Keycloak integration with IBM Cognos OpenID

Hi,

Can I please get some assistance or direction in understanding an issue I’m noticing with integrating Keycloak with IBM Cognos via OpenID?
The issue I’m noticing is that the id_token is successfully received at the SP end, and then it fails with the error “AAA-OIDC-0006 Unable to authenticate user”.

Here is the entity relationship:

Cognos (SP) —Open Id —> Keycloak (IDP)

Keycloak debug message log:

13:48:10,729 DEBUG [org.keycloak.events] (default task-1030) type=CODE_TO_TOKEN, realmId=azure, clientId=cognosopenidproxy, userId=827fba49-685b-4dd4-abf1-d5b6b9fe****, ipAddress=100.65.19.173, token_id=3461e07c-6e16-4fe2-8e15-9801674*****, grant_type=authorization_code, refresh_token_type=Refresh, scope='openid email profile username', refresh_token_id=dee2f67c-8b3f-4445-a281-df13086***, code_id=6c0594e2-5456-4cdd-a574-c236bf***, client_auth_method=client-secret

On evaluation of the token via the jwt.io site, it displays all the correct information with the signature verified:

{
  "exp": 1601121724,
  "iat": 1601121424,
  "auth_time": 1601121411,
  "jti": "70f23bf5-e8b2-470e-3d27b75",
  "iss": "https:///auth/realms/azure",
  "aud": "keycloakcognosopenid",
  "sub": "827fba49-685b-4dd*****6b9fee48d",
  "typ": "ID",
  "azp": "keycloakcognosopenid",
  "session_state": "52fcd983-fac3-42ca-******4b",
  "acr": "0",
  "email_verified": false,
  "name": "ABC",
  "preferred_username": "ABC",
  "given_name": "TEST",
  "family_name": "ABC",
  "email": "abc@test.com"
}

Here is the client configuration of Keycloak:

{
  "clientId": "cognosopenidproxy",
  "rootUrl": "",
  "baseUrl": "https://**/bi",
  "surrogateAuthRequired": false,
  "enabled": true,
  "alwaysDisplayInConsole": false,
  "clientAuthenticatorType": "client-secret",
  "redirectUris": [
    "",
    "https://:443/bi/completeAuth.jsp"
  ],
  "webOrigins": [],
  "notBefore": 0,
  "bearerOnly": false,
  "consentRequired": false,
  "standardFlowEnabled": true,
  "implicitFlowEnabled": false,
  "directAccessGrantsEnabled": true,
  "serviceAccountsEnabled": true,
  "authorizationServicesEnabled": true,
  "publicClient": false,
  "frontchannelLogout": false,
  "protocol": "openid-connect",

Attached is the Cognos OpenID configuration.

Please assist or provide any tips on what to look for.

Regards,
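
The claim checks an OpenID Connect relying party applies to an ID token (OpenID Connect Core, section 3.1.3.7), as an added example that is not part of the original post and is not Cognos or Keycloak code. It decodes the token locally and runs the checks against both client IDs that appear in the post; the issuer host is a placeholder because the post elides it, and the function names are hypothetical.

```python
import base64
import json
import time

def decode_payload(jwt: str) -> dict:
    """Decode the claims segment of a compact JWT locally (no signature check)."""
    segment = jwt.split(".")[1]
    segment += "=" * (-len(segment) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(segment))

def check_id_token_claims(claims, issuer, client_id, now=None, leeway=60):
    """Return a list of claim problems per OpenID Connect Core 3.1.3.7."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != issuer:
        problems.append(f"iss {claims.get('iss')!r} != expected {issuer!r}")
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else list(aud or [])
    if client_id not in audiences:
        problems.append(f"aud {audiences} does not contain client_id {client_id!r}")
    azp = claims.get("azp")
    if len(audiences) > 1 and azp is None:
        problems.append("multiple audiences but no azp claim")
    if azp is not None and azp != client_id:
        problems.append(f"azp {azp!r} != client_id {client_id!r}")
    if "exp" not in claims or now >= claims["exp"] + leeway:
        problems.append("token is expired or has no exp claim")
    if claims.get("iat", 0) > now + leeway:
        problems.append("iat is in the future (clock skew?)")
    return problems

def _b64(obj) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed sample: claim values copied from the post; the issuer host is a
# placeholder because the post elides it, and the signature segment is a dummy.
ISSUER = "https://idp.example.invalid/auth/realms/azure"
SAMPLE_CLAIMS = {"iss": ISSUER, "aud": "keycloakcognosopenid",
                 "azp": "keycloakcognosopenid", "exp": 1601121724,
                 "iat": 1601121424}
SAMPLE_JWT = ".".join([_b64({"alg": "RS256"}), _b64(SAMPLE_CLAIMS), "sig"])

if __name__ == "__main__":
    claims = decode_payload(SAMPLE_JWT)
    for client in ("cognosopenidproxy", "keycloakcognosopenid"):
        found = check_id_token_claims(claims, ISSUER, client, now=1601121500)
        print(client, "->", found or "claims OK")
```

Run it with the client ID and issuer exactly as they are entered in the relying party's OpenID configuration; an empty list means the claims themselves are consistent with that configuration.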