Oracle Analytics Cloud and Server

Modify bitech-analysis-application.ear not working

Orenl91 Rank 1 - Community Starter

Hi,

I have a cluster environment with full SSO implementation with Kerberos.

I noticed that the dv/va isn't working with full SSO, so I tried to implement the 2213938.1 document and I have 2 issues:

1) After disabling LWSSO, the analytics requires username and password. The full Kerberos SSO was somehow disabled.

2) The document 2213938.1 is not detailed at all. I tried to figure out how to add the token-based SSO and this is what I've done:

     a) I opened the bitech-analysis-application.ear

     b) There are 2 WARs inside, so I figured it's the bitech-analysis-webapp.war and not the bitech-analysis-legacy-webapp.war because it's more similar to analytics.ear

     c) After opening the bitech-analysis-webapp.war I opened WEB-INF

     d) I edited the weblogic.xml as follows: I commented out the <security-role-assignment> that was there by default and added the <security-role-assignment> that I originally added to the analytics.ear, so the weblogic.xml of both analytics.ear and bitech-analysis-application.ear are the same, as follows:

<security-role-assignment>
  <role-name>SSORole</role-name>
  <principal-name>SSOUsers</principal-name>
  <principal-name>MySSOGroup</principal-name>
</security-role-assignment>

<!-- THE DEFAULT
<security-role-assignment>
  <role-name>valid-users</role-name>
  <principal-name>users</principal-name>
</security-role-assignment>
-->

     e) I edited the web.xml as follows:

<login-config>
  <auth-method>CLIENT-CERT</auth-method>
</login-config>
<security-role>
  <role-name>SSORole</role-name>
</security-role>

<!-- THE DEFAULT
<login-config>
  <auth-method>CLIENT-CERT</auth-method>
</login-config>
<security-role>
  <role-name>valid-users</role-name>
</security-role>
-->

I hope I did as expected; if not, I would like to know please.

As I mentioned, both the analytics and dv require username and password to log in after the configuration.

Answers

  • Madasamy -Oracle Rank 6 - Analytics Lead

    The principal names here should be VALID NAMES OF THE GROUPS that come from your Active Directory to Weblogic/OBIEE

    <principal-name>SSOUsers</principal-name>
    <principal-name>MySSOGroup</principal-name>

    It seems like the principal-names are copied and pasted from the document.

    Check with your Admin/Business for the list of principals you want to give OBIEE access to, from the bunch of MSAD groups, and populate your principal-name with that.

    Repack the same and redeploy the same; it should work.

  • Orenl91 Rank 1 - Community Starter

    Hello Madasamy-Oracle

    Thanks for your reply.

    When I said the group "MySSOGroup" I meant that I took the proper MSAD groups from my business, the same group that is working with the analytics.ear; I just didn't write the name of the group here.

    The SSOUsers principal is copied from the default example because it worked with the analytics.ear, but I removed it anyway and it still doesn't work; the dv still requires username and password.

  • Madasamy -Oracle Rank 6 - Analytics Lead

    I get that.

    1. So considering that the .ear is properly configured, it's mandatory to disable the lightWeightSSO. Have you done that?

    disableBISingleSignOn('domainpath')

    2. And you can enable krb5 debug flags and debugsecurity flags for bi_server1 and check the transaction to understand where it's failing when you navigate to /va OR /dv (the logs will be in bi_servern.log)

  • user10905045 Rank 1 - Community Starter

    Hi,

    Did you get this working? I have a similar issue with SSO to ADFS using SAML token for OBIEE 12.2.1.4.0

    I think your update to web.xml also needs something similar to what is done for Analytics.

    What I don't know is what the web-resource-name should be for Data Visualisations - and of course it's not documented anywhere whatsoever, i.e.:

       <security-constraint>
         <web-resource-collection>
           <web-resource-name>BI Analytics - replace this with correct name for DV</web-resource-name>
           <url-pattern>/*</url-pattern>
         </web-resource-collection>
         <auth-constraint>
           <role-name>YOUR_SSO_ROLE</role-name>
         </auth-constraint>
       </security-constraint>
       <login-config>
         <auth-method>CLIENT-CERT</auth-method>
       </login-config>
       <security-role>
         <role-name>YOUR_SSO_ROLE</role-name>
       </security-role>

    Did you get anywhere in the end?

    Cheers,

    John F.

  • Mayur_Kagathara Rank 1 - Community Starter

    I am so late to reply but this worked for me:

     <web-resource-name>*</web-resource-name>
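
Added example, not part of the thread or of Oracle's documentation: a Python check that opens an EAR, reads WEB-INF/web.xml and WEB-INF/weblogic.xml from each WAR inside it, and reports when the auth-method is not CLIENT-CERT, when no security-constraint requires a role, or when a role lacks a declaration or a principal mapping. The WAR names and descriptor contents in the sample are constructed for illustration, and the helper names are hypothetical.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

def _named(root, name):  # match on local name so namespaced descriptors work
    return [e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == name]

def _texts(root, name):
    return {e.text.strip() for e in _named(root, name) if e.text}

def check_war(war_bytes):
    """Return findings for WEB-INF/web.xml and WEB-INF/weblogic.xml of one WAR."""
    war = zipfile.ZipFile(io.BytesIO(war_bytes))
    web, wls = (ET.fromstring(war.read(f"WEB-INF/{n}.xml")) for n in ("web", "weblogic"))
    required = set().union(*(_texts(c, "role-name") for c in _named(web, "auth-constraint")))
    declared = set().union(*(_texts(s, "role-name") for s in _named(web, "security-role")))
    mapped = {r for a in _named(wls, "security-role-assignment")
              if _texts(a, "principal-name") for r in _texts(a, "role-name")}
    findings = []
    if _texts(web, "auth-method") != {"CLIENT-CERT"}:
        findings.append("auth-method is not CLIENT-CERT")
    if not required:
        findings.append("no security-constraint requires a role")
    findings += [f"role {r} not declared in security-role" for r in sorted(required - declared)]
    findings += [f"role {r} has no principal mapping" for r in sorted((required | declared) - mapped)]
    return findings

def check_ear(ear_bytes):  # {WAR name: findings} for every WAR inside the EAR
    ear = zipfile.ZipFile(io.BytesIO(ear_bytes))
    return {n: check_war(ear.read(n)) for n in ear.namelist() if n.endswith(".war")}

def make_zip(files):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in files.items():
            z.writestr(name, data)
    return buf.getvalue()

# Constructed sample descriptors and WAR names (not from a real OBIEE install).
WLS = ("<weblogic-web-app><security-role-assignment><role-name>SSORole</role-name>"
       "<principal-name>MySSOGroup</principal-name></security-role-assignment></weblogic-web-app>")
TAIL = ("<login-config><auth-method>CLIENT-CERT</auth-method></login-config>"
        "<security-role><role-name>SSORole</role-name></security-role></web-app>")
CONSTRAINT = ("<security-constraint><web-resource-collection><web-resource-name>*</web-resource-name>"
              "<url-pattern>/*</url-pattern></web-resource-collection><auth-constraint>"
              "<role-name>SSORole</role-name></auth-constraint></security-constraint>")
SAMPLE_EAR = make_zip({
    "no-constraint.war": make_zip({"WEB-INF/web.xml": "<web-app>" + TAIL, "WEB-INF/weblogic.xml": WLS}),
    "constrained.war": make_zip({"WEB-INF/web.xml": "<web-app>" + CONSTRAINT + TAIL, "WEB-INF/weblogic.xml": WLS}),
})
```

To check a repacked archive before redeploying, pass its bytes to check_ear, for example check_ear(open(path, "rb").read()).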