Setting up Open ID with Canvas

Canvas v3.2.0 can now connect to IBM Planning Analytics instances configured with Open ID authentication.

Open ID authentication with Planning Analytics can be configured in two ways: Planning Analytics can either connect straight to your OpenID provider, or it can connect through Cognos Analytics (the Cognos server then authenticates you against your Open ID provider).

If you are using Open ID with CAM Security, configuring Canvas is no different from setting up SSO with CAM and Canvas, because Canvas only authenticates you with the Cognos server.

If you are using OpenID authentication without CAM security, the configuration on the Canvas side is quite straightforward.

Before going through these steps, make sure that you can already connect to TM1 using OpenID.

Once TM1 is configured for OpenID, open the instances.json file in the application's WEB-INF folder (<canvasInstallationDirectory>\webapps\<applicationName>\WEB-INF) and add the following property to the TM1 instance that was configured to connect with OpenID:

  • "useSSOWithOIDC": true

Next, create a JSON file in the WEB-INF/config/oidc folder. The file name must match the name of the instance (as defined in instances.json) that is being configured for OpenID.

The file path is <Canvas Application>/WEB-INF/config/oidc/<instance-name>.json. For an instance named dev, for example, it would be <Canvas Application>/WEB-INF/config/oidc/dev.json.

Sample content of the JSON file (note the straight double quotes; curly quotes pasted from a document are not valid JSON):

    {
        "clientID": "XXXX123456789ZZ",
        "discoveryEndpoint": "http://<OpenID Provider's Well Known Configuration>"
    }

That should be it!

Restart your Canvas application server, then open a Canvas page that uses the instance (its Configuration page, for example) to trigger the OpenID Connect login.
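Because the two files must agree by instance name and the JSON must be well formed, a pre-flight check saves a restart cycle. The following Python script is an added example and is not part of Canvas: it reads instances.json (assumed here to be a JSON object keyed by instance name, which is an assumption about the file layout) and verifies that every instance flagged with useSSOWithOIDC has a matching config/oidc/<instance-name>.json containing a clientID and an absolute discoveryEndpoint. It also flags a discoveryEndpoint that is not served over https, since the discovery document Canvas fetches from it tells Canvas where to send users to log in. The sample WEB-INF tree it builds is constructed for the demonstration.

```python
import json
import os
import tempfile
from urllib.parse import urlparse

WELL_KNOWN_SUFFIX = "/.well-known/openid-configuration"


def check_oidc_config(instance_name, cfg):
    """Check the parsed content of config/oidc/<instance_name>.json; return findings."""
    if not isinstance(cfg, dict):
        return [f"{instance_name}: the OIDC file must contain a JSON object"]
    findings = []

    client_id = cfg.get("clientID")
    if not isinstance(client_id, str) or not client_id.strip():
        findings.append(f"{instance_name}: clientID is missing or empty")

    endpoint = cfg.get("discoveryEndpoint")
    if not isinstance(endpoint, str) or not endpoint:
        findings.append(f"{instance_name}: discoveryEndpoint is missing")
    else:
        url = urlparse(endpoint)
        if not url.netloc:
            findings.append(f"{instance_name}: discoveryEndpoint is not an absolute URL")
        if url.scheme != "https":
            # Discovery metadata fetched over plain http has no integrity or origin
            # protection; the provider's well-known document should be served over https.
            findings.append(f"{instance_name}: discoveryEndpoint should use https (got '{url.scheme}')")
        if not url.path.endswith(WELL_KNOWN_SUFFIX):
            findings.append(f"{instance_name}: discoveryEndpoint does not end with {WELL_KNOWN_SUFFIX}")
    return findings


def check_oidc_file(instance_name, oidc_dir):
    """Locate and parse <oidc_dir>/<instance_name>.json, then delegate to check_oidc_config."""
    path = os.path.join(oidc_dir, instance_name + ".json")
    if not os.path.isfile(path):
        return [f"{instance_name}: missing {path} (file name must equal the instance name)"]
    try:
        with open(path, encoding="utf-8") as fh:
            cfg = json.load(fh)
    except json.JSONDecodeError as exc:
        # Typical cause: curly quotes pasted from a document instead of straight quotes.
        return [f"{instance_name}: {path} is not valid JSON ({exc.msg} at line {exc.lineno})"]
    return check_oidc_config(instance_name, cfg)


def check_canvas_oidc(webinf_dir):
    """Walk instances.json and check every instance flagged with useSSOWithOIDC.

    Assumption: instances.json is a JSON object keyed by instance name; adapt the
    loop if your Canvas version stores instances differently.
    """
    with open(os.path.join(webinf_dir, "instances.json"), encoding="utf-8") as fh:
        instances = json.load(fh)
    oidc_dir = os.path.join(webinf_dir, "config", "oidc")
    findings = []
    for name, props in instances.items():
        flag = props.get("useSSOWithOIDC")
        if flag is True:
            findings.extend(check_oidc_file(name, oidc_dir))
        elif flag is not None and not isinstance(flag, bool):
            findings.append(f"{name}: useSSOWithOIDC must be the JSON boolean true, not {flag!r}")
    return findings


def build_sample_webinf():
    """Create a constructed WEB-INF tree in a temp directory and return its path."""
    root = tempfile.mkdtemp(prefix="canvas-webinf-")
    oidc_dir = os.path.join(root, "config", "oidc")
    os.makedirs(oidc_dir)
    instances = {
        "dev": {"useSSOWithOIDC": True},      # flagged and has dev.json below
        "uat": {"useSSOWithOIDC": True},      # flagged but uat.json is never created
        "prod": {"useSSOWithOIDC": "true"},   # string instead of a JSON boolean
        "legacy": {},                         # not using OIDC, ignored
    }
    with open(os.path.join(root, "instances.json"), "w", encoding="utf-8") as fh:
        json.dump(instances, fh)
    dev_cfg = {
        "clientID": "XXXX123456789ZZ",  # placeholder value from the page
        "discoveryEndpoint": "http://idp.example.test/.well-known/openid-configuration",
    }
    with open(os.path.join(oidc_dir, "dev.json"), "w", encoding="utf-8") as fh:
        json.dump(dev_cfg, fh)
    return root


if __name__ == "__main__":
    for line in check_canvas_oidc(build_sample_webinf()):
        print(line)
```

Point check_canvas_oidc at your real WEB-INF folder to run it against an actual deployment; the constructed sample yields three findings (http instead of https for dev, a missing uat.json, and a string-typed flag for prod).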

What to Expect

When you open a page in Canvas that has TM1 data on it, Canvas first checks whether the session is valid. If it is not, Canvas redirects the browser to the Open ID Provider's login page so the user can log in. Once the login succeeds, the OpenID Provider redirects the user back to the Canvas page that triggered it.

Canvas then tries to log in to TM1 using the new information present in the URL (the code parameter in particular). If it is valid, the page proceeds as normal, and all TM1 operations run as the user retrieved from OpenID.
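As an added illustration of the redirect flow described above (this is not Canvas's own code; the provider URLs, the Canvas page URL and the authorization code are constructed placeholders, and the state and nonce parameters are standard OpenID Connect request parameters that the page does not mention), the following Python sketch builds the login redirect from discovery metadata and then parses the provider's redirect back, extracting the code parameter only after confirming that the callback belongs to the login attempt that started it:

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed stand-in for the provider's discovery document that Canvas would
# fetch from discoveryEndpoint (only the field this example needs).
DISCOVERY = {
    "issuer": "https://idp.example.test",
    "authorization_endpoint": "https://idp.example.test/authorize",
}
CLIENT_ID = "XXXX123456789ZZ"                             # placeholder value from the page
REDIRECT_URI = "https://canvas.example.test/dev/config"   # hypothetical Canvas page URL


def build_login_redirect(discovery, client_id, redirect_uri, state, nonce):
    """Step 1: no valid session, so build the URL the browser is sent to for login."""
    params = {
        "response_type": "code",   # authorization code flow, as the page describes
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "state": state,            # ties the callback to this login attempt
        "nonce": nonce,            # later echoed inside the ID token
    }
    return discovery["authorization_endpoint"] + "?" + urlencode(params)


def parse_callback(callback_url, expected_state):
    """Step 2: the provider redirected back; extract the code, checking state first."""
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise PermissionError(f"provider returned error: {query['error'][0]}")
    state = query.get("state", [""])[0]
    # Constant-time comparison so the check does not leak how much of state matched.
    if not state or not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise PermissionError("state mismatch: callback does not belong to this login attempt")
    code = query.get("code", [""])[0]
    if not code:
        raise PermissionError("callback carries no authorization code")
    return code


def simulate_login():
    """Run both steps with a constructed provider response; return the code Canvas would use."""
    state = secrets.token_urlsafe(16)
    nonce = secrets.token_urlsafe(16)
    login_url = build_login_redirect(DISCOVERY, CLIENT_ID, REDIRECT_URI, state, nonce)
    assert login_url.startswith(DISCOVERY["authorization_endpoint"] + "?")
    # Constructed: what a successful login at the provider sends the browser back with.
    callback = REDIRECT_URI + "?" + urlencode({"code": "constructed-auth-code-123", "state": state})
    return parse_callback(callback, state)


if __name__ == "__main__":
    print("authorization code received:", simulate_login())
```

The code returned here is what Canvas goes on to exchange for tokens at the provider before logging the user in to TM1; a callback whose state does not match the one issued at step 1, or that carries an error instead of a code, is rejected before any TM1 login is attempted.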