specifies if the id_token contains all of the account claims. -->
          <!-- Set this value to token if the id_token contains all of the user claims. Set 
     this value to userinfo if an additional call should be made to the userinfo 
     endpoint in order to retrieve any user claims that are not part of the 
     id_token. -->
          <crn:parameter name="accountClaims">
            <crn:value xsi:type="xsd:string">token</crn:value>
          </crn:parameter>
          <!-- tokenEndpointAuth: Specifies how to authenticate to the Identity Provider when 
     invoking the token endpoint. -->
          <!-- Use client secret post if the client id and client secret should be 
     transmitted in the request body. Use client secret basic if the client id and 
     client secret should be transmitted in the HTTP header. Use private key JWT if 
     the client id and a JWT client_assertion that is signed with a private key 
     should be transmitted in the request body. -->
          <crn:parameter name="tokenEndpointAuth">
            <crn:value xsi:type="xsd:string">client_secret_post</crn:value>
          </crn:parameter>
          <!-- clientSecret: Specifies the client secret that is assigned to the application 
     by the OpenID Connect identity provider. -->
          <!-- The client secret that is assigned to the application by the OpenID Connect 
     identity provider. -->
          <crn:parameter name="clientSecret">
            <crn:value xsi:type="xsd:string" encrypted="false"/>
          </crn:parameter>
          <!-- privateKeyFile: Specifies the file that contains the private signing key. -->
          <!-- The file that contains the private signing key in PKCS8 format. It must 
     contain a single private RSA key of length 2048 bits. -->
          <crn:parameter name="privateKeyFile">
            <crn:value xsi:type="cfg:filePath"> 
            </crn:value>
          </crn:parameter>
          <!-- privateKeyPassword: Specifies the private key password used to protect the 
     private signing key. -->
          <!-- This password is required to secure the private key. It provides an extra 
     layer of security by encrypted the private key file using a password. -->
          <crn:parameter name="privateKeyPassword">
            <crn:value xsi:type="xsd:string" encrypted="false"/>
          </crn:parameter>
          <!-- privateKeyId: Specifies the key identifier that should be placed in the JWT 
     header. -->
          <!-- The key identifier that will be set in the JWT 'kid' header. Use this 
     configuration item if your identity provider requires a 'kid'. Leave this value 
     blank if your identity provider does not require a 'kid'. -->
          <crn:parameter name="privateKeyId">
            <crn:value xsi:type="xsd:string"> 
            </crn:value>
          </crn:parameter>
          <!-- keyLocation: Specifies the location of the signing public key or certificate. -->
          <!-- Set this value to 'File' if the signing certificate is manually downloaded 
     from the Identity Provider as a certificate and placed on the file system. Set 
     this value to 'JWKS endpoint' if the Identity Provider supports an endpoint for 
     retrieving id_token signature keys. Note: if the Identity Provider does not 
     support a discovery document but provides public keys via a JWKS endpoint, then 
     the JWKS Endpoint must contain a valid URI for retrieving the public keys. -->
          <crn:parameter name="keyLocation">
            <crn:value xsi:type="xsd:string">jwks_uri</crn:value>
          </crn:parameter>
          <!-- idpCertificateFile: Specifies the location of the certificate that is used by 
     the OpenID Connect identity provider to sign the identity token. -->
          <!-- A path to the file that contains the certificate used by the identity provider 
     to sign the JSON Web Token. The path must include the certificate file name and 
     be   accessible to the running instance of Cognos Analytics. The certificate 
     must be in a PEM format, include only the public key certificate, and include 
     the begin and end certificate lines. The certificate file cannot be placed in 
     the configuration/certs directory. -->
          <crn:parameter name="idpCertificateFile">
            <crn:value xsi:type="cfg:filePath"> 
            </crn:value>
          </crn:parameter>
          <!-- jwksEndpoint: Specifies the OpenID Connect endpoint for retrieving JWT signing 
     keys. -->
          <!-- The JWKS endpoint is a URL that your OpenID Connect identity provider uses to 
     provide signing key data. In most cases, the URL should use the https scheme. 
     The JWKS  endpoint is invoked when validating an id_token returned from the 
     identity provider. -->
          <crn:parameter name="jwksEndpoint">
            <crn:value xsi:type="cfg:anyPathURI"> 
            </crn:value>
          </crn:parameter>
          <!-- pgStrategy: Specifies how to get the user's identity when using the password 
     grant flow. -->
          <!-- Set this value to 'ID token' if all user claims are returned in the id_token. 
     Set this value to 'ID token and userinfo endpoint' if an id_token is returned 
     from the password grant flow but does not contain all of the user claims. Set 
     this value to 'Userinfo endpoint' if the id_token does not contain any user 
     claims and if the user claims should be retrieved from the userinfo endpoint. 
     Set this value to 'Unsupported' if the Identity Provider does not support the 
     password grant flow. -->
          <crn:parameter name="pgStrategy">
            <crn:value xsi:type="xsd:string">idToken</crn:value>
          </crn:parameter>
          <!-- pgInclScope: Specifies that the scope should be included when using the 
     password grant flow. -->
          <!-- Set this value to true to indicate that the scope parameter should be included 
     as part of the query string for the password grant flow. Set this value to 
     false to indicate that the scope should be omitted from the query string for 
     the password grant flow. -->
          <crn:parameter name="pgInclScope">
            <crn:value xsi:type="xsd:boolean">true</crn:value>
          </crn:parameter>
          <!-- pgAddParams: Specifies any additional parameters that are required for the 
     password grant flow. -->
          <!-- Set this value to reflect any additional parameters that should be included as 
     part of the query string for the password grant flow. The parameter must begin 
     with an '&&' and must be urlencoded so that it can be safely inserted into the 
     query string. For example, if the 'resource=https://ca.ibm.com' parameter is 
     required in the query string, it must be entered as: 
     '&resource=https%3A%2F%2Fca.ibm.com'. -->
          <crn:parameter name="pgAddParams">
            <crn:value xsi:type="xsd:string"> 
            </crn:value>
          </crn:parameter>
          <!-- tcStrategy: Specifies the information that should be stored for scheduling 
     jobs. -->
          <!-- Set this value to 'Credentials' if the Identity Provider supports the password 
     grant and returns a valid id_token that contains all of the user claims in the 
     response. Set this value to 'Credentials and ID token' if the Identity Provider 
     supports the password grant flow but does not return a valid id_token in the 
     response or if the id_token does not contain all of the user claims. Set this 
     value to 'Refresh token' if the Identity Provider supports the refresh token 
     flow, provides a non-expiring refresh token, and returns a valid id_token that 
     contains all of the user claims from the refresh token flow. Set this value to 
     'ID token only' if the Identity Provider does not support the password grant 
     nor refresh token flows (Note: when set to 'ID token only', it will not be 
     possible to verify that the user is still exists and is enabled in the Identity 
     Provider). -->
          <crn:parameter name="tcStrategy">
            <crn:value xsi:type="xsd:string">credentials</crn:value>
          </crn:parameter>
          <!-- tcAccountClaims: Specifies if the id_token contains all of the account claims. 
     -->
          <!-- Set this value to 'ID token' if the id_token returned from the token endpoint 
     contains all of the user claims. Set this value to 'Userinfo endpoint' if an 
     additional call to the userinfo endpoint is required in order to obtain all of 
     the user claims. -->
          <crn:parameter name="tcAccountClaims">
            <crn:value xsi:type="xsd:string">id_token</crn:value>
          </crn:parameter>
        </crn:instance>
        <!--
(End of) TSP_OIDC_Generic template
===============================================================================

