صفحهٔ اصلی گشت‌و‌گذار راهنما
ثبت نام ورود
GlobalCube
/
analytics
3
0
انشعاب 0
پرونده‌ها مشکلات 0 درخواست واکشی 0 ویکی
شاخه: master
شاخه‌ها تگ‌ها
analytics
/
templates
/
AAA
/
OIDC_SiteMinder.xml

OIDC_SiteMinder.xml 8.4 KB
لینک دائمی تاريخچه خام

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129 
  1. <!-- MANDATORY: Defines a group of properties that allows the product to use an OpenID 
    2. 

  2. 	 Connect identity provider for user authentication.  -->
    3. 

  3. <!-- Set the values for this group of properties to allow the product access to your existing 
    4. 

  4. 	 OpenID connect identity provider. This external resource must already exist in your 
    5. 

  5. 	 environment and be configured to use for authentication.  -->
    6. 

  6. <crn:instance name="MANDATORY" class="OIDC_SiteMinder">
    7. 

  7.   <!-- identityProviderType: Specifies the implementation of an OpenID Connect identity 
    8. 

  8. 	   provider.  -->
    9. 

  9.   <crn:parameter name="identityProviderType">
    10. 

  10. 	<crn:value xsi:type="xsd:string">SiteMinder</crn:value>
    11. 

  11.   </crn:parameter>
    12. 

  12.   <!-- id: Specifies a unique identifier for the authentication namespace.  -->
    13. 

  13.   <!-- Use the namespace identifier to distinguish between multiple namespaces. Each namespace 
    14. 

  14. 	   must have a unique identifier. When you select a namespace to use for authentication 
    15. 

  15. 	   in the run-time environment, the identifier is used by the IBM Cognos components. 
    16. 

  16. 	   Changing the namespace ID after the service has been started may invalidate the object 
    17. 

  17. 	   security policies and the Cognos group and role memberships. The use of the colon 
    18. 

  18. 	   in the Namespace ID is not supported.  -->
    19. 

  19.   <crn:parameter name="id">
    20. 

  20. 	<crn:value xsi:type="xsd:string">MANDATORY</crn:value>
    21. 

  21.   </crn:parameter>
    22. 

  22.   <!-- issuer: Specifies the OpenID claim issuer. The value looks like: https://<SiteMinder 
    23. 

  23. 	   fully qualified hostname>  -->
    24. 

  24.   <!-- A string that represents the identity provider that issued the claims in the ID token. 
    25. 

  25. 	   This value must match the value of the 'iss' entry in the ID token JSON document.  -->
    26. 

  26.   <crn:parameter name="issuer">
    27. 

  27. 	<crn:value xsi:type="xsd:string">MANDATORY</crn:value>
    28. 

  28.   </crn:parameter>
    29. 

  29.   <!-- oidcTokenEndpoint: Specifies the OpenID Connect token endpoint, using the following 
    30. 

  30. 	   syntax: https://<SiteMinder fully qualified hostname:port>/affwebservices/CASSO/oidc/token  -->
    31. 

  31.   <!-- The token endpoint is used to retrieve the identity token after a successful authentication 
    32. 

  32. 	   to the OpenID Connect identity provider.  -->
    33. 

  33.   <crn:parameter name="oidcTokenEndpoint">
    34. 

  34. 	<crn:value xsi:type="cfg:anyPathURI">https://fqhost:443/affwebservices/CASSO/oidc/token</crn:value>
    35. 

  35.   </crn:parameter>
    36. 

  36.   <!-- oidcAuthEndpoint: Specifies the OpenID Connect authorization endpoint, using the 
    37. 

  37. 	   following syntax: https://<SiteMinder fully qualified hostname:port>/affwebservices/CASSO/oidc/authorize  -->
    38. 

  38.   <!-- The authorization endpoint is a URL that your OpenID Connect identity provider uses 
    39. 

  39. 	   for authentication. In most cases, the URL should use the https scheme. The authorization 
    40. 

