
Permissions issue - Azure AD

Started by Steve, 29 Jan 2021 05:47:36 PM


Steve

Hi

We have an installation which is using Active Directory as the Identity Provider and everything is working fine. I am a member of System Administration group in Cognos and have access to everything.

Now, I added another Identity Provider to use Azure AD and after configuration, I can get into Cognos when I use the link. Azure authenticates and I can get straight into Cognos without any Login window. I don't have to enter my credentials anywhere. Now the problem:

Once I get into Cognos Welcome page, I cannot see any content (reports etc), neither in Team Content nor in My Content. I also don't see 'Manage' option at the bottom left so I cannot get into the Admin page.

When I log on using another URL which in IIS is set to use AD, then I have access to everything. I can see the namespace in Security which is configured to use Azure but it is greyed out maybe because in this session, I am logged on to another namespace configured for AD.

How do I give myself permissions for the new namespace meant for Azure?

MFGF

Quote from: Steve on 29 Jan 2021 05:47:36 PM
Hi

We have an installation which is using Active Directory as the Identity Provider and everything is working fine. I am a member of System Administration group in Cognos and have access to everything.

Now, I added another Identity Provider to use Azure AD and after configuration, I can get into Cognos when I use the link. Azure authenticates and I can get straight into Cognos without any Login window. I don't have to enter my credentials anywhere. Now the problem:

Once I get into Cognos Welcome page, I cannot see any content (reports etc), neither in Team Content nor in My Content. I also don't see 'Manage' option at the bottom left so I cannot get into the Admin page.

When I log on using another URL which in IIS is set to use AD, then I have access to everything. I can see the namespace in Security which is configured to use Azure but it is greyed out maybe because in this session, I am logged on to another namespace configured for AD.

How do I give myself permissions for the new namespace meant for Azure?

Hi,

The secret to success here is to log in to *both* namespaces. First log in using the Azure provider, then, without logging out, go to your user icon and select the Log In link to log in a second time to the AD namespace. Once you are logged into AD, you will then have the sum of your privileges from both namespaces, and you can set permissions/capabilities etc for all the Azure groups and users.

Cheers!

MF.
Meep!

Steve

Thanks for the reply MFGF.

On the user icon, I don't see an option to log in again. I see 'My Preferences', 'Log my session', 'My Inbox', 'My Watch Items' and 'Sign Out'.

I started another browser session and logged into the AD namespace but the namespace for Azure is still greyed out even if I am logged into it from another browser session.

Do the security groups in AD and Azure control the access to Cognos?

MFGF

Quote from: Steve on 01 Feb 2021 12:47:16 PM
Thanks for the reply MFGF.

On the user icon, I don't see an option to log in again. I see 'My Preferences', 'Log my session', 'My Inbox', 'My Watch Items' and 'Sign Out'.

I started another browser session and logged into the AD namespace but the namespace for Azure is still greyed out even if I am logged into it from another browser session.

Do the security groups in AD and Azure control the access to Cognos?

Hi,

Just to confirm - this is a single instance of Cognos Analytics accessed through a single gateway? When you go to log in manually, do you get a namespace dropdown before the credentials prompts that allows you to choose between the Azure and AD namespaces?

If you have two namespaces it should give you the option to log in a second time when logged into one of them. You mention using a link to log in to Azure - is this a different URL?

Worst case scenario is that when logged in to AD you can temporarily add the Everyone group to the System Administrators role to grant you (and everyone else) admin privileges when you are logged in to Azure. It's risky though as anyone logging in after that point will automatically be able to see and do everything. If you could figure out a window where you were the only person using the instance you could do this, log in to the Azure namespace, add your Azure login to the System Administrators role, then remove the Everyone group from the role.

Cheers!

MF.
Meep!

Steve

I logged into the AD namespace and added Everyone to System Administrator group and now I can get into the Admin page using Azure namespace.

