Siteminder SSO using httpheader in OBIEE 12c is not working

Hi,
We recently upgraded OBIEE from 11.1.1.7.150120 (Build 150113.1200 64-bit) to Oracle Business Intelligence Product Version 12.2.1.3.0 (Build BIPS-20170820114118 64-bit).
Post upgrade Siteminder SSO using httpheader is not working.
Please find the attached document for steps we followed to implement it in our 11g and 12c environments.
Could you please help if there are any additional steps to be followed in 12c Environment.
-----------------------------------------------------------------------------------------------------------------------
Steps (also in attached document with screenshots)
We implemented SSO using httpheader info as below in OBIEE 11g
Changes in instanceconfig.xml
Added CustomSSO in EnabledSchemas section.
Changes in authenticationschemas.xml
Added the below text to the file authenticationschemas.xml
<SchemaKeyVariable source="httpHeader" nameInSource="SM_USER" forceValue="CustomSSO"/>
Add the below text to the file
<AuthenticationSchema name="CustomSSO" displayName="Custom SSO Schema" userID="IMPERSONATE" proxyUserID="NQ_SESSION.RUNAS" options="noLogoffUI noLogonUI">
<RequestVariable source="credStoreUser" type="auth" nameInSource="oracle.bi.system/system.user" biVariableName="UID"/>
<RequestVariable source="credStorePwd" type="auth" nameInSource="oracle.bi.system/system.user" biVariableName="PWD" options="secure"/>
<RequestVariable source="httpHeader" type="auth" nameInSource="SM_USER" biVariableName="IMPERSONATE" options="required" />
</AuthenticationSchema>
Changes in em:
Lock & Edit Configuration
Clicked the Checkbox to Enable SSO.
Change the SSO Provider to Custom
Restarted the services
We are trying to implement the same SSO using httpheader in our new OBIEE 12c environment.
Changes done:
Added the below tags to authenticationschemas.xml in location
home\bi\bifoundation\web\display
as we have in our old 11g environment.
<SchemaKeyVariable source="httpHeader" nameInSource="SM_USER" forceValue="CustomSSO"/>
<AuthenticationSchema name="CustomSSO" displayName="Custom SSO Schema" userID="IMPERSONATE" proxyUserID="NQ_SESSION.RUNAS" options="noLogoffUI noLogonUI">
<RequestVariable source="credStoreUser" type="auth" nameInSource="oracle.bi.system/system.user" biVariableName="UID"/>
<RequestVariable source="credStorePwd" type="auth" nameInSource="oracle.bi.system/system.user" biVariableName="PWD" options="secure"/>
<RequestVariable source="httpHeader" type="auth" nameInSource="SM_USER" biVariableName="IMPERSONATE" options="required" />
</AuthenticationSchema>
Changes done to InstanceConfig.xml at location
\Apps\OBIEE\user_projects\domains\bi\config\fmwconfig\biconfig\OBIPS
<Authentication>
<EnabledSchemas>UidPwd,Impersonate,UidPwd-soap,Impersonate-soap,CustomSSO</EnabledSchemas>
<SchemaExtensions>
<Schema name="CustomSSO" logonURL="http://c-qa.company.com/analytics" logoffURL=" http://c-qa.company.com/analytics/saw.dll?logoff"/>
</SchemaExtensions>
</Authentication>
After restarting, we are unable to logon to Analytics.
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Thanks,
Raveendra
Answers
-
I'm not familiar with your specific SSO approach (Siteminder), but I do have SAML2.0 SSO working in our 12c environment. I have a few suggestions for you to explore:
1) Oracle Support specifically instructed me *not* to tick the "Enable SSO" box in EM, even though we are clearly doing SSO. I am not sure if this was unique to our situation or not, but you could see if unchecking it makes any difference for you.
2) FYI, our <Authentication> tag in instanceconfig looks like this:
<Authentication>
<EnabledSchemas>UidPwd,Impersonate,UidPwd-soap,Impersonate-soap,SSO</EnabledSchemas>
<SchemaExtensions>
<Schema logoffURL="xxxxxxxx" logonURL="xxxxxxxxx" name="SSO" />
</SchemaExtensions>
</Authentication>
3) I'd suggest you turn on debugging and see what's happening in your bi_server1 log files upon login failure. That could definitely get you on the right path to solving the problem. To do this, go into the console -> Environment -> Servers -> bi_server1 -> Debug. From there, Lock and Edit first and then enable debugging on weblogic -> security. Restart everything, reproduce the issue, and then go check your bi_server1.log and see what's happening.
4) What's the web traffic doing? (F12 in Chrome, Preserve Log, and pay attention to what's happening.)
EDIT: Oops, I thought our <Authentication> tag had different syntax than yours, but yours looks okay to me.
0 -
The Oracle documentation states that you should check MOSC notes 1274953.1 and 1287479.1 (reference: https://docs.oracle.com/middleware/1221/biee/BIESC/sso.htm#BIESC6044)
0 -
Hi,
Thank you for respective details. I see this error message in the sawlog0.log.
Service instance session variable(s) not set for user XXXxx, causing authentication failure.[[
One more error in bi-server1-diagnostic.log:
[Security:090938]Authentication failure: The specified user failed to log in. javax.security.auth.login.FailedLoginException: [Security:090302]Authentication Failed: User specified user denied
0 -
Does the user actually exist in LDAP that weblogic is configured with?
0 -
Along with the other suggestions, can you also make sure that you configure the LDAP on your RPD instead of doing that on Security Realm.
Refer to the section "Configuring RPD file" on SiteMinder SSO technote.
0 -
Hi,
We have added one more tag in authentication schema CustomSSO schema and the Siteminder sso is working fine now. Looks like this is the new change for 12c.
Not working tags:
<AuthenticationSchema name="CustomSSO" displayName="Custom SSO Schema" userID="IMPERSONATE" proxyUserID="NQ_SESSION.RUNAS" options="noLogoffUI noLogonUI">
<RequestVariable source="credStoreUser" type="auth" nameInSource="oracle.bi.system/system.user" biVariableName="UID"/>
<RequestVariable source="credStorePwd" type="auth" nameInSource="oracle.bi.system/system.user" biVariableName="PWD" options="secure"/>
<RequestVariable source="httpHeader" type="auth" nameInSource="SM_USER" biVariableName="IMPERSONATE" options="required" />
</AuthenticationSchema>
Working tags:
<AuthenticationSchema name="CustomSSO" displayName="Custom SSO Schema" userID="IMPERSONATE" proxyUserID="NQ_SESSION.RUNAS" options="noLogoffUI noLogonUI">
<RequestVariable source="credStoreUser" type="auth" nameInSource="oracle.bi.system/system.user" biVariableName="UID"/>
<RequestVariable source="credStorePwd" type="auth" nameInSource="oracle.bi.system/system.user" biVariableName="PWD" options="secure"/>
<RequestVariable source="httpHeader" type="auth" nameInSource="SM_USER" biVariableName="IMPERSONATE" options="required" />
<RequestVariable source="constant" type="auth" nameInSource="ssi" biVariableName="NQ_SESSION.SERVICEINSTANCEKEY" />
</AuthenticationSchema>
Change is in the last part. Added the following tag at the end.
<RequestVariable source="constant" type="auth" nameInSource="ssi" biVariableName="NQ_SESSION.SERVICEINSTANCEKEY" />
Thanks,
Raveendra
0
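As an added example (not code from the posters or from Oracle), the Python sketch below lints the two files discussed in this thread for the pieces the final post reports as necessary in 12c: the httpHeader schema key, the four request variables of the working schema, and the schema's entry in EnabledSchemas. The function name `lint_sso`, the `<Root>` wrapper and the sample strings are constructed for illustration; the list of required variables is taken from the thread's working schema, not from Oracle documentation.

```python
import xml.etree.ElementTree as ET

# Required biVariableName values, taken from the schema this thread reports as working in 12c.
REQUIRED_VARS = ("UID", "PWD", "IMPERSONATE", "NQ_SESSION.SERVICEINSTANCEKEY")

# Constructed inputs modelled on the fragments in this thread; <Root> is a placeholder wrapper.
SCHEMA_11G = """<Root>
<SchemaKeyVariable source="httpHeader" nameInSource="SM_USER" forceValue="CustomSSO"/>
<AuthenticationSchema name="CustomSSO" userID="IMPERSONATE" proxyUserID="NQ_SESSION.RUNAS">
<RequestVariable source="credStoreUser" type="auth" nameInSource="oracle.bi.system/system.user" biVariableName="UID"/>
<RequestVariable source="credStorePwd" type="auth" nameInSource="oracle.bi.system/system.user" biVariableName="PWD" options="secure"/>
<RequestVariable source="httpHeader" type="auth" nameInSource="SM_USER" biVariableName="IMPERSONATE" options="required"/>
</AuthenticationSchema></Root>"""
SSI = '<RequestVariable source="constant" type="auth" nameInSource="ssi" biVariableName="NQ_SESSION.SERVICEINSTANCEKEY"/>'
SCHEMA_12C = SCHEMA_11G.replace("</AuthenticationSchema>", SSI + "</AuthenticationSchema>")
INSTANCE = """<Authentication>
<EnabledSchemas>UidPwd,Impersonate,UidPwd-soap,Impersonate-soap,CustomSSO</EnabledSchemas>
</Authentication>"""

def lint_sso(schemas_xml, instance_xml, schema="CustomSSO"):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    schemas, inst = ET.fromstring(schemas_xml), ET.fromstring(instance_xml)
    # The SchemaKeyVariable selects the schema when the SSO header is present.
    keys = [k for k in schemas.iter("SchemaKeyVariable")
            if k.get("forceValue") == schema and k.get("source") == "httpHeader"]
    if not keys:
        findings.append(f"no httpHeader SchemaKeyVariable forces {schema}")
    node = next((s for s in schemas.iter("AuthenticationSchema")
                 if s.get("name") == schema), None)
    if node is None:
        return findings + [f"AuthenticationSchema {schema} not defined"]
    rv = {v.get("biVariableName"): v for v in node.iter("RequestVariable")}
    for name in REQUIRED_VARS:
        if name not in rv:
            findings.append(f"missing RequestVariable for {name}")
    # The header that selects the schema should be the one that is impersonated.
    imp = rv.get("IMPERSONATE")
    if keys and imp is not None and imp.get("nameInSource") != keys[0].get("nameInSource"):
        findings.append("IMPERSONATE header differs from SchemaKeyVariable header")
    enabled = (inst.findtext(".//EnabledSchemas") or "").split(",")
    if schema not in [e.strip() for e in enabled]:
        findings.append(f"{schema} not listed in EnabledSchemas")
    return findings

if __name__ == "__main__":
    for label, xml in (("11g-style", SCHEMA_11G), ("12c-style", SCHEMA_12C)):
        print(label, lint_sso(xml, INSTANCE))
```

Run against the 11g-style schema, the only finding is the missing `NQ_SESSION.SERVICEINSTANCEKEY` variable, which matches the "Service instance session variable(s) not set" error quoted earlier in the thread.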