  40. 	   endpoint is invoked when users authenticate to the OpenID Connect identity provider.  -->
    41. 

  41.   <crn:parameter name="oidcAuthEndpoint">
    42. 

  42. 	<crn:value xsi:type="cfg:anyPathURI">https://fqhost:443/affwebservices/CASSO/oidc/authorize</crn:value>
    43. 

  43.   </crn:parameter>
    44. 

  44.   <!-- clientId: Specifies the OpenID Connect client identifier  -->
    45. 

  45.   <!-- The client identity that is assigned to the application by the OpenID Connect identity 
    46. 

  46. 	   provider.  -->
    47. 

  47.   <crn:parameter name="clientId">
    48. 

  48. 	<crn:value xsi:type="xsd:string">MANDATORY</crn:value>
    49. 

  49.   </crn:parameter>
    50. 

  50.   <!-- clientSecret: Specifies the client secret that is assigned to the application by 
    51. 

  51. 	   the OpenID Connect identity provider.  -->
    52. 

  52.   <!-- The client secret that is assigned to the application by the OpenID Connect identity 
    53. 

  53. 	   provider.  -->
    54. 

  54.   <crn:parameter name="clientSecret">
    55. 

  55. 	<crn:value xsi:type="xsd:string" encrypted="true"></crn:value>
    56. 

  56.   </crn:parameter>
    57. 

  57.   <!-- jwksEndpoint: Specifies the OpenID Connect endpoint for retrieving JWT signing keys, 
    58. 

  58. 	   using the following syntax: https://<SiteMinder fully qualified hostname:port>/affwebservices/CASSO/oidc/jwks?AuthorizationProvider=<provider 
    59. 

  59. 	   name>  -->
    60. 

  60.   <!-- The JWKS endpoint is a URL that your OpenID Connect identity provider uses to provide 
    61. 

  61. 	   signing key data. In most cases, the URL should use the https scheme. The JWKS endpoint 
    62. 

  62. 	   is invoked when validating an id_token returned from the identity provider.  -->
    63. 

  63.   <crn:parameter name="jwksEndpoint">
    64. 

  64. 	<crn:value xsi:type="cfg:anyPathURI">https://fqhost:443/affwebservices/CASSO/oidc/jwks?AuthorizationProvider=providerName</crn:value>
    65. 

  65.   </crn:parameter>
    66. 

  66.   <!-- returnUrl: Return URL that is configured with the OpenID Connect identity provider.  -->
    67. 

  67.   <!-- The return URL is invoked by the OpenID Connect identity provider after successfully 
    68. 

  68. 	   authenticating a user. The URL format is https://dispatcherHOST:dispatcherPORT/bi/completeAuth.jsp 
    69. 

  69. 	   or https://webserverHOST:webserverPORT/ibmcognos/bi/completeAuth.jsp. This URL completes 
    70. 

  70. 	   Cognos Analytics authentication using the OpenID Connect identity provider.  -->
    71. 

  71.   <crn:parameter name="returnUrl">
    72. 

  72. 	<crn:value xsi:type="cfg:anyPathURI">https://host:443/bi/completeAuth.jsp</crn:value>
    73. 

  73.   </crn:parameter>
    74. 

  74.   <!-- selectableForAuth: Specifies whether the namespace is selectable for authentication.  -->
    75. 

  75.   <!-- If this property is set to true, the namespace will be available for authentication 
    76. 

  76. 	   in the logon page namespace selection prompt. Set this value to false if the namespace 
    77. 

  77. 	   should not be available for selection on the logon page.  -->
    78. 

  78.   <crn:parameter name="selectableForAuth">
    79. 

  79. 	<crn:value xsi:type="xsd:boolean">true</crn:value>
    80. 

  80.   </crn:parameter>
    81. 

  81.   <!-- advancedProperties: Specifies a set of advanced properties.  -->
    82. 

