We are working on the strategy to integrate the company portal with OBIEE.
The portal is used for internal and external users (both log on using Active Directory accounts).
Ideally we'd like to seamlessly integrate OBIEE reports in the portal using SSO so that after a user logs on once
- to the network/workstation PC (internal)
- to the portal (external)
he doesn't need to pass his credentials again.
We did a POC using IIS and the Single Sign On configuration there was easy and working.
However, since WebLogic is the strategic Oracle Application Server we'd like to host OBIEE on it, especially to be OBIEE 11g ready.
It seems that OBIEE SSO integration with WebLogic is possible but only with additional components.
Is that true?
Does anyone know how to configure it on its own?
If impossible, what additional products should we focus on: OSSO (Oracle Single-Sign-On), Oracle Internet Directory (OID), Oracle Access Manager (OAM)?
We're a bit confused as the IIS variant of integration apparently doesn't require any extra software.
It should not require any additional software.
You can use Kerberos for Single Sign On.
Follow the link below for the steps.
If you want your Domain (AD) users to log in to the application without passing the credentials, you will have to configure your AD with WLS.
You can use the WLS script below to configure Active Directory with WLS.
Hope this helps.
If you have further queries, let me know.
The web is full of OBIEE-IIS configuration HOWTOs but no information regarding WebLogic/OC4J.
Will try with WebLogic next week.
I presume all the necessary OBIEE steps are documented in:
§8. Implementing Single Sign-On Products With Oracle Business Intelligence of Oracle® Business Intelligence Enterprise Edition Deployment Guide Version 10.1.3.2 document available: http://download.oracle.com/docs/cd/E10415_01/doc/bi.1013/b40058.pdf
I had a quick look at the documentation
SSO can be achieved in one of the two ways described below.
- Through an HTTP header or HTTP cookie containing the username of the end user. The header can be any valid HTTP header or cookie name.
- Or, by using one of the following server-side options:
  - When using a J2EE Application Server and the BI Presentation Services Plug-In (Java Servlet), from the getRemoteUser method of the
    In this case, the SSO system must be able to integrate with the J2EE environment of choice and set up the framework such that the getRemoteUser method returns the username of the
  - When using Internet Information Server (IIS) and the BI Presentation Services Plug-In (ISAPI Plug-in), from the REMOTE_USER server variable that is populated with the username of the end user.
    REMOTE_USER is a server variable queried through the use of the ISAPI Extension API
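If you consider the option of passing the user's information in an HTTP header, then you need to develop a custom identity asserter for WebLogic that would process those tokens. You would also require a user store.
If you choose the option of passing the user information, then you will have to do the authentication programmatically or choose the WebLogic classes shown below.
// CallbackHandler is an interface; WebLogic's SimpleCallbackHandler carries the username and password
javax.security.auth.callback.CallbackHandler callback = new weblogic.security.SimpleCallbackHandler(userName, password);
// Authenticates against the configured WebLogic providers; throws LoginException on failure
javax.security.auth.Subject subject = weblogic.security.services.Authentication.login(callback);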
Found similar info but no practical guidelines on how to implement it.
The IIS variant is relatively simple; basically it requires turning one option on (as described: http://www.clearpeaks.com/blog/oracle-bi-ee/configuring-obiee-to-work-in-single-sign-on-sso-environment-on-iis).
So it looks like, apart from using IIS and the ISAPI BI Presentation Services Plug-In, we have three options:
- HTTP header
- getRemoteUser method
The hints you sent before:
Which option are they related to and how?
You mentioned a custom identity asserter – what is this?
Is this asserter only for the HTTP header option or for the cookie as well?
What would such development involve?
User store – what do you mean here? Would I need to store each user's login/password on WebLogic separately? Or does this only affect the impersonator user?
How can I leverage the Active Directory LDAP to do the SSO in a similar way to how it’s done for IIS – no user credentials need to be stored on the Web App Server?
Could you throw some more light on this callback code – how could this be used? Or again, what would such development involve?
Thank you very much for your feedback. Those hints would probably be enough for someone with practical web development knowledge; however, since my area of expertise is different, I would really appreciate some step-by-step instructions.
So far I reckon the Active Directory LDAP based SSO for OBIEE on WebLogic is probably possible without extra products like OID/OAM, but it’s not as simple as the IIS variant and does require some additional programming (not sure about the cookie scenario…)
Another piece of information on the matter I found is:
but unfortunately it hasn’t been followed and still would require OID
and is it possible to link BIEE with SSO without an application server?
where Turribeach says:
“you would want to know how to integrate Oracle SSO with a Web Application running in OC4J. As long as you can set the GetRemoteUser in your OC4J instance OBIEE will happily work in SSO mode (if configured correctly of course). Personally I wouldn't even use OC4J or Oracle SSO. We implemented our SSO solution using a custom Java SSO Web App deployed in JBOSS that reads the user credentials using the JCIFs library and re-validates them using NTLM. It then passes the user ID to OBIEE. It requires no SSO server, just a Windows Domain Controller.”
Looks like everything I need - I guess such a Java SSO Web App could be deployed onto WebLogic, but I really have no idea how to do such development.
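
An added example, not part of the original thread and not Oracle's or Turribeach's code: a servlet filter that makes getRemoteUser return the SSO-asserted user for whatever servlet sits behind it, covering both the getRemoteUser option and the HTTP header option quoted from the documentation. The class name, the X-SSO-User header, the proxy address 192.0.2.10 and the single-AD-domain assumption behind stripping DOMAIN\ are all hypothetical.

```java
import java.io.IOException;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical filter (added example): exposes the SSO user through getRemoteUser().
public class SsoRemoteUserFilter implements Filter {
    // Assumptions: header name and front-end address are placeholders.
    private static final String USER_HEADER = "X-SSO-User";
    private static final Set<String> TRUSTED_PROXIES = Set.of("192.0.2.10");

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        // Prefer the identity the container itself established (e.g. Kerberos login).
        String user = http.getRemoteUser();
        if (user == null && TRUSTED_PROXIES.contains(http.getRemoteAddr())) {
            // Only the trusted front end may assert identity through the header;
            // the same header arriving from any other address is ignored.
            user = http.getHeader(USER_HEADER);
        }
        final String name = normalize(user);
        if (name == null) {
            // No trustworthy identity: refuse rather than fall through anonymously.
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(new HttpServletRequestWrapper(http) {
            @Override public String getRemoteUser() { return name; }
        }, res);
    }

    // Strips "DOMAIN\" and "@REALM" decoration (assumes a single AD domain) and
    // returns null for anything that is not a plain account name.
    static String normalize(String raw) {
        if (raw == null) return null;
        String s = raw.trim();
        int slash = s.lastIndexOf('\\');
        if (slash >= 0) s = s.substring(slash + 1);
        int at = s.indexOf('@');
        if (at >= 0) s = s.substring(0, at);
        return s.matches("[A-Za-z0-9._-]{1,64}") ? s : null;
    }
}
```

Restricting the header to the front end's address matters because the header option carries nothing but a username: whoever can set it decides which user the application sees.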