-->
        <!--

===============================================================================
(Begin of) TSP_OIDC_Google template
-->
        <crn:instance name="TSP_OIDC_Google Name" class="TSP_OIDC_Google">
          <!-- identityProviderType: Specifies the implementation of an OpenID Connect 
     identity provider. -->
          <crn:parameter name="identityProviderType">
            <crn:value xsi:type="xsd:string">Google</crn:value>
          </crn:parameter>
          <!-- id: Specifies a unique identifier for the authentication namespace. -->
          <!-- Use the namespace identifier to distinguish between multiple namespaces. Each 
     namespace must have a unique identifier. When you select a namespace to use for 
     authentication in the run-time environment, the identifier is used by the IBM 
     Cognos components. Changing the namespace ID after the service has been started 
     may invalidate the object security policies and the Cognos group and role 
     memberships. The use of the colon in the Namespace ID is not supported. -->
          <crn:parameter name="id">
            <crn:value xsi:type="xsd:string"> 
            </crn:value>
          </crn:parameter>
          <!-- oidcDiscEndpoint: Specifies the OpenID Connect discovery endpoint -->
          <!-- The discovery endpoint is used to retrieve the OpenID Connect configuration 
     that includes the authorization endpoint, token endpoint, jwks endpoint, and 
     issuer. -->
          <crn:parameter name="oidcDiscEndpoint">
            <crn:value xsi:type="cfg:anyPathURI">https://accounts.google.com:443/.well-known/openid-configuration</crn:value>
          </crn:parameter>
          <!-- clientId: Specifies the OpenID Connect client identifier -->
          <!-- The client identity that is assigned to the application by the OpenID Connect 
     identity provider. -->
          <crn:parameter name="clientId">
            <crn:value xsi:type="xsd:string"> 
            </crn:value>
          </crn:parameter>
          <!-- clientSecret: Specifies the client secret that is assigned to the application 
     by the OpenID Connect identity provider. -->
          <!-- The client secret that is assigned to the application by the OpenID Connect 
     identity provider. -->
          <crn:parameter name="clientSecret">
            <crn:value xsi:type="xsd:string" encrypted="false"/>
          </crn:parameter>
          <!-- returnUrl: Return URL that is configured with the OpenID Connect identity 
     provider. -->
          <!-- The return URL is invoked by the OpenID Connect identity provider after 
     successfully authenticating a user. The URL format is 
     https://dispatcherHOST:dispatcherPORT/bi/completeAuth.jsp or 
     https://webserverHOST:webserverPORT/ibmcognos/bi/completeAuth.jsp. This URL 
     completes Cognos Analytics authentication using the OpenID Connect identity 
     provider. -->
          <crn:parameter name="returnUrl">
            <crn:value xsi:type="cfg:anyPathURI">https://host:port/bi/completeAuth.jsp</crn:value>
          </crn:parameter>
          <!-- selectableForAuth: Specifies whether the namespace is selectable for 
     authentication. -->
          <!-- If this property is set to true, the namespace will be available for 
     authentication in the logon page namespace selection prompt. Set this value to 
     false if the namespace should not be available for selection on the logon page. 
     -->
          <crn:parameter name="selectableForAuth">
            <crn:value xsi:type="xsd:boolean">true</crn:value>
          </crn:parameter>
          <!-- advancedProperties: Specifies a set of advanced properties. -->
          <!-- The user needs to provide the name and the value for each advanced property. -->
          <crn:parameter name="advancedProperties">
            <crn:value xsi:type="cfg:array"> 
            </crn:value>
          </crn:parameter>
          <!-- claimName: Specifies the name of the claim that will be provided to the target 
     namespace. -->
          <!-- A string that represents the name of the claim from the id_token that will be 
     provided to the target namespace. This value must be a single string value in 
     the id_token and must exist for all account objects. -->
          <crn:parameter name="claimName">
            <crn:value xsi:type="xsd:string"> 
            </crn:value>
          </crn:parameter>
          <!-- trustedEnvName: Specifies the environment variable name that will be used to 
     transfer the claim to the target namespace. -->
          <!-- A string that represents the environment variable name that will be used to 
     transfer the claim to the target namespace. This value is dependent on the 
     target namespace type and corresponds to how the target namespace will obtain 
     the user's identity. For example, the LDAP and Active Directory namespace types 
     both expect the user's identity to be passed in the REMOTE_USER environment 
     variable. -->
          <crn:parameter name="trustedEnvName">
            <crn:value xsi:type="xsd:string">REMOTE_USER</crn:value>
          </crn:parameter>
          <!-- redirectNsID: Specifies the namespace ID that will be invoked with the claim 
     obtained from the OpenID identity provider. -->
          <!-- A string that represents the ID of the namespace that will be invoked with the 
     claim obtained from the OpenID identity provider. This value must match the 
     namespace ID of a configured namespace (e.g., LDAP, AD, etc). -->
          <crn:parameter name="redirectNsID">
            <crn:value xsi:type="xsd:string"> 
            </crn:value>
          </crn:parameter>
        </crn:instance>
        <!--
(End of) TSP_OIDC_Google template
===============================================================================

