GlobalCube
/
analytics


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111
							<!-- MANDATORY: Defines a group of properties that allows the product to use an OpenID 
	 Connect identity provider for user authentication.  -->
<!-- Set the values for this group of properties to allow the product access to your existing 
	 OpenID connect identity provider. This external resource must already exist in your 
	 environment and be configured to use for authentication.  -->
<crn:instance name="MANDATORY" class="TSP_OIDC_SiteMinder">
  <!-- identityProviderType: Specifies the implementation of an OpenID Connect identity 
	   provider.  -->
  <crn:parameter name="identityProviderType">
	<crn:value xsi:type="xsd:string">SiteMinder</crn:value>
  </crn:parameter>
  <!-- id: Specifies a unique identifier for the authentication namespace.  -->
  <!-- Use the namespace identifier to distinguish between multiple namespaces. Each namespace 
	   must have a unique identifier. When you select a namespace to use for authentication 
	   in the run-time environment, the identifier is used by the IBM Cognos components. 
	   Changing the namespace ID after the service has been started may invalidate the object 
	   security policies and the Cognos group and role memberships. The use of the colon 
	   in the Namespace ID is not supported.  -->
  <crn:parameter name="id">
	<crn:value xsi:type="xsd:string">MANDATORY</crn:value>
  </crn:parameter>
  <!-- issuer: Specifies the OpenID claim issuer. The value looks like: https://<SiteMinder 
	   fully qualified hostname>  -->
  <!-- A string that represents the identity provider that issued the claims in the ID token. 
	   This value must match the value of the 'iss' entry in the ID token JSON document.  -->
  <crn:parameter name="issuer">
	<crn:value xsi:type="xsd:string">MANDATORY</crn:value>
  </crn:parameter>
  <!-- oidcTokenEndpoint: Specifies the OpenID Connect token endpoint, using the following 
	   syntax: https://<SiteMinder fully qualified hostname:port>/affwebservices/CASSO/oidc/token  -->
  <!-- The token endpoint is used to retrieve the identity token after a successful authentication 
	   to the OpenID Connect identity provider.  -->
  <crn:parameter name="oidcTokenEndpoint">
	<crn:value xsi:type="cfg:anyPathURI">https://fqhost:443/affwebservices/CASSO/oidc/token</crn:value>
  </crn:parameter>
  <!-- oidcAuthEndpoint: Specifies the OpenID Connect authorization endpoint, using the 
	   following syntax: https://<SiteMinder fully qualified hostname:port>/affwebservices/CASSO/oidc/authorize  -->
  <!-- The authorization endpoint is a URL that your OpenID Connect identity provider uses 
	   for authentication. In most cases, the URL should use the https scheme. The authorization 
	   endpoint is invoked when users authenticate to the OpenID Connect identity provider.  -->
  <crn:parameter name="oidcAuthEndpoint">
	<crn:value xsi:type="cfg:anyPathURI">https://fqhost:443/affwebservices/CASSO/oidc/authorize</crn:value>
  </crn:parameter>
  <!-- clientId: Specifies the OpenID Connect client identifier  -->
  <!-- The client identity that is assigned to the application by the OpenID Connect identity 
	   provider.  -->
  <crn:parameter name="clientId">
	<crn:value xsi:type="xsd:string">MANDATORY</crn:value>
  </crn:parameter>
  <!-- clientSecret: Specifies the client secret that is assigned to the application by 
	   the OpenID Connect identity provider.  -->
  <!-- The client secret that is assigned to the application by the OpenID Connect identity 
	   provider.  -->
  <crn:parameter name="clientSecret">
	<crn:value xsi:type="xsd:string" encrypted="true">MIGEBgkqhkiG9w0BBwagdzB1AgEAMHAGCSqGSIb3DQEHATAdBglghkgBZQMEAQIEEHSYoePfkWF1MtU1wEr7LJGARON/SJUaV73zzZshPxdJoJX9SmFQUDGD12uNmabdWQZ/LQBcJq3cvXnRZwjyRT8syaq5R+Ct9O68brfahPMd8kDfjxXI</crn:value>
