GlobalCube
/
analytics


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127
							<!-- MANDATORY: Defines a group of properties that allows the product to use an OpenID 
	 Connect identity provider for user authentication.  -->
<!-- Set the values for this group of properties to allow the product access to your existing 
	 OpenID Connect identity provider. This external resource must already exist in your 
	 environment and be configured to use for authentication.  -->
<crn:instance name="MANDATORY" class="OIDC_BlueID">
  <!-- identityProviderType: Specifies the implementation of an OpenID Connect identity 
	   provider.  -->
  <crn:parameter name="identityProviderType">
	<crn:value xsi:type="xsd:string">IBMid</crn:value>
  </crn:parameter>
  <!-- id: Specifies a unique identifier for the authentication namespace.  -->
  <!-- Use the namespace identifier to distinguish between multiple namespaces. Each namespace 
	   must have a unique identifier. When you select a namespace to use for authentication 
	   in the run-time environment, the identifier is used by the IBM Cognos components. 
	   Changing the namespace ID after the service has been started may invalidate the object 
	   security policies and the Cognos group and role memberships. The use of the colon 
	   in the Namespace ID is not supported.  -->
  <crn:parameter name="id">
	<crn:value xsi:type="xsd:string">MANDATORY</crn:value>
  </crn:parameter>
  <!-- issuer: Specifies the OpenID claim issuer.  -->
  <!-- A string that represents the identity provider that issued the claims in the ID token. 
	   This value must match the value of the 'iss' entry in the ID token JSON document.  -->
  <crn:parameter name="issuer">
	<crn:value xsi:type="xsd:string">https://idaas.iam.ibm.com</crn:value>
  </crn:parameter>
  <!-- oidcTokenEndpoint: Specifies the OpenID Connect token endpoint  -->
  <!-- The token endpoint is used to retrieve the identity token after a successful authentication 
	   to the OpenID Connect identity provider.  -->
  <crn:parameter name="oidcTokenEndpoint">
	<crn:value xsi:type="cfg:anyPathURI">https://idaas.iam.ibm.com:443/idaas/oidc/endpoint/default/token</crn:value>
  </crn:parameter>
  <!-- oidcAuthEndpoint: Specifies the OpenID Connect authorization endpoint.  -->
  <!-- The authorization endpoint is a URL that your OpenID Connect identity provider uses 
	   for authentication. In most cases, the URL should use the https scheme. The authorization 
	   endpoint is invoked when users authenticate to the OpenID Connect identity provider.  -->
  <crn:parameter name="oidcAuthEndpoint">
	<crn:value xsi:type="cfg:anyPathURI">https://idaas.iam.ibm.com:443/idaas/oidc/endpoint/default/authorize</crn:value>
  </crn:parameter>
  <!-- clientId: Specifies the OpenID Connect client identifier  -->
  <!-- The client identity that is assigned to the application by the OpenID Connect identity 
	   provider.  -->
  <crn:parameter name="clientId">
	<crn:value xsi:type="xsd:string">MANDATORY</crn:value>
  </crn:parameter>
  <!-- clientSecret: Specifies the client secret that is assigned to the application by 
	   the OpenID Connect identity provider.  -->
  <!-- The client secret that is assigned to the application by the OpenID Connect identity 
	   provider.  -->
  <crn:parameter name="clientSecret">
	<crn:value xsi:type="xsd:string" encrypted="true"></crn:value>
  </crn:parameter>
  <!-- idpCertificateFile: Specifies the location of the certificate that is used by the 
	   OpenID Connect identity provider to sign the identity token.  -->
  <!-- A path to the file that contains the certificate used by the identity provider to 
	   sign the JSON Web Token. The path must include the certificate file name and be accessible 
	   to the running instance of Cognos Analytics. The certificate must be in a PEM format, 
	   include only the public key certificate, and include the begin and end certificate 
	   lines. The certificate file cannot be placed in the configuration/certs directory.  -->
  <crn:parameter name="idpCertificateFile">
	<crn:value xsi:type="cfg:filePath"></crn:value>
  </crn:parameter>
  <!-- returnUrl: Return URL that is configured with the OpenID Connect identity provider.  -->