-->
        <!--

===============================================================================
(Begin of) TSP_OIDC_IBMCloudId template
-->
        <crn:instance name="TSP_OIDC_IBMCloudId Name" class="TSP_OIDC_IBMCloudId">
          <!-- identityProviderType: Specifies the implementation of an OpenID Connect 
     identity provider. -->
          <crn:parameter name="identityProviderType">
            <crn:value xsi:type="xsd:string">IBMCloudId</crn:value>
          </crn:parameter>
          <!-- id: Specifies a unique identifier for the authentication namespace. -->
          <!-- Use the namespace identifier to distinguish between multiple namespaces. Each 
     namespace must have a unique identifier. When you select a namespace to use for 
     authentication in the run-time environment, the identifier is used by the IBM 
     Cognos components. Changing the namespace ID after the service has been started 
     may invalidate the object security policies and the Cognos group and role 
     memberships. The use of the colon in the Namespace ID is not supported. -->
          <crn:parameter name="id">
            <crn:value xsi:type="xsd:string"> 
            </crn:value>
          </crn:parameter>
          <!-- oidcDiscEndpoint: Specifies the OpenID Connect discovery endpoint -->
          <!-- The discovery endpoint is used to retrieve the OpenID Connect configuration 
     that includes the authorization endpoint, token endpoint, jwks endpoint, and 
     issuer. -->
          <crn:parameter name="oidcDiscEndpoint">
            <crn:value xsi:type="cfg:anyPathURI">https://login.ibm.com:443/oidc/endpoint/default/.well-known/openid-configuration</crn:value>
          </crn:parameter>
          <!-- clientId: Specifies the OpenID Connect client identifier -->
          <!-- The client identity that is assigned to the application by the OpenID Connect 
     identity provider. -->
          <crn:parameter name="clientId">
            <crn:value xsi:type="xsd:string"> 
            </crn:value>
          </crn:parameter>
          <!-- clientSecret: Specifies the client secret that is assigned to the application 
     by the OpenID Connect identity provider. -->
          <!-- The client secret that is assigned to the application by the OpenID Connect 
     identity provider. -->
          <crn:parameter name="clientSecret">
            <crn:value xsi:type="xsd:string" encrypted="false"/>
          </crn:parameter>
          <!-- returnUrl: Return URL that is configured with the OpenID Connect identity 
     provider. -->
          <!-- The return URL is invoked by the OpenID Connect identity provider after 
     successfully authenticating a user. The URL format is 
     https://dispatcherHOST:dispatcherPORT/bi/completeAuth.jsp or 
     https://webserverHOST:webserverPORT/ibmcognos/bi/completeAuth.jsp. This URL 
     completes Cognos Analytics authentication using the OpenID Connect identity 
     provider. -->
          <crn:parameter name="returnUrl">
            <crn:value xsi:type="cfg:anyPathURI">https://host:port/bi/completeAuth.jsp</crn:value>
          </crn:parameter>
          <!-- selectableForAuth: Specifies whether the namespace is selectable for 
     authentication. -->
          <!-- If this property is set to true, the namespace will be available for 
     authentication in the logon page namespace selection prompt. Set this value to 
     false if the namespace should not be available for selection on the logon page. 
     -->
          <crn:parameter name="selectableForAuth">
            <crn:value xsi:type="xsd:boolean">true</crn:value>
          </crn:parameter>
          <!-- advancedProperties: Specifies a set of advanced properties. -->
          <!-- The user needs to provide the name and the value for each advanced property. -->
          <crn:parameter name="advancedProperties">
            <crn:value xsi:type="cfg:array"> 
            </crn:value>
          </crn:parameter>
          <!-- claimName: Specifies the name of the claim that will be provided to the target 
     namespace. -->
          <!-- A string that represents the name of the claim from the id_token that will be 
     provided to the target namespace. This value must be a single string value in 
     the id_token and must exist for all account objects. -->
          <crn:parameter name="claimName">
            <crn:value xsi:type="xsd:string"> 
            </crn:value>
          </crn:parameter>
          <!-- trustedEnvName: Specifies the environment variable name that will be used to 
     transfer the claim to the target namespace. -->
          <!-- A string that represents the environment variable name that will be used to 
     transfer the claim to the target namespace. This value is dependent on the 
     target namespace type and corresponds to how the target namespace will obtain 
     the user's identity. For example, the LDAP and Active Directory namespace types 
     both expect the user's identity to be passed in the REMOTE_USER environment 
     variable. -->
          <crn:parameter name="trustedEnvName">
            <crn:value xsi:type="xsd:string">REMOTE_USER</crn:value>
          </crn:parameter>
          <!-- redirectNsID: Specifies the namespace ID that will be invoked with the claim 
     obtained from the OpenID identity provider. -->
          <!-- A string that represents the ID of the namespace that will be invoked with the 
     claim obtained from the OpenID identity provider. This value must match the 
     namespace ID of a configured namespace (e.g., LDAP, AD, etc). -->
          <crn:parameter name="redirectNsID">
            <crn:value xsi:type="xsd:string"> 
            </crn:value>
          </crn:parameter>
        </crn:instance>
        <!--
(End of) TSP_OIDC_IBMCloudId template
===============================================================================

