Implementing SSO with OBIEE. Cannot log in

Hello,

I configured SSO for OBIEE, e.g. created the impersonator user, added it to the credential store and modified instanceconfig.xml to point to it:

<credentialStore>
<CredentialStorage type="file" path="/usr/local/OracleBIData/web/config/credentialstore.xml" passphrase="XXX"/>
</credentialStore>

<Auth>
<SSO enabled="true">
<ParamList>
<!--IMPERSONATE param is used to get the authenticated user's
username and is required -->
<Param name="IMPERSONATE" source="httpHeader" nameInSource="SSOUSERNAME"/>
</ParamList>
</SSO>
</Auth>

Now when I launch an HTTP request with the HTTP header called SSOUSERNAME with a value of a valid user (e.g. Administrator), I still get a "Not logged in" message from my http://xxx.xxx.xx.x:7777/analytics/saw.dll?dashboard webpage.

After looking at the saw log, I can see that:

---------------------------------------
Type: Error
Severity: 40
Time: Thu Aug 13 16:13:26 2009
File: project/webodbcaccess/odbcconnectionimpl.cpp Line: 371
Properties: ConnId-6,6;ThreadID-91
Location:
saw.odbc