Oracle Analytics Cloud and Server


OBIEE 12C SSO

Adam Wickes
Adam Wickes Rank 6 - Analytics Lead

Hi all,

Trying to set up SSO in our environment.
Our Kerberos expert has informed me that the users are being authenticated at the front end and we shouldn't need to do anything in the app for users to gain access to OBIEE as they have already been auth'd.
I'm looking at this document and wondering if I need to do all of this or if I just need to tick on "Enable SSO" in Enterprise Manager?

https://blogs.oracle.com/cealteam/obiee-12c%3a-configuring-kerberos-sso-for-obiee-12c

Has anyone set up SSO in their environments before that could possibly help me out?

Thanks,
Adam


Answers

  • Adam Wickes
    Adam Wickes Rank 6 - Analytics Lead

    Additional Info:

    In our existing 11g installation, it looks to use the following: https://redelsilenziotech.wordpress.com/2012/02/08/how-to-integrate-obiee-11-1-1-5-with-ibm-tivoli-and-tam-for-ebusiness…


    It also has SSO provider in EM set to "generic SSO".
    There seems to be a bug in 12c where you can't access the SSO provider drop down so I'm not sure how you're supposed to set which one you want to use.... (??).

  • Joel
    Joel Rank 8 - Analytics Strategist

    That is the correct documentation. Follow all the steps and you should be fine. I’ve used it several times for SSO configuration.

  • aspardhya
    aspardhya Rank 1 - Community Starter

    Hi Adam,

    Thanks for providing all the relevant information up front.

    Here are my points for your query.

    1. Even with OBIEE 11g, it's integrated with TAM through configuration. It is not a case of just selecting the SSO provider and you are done.

    2. So, as per your analysis, I would recommend doing the complete steps as suggested by the blog in the Dev environment and validating your logins.

    https://blogs.oracle.com/cealteam/obiee-12c%3a-configuring-kerberos-sso-for-obiee-12c

    3. OBIEE integration with Kerberos-based authentication is required. So, the Kerberos expert's point is fine if OBIEE is fully configured to accept the Kerberos authentication mechanism. So, you can configure OBIEE accordingly.

    Thanks,

    Abhishek Kumar

  • Adam Wickes
    Adam Wickes Rank 6 - Analytics Lead

    Thanks Joel.

    Appreciate that.

  • Adam Wickes
    Adam Wickes Rank 6 - Analytics Lead

    Thanks for your response Abhishek.
    I will read over the documentation more and give it a try in our development server tomorrow.

  • Adam Wickes
    Adam Wickes Rank 6 - Analytics Lead

    Sorry for replying again to this post.
    I just wanted to confirm a couple of things.

    The architecture that we are using is the following:

    Front end = ISAM -> OHS -> OBIEE App Server

    Our Identity Management specialist has said that he's already "configured authentication at the front end" and is passing through a user via the http header that I should be able to use for SSO.
    Is there another way of applying SSO in this scenario or are the aforementioned instructions still applicable?

    Thanks so much,
    Adam

  • aspardhya
    aspardhya Rank 1 - Community Starter

    Hi Adam,

    As per my understanding, you need to perform the complete action plan as documented in the blog https://blogs.oracle.com/cealteam/obiee-12c%3a-configuring-kerberos-sso-for-obiee-12c

    Through the HTTP header (as per the Identity Administrator specialist), only authentication will happen. That's right, but the OBIEE URL should be receptive to those parameters, I believe, and for that you need to perform the action.

    If you face any challenge in following the action plan then you can share your output and we can see how we can help here.

    Thanks,

    Abhishek Kumar

  • Adam Wickes
    Adam Wickes Rank 6 - Analytics Lead

    Hi all,

    Sorry to bump this thread again but I have some extra information.
    Unfortunately, I can't use the link provided above (Kerberos etc.) because then I won't be able to use the ISAM front end which has already been set up and is our organisation's standard approach.
    I did however find some instructions on how SSO was set up in our 11g environment (see below).
    ISAM was not supported in 11g either but we (the people before me) managed to get it to work so I'm hoping I can get 12c to do the same.
    Unfortunately, asking Oracle support was a dead end as ISAM is not supported.

    Has anyone here used the ISAM headers iv-user/iv-groups to get SSO working by modifying the authenticationschemas.xml file (see below)?
    One of the steps suggests setting SSO to "Generic SSO" but this option doesn't seem to exist in 12c.

    Instructions

    To enable SSO, OBIEE presentation services must be configured to accept IV-USER header from the SSO product’s web server. In this case, WebSeal would authenticate the user and pass on the credentials to Presentation Services. To do this, edit the authenticationschemas.xml located in

    <MIDDLEWARE_HOME>\Oracle_BI1\bifoundation\web\display

    Edit the file to resemble the following

    BEFORE

    <!--<SchemaKeyVariable source="serverVariable" nameInSource="REMOTE_USER" forceValue="SSO"/>-->

    AFTER

    <SchemaKeyVariable source="httpHeader" nameInSource="iv-user" forceValue="SSO"/>

    BEFORE

    <AuthenticationSchema name="SSO" displayName="Single Sign On" userID="IMPERSONATE" proxyUserID="NQ_SESSION.RUNAS" options="noLogoffUI noLogonUI">

        <!--<RequestVariable source="serverVariable" type="auth" nameInSource="REMOTE_USER" biVariableName="IMPERSONATE" options="stripWindowsDomain required"/>-->

    </AuthenticationSchema>

    AFTER

    <AuthenticationSchema name="SSO" displayName="Single Sign On" userID="IMPERSONATE" proxyUserID="NQ_SESSION.RUNAS" options="noLogoffUI noLogonUI">

        <RequestVariable source="httpHeader" type="auth" nameInSource="iv-user" biVariableName="IMPERSONATE" options="required"/>

    </AuthenticationSchema>

    1. Save the file and open the file in Internet Explorer to ensure that there are no syntactical errors.
    2. Next, navigate to EM, select Business Intelligence and go to the Security tab
    3. Lock and Edit and in the SSO drop down, Select Generic SSO.
    4. Click Apply and Activate changes.
    5. Restart BI presentation services and navigate to the Webseal Junction. http://<junctionurl>/analytics
  • Adam Wickes
    Adam Wickes Rank 6 - Analytics Lead

    Hi all,

    Just an update on this one for all the people in the future who may wish to do the same thing.
    I was able to get OBIEE 12c (12.4) working with authentication happening at the ISAM front end and then having the iv-user header passed through.

    Important Note: This is not supported by Oracle so user beware. In our case it wasn't feasible to NOT do it but we're happy to take the risk.

    Less Important Note: From version 11.9 onwards, when SSO is applied, you can no longer log in to Analytics via the server:port or IP user address. You can only go through the front end's URL. Apparently the ability to do this in 11.7 and prior was a bug. See here.

    Steps to apply SSO (Note: This is all AFTER you've applied your auth provider stuff in console. In our case, we used LDAP provider).

    1. Navigate to "%ORACLE_HOME%\bi\bifoundation\web\display" and take a backup of "authenticationschemas.xml".

    2. Edit "authenticationschemas.xml" and change the following:

    Before

    <SchemaKeyVariable source="serverVariable" nameInSource="REMOTE_USER" forceValue="SSO"/>

    After


    <SchemaKeyVariable source="httpHeader" nameInSource="iv-user" forceValue="SSO"/>

    Note: iv-user may change depending on your front end's settings.

    AND

    Before

    <AuthenticationSchema name="SSO" displayName="Single Sign On" userID="IMPERSONATE" proxyUserID="NQ_SESSION.RUNAS" options="noLogoffUI noLogonUI webSSO">

             <RequestVariable source="serverVariable" type="auth" nameInSource="REMOTE_USER" biVariableName="IMPERSONATE" options="stripWindowsDomain required"/>

    </AuthenticationSchema>

    After

    <AuthenticationSchema name="SSO" displayName="Single Sign On" userID="IMPERSONATE" proxyUserID="NQ_SESSION.RUNAS" options="noLogoffUI noLogonUI">

             <RequestVariable source="httpHeader" type="auth" nameInSource="iv-user" biVariableName="IMPERSONATE" options="required"/>

    </AuthenticationSchema>

    Note: Again, iv-user may change depending on your front end's settings.

    3. Save "authenticationschemas.xml".

    4. Navigate to "%DOMAIN_HOME%\config\fmwconfig\biconfig\OBIPS" and take a backup of "instanceconfig.xml".
    5. Edit "instanceconfig.xml" and change the following:

    Before

    <Authentication>

                <EnabledSchemas>UidPwd,Impersonate,UidPwd-soap,Impersonate-soap</EnabledSchemas>

    </Authentication>

    After

    <Authentication>

                <EnabledSchemas>UidPwd,Impersonate,UidPwd-soap,Impersonate-soap,SSO</EnabledSchemas>

                <SchemaExtensions>

                    <Schema name="SSO" logonURL="http://yourURL/analytics/saw.dll?Dashboard" logoffURL="http://yourLogoutURL"/>

                </SchemaExtensions>

    </Authentication>

    6. Save "instanceconfig.xml".
    7. Restart Admin/biserver.
    8. Navigate to the logonURL you specified in step 5 and you should be good to go.


    Hope this helps someone out in the future.

    Cheers,
    Adam
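
An added example, not part of the original posts and not Oracle tooling: a Python check that the two edited files from the steps above (and the 11g instructions quoted earlier) parse as XML and agree with each other on the header name and on SSO being enabled. The function name and the `<Sample>` wrapper element are assumptions; the fragments are constructed from the snippets in the thread.

```python
import xml.etree.ElementTree as ET

# Constructed sample input: the "After" fragments from the steps, in a made-up <Sample> wrapper.
GOOD_SCHEMAS = """<Sample>
  <SchemaKeyVariable source="httpHeader" nameInSource="iv-user" forceValue="SSO"/>
  <AuthenticationSchema name="SSO" userID="IMPERSONATE" options="noLogoffUI noLogonUI">
    <RequestVariable source="httpHeader" type="auth" nameInSource="iv-user" biVariableName="IMPERSONATE" options="required"/>
  </AuthenticationSchema>
</Sample>"""
GOOD_INSTANCE = """<Sample><Authentication>
  <EnabledSchemas>UidPwd,Impersonate,UidPwd-soap,Impersonate-soap,SSO</EnabledSchemas>
  <SchemaExtensions><Schema name="SSO" logonURL="http://yourURL/analytics/saw.dll?Dashboard" logoffURL="http://yourLogoutURL"/></SchemaExtensions>
</Authentication></Sample>"""

def _elems(root, name):
    # Match on the local name so the check works with or without an XML namespace.
    return [e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == name]

def check_sso_config(schemas_xml, instance_xml, header="iv-user"):
    """Return a list of findings; an empty list means the two files are consistent."""
    try:
        schemas = ET.fromstring(schemas_xml)
        instance = ET.fromstring(instance_xml)
    except ET.ParseError as exc:  # e.g. curly quotes pasted from a web page
        return [f"not well-formed XML: {exc}"]
    findings = []
    # authenticationschemas.xml: an uncommented key variable must select SSO from the header.
    keys = [k for k in _elems(schemas, "SchemaKeyVariable") if k.get("forceValue") == "SSO"]
    if not any(k.get("source") == "httpHeader" and k.get("nameInSource") == header for k in keys):
        findings.append(f"no SchemaKeyVariable selects SSO from httpHeader '{header}'")
    # The SSO schema must read the user from the same header, and require it.
    sso = [s for s in _elems(schemas, "AuthenticationSchema") if s.get("name") == "SSO"]
    auth = [v for s in sso for v in _elems(s, "RequestVariable") if v.get("type") == "auth"]
    if not auth:
        findings.append("SSO schema has no RequestVariable of type 'auth'")
    for v in auth:
        if (v.get("source"), v.get("nameInSource")) != ("httpHeader", header):
            findings.append(f"auth variable reads {v.get('source')}:{v.get('nameInSource')}, not httpHeader:{header}")
        if "required" not in (v.get("options") or "").split():
            findings.append("auth variable is not marked 'required'")
    # instanceconfig.xml: SSO must be enabled and have its logon/logoff URLs.
    enabled = [n.strip() for e in _elems(instance, "EnabledSchemas") for n in (e.text or "").split(",")]
    if "SSO" not in enabled:
        findings.append("SSO missing from EnabledSchemas")
    ext = [s for s in _elems(instance, "Schema") if s.get("name") == "SSO"]
    if not any(s.get("logonURL") and s.get("logoffURL") for s in ext):
        findings.append("no SchemaExtensions entry with logonURL and logoffURL for SSO")
    return findings
```

To run it against a real installation, read the contents of "authenticationschemas.xml" and "instanceconfig.xml" from the paths in steps 1 and 4 and pass them in, with `header` set to whatever header name your front end sends.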

  • User_WUC7L
    User_WUC7L Rank 1 - Community Starter

    All,

    Do we need to update anything in EM apart from the authenticationschemas.xml and instanceconfig.xml changes in OBIEE 12c (12.2.1.4)?

    Along with that, how about for ForgeRock SSO?

    Please advise.

    Thanks,

    Sandeep