-->
        <!--

===============================================================================
(Begin of) TSP_OIDC_MSIdentity template
-->
        <crn:instance name="TSP_OIDC_MSIdentity Name" class="TSP_OIDC_MSIdentity">
          <!-- identityProviderType: Specifies the implementation of an OpenID Connect 
     identity provider. -->
          <crn:parameter name="identityProviderType">
            <crn:value xsi:type="xsd:string">MSIdentity</crn:value>
          </crn:parameter>
          <!-- id: Specifies a unique identifier for the authentication namespace. -->
          <!-- Use the namespace identifier to distinguish between multiple namespaces. Each 
     namespace must have a unique identifier. When you select a namespace to use for 
     authentication in the run-time environment, the identifier is used by the IBM 
     Cognos components. Changing the namespace ID after the service has been started 
     may invalidate the object security policies and the Cognos group and role 
     memberships. The use of the colon in the Namespace ID is not supported. -->
          <crn:parameter name="id">
            <crn:value xsi:type="xsd:string"> 
            </crn:value>
          </crn:parameter>
          <!-- oidcDiscEndpoint: Specifies the OpenID Connect discovery endpoint -->
          <!-- The discovery endpoint is used to retrieve the OpenID Connect configuration 
     that includes the authorization endpoint, token endpoint, jwks endpoint, and 
     issuer. -->
          <crn:parameter name="oidcDiscEndpoint">
            <crn:value xsi:type="cfg:anyPathURI">https://login.microsoftonline.com:443/{tenantid}/v2.0/.well-known/openid-configuration</crn:value>
          </crn:parameter>
          <!-- clientId: Specifies the OpenID Connect client identifier -->
          <!-- The client identity that is assigned to the application by the OpenID Connect 
     identity provider. -->
          <crn:parameter name="clientId">
            <crn:value xsi:type="xsd:string"> 
            </crn:value>
          </crn:parameter>
          <!-- clientSecret: Specifies the client secret that is assigned to the application 
     by the OpenID Connect identity provider. -->
          <!-- The client secret that is assigned to the application by the OpenID Connect 
     identity provider. -->
          <crn:parameter name="clientSecret">
            <crn:value xsi:type="xsd:string" encrypted="false"/>
          </crn:parameter>
          <!-- returnUrl: Return URL that is configured with the OpenID Connect identity 
     provider. -->
          <!-- The return URL is invoked by the OpenID Connect identity provider after 
     successfully authenticating a user. The URL format is 
     https://dispatcherHOST:dispatcherPORT/bi/completeAuth.jsp or 
     https://webserverHOST:webserverPORT/ibmcognos/bi/completeAuth.jsp. This URL 
     completes Cognos Analytics authentication using the OpenID Connect identity 
     provider. -->
          <crn:parameter name="returnUrl">
            <crn:value xsi:type="cfg:anyPathURI">https://host:port/bi/completeAuth.jsp</crn:value>
          </crn:parameter>
          <!-- selectableForAuth: Specifies whether the namespace is selectable for 
     authentication. -->
          <!-- If this property is set to true, the namespace will be available for 
     authentication in the logon page namespace selection prompt. Set this value to 
     false if the namespace should not be available for selection on the logon page. 
     -->
          <crn:parameter name="selectableForAuth">
            <crn:value xsi:type="xsd:boolean">true</crn:value>
          </crn:parameter>
          <!-- advancedProperties: Specifies a set of advanced properties. -->
          <!-- The user needs to provide the name and the value for each advanced property. -->
          <crn:parameter name="advancedProperties">
            <crn:value xsi:type="cfg:array"> 
            </crn:value>
          </crn:parameter>
          <!-- claimName: Specifies the name of the claim that will be provided to the target 
     namespace. -->
          <!-- A string that represents the name of the claim from the id_token that will be 
     provided to the target namespace. This value must be a single string value in 
     the id_token and must exist for all account objects. -->
          <crn:parameter name="claimName">
            <crn:value xsi:type="xsd:string"> 
            </crn:value>
          </crn:parameter>
          <!-- trustedEnvName: Specifies the environment variable name that will be used to 
     transfer the claim to the target namespace. -->
          <!-- A string that represents the environment variable name that will be used to 
     transfer the claim to the target namespace. This value is dependent on the 
     target namespace type and corresponds to how the target namespace will obtain 
     the user's identity. For example, the LDAP and Active Directory namespace types 
     both expect the user's identity to be passed in the REMOTE_USER environment 
     variable. -->
          <crn:parameter name="trustedEnvName">
            <crn:value xsi:type="xsd:string">REMOTE_USER</crn:value>
          </crn:parameter>
          <!-- redirectNsID: Specifies the namespace ID that will be invoked with the claim 
     obtained from the OpenID identity provider. -->
          <!-- A string that represents the ID of the namespace that will be invoked with the 
     claim obtained from the OpenID identity provider. This value must match the 
     namespace ID of a configured namespace (e.g., LDAP, AD, etc). -->
          <crn:parameter name="redirectNsID">
            <crn:value xsi:type="xsd:string"> 
            </crn:value>
          </crn:parameter>
        </crn:instance>
        <!--
(End of) TSP_OIDC_MSIdentity template
===============================================================================

-->
        <!--

===============================================================================
(Begin of) TSP_OIDC_OKTA template
-->
        <crn:instance name="TSP_OIDC_OKTA Name" class="TSP_OIDC_OKTA">
          <!-- identityProviderType: Specifies the implementation of an OpenID Connect 
     identity provider. -->
          <crn:parameter name="identityProviderType">
            <crn:value xsi:type="xsd:string">OKTA</crn:value>
          </crn:parameter>
          <!-- id: Specifies a unique identifier for the authentication namespace. -->
          <!-- Use the namespace identifier to distinguish between multiple namespaces. Each 
     namespace must have a unique identifier. When you select a namespace to use for 
     authentication in the run-time environment, the identifier is used by the IBM 
     Cognos components. Changing the namespace ID after the service has been started 
     may invalidate the object security policies and the Cognos group and role 
     memberships. The use of the colon in the Namespace ID is not supported. -->
          <crn:parameter name="id">
            <crn:value xsi:type="xsd:string"> 
            </crn:value>
          </crn:parameter>
          <!-- oidcDiscEndpoint: Specifies the OpenID Connect discovery endpoint -->
          <!-- The discovery endpoint is used to retrieve the OpenID Connect configuration 
     that includes the authorization endpoint, token endpoint, jwks endpoint, and 
     issuer. -->
          <crn:parameter name="oidcDiscEndpoint">
            <crn:value xsi:type="cfg:anyPathURI">https://{hostname}:443/.well-known/openid-configuration</crn:value>
          </crn:parameter>
          <!-- clientId: Specifies the OpenID Connect client identifier -->
          <!-- The client identity that is assigned to the application by the OpenID Connect 
     identity provider. -->
          <crn:parameter name="clientId">
            <crn:value xsi:type="xsd:string"> 
            </crn:value>
          </crn:parameter>
          <!-- clientSecret: Specifies the client secret that is assigned to the application 
     by the OpenID Connect identity provider. -->
          <!-- The client secret that is assigned to the application by the OpenID Connect 
     identity provider. -->
          <crn:parameter name="clientSecret">
            <crn:value xsi:type="xsd:string" encrypted="false"/>
          </crn:parameter>
          <!-- returnUrl: Return URL that is configured with the OpenID Connect identity 
     provider. -->
          <!-- The return URL is invoked by the OpenID Connect identity provider after 
     successfully authenticating a user. The URL format is 
     https://dispatcherHOST:dispatcherPORT/bi/completeAuth.jsp or 
     https://webserverHOST:webserverPORT/ibmcognos/bi/completeAuth.jsp. This URL 
     completes Cognos Analytics authentication using the OpenID Connect identity 
     provider. -->
          <crn:parameter name="returnUrl">
            <crn:value xsi:type="cfg:anyPathURI">https://host:port/bi/completeAuth.jsp</crn:value>
          </crn:parameter>
          <!-- selectableForAuth: Specifies whether the namespace is selectable for 
     authentication. -->
          <!-- If this property is set to true, the namespace will be available for 
     authentication in the logon page namespace selection prompt. Set this value to 
     false if the namespace should not be available for selection on the logon page. 
     -->
          <crn:parameter name="selectableForAuth">
            <crn:value xsi:type="xsd:boolean">true</crn:value>
          </crn:parameter>
          <!-- advancedProperties: Specifies a set of advanced properties. -->
          <!-- The user needs to provide the name and the value for each advanced property. -->
          <crn:parameter name="advancedProperties">
            <crn:value xsi:type="cfg:array"> 
            </crn:value>
          </crn:parameter>
          <!-- claimName: Specifies the name of the claim that will be provided to the target 
     namespace. -->
          <!-- A string that represents the name of the claim from the id_token that will be 
     provided to the target namespace. This value must be a single string value in 
     the id_token and must exist for all account objects. -->
          <crn:parameter name="claimName">
            <crn:value xsi:type="xsd:string"> 
            </crn:value>
          </crn:parameter>
          <!-- trustedEnvName: Specifies the environment variable name that will be used to 
     transfer the claim to the target namespace. -->
          <!-- A string that represents the environment variable name that will be used to 
     transfer the claim to the target namespace. This value is dependent on the 
     target namespace type and corresponds to how the target namespace will obtain 
     the user's identity. For example, the LDAP and Active Directory namespace types 
     both expect the user's identity to be passed in the REMOTE_USER environment 
     variable. -->
          <crn:parameter name="trustedEnvName">
            <crn:value xsi:type="xsd:string">REMOTE_USER</crn:value>
          </crn:parameter>
          <!-- redirectNsID: Specifies the namespace ID that will be invoked with the claim 
     obtained from the OpenID identity provider. -->
          <!-- A string that represents the ID of the namespace that will be invoked with the 
     claim obtained from the OpenID identity provider. This value must match the 
     namespace ID of a configured namespace (e.g., LDAP, AD, etc). -->
          <crn:parameter name="redirectNsID">
            <crn:value xsi:type="xsd:string"> 
            </crn:value>
          </crn:parameter>
        </crn:instance>
        <!--
(End of) TSP_OIDC_OKTA template
===============================================================================

