GlobalCube
/
analytics


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238
							<!-- MANDATORY: Defines a group of properties that allows the product to use an OpenID 
	 Connect identity provider for user authentication.  -->
<!-- Set the values for this group of properties to allow the product access to your existing 
	 OpenID connect identity provider. This external resource must already exist in your 
	 environment and be configured to use for authentication.  -->
<crn:instance name="MANDATORY" class="TSP_OIDC_Generic">
  <!-- identityProviderType: Specifies the implementation of an OpenID Connect identity 
	   provider.  -->
  <crn:parameter name="identityProviderType">
	<crn:value xsi:type="xsd:string">Generic</crn:value>
  </crn:parameter>
  <!-- id: Specifies a unique identifier for the authentication namespace.  -->
  <!-- Use the namespace identifier to distinguish between multiple namespaces. Each namespace 
	   must have a unique identifier. When you select a namespace to use for authentication 
	   in the run-time environment, the identifier is used by the IBM Cognos components. 
	   Changing the namespace ID after the service has been started may invalidate the object 
	   security policies and the Cognos group and role memberships. The use of the colon 
	   in the Namespace ID is not supported.  -->
  <crn:parameter name="id">
	<crn:value xsi:type="xsd:string">MANDATORY</crn:value>
  </crn:parameter>
  <!-- selectableForAuth: Specifies whether the namespace is selectable for authentication.  -->
  <!-- If this property is set to true, the namespace will be available for authentication 
	   in the logon page namespace selection prompt. Set this value to false if the namespace 
	   should not be available for selection on the logon page.  -->
  <crn:parameter name="selectableForAuth">
	<crn:value xsi:type="xsd:boolean">true</crn:value>
  </crn:parameter>
  <!-- claimName: Specifies the name of the claim that will be provided to the target namespace.  -->
  <!-- A string that represents the name of the claim from the id_token that will be provided 
	   to the target namespace. This value must be a single string value in the id_token 
	   and must exist for all account objects.  -->
  <crn:parameter name="claimName">
	<crn:value xsi:type="xsd:string">MANDATORY</crn:value>
  </crn:parameter>
  <!-- trustedEnvName: Specifies the environment variable name that will be used to transfer 
	   the claim to the target namespace.  -->
  <!-- A string that represents the environment variable name that will be used to transfer 
	   the claim to the target namespace. This value is dependent on the target namespace 
	   type and corresponds to how the target namespace will obtain the user's identity. 
	   For example, the LDAP and Active Directory namespace types both expect the user's 
	   identity to be passed in the REMOTE_USER environment variable.  -->
  <crn:parameter name="trustedEnvName">
	<crn:value xsi:type="xsd:string">REMOTE_USER</crn:value>
  </crn:parameter>
  <!-- redirectNsID: Specifies the namespace ID that will be invoked with the claim obtained 
	   from the OpenID identity provider.  -->
  <!-- A string that represents the ID of the namespace that will be invoked with the claim 
	   obtained from the OpenID identity provider. This value must match the namespace ID 
	   of a configured namespace (e.g., LDAP, AD, etc).  -->
  <crn:parameter name="redirectNsID">
	<crn:value xsi:type="xsd:string">MANDATORY</crn:value>
  </crn:parameter>
  <!-- advancedProperties: Specifies a set of advanced properties.  -->
  <!-- The user needs to provide the name and the value for each advanced property.  -->
  <crn:parameter name="advancedProperties" opaque="true">
	<crn:value xsi:type="cfg:array"/>
  </crn:parameter>
  <!-- useDiscoveryEndpoint: Specifies whether the Identity Provider returns a discovery 
	   document.  -->
  <!-- Set this value to true if the Identity Provider supports a discovery document endpoint 
	   and fill out the discovery endpoint configuration group. Set this value to false 
	   if the Identity Provider does not support a discovery document endpoint and fill 
	   out the non-discovery endpoint configuration group.  -->
  <crn:parameter name="useDiscoveryEndpoint">
	<crn:value xsi:type="xsd:boolean">true</crn:value>
  </crn:parameter>
  <!-- oidcDiscEndpoint: Specifies the OpenID Connect discovery endpoint  -->
  <!-- The discovery endpoint is used to retrieve the OpenID Connect configuration that 
	   includes the authorization endpoint, token endpoint, jwks endpoint, and issuer.  -->
  <crn:parameter name="oidcDiscEndpoint">
	<crn:value xsi:type="cfg:anyPathURI"></crn:value>
  </crn:parameter>
  <!-- issuer: Specifies the OpenID claim issuer.  -->
  <!-- A string that represents the identity provider that issued the claims in the ID token. 