  82.   <!-- The user needs to provide the name and the value for each advanced property.  -->
    83. 

  83.   <crn:parameter name="advancedProperties" opaque="true">
    84. 

  84. 	<crn:value xsi:type="cfg:array"/>
    85. 

  85.   </crn:parameter>
    86. 

  86.   <!-- accountCamidProperty: Specifies the value used to uniquely identify account objects.  -->
    87. 

  87.   <!-- Specify either an existing Content Manager account object model property (e.g., email, 
    88. 

  88. 	   username, defaultName, etc) or the name of a configured custom property. A claim 
    89. 

  89. 	   must be returned for all accounts from the Identity Provider for either the Content 
    90. 

  90. 	   Manager account object model property or the configured custom property. The value 
    91. 

  91. 	   selected must be unique across all account objects. The value selected should be 
    92. 

  92. 	   constant over time with a low probability of needing to be changed. NOTE: this value 
    93. 

  93. 	   should not be changed after initial namespace configuration.  -->
    94. 

  94.   <crn:parameter name="accountCamidProperty">
    95. 

  95. 	<crn:value xsi:type="xsd:string">email</crn:value>
    96. 

  96.   </crn:parameter>
    97. 

  97.   <!-- customProperties: Specifies a set of custom properties.  -->
    98. 

  98.   <!-- Use this set of custom properties to define additional account information. The "name" 
    99. 

  99. 	   field corresponds to the property name set in the account while the "value" corresponds 
    100. 

  100. 	   to the claim name in the id_token.  -->
    101. 

  101.   <crn:parameter name="customProperties" opaque="true">
    102. 

  102. 	<crn:value xsi:type="cfg:array"/>
    103. 

  103.   </crn:parameter>
    104. 

  104.   <!-- tenantIdMapping: Specifies how namespace users are mapped to tenant IDs.  -->
    105. 

  105.   <!-- Specifying a value for this parameter enables multitenancy. The tenant ID for a user 
    106. 

  106. 	   can be determined using a pattern or a tenant provider class. The pattern is a AAA 
    107. 

  107. 	   service search path to a property which defines a tenant ID. The search path must 
    108. 

  108. 	   be relative to a user account. For example: '~/ancestors[2]/defaultName'. A tenant 
    109. 

  109. 	   provider class is Java class which implements the the ITenantProvider interface. 
    110. 

  110. 	   For more details please consult the installation and configuration guide.  -->
    111. 

  111.   <crn:parameter name="tenantIdMapping" opaque="true">
    112. 

  112. 	<crn:value xsi:type="cfg:tenancyInfo">
    113. 

  113. 	  <crn:item name="pattern" xsi:type="xsd:string"></crn:item>
    114. 

  114. 	</crn:value>
    115. 

  115.   </crn:parameter>
    116. 

  116.   <!-- tenantBoundingSetMapping: Specifies how the tenant bounding set is determined for 
    117. 

  117. 	   a user.  -->
    118. 

  118.   <!-- This parameter is used when multitenancy is enabled. The tenant bounding set for 
    119. 

  119. 	   a user can be determined using a pattern or a tenant bounding set provider class. 
    120. 

  120. 	   The pattern is a AAA service search path to a property which defines a tenant bounding 
    121. 

  121. 	   set. The search path must be relative to a user account. For example: '˜/parameters/boundingSet'. 
    122. 

  122. 	   A tenant bounding set provider class is Java class which implements the the IBoundingSetProvider 
    123. 

  123. 	   interface. For more details please consult the installation and configuration guide.  -->
    124. 

  124.   <crn:parameter name="tenantBoundingSetMapping" opaque="true">
    125. 

  125. 	<crn:value xsi:type="cfg:tenancyInfo">
    126. 

  126. 	  <crn:item name="pattern" xsi:type="xsd:string"></crn:item>
    127. 

  127. 	</crn:value>
    128. 

  128.   </crn:parameter>
    129. 

  129. </crn:instance>
    130.