-->
        <!--

===============================================================================
(Begin of) TSP_OIDC_Ping template
-->
        <crn:instance name="TSP_OIDC_Ping Name" class="TSP_OIDC_Ping">
          <!-- identityProviderType: Specifies the implementation of an OpenID Connect 
     identity provider. -->
          <crn:parameter name="identityProviderType">
            <crn:value xsi:type="xsd:string">Ping</crn:value>
          </crn:parameter>
          <!-- id: Specifies a unique identifier for the authentication namespace. -->
          <!-- Use the namespace identifier to distinguish between multiple namespaces. Each 
     namespace must have a unique identifier. When you select a namespace to use for 
     authentication in the run-time environment, the identifier is used by the IBM 
     Cognos components. Changing the namespace ID after the service has been started 
     may invalidate the object security policies and the Cognos group and role 
     memberships. The use of the colon in the Namespace ID is not supported. -->
          <crn:parameter name="id">
            <crn:value xsi:type="xsd:string"> 
            </crn:value>
          </crn:parameter>
          <!-- oidcDiscEndpoint: Specifies the OpenID Connect discovery endpoint -->
          <!-- The discovery endpoint is used to retrieve the OpenID Connect configuration 
     that includes the authorization endpoint, token endpoint, jwks endpoint, and 
     issuer. -->
          <crn:parameter name="oidcDiscEndpoint">
            <crn:value xsi:type="cfg:anyPathURI">https://pingfederatehost:port/.well-known/openid-configuration</crn:value>
          </crn:parameter>
          <!-- clientId: Specifies the OpenID Connect client identifier -->
          <!-- The client identity that is assigned to the application by the OpenID Connect 
     identity provider. -->
          <crn:parameter name="clientId">
            <crn:value xsi:type="xsd:string"> 
            </crn:value>
          </crn:parameter>
          <!-- clientSecret: Specifies the client secret that is assigned to the application 
     by the OpenID Connect identity provider. -->
          <!-- The client secret that is assigned to the application by the OpenID Connect 
     identity provider. -->
          <crn:parameter name="clientSecret">
            <crn:value xsi:type="xsd:string" encrypted="false"/>
          </crn:parameter>
          <!-- returnUrl: Return URL that is configured with the OpenID Connect identity 
     provider. -->
          <!-- The return URL is invoked by the OpenID Connect identity provider after 
     successfully authenticating a user. The URL format is 
     https://dispatcherHOST:dispatcherPORT/bi/completeAuth.jsp or 
     https://webserverHOST:webserverPORT/ibmcognos/bi/completeAuth.jsp. This URL 
     completes Cognos Analytics authentication using the OpenID Connect identity 
     provider. -->
          <crn:parameter name="returnUrl">
            <crn:value xsi:type="cfg:anyPathURI">https://host:port/bi/completeAuth.jsp</crn:value>
          </crn:parameter>
          <!-- selectableForAuth: Specifies whether the namespace is selectable for 
     authentication. -->
          <!-- If this property is set to true, the namespace will be available for 
     authentication in the logon page namespace selection prompt. Set this value to 
     false if the namespace should not be available for selection on the logon page. 
     -->
          <crn:parameter name="selectableForAuth">
            <crn:value xsi:type="xsd:boolean">true</crn:value>
          </crn:parameter>
          <!-- advancedProperties: Specifies a set of advanced properties. -->
          <!-- The user needs to provide the name and the value for each advanced property. -->
          <crn:parameter name="advancedProperties">
            <crn:value xsi:type="cfg:array"> 
            </crn:value>
          </crn:parameter>
          <!-- claimName: Specifies the name of the claim that will be provided to the target 
     namespace. -->
          <!-- A string that represents the name of the claim from the id_token that will be 
     provided to the target namespace. This value must be a single string value in 
     the id_token and must exist for all account objects. -->
          <crn:parameter name="claimName">
            <crn:value xsi:type="xsd:string"> 
            </crn:value>
          </crn:parameter>
          <!-- trustedEnvName: Specifies the environment variable name that will be used to 
     transfer the claim to the target namespace. -->
          <!-- A string that represents the environment variable name that will be used to 
     transfer the claim to the target namespace. This value is dependent on the 
     target namespace type and corresponds to how the target namespace will obtain 
     the user's identity. For example, the LDAP and Active Directory namespace types 
     both expect the user's identity to be passed in the REMOTE_USER environment 
     variable. -->
          <crn:parameter name="trustedEnvName">
            <crn:value xsi:type="xsd:string">REMOTE_USER</crn:value>
          </crn:parameter>
          <!-- redirectNsID: Specifies the namespace ID that will be invoked with the claim 
     obtained from the OpenID identity provider. -->
          <!-- A string that represents the ID of the namespace that will be invoked with the 
     claim obtained from the OpenID identity provider. This value must match the 
     namespace ID of a configured namespace (e.g., LDAP, AD, etc). -->
          <crn:parameter name="redirectNsID">
            <crn:value xsi:type="xsd:string"> 
            </crn:value>
          </crn:parameter>
        </crn:instance>
        <!--
(End of) TSP_OIDC_Ping template
===============================================================================