  <!-- The return URL is invoked by the OpenID Connect identity provider after successfully 
	   authenticating a user. The URL format is https://dispatcherHOST:dispatcherPORT/bi/completeAuth.jsp 
	   or https://webserverHOST:webserverPORT/ibmcognos/bi/completeAuth.jsp. This URL completes 
	   Cognos Analytics authentication using the OpenID Connect identity provider.  -->
  <crn:parameter name="returnUrl">
	<crn:value xsi:type="cfg:anyPathURI">https://host:443/bi/completeAuth.jsp</crn:value>
  </crn:parameter>
  <!-- selectableForAuth: Specifies whether the namespace is selectable for authentication.  -->
  <!-- If this property is set to true, the namespace will be available for authentication 
	   in the logon page namespace selection prompt. Set this value to false if the namespace 
	   should not be available for selection on the logon page.  -->
  <crn:parameter name="selectableForAuth">
	<crn:value xsi:type="xsd:boolean">true</crn:value>
  </crn:parameter>
  <!-- advancedProperties: Specifies a set of advanced properties.  -->
  <!-- The user needs to provide the name and the value for each advanced property.  -->
  <crn:parameter name="advancedProperties" opaque="true">
	<crn:value xsi:type="cfg:array"/>
  </crn:parameter>
  <!-- accountCamidProperty: Specifies the value used to uniquely identify account objects.  -->
  <!-- Specify either an existing Content Manager account object model property (e.g., email, 
	   username, defaultName, etc) or the name of a configured custom property. A claim 
	   must be returned for all accounts from the Identity Provider for either the Content 
	   Manager account object model property or the configured custom property. The value 
	   selected must be unique across all account objects. The value selected should be 
	   constant over time with a low probability of needing to be changed. NOTE: this value 
	   should not be changed after initial namespace configuration.  -->
  <crn:parameter name="accountCamidProperty">
	<crn:value xsi:type="xsd:string">email</crn:value>
  </crn:parameter>
  <!-- customProperties: Specifies a set of custom properties.  -->
  <!-- Use this set of custom properties to define additional account information. The "name" 
	   field corresponds to the property name set in the account while the "value" corresponds 
	   to the claim name in the id_token.  -->
  <crn:parameter name="customProperties" opaque="true">
	<crn:value xsi:type="cfg:array"/>
  </crn:parameter>
  <!-- tenantIdMapping: Specifies how namespace users are mapped to tenant IDs.  -->
  <!-- Specifying a value for this parameter enables multitenancy. The tenant ID for a user 
	   can be determined using a pattern or a tenant provider class. The pattern is a AAA 
	   service search path to a property which defines a tenant ID. The search path must 
	   be relative to a user account. For example: '~/ancestors[2]/defaultName'. A tenant 
	   provider class is Java class which implements the the ITenantProvider interface. 
	   For more details please consult the installation and configuration guide.  -->
  <crn:parameter name="tenantIdMapping" opaque="true">
	<crn:value xsi:type="cfg:tenancyInfo">
	  <crn:item name="pattern" xsi:type="xsd:string"></crn:item>
	</crn:value>
  </crn:parameter>
  <!-- tenantBoundingSetMapping: Specifies how the tenant bounding set is determined for 
	   a user.  -->
  <!-- This parameter is used when multitenancy is enabled. The tenant bounding set for 
	   a user can be determined using a pattern or a tenant bounding set provider class. 
	   The pattern is a AAA service search path to a property which defines a tenant bounding 
	   set. The search path must be relative to a user account. For example: '˜/parameters/boundingSet'. 
	   A tenant bounding set provider class is Java class which implements the the IBoundingSetProvider 
	   interface. For more details please consult the installation and configuration guide.  -->
  <crn:parameter name="tenantBoundingSetMapping" opaque="true">
	<crn:value xsi:type="cfg:tenancyInfo">
	  <crn:item name="pattern" xsi:type="xsd:string"></crn:item>
	</crn:value>
  </crn:parameter>
</crn:instance>