	   This value must match the value of the 'iss' entry in the ID token JSON document.  -->
  <crn:parameter name="issuer">
	<crn:value xsi:type="xsd:string"></crn:value>
  </crn:parameter>
  <!-- oidcTokenEndpoint: Specifies the OpenID Connect token endpoint, using the following 
	   syntax: https://<hostname:port>/<path>  -->
  <!-- The token endpoint is used to retrieve the identity token after a successful authentication 
	   to the OpenID Connect identity provider.  -->
  <crn:parameter name="oidcTokenEndpoint">
	<crn:value xsi:type="cfg:anyPathURI"></crn:value>
  </crn:parameter>
  <!-- oidcAuthEndpoint: Specifies the OpenID Connect authorization endpoint, using the 
	   following syntax: https://<hostname:port>/<path>  -->
  <!-- The authorization endpoint is a URL that your OpenID Connect identity provider uses 
	   for authentication. In most cases, the URL should use the https scheme. The authorization 
	   endpoint is invoked when users authenticate to the OpenID Connect identity provider.  -->
  <crn:parameter name="oidcAuthEndpoint">
	<crn:value xsi:type="cfg:anyPathURI"></crn:value>
  </crn:parameter>
  <!-- clientId: Specifies the OpenID Connect client identifier  -->
  <!-- The client identity that is assigned to the application by the OpenID Connect identity 
	   provider.  -->
  <crn:parameter name="clientId">
	<crn:value xsi:type="xsd:string">MANDATORY</crn:value>
  </crn:parameter>
  <!-- returnUrl: Return URL that is configured with the OpenID Connect identity provider.  -->
  <!-- The return URL is invoked by the OpenID Connect identity provider after successfully 
	   authenticating a user. The URL format is https://dispatcherHOST:dispatcherPORT/bi/completeAuth.jsp 
	   or https://webserverHOST:webserverPORT/ibmcognos/bi/completeAuth.jsp. This URL completes 
	   Cognos Analytics authentication using the OpenID Connect identity provider.  -->
  <crn:parameter name="returnUrl">
	<crn:value xsi:type="cfg:anyPathURI">https://host:443/bi/completeAuth.jsp</crn:value>
  </crn:parameter>
  <!-- authScope: Specifies the scope parameter values provided to the authorize endpoint.  -->
  <!-- The scope parameter values that will be added to the authorize endpoint URL for authentication. 
	   At a minimum, 'openid' must be included in the list of possible scope values.  -->
  <crn:parameter name="authScope">
	<crn:value xsi:type="xsd:string">openid</crn:value>
  </crn:parameter>
  <!-- accountClaims: Specifies if the id_token contains all of the account claims.  -->
  <!-- Set this value to token if the id_token contains all of the user claims. Set this 
	   value to userinfo if an additional call should be made to the userinfo endpoint in 
	   order to retrieve any user claims that are not part of the id_token.  -->
  <crn:parameter name="accountClaims">
	<crn:value xsi:type="xsd:string">token</crn:value>
  </crn:parameter>
  <!-- tokenEndpointAuth: Specifies how to authenticate to the Identity Provider when invoking 
	   the token endpoint.  -->
  <!-- Use client secret post if the client id and client secret should be transmitted in 
	   the request body. Use client secret basic if the client id and client secret should 
	   be transmitted in the HTTP header. Use private key JWT if the client id and a JWT 
	   client_assertion that is signed with a private key should be transmitted in the request 
	   body.  -->
  <crn:parameter name="tokenEndpointAuth">
	<crn:value xsi:type="xsd:string">client_secret_post</crn:value>
  </crn:parameter>
  <!-- clientSecret: Specifies the client secret that is assigned to the application by 
	   the OpenID Connect identity provider.  -->
  <!-- The client secret that is assigned to the application by the OpenID Connect identity 
	   provider.  -->
  <crn:parameter name="clientSecret">
	<crn:value xsi:type="xsd:string" encrypted="true"></crn:value>
  </crn:parameter>
  <!-- privateKeyFile: Specifies the file that contains the private signing key.  -->
  <!-- The file that contains the private signing key in PKCS8 format. It must contain a 
	   single private RSA key of length 2048 bits.  -->
  <crn:parameter name="privateKeyFile">
	<crn:value xsi:type="cfg:filePath"></crn:value>
  </crn:parameter>
  <!-- privateKeyPassword: Specifies the private key password used to protect the private 
	   signing key.  -->
  <!-- This password is required to secure the private key. It provides an extra layer of 
	   security by encrypted the private key file using a password.  -->
  <crn:parameter name="privateKeyPassword">
	<crn:value xsi:type="xsd:string" encrypted="true"></crn:value>
  </crn:parameter>
  <!-- privateKeyId: Specifies the key identifier that should be placed in the JWT header.  -->
  <!-- The key identifier that will be set in the JWT 'kid' header. Use this configuration 
	   item if your identity provider requires a 'kid'. Leave this value blank if your identity 
	   provider does not require a 'kid'.  -->
  <crn:parameter name="privateKeyId">
	<crn:value xsi:type="xsd:string"></crn:value>
  </crn:parameter>
  <!-- keyLocation: Specifies the location of the signing public key or certificate.  -->
  <!-- Set this value to 'File' if the signing certificate is manually downloaded from the 