-->
        <!--

===============================================================================
(Begin of) TSP_OIDC_SalesForce template
-->
        <crn:instance name="TSP_OIDC_SalesForce Name" class="TSP_OIDC_SalesForce">
          <!-- identityProviderType: Specifies the implementation of an OpenID Connect 
     identity provider. -->
          <crn:parameter name="identityProviderType">
            <crn:value xsi:type="xsd:string">SalesForce</crn:value>
          </crn:parameter>
          <!-- id: Specifies a unique identifier for the authentication namespace. -->
          <!-- Use the namespace identifier to distinguish between multiple namespaces. Each 
     namespace must have a unique identifier. When you select a namespace to use for 
     authentication in the run-time environment, the identifier is used by the IBM 
     Cognos components. Changing the namespace ID after the service has been started 
     may invalidate the object security policies and the Cognos group and role 
     memberships. The use of the colon in the Namespace ID is not supported. -->
          <crn:parameter name="id">
            <crn:value xsi:type="xsd:string"> 
            </crn:value>
          </crn:parameter>
          <!-- oidcDiscEndpoint: Specifies the OpenID Connect discovery endpoint -->
          <!-- The discovery endpoint is used to retrieve the OpenID Connect configuration 
     that includes the authorization endpoint, token endpoint, jwks endpoint, and 
     issuer. -->
          <crn:parameter name="oidcDiscEndpoint">
            <crn:value xsi:type="cfg:anyPathURI">https://login.salesforce.com:443/.well-known/openid-configuration</crn:value>
          </crn:parameter>
          <!-- clientId: Specifies the OpenID Connect client identifier -->
          <!-- The client identity that is assigned to the application by the OpenID Connect 
     identity provider. -->
          <crn:parameter name="clientId">
            <crn:value xsi:type="xsd:string"> 
            </crn:value>
          </crn:parameter>
          <!-- clientSecret: Specifies the client secret that is assigned to the application 
     by the OpenID Connect identity provider. -->
          <!-- The client secret that is assigned to the application by the OpenID Connect 
     identity provider. -->
          <crn:parameter name="clientSecret">
            <crn:value xsi:type="xsd:string" encrypted="false"/>
          </crn:parameter>
          <!-- returnUrl: Return URL that is configured with the OpenID Connect identity 
     provider. -->
          <!-- The return URL is invoked by the OpenID Connect identity provider after 
     successfully authenticating a user. The URL format is 
     https://dispatcherHOST:dispatcherPORT/bi/completeAuth.jsp or 
     https://webserverHOST:webserverPORT/ibmcognos/bi/completeAuth.jsp. This URL 
     completes Cognos Analytics authentication using the OpenID Connect identity 
     provider. -->
          <crn:parameter name="returnUrl">
            <crn:value xsi:type="cfg:anyPathURI">https://host:port/bi/completeAuth.jsp</crn:value>
          </crn:parameter>
          <!-- selectableForAuth: Specifies whether the namespace is selectable for 
     authentication. -->
          <!-- If this property is set to true, the namespace will be available for 
     authentication in the logon page namespace selection prompt. Set this value to 
     false if the namespace should not be available for selection on the logon page. 
     -->
          <crn:parameter name="selectableForAuth">
            <crn:value xsi:type="xsd:boolean">true</crn:value>
          </crn:parameter>
          <!-- advancedProperties: Specifies a set of advanced properties. -->
          <!-- The user needs to provide the name and the value for each advanced property. -->
          <crn:parameter name="advancedProperties">
            <crn:value xsi:type="cfg:array"> 
            </crn:value>
          </crn:parameter>
          <!-- claimName: Specifies the name of the claim that will be provided to the target 
     namespace. -->
          <!-- A string that represents the name of the claim from the id_token that will be 
     provided to the target namespace. This value must be a single string value in 
     the id_token and must exist for all account objects. -->
          <crn:parameter name="claimName">
            <crn:value xsi:type="xsd:string"> 
            </crn:value>
          </crn:parameter>
          <!-- trustedEnvName: Specifies the environment variable name that will be used to 
     transfer the claim to the target namespace. -->
          <!-- A string that represents the environment variable name that will be used to 
     transfer the claim to the target namespace. This value is dependent on the 
     target namespace type and corresponds to how the target namespace will obtain 
     the user's identity. For example, the LDAP and Active Directory namespace types 
     both expect the user's identity to be passed in the REMOTE_USER environment 
     variable. -->
          <crn:parameter name="trustedEnvName">
            <crn:value xsi:type="xsd:string">REMOTE_USER</crn:value>
          </crn:parameter>
          <!-- redirectNsID: Specifies the namespace ID that will be invoked with the claim 
     obtained from the OpenID identity provider. -->
          <!-- A string that represents the ID of the namespace that will be invoked with the 
     claim obtained from the OpenID identity provider. This value must match the 
     namespace ID of a configured namespace (e.g., LDAP, AD, etc). -->
          <crn:parameter name="redirectNsID">
            <crn:value xsi:type="xsd:string"> 
            </crn:value>
          </crn:parameter>
        </crn:instance>
        <!--
(End of) TSP_OIDC_SalesForce template
===============================================================================