It's not a single instance. We have 2 instances of Cognos for AD and this one is a new instance of Cognos for Azure. All these 3 instances are Gateway installs only and they use the same instance of App server which then uses one instance on the Content Manager server.

The reason we have 3 instances is because we needed a separate URL for each authentication namespace and we didn't want the user to get a prompt asking them to select the authentication namespace. When they use a URL, it takes them to a particular instance because every instance has a virtual application in IIS configured to use only one authentication namespace.

However, I don't see the 'Cognos' namespace when I go into Admin. I can see the namespace for Azure but not Cognos!

MFGF

Quote from: Steve on 01 Feb 2021 06:38:06 PM
I logged into the AD namespace and added Everyone to System Administrator group and now I can get into the Admin page using Azure namespace.

It's not a single instance. We have 2 instances of Cognos for AD and this one is a new instance of Cognos for Azure. All these 3 instances are Gateway installs only and they use the same instance of App server which then uses one instance on the Content Manager server.

The reason we have 3 instances is because we needed a separate URL for each authentication namespace and we didn't want the user to get a prompt asking them to select the authentication namespace. When they use a URL, it takes them to a particular instance because every instance has a virtual application in IIS configured to use only one authentication namespace.

However, I don't see the 'Cognos' namespace when I go into Admin. I can see the namespace for Azure but not Cognos!

Sounds like you have things buttoned down tightly. Have you tried connecting to CA via the servlet gateway URL (ie bypassing IIS)? If you're lucky this might prompt you for namespace when you are logging in and allow you to log in twice? You could then set your security for both namespaces.
Obvious, I know, but don't forget to remove the Everyone group from the System Administrators role. It's not just a security issue - it probably breaks your license agreement if others log in with Admin privileges.

Cheers!

MF.
Meep!

Steve

Thanks again MFGF

Using the URL directly, I get an error 'Invalid Login'. I don't get the login screen! It's weird! When I use the link which goes thru IIS then it takes me straight into Cognos page without giving me any login screen and I haven't configured SSO yet. The Azure team tells me they have set up Azure that way so that it will go straight into the app! Their objective is to put this link into SharePoint so that users click on this link and go straight into Cognos.
I always used to think we have to configure SSO in Cognos, at least add those settings in the Advanced properties in Cognos Configuration but I didn't do any of that.

Well, one step ahead by your suggestion of adding Everyone to the System Admin group. Now I can see the content and go to the Admin page when using Azure login but now a weird problem! I cannot see the 'Cognos' namespace which has all the groups and roles. I can see the namespace for Azure and all users and groups in it. I thought Cognos namespace is default and will be visible regardless of which authentication namespace you log on to, correct?


MFGF

Quote from: Steve on 02 Feb 2021 05:49:52 PM
Thanks again MFGF

Using the URL directly, I get an error 'Invalid Login'. I don't get the login screen! It's weird! When I use the link which goes thru IIS then it takes me straight into Cognos page without giving me any login screen and I haven't configured SSO yet. The Azure team tells me they have set up Azure that way so that it will go straight into the app! Their objective is to put this link into SharePoint so that users click on this link and go straight into Cognos.
I always used to think we have to configure SSO in Cognos, at least add those settings in the Advanced properties in Cognos Configuration but I didn't do any of that.

Well, one step ahead by your suggestion of adding Everyone to the System Admin group. Now I can see the content and go to the Admin page when using Azure login but now a weird problem! I cannot see the 'Cognos' namespace which has all the groups and roles. I can see the namespace for Azure and all users and groups in it. I thought Cognos namespace is default and will be visible regardless of which authentication namespace you log on to, correct?

Hi,

I don't get why you can't see the Cognos namespace. That's a really weird one. If you have support with IBM it might be worth raising a ticket to get their expert help with that?

Cheers!

MF.
Meep!

Steve

HA! Guess what!

The Cognos namespace was hidden so I logged on using AD account, checked off the check box hiding it and then it became visible in Azure login!

Now I can set security and everything works!

Thanks again for your help MFGF!