  </crn:parameter>
  <!-- jwksEndpoint: Specifies the OpenID Connect endpoint for retrieving JWT signing keys, 
	   using the following syntax: https://<SiteMinder fully qualified hostname:port>/affwebservices/CASSO/oidc/jwks?AuthorizationProvider=<provider 
	   name>  -->
  <!-- The JWKS endpoint is a URL that your OpenID Connect identity provider uses to provide 
	   signing key data. In most cases, the URL should use the https scheme. The JWKS endpoint 
	   is invoked when validating an id_token returned from the identity provider.  -->
  <crn:parameter name="jwksEndpoint">
	<crn:value xsi:type="cfg:anyPathURI">https://fqhost:443/affwebservices/CASSO/oidc/jwks?AuthorizationProvider=providerName</crn:value>
  </crn:parameter>
  <!-- returnUrl: Return URL that is configured with the OpenID Connect identity provider.  -->
  <!-- The return URL is invoked by the OpenID Connect identity provider after successfully 
	   authenticating a user. The URL format is https://dispatcherHOST:dispatcherPORT/bi/completeAuth.jsp 
	   or https://webserverHOST:webserverPORT/ibmcognos/bi/completeAuth.jsp. This URL completes 
	   Cognos Analytics authentication using the OpenID Connect identity provider.  -->
  <crn:parameter name="returnUrl">
	<crn:value xsi:type="cfg:anyPathURI">https://host:9443/bi/completeAuth.jsp</crn:value>
  </crn:parameter>
  <!-- selectableForAuth: Specifies whether the namespace is selectable for authentication.  -->
  <!-- If this property is set to true, the namespace will be available for authentication 
	   in the logon page namespace selection prompt. Set this value to false if the namespace 
	   should not be available for selection on the logon page.  -->
  <crn:parameter name="selectableForAuth">
	<crn:value xsi:type="xsd:boolean">true</crn:value>
  </crn:parameter>
  <!-- advancedProperties: Specifies a set of advanced properties.  -->
  <!-- The user needs to provide the name and the value for each advanced property.  -->
  <crn:parameter name="advancedProperties" opaque="true">
	<crn:value xsi:type="cfg:array"/>
  </crn:parameter>
  <!-- claimName: Specifies the name of the claim that will be provided to the target namespace.  -->
  <!-- A string that represents the name of the claim from the id_token that will be provided 
	   to the target namespace. This value must be a single string value in the id_token 
	   and must exist for all account objects.  -->
  <crn:parameter name="claimName">
	<crn:value xsi:type="xsd:string">MANDATORY</crn:value>
  </crn:parameter>
  <!-- trustedEnvName: Specifies the environment variable name that will be used to transfer 
	   the claim to the target namespace.  -->
  <!-- A string that represents the environment variable name that will be used to transfer 
	   the claim to the target namespace. This value is dependent on the target namespace 
	   type and corresponds to how the target namespace will obtain the user's identity. 
	   For example, the LDAP and Active Directory namespace types both expect the user's 
	   identity to be passed in the REMOTE_USER environment variable.  -->
  <crn:parameter name="trustedEnvName">
	<crn:value xsi:type="xsd:string">REMOTE_USER</crn:value>
  </crn:parameter>
  <!-- redirectNsID: Specifies the namespace ID that will be invoked with the claim obtained 
	   from the OpenID identity provider.  -->
  <!-- A string that represents the ID of the namespace that will be invoked with the claim 
	   obtained from the OpenID identity provider. This value must match the namespace ID 
	   of a configured namespace (e.g., LDAP, AD, etc).  -->
  <crn:parameter name="redirectNsID">
	<crn:value xsi:type="xsd:string">MANDATORY</crn:value>
  </crn:parameter>
</crn:instance>