-->
        <!--

===============================================================================
(Begin of) TSP_OIDC_SiteMinder template
-->
        <crn:instance name="TSP_OIDC_SiteMinder Name" class="TSP_OIDC_SiteMinder">
          <!-- identityProviderType: Specifies the implementation of an OpenID Connect 
     identity provider. -->
          <crn:parameter name="identityProviderType">
            <crn:value xsi:type="xsd:string">SiteMinder</crn:value>
          </crn:parameter>
          <!-- id: Specifies a unique identifier for the authentication namespace. -->
          <!-- Use the namespace identifier to distinguish between multiple namespaces. Each 
     namespace must have a unique identifier. When you select a namespace to use for 
     authentication in the run-time environment, the identifier is used by the IBM 
     Cognos components. Changing the namespace ID after the service has been started 
     may invalidate the object security policies and the Cognos group and role 
     memberships. The use of the colon in the Namespace ID is not supported. -->
          <crn:parameter name="id">
            <crn:value xsi:type="xsd:string"> 
            </crn:value>
          </crn:parameter>
          <!-- issuer: Specifies the OpenID claim issuer. The value looks like: 
     https://<SiteMinder fully qualified hostname> -->
          <!-- A string that represents the identity provider that issued the claims in the 
     ID token. This value must match the value of the 'iss' entry in the ID token 
     JSON document. -->
          <crn:parameter name="issuer">
            <crn:value xsi:type="xsd:string"> 
            </crn:value>
          </crn:parameter>
          <!-- oidcTokenEndpoint: Specifies the OpenID Connect token endpoint, using the 
     following syntax: https://<SiteMinder fully qualified 
     hostname:port>/affwebservices/CASSO/oidc/token -->
          <!-- The token endpoint is used to retrieve the identity token after a successful 
     authentication to the OpenID Connect identity provider. -->
          <crn:parameter name="oidcTokenEndpoint">
            <crn:value xsi:type="cfg:anyPathURI"> 
            </crn:value>
          </crn:parameter>
          <!-- oidcAuthEndpoint: Specifies the OpenID Connect authorization endpoint, using 
     the following syntax: https://<SiteMinder fully qualified 
     hostname:port>/affwebservices/CASSO/oidc/authorize -->
          <!-- The authorization endpoint is a URL that your OpenID Connect identity provider 
     uses for authentication. In most cases, the URL should use the https scheme. 
     The authorization endpoint is invoked when users authenticate to the OpenID 
     Connect identity provider. -->
          <crn:parameter name="oidcAuthEndpoint">
            <crn:value xsi:type="cfg:anyPathURI"> 
            </crn:value>
          </crn:parameter>
          <!-- clientId: Specifies the OpenID Connect client identifier -->
          <!-- The client identity that is assigned to the application by the OpenID Connect 
     identity provider. -->
          <crn:parameter name="clientId">
            <crn:value xsi:type="xsd:string"> 
            </crn:value>
          </crn:parameter>
          <!-- clientSecret: Specifies the client secret that is assigned to the application 
     by the OpenID Connect identity provider. -->
          <!-- The client secret that is assigned to the application by the OpenID Connect 
     identity provider. -->
          <crn:parameter name="clientSecret">
            <crn:value xsi:type="xsd:string" encrypted="false"/>
          </crn:parameter>
          <!-- jwksEndpoint: Specifies the OpenID Connect endpoint for retrieving JWT signing 
     keys, using the following syntax: https://<SiteMinder fully qualified 
     hostname:port>/affwebservices/CASSO/oidc/jwks?AuthorizationProvider=<provider 
     name> -->
          <!-- The JWKS endpoint is a URL that your OpenID Connect identity provider uses to 
     provide signing key data. In most cases, the URL should use the https scheme. 
     The JWKS  endpoint is invoked when validating an id_token returned from the 
     identity provider. -->
          <crn:parameter name="jwksEndpoint">
            <crn:value xsi:type="cfg:anyPathURI"> 
            </crn:value>
          </crn:parameter>
          <!-- returnUrl: Return URL that is configured with the OpenID Connect identity 
     provider. -->
          <!-- The return URL is invoked by the OpenID Connect identity provider after 
     successfully authenticating a user. The URL format is 
     https://dispatcherHOST:dispatcherPORT/bi/completeAuth.jsp or 
     https://webserverHOST:webserverPORT/ibmcognos/bi/completeAuth.jsp. This URL 
     completes Cognos Analytics authentication using the OpenID Connect identity 
     provider. -->
          <crn:parameter name="returnUrl">
            <crn:value xsi:type="cfg:anyPathURI">https://host:port/bi/completeAuth.jsp</crn:value>
          </crn:parameter>
          <!-- selectableForAuth: Specifies whether the namespace is selectable for 
     authentication. -->
          <!-- If this property is set to true, the namespace will be available for 
     authentication in the logon page namespace selection prompt. Set this value to 
     false if the namespace should not be available for selection on the logon page. 
     -->
          <crn:parameter name="selectableForAuth">
            <crn:value xsi:type="xsd:boolean">true</crn:value>
          </crn:parameter>
          <!-- advancedProperties: Specifies a set of advanced properties. -->
          <!-- The user needs to provide the name and the value for each advanced property. -->
          <crn:parameter name="advancedProperties">
            <crn:value xsi:type="cfg:array"> 
            </crn:value>
          </crn:parameter>
          <!-- claimName: Specifies the name of the claim that will be provided to the target 
     namespace. -->
          <!-- A string that represents the name of the claim from the id_token that will be 
     provided to the target namespace. This value must be a single string value in 
     the id_token and must exist for all account objects. -->
          <crn:parameter name="claimName">
            <crn:value xsi:type="xsd:string"> 
            </crn:value>
          </crn:parameter>
          <!-- trustedEnvName: Specifies the environment variable name that will be used to 
     transfer the claim to the target namespace. -->
          <!-- A string that represents the environment variable name that will be used to 
     transfer the claim to the target namespace. This value is dependent on the 
     target namespace type and corresponds to how the target namespace will obtain 
     the user's identity. For example, the LDAP and Active Directory namespace types 
     both expect the user's identity to be passed in the REMOTE_USER environment 
     variable. -->
          <crn:parameter name="trustedEnvName">
            <crn:value xsi:type="xsd:string">REMOTE_USER</crn:value>
          </crn:parameter>
          <!-- redirectNsID: Specifies the namespace ID that will be invoked with the claim 
     obtained from the OpenID identity provider. -->
          <!-- A string that represents the ID of the namespace that will be invoked with the 
     claim obtained from the OpenID identity provider. This value must match the 
     namespace ID of a configured namespace (e.g., LDAP, AD, etc). -->
          <crn:parameter name="redirectNsID">
            <crn:value xsi:type="xsd:string"> 
            </crn:value>
          </crn:parameter>
        </crn:instance>
        <!--
(End of) TSP_OIDC_SiteMinder template
===============================================================================