	   Identity Provider as a certificate and placed on the file system. Set this value 
	   to 'JWKS endpoint' if the Identity Provider supports an endpoint for retrieving id_token 
	   signature keys. Note: if the Identity Provider does not support a discovery document 
	   but provides public keys via a JWKS endpoint, then the JWKS Endpoint must contain 
	   a valid URI for retrieving the public keys.  -->
  <crn:parameter name="keyLocation">
	<crn:value xsi:type="xsd:string">jwks_uri</crn:value>
  </crn:parameter>
  <!-- idpCertificateFile: Specifies the location of the certificate that is used by the 
	   OpenID Connect identity provider to sign the identity token.  -->
  <!-- A path to the file that contains the certificate used by the identity provider to 
	   sign the JSON Web Token. The path must include the certificate file name and be accessible 
	   to the running instance of Cognos Analytics. The certificate must be in a PEM format, 
	   include only the public key certificate, and include the begin and end certificate 
	   lines. The certificate file cannot be placed in the configuration/certs directory.  -->
  <crn:parameter name="idpCertificateFile">
	<crn:value xsi:type="cfg:filePath"></crn:value>
  </crn:parameter>
  <!-- jwksEndpoint: Specifies the OpenID Connect endpoint for retrieving JWT signing keys.  -->
  <!-- The JWKS endpoint is a URL that your OpenID Connect identity provider uses to provide 
	   signing key data. In most cases, the URL should use the https scheme. The JWKS endpoint 
	   is invoked when validating an id_token returned from the identity provider.  -->
  <crn:parameter name="jwksEndpoint">
	<crn:value xsi:type="cfg:anyPathURI"></crn:value>
  </crn:parameter>
  <!-- pgStrategy: Specifies how to get the user's identity when using the password grant 
	   flow.  -->
  <!-- Set this value to 'ID token' if all user claims are returned in the id_token. Set 
	   this value to 'ID token and userinfo endpoint' if an id_token is returned from the 
	   password grant flow but does not contain all of the user claims. Set this value to 
	   'Userinfo endpoint' if the id_token does not contain any user claims and if the user 
	   claims should be retrieved from the userinfo endpoint. Set this value to 'Unsupported' 
	   if the Identity Provider does not support the password grant flow.  -->
  <crn:parameter name="pgStrategy">
	<crn:value xsi:type="xsd:string">idToken</crn:value>
  </crn:parameter>
  <!-- pgInclScope: Specifies that the scope should be included when using the password 
	   grant flow.  -->
  <!-- Set this value to true to indicate that the scope parameter should be included as 
	   part of the query string for the password grant flow. Set this value to false to 
	   indicate that the scope should be omitted from the query string for the password 
	   grant flow.  -->
  <crn:parameter name="pgInclScope">
	<crn:value xsi:type="xsd:boolean">true</crn:value>
  </crn:parameter>
  <!-- pgAddParams: Specifies any additional parameters that are required for the password 
	   grant flow.  -->
  <!-- Set this value to reflect any additional parameters that should be included as part 
	   of the query string for the password grant flow. The parameter must begin with an 
	   '&' and must be urlencoded so that it can be safely inserted into the query string. 
	   For example, if the 'resource=https://ca.ibm.com' parameter is required in the query 
	   string, it must be entered as: '&resource=https%3A%2F%2Fca.ibm.com'.  -->
  <crn:parameter name="pgAddParams">
	<crn:value xsi:type="xsd:string"></crn:value>
  </crn:parameter>
  <!-- tcStrategy: Specifies the information that should be stored for scheduling jobs.  -->
  <!-- Set this value to 'Credentials' if the Identity Provider supports the password grant 
	   and returns a valid id_token that contains all of the user claims in the response. 
	   Set this value to 'Credentials and ID token' if the Identity Provider supports the 
	   password grant flow but does not return a valid id_token in the response or if the 
	   id_token does not contain all of the user claims. Set this value to 'Refresh token' 
	   if the Identity Provider supports the refresh token flow, provides a non-expiring 
	   refresh token, and returns a valid id_token that contains all of the user claims 
	   from the refresh token flow. Set this value to 'ID token only' if the Identity Provider 
	   does not support the password grant nor refresh token flows (Note: when set to 'ID 
	   token only', it will not be possible to verify that the user is still exists and 
	   is enabled in the Identity Provider).  -->
  <crn:parameter name="tcStrategy">
	<crn:value xsi:type="xsd:string">credentials</crn:value>
  </crn:parameter>
  <!-- tcAccountClaims: Specifies if the id_token contains all of the account claims.  -->
  <!-- Set this value to 'ID token' if the id_token returned from the token endpoint contains 
	   all of the user claims. Set this value to 'Userinfo endpoint' if an additional call 
	   to the userinfo endpoint is required in order to obtain all of the user claims.  -->
  <crn:parameter name="tcAccountClaims">
	<crn:value xsi:type="xsd:string">id_token</crn:value>
  </crn:parameter>
</crn:instance>