jciup (jciup) asked a question.
We have successfully created the iDP authentication connection to IBM iD from OKTA, however, once the authentication has completed, we are routed back to the IBM iD login page instead of to the Planning Analytics application. Providing the email address again allows for access to PA. Has anyone else experienced this issue? IBM says that it is something on the OKTA side that we are missing and we are unable to find anything. Our expectation is to click the OKTA tile, route to IBM iD for authentication through OKTA and then taken directly to the Planning Analytics Workspace application. Has anyone had this experience that might have a suggestion or recommendation on how to achieve the desired results? Thank you.
Hello @jciup (jciup) Thank you for reacting out to our Community!
Based on your description this seems to be an issue on relay state, after reviewing our documentation I saw this which might resolve your issue:
In Okta, select the Sign On tab for the IBMid app, then click Edit.
Our documentation link: https://saml-doc.okta.com/SAML_Docs/How-to-Configure-SAML-2.0-for-IBMid.html
If these links have changed, you might want to reach out to IBM support for additional details.
Community members help others by clicking Like or Select as Best on responses. Try it today.
Thank you, Paul...based on the original instructions provided by IBM, we have already implemented this. The integration with which they assisted was in federating our domain through OKTA to IBM iD. We need to be able to pass through to the Planning Analytics application without being returned to the IBM iD login page for a further user account (e.g. IBM iD...user.email) input. Our expectation is that the path between OKTA and Planning Analytics should be fluid and not broken up by an additional stop...granted, I think this is about to change anyway as it appears that IBM is going to be requiring 2FA this week. Thoughts? Thank you!
In this case you might want to try an add a relay state of the application you are trying to access to be directed to that particular application. The fact that 2FA is implemented should not disturb the flow of authentication.
Yes...that's what we have done...getting bounced to the IBM iD page instead of PA.
Hi...would it be possible to add a 'post authentication rule' to provide the IBM iD credentials (e.g. the user's email address) to the login page that appears post authentication to allow a seamless transition into Planning Analytics and for future use to Cognos Analytics which we will need to migrate to make use of IBM iD very soon. Thank you!