-->
        <!--

===============================================================================
(Begin of) TSP_OIDC_W3ID template
-->
        <crn:instance name="TSP_OIDC_W3ID Name" class="TSP_OIDC_W3ID">
          <!-- identityProviderType: Specifies the implementation of an OpenID Connect 
     identity provider. -->
          <crn:parameter name="identityProviderType">
            <crn:value xsi:type="xsd:string">W3ID</crn:value>
          </crn:parameter>
          <!-- id: Specifies a unique identifier for the authentication namespace. -->
          <!-- Use the namespace identifier to distinguish between multiple namespaces. Each 
     namespace must have a unique identifier. When you select a namespace to use for 
     authentication in the run-time environment, the identifier is used by the IBM 
     Cognos components. Changing the namespace ID after the service has been started 
     may invalidate the object security policies and the Cognos group and role 
     memberships. The use of the colon in the Namespace ID is not supported. -->
          <crn:parameter name="id">
            <crn:value xsi:type="xsd:string"> 
            </crn:value>
          </crn:parameter>
          <!-- issuer: Specifies the OpenID claim issuer. -->
          <!-- A string that represents the identity provider that issued the claims in the 
     ID token. This value must match the value of the 'iss' entry in the ID token 
     JSON document. -->
          <crn:parameter name="issuer">
            <crn:value xsi:type="xsd:string">https://w3id.sso.ibm.com/isam</crn:value>
          </crn:parameter>
          <!-- oidcTokenEndpoint: Specifies the OpenID Connect token endpoint -->
          <!-- The token endpoint is used to retrieve the identity token after a successful 
     authentication to the OpenID Connect identity provider. -->
          <crn:parameter name="oidcTokenEndpoint">
            <crn:value xsi:type="cfg:anyPathURI">https://w3id.sso.ibm.com:443/isam/oidc/endpoint/amapp-runtime-oidcidp/token</crn:value>
          </crn:parameter>
          <!-- oidcAuthEndpoint: Specifies the OpenID Connect authorization endpoint. -->
          <!-- The authorization endpoint is a URL that your OpenID Connect identity provider 
     uses for authentication. In most cases, the URL should use the https scheme. 
     The authorization endpoint is invoked when users authenticate to the OpenID 
     Connect identity provider. -->
          <crn:parameter name="oidcAuthEndpoint">
            <crn:value xsi:type="cfg:anyPathURI">https://w3id.sso.ibm.com:443/isam/oidc/endpoint/amapp-runtime-oidcidp/authorize</crn:value>
          </crn:parameter>
          <!-- clientId: Specifies the OpenID Connect client identifier -->
          <!-- The client identity that is assigned to the application by the OpenID Connect 
     identity provider. -->
          <crn:parameter name="clientId">
            <crn:value xsi:type="xsd:string"> 
            </crn:value>
          </crn:parameter>
          <!-- clientSecret: Specifies the client secret that is assigned to the application 
     by the OpenID Connect identity provider. -->
          <!-- The client secret that is assigned to the application by the OpenID Connect 
     identity provider. -->
          <crn:parameter name="clientSecret">
            <crn:value xsi:type="xsd:string" encrypted="false"/>
          </crn:parameter>
          <!-- idpCertificateFile: Specifies the location of the certificate that is used by 
     the OpenID Connect identity provider to sign the identity token. -->
          <!-- A path to the file that contains the certificate used by the identity provider 
     to sign the JSON Web Token. The path must include the certificate file name and 
     be   accessible to the running instance of Cognos Analytics. The certificate 
     must be in a PEM format, include only the public key certificate, and include 
     the begin and end certificate lines. The certificate file cannot be placed in 
     the configuration/certs directory. -->
          <crn:parameter name="idpCertificateFile">
            <crn:value xsi:type="cfg:filePath"> 
            </crn:value>
          </crn:parameter>
          <!-- returnUrl: Return URL that is configured with the OpenID Connect identity 
     provider. -->
          <!-- The return URL is invoked by the OpenID Connect identity provider after 
     successfully authenticating a user. The URL format is 
     https://dispatcherHOST:dispatcherPORT/bi/completeAuth.jsp or 
     https://webserverHOST:webserverPORT/ibmcognos/bi/completeAuth.jsp. This URL 
     completes Cognos Analytics authentication using the OpenID Connect identity 
     provider. -->
          <crn:parameter name="returnUrl">
            <crn:value xsi:type="cfg:anyPathURI">https://host:port/bi/completeAuth.jsp</crn:value>
          </crn:parameter>
          <!-- selectableForAuth: Specifies whether the namespace is selectable for 
     authentication. -->
          <!-- If this property is set to true, the namespace will be available for 
     authentication in the logon page namespace selection prompt. Set this value to 
     false if the namespace should not be available for selection on the logon page. 
     -->
          <crn:parameter name="selectableForAuth">
            <crn:value xsi:type="xsd:boolean">true</crn:value>
          </crn:parameter>
          <!-- advancedProperties: Specifies a set of advanced properties. -->
          <!-- The user needs to provide the name and the value for each advanced property. -->
          <crn:parameter name="advancedProperties">
            <crn:value xsi:type="cfg:array"> 
            </crn:value>
          </crn:parameter>
          <!-- claimName: Specifies the name of the claim that will be provided to the target 
     namespace. -->
          <!-- A string that represents the name of the claim from the id_token that will be 
     provided to the target namespace. This value must be a single string value in 
     the id_token and must exist for all account objects. -->
          <crn:parameter name="claimName">
            <crn:value xsi:type="xsd:string"> 
            </crn:value>
          </crn:parameter>
          <!-- trustedEnvName: Specifies the environment variable name that will be used to 
     transfer the claim to the target namespace. -->
          <!-- A string that represents the environment variable name that will be used to 
     transfer the claim to the target namespace. This value is dependent on the 
     target namespace type and corresponds to how the target namespace will obtain 
     the user's identity. For example, the LDAP and Active Directory namespace types 
     both expect the user's identity to be passed in the REMOTE_USER environment 
     variable. -->
          <crn:parameter name="trustedEnvName">
            <crn:value xsi:type="xsd:string">REMOTE_USER</crn:value>
          </crn:parameter>
          <!-- redirectNsID: Specifies the namespace ID that will be invoked with the claim 
     obtained from the OpenID identity provider. -->
          <!-- A string that represents the ID of the namespace that will be invoked with the 
     claim obtained from the OpenID identity provider. This value must match the 
     namespace ID of a configured namespace (e.g., LDAP, AD, etc). -->
          <crn:parameter name="redirectNsID">
            <crn:value xsi:type="xsd:string"> 
            </crn:value>
          </crn:parameter>
        </crn:instance>
        <!--
(End of) TSP_OIDC_W3ID template
===============================================================================

-->
      </crn:instances>
    </crn:value>
  </crn:parameter>
</crn:parameters>