Categories
- All Categories
- 15 Oracle Analytics Sharing Center
- 14 Oracle Analytics Lounge
- 213 Oracle Analytics News
- 42 Oracle Analytics Videos
- 15.7K Oracle Analytics Forums
- 6.1K Oracle Analytics Idea Labs
- Oracle Analytics User Groups
- 78 Oracle Analytics Trainings
- 14 Oracle Analytics Data Visualizations Challenge
- Find Partners
- For Partners
Oracle DV reports integration in classic dashboard where lightweight SSO is disabled
Hi Team,
Is there a way that we can integrate DV reports in classic dashboard in a setup where lightweight SSO is disabled.
For a requirement we had to use external table authentication for OAS to integrate with other applications and we have disabled the lightweight SSO for the same.
Thanks
Bharath
Best Answer
-
You maybe want to speak with product management about your decision to disable lightweight SSO.
A PM told me explicitly that in OAS lightweight SSO should not be disabled because it does prevent OAS from working correctly (not like OBIEE 12c when it was fine to disable it). That it isn't expected to run OAS with disabled lightweight SSO.
And the external table authentication (based on database tables) doesn't require to disable the lightweight SSO (the doc is quite explicit on how to configure it, and never mention to disable LWSSO).
And to answer your question, you need full SSO if you don't have lightweight SSO if you don't want the embedded DV content to ask you to login. Because if you disable lightweight SSO the 2 pieces of OAS work as totally independent and separate applications.
edit:
To support the argument that you should NOT disable lightweight SSO: https://support.oracle.com/epmos/faces/DocContentDisplay?id=2715997.1
there is no documented need to disable LWSSO in OAS
1
Answers
-
I do not see any reason to disable LWSSO in OAS unless you have a different use case to disable LWSSO to enable SQL Authenticator Please give us the complete picture for your authentication topology !
What is your OAS version?
1 -
@User_JIRRS is an internal Oracle Customer, they had reached out to me directly, but before I saw this post and I had provided them similar reply as Gianni, and later Mostafa.
Bharath, as per an Oracle employee, please update your Display Name to identify yourself as an Oracle employee.1 -
Thanks @Gianni Ceresa for your update.
@Mostafa Morsy-Oracle we are using go-url which uses nquser and nqpassword as additional parameters.
As per the below documentation LWSSO to be disabled if we are using legacy authentication methods but the document is for OBIEE
0 -
Thanks @SteveF-Oracle . Will update :)
0 -
Sounds like you want to use a brand new product, OAS, but use it like a 5+ years old product (OBIEE).
Nobody should ever use the go-url with nquser and nqpassword for anything else than embedding an analytics page in a 3rd party website. If you do use that for real authentication of your users (each users having their own credentials passed in a URL), you should get your security guy to review your solution: they will shut it down.
You can setup proper SSO for that, or if you take all the appropriate steps to protect your environment (here again, ask a security person to review your setup!), implement the supported anonymous login option in OAS that allow to login as any user without even passing a password (never, ever, ever, pass a real user password in a URL: it can be logged and stolen in so many places and way).
And the doc you followed is for OBIEE 12c, there is maybe a reason if that document doesn't exist for OAS.
1 -
No, we are not passing real password but rather an OTP as password which is generated via a jsp script.
0 -
Well, I believe this can be turned in all the possible ways, it always get back to the basic point of:
- you disable a (key) feature of OAS providing a lightweight SSO between /analytics and /dv
- you want /analytics and /dv to behave like if there was SSO between the 2
One exclude the other.
You either do 1) and forget 2), or don't do 1) and you can get 2). And if none of these works for you, then you should change the security "before" (outside) OAS, by using full SSO.
Or you could get a proxy that will handle your user & OTP to authenticate a user and then behave like SSO / anonymous login in OAS to keep the process transparent for users. That would be a supported architecture, because using only standard OAS features. (This kind of setup could be achieved in few minutes depending on the proxy you decide to adopt.)
Of course you can also post an idea in asking for go-url with nquser and nqpassword to be supported again in OAS. It's maybe still early enough for it to be added in OAS 2025 if you can get enough support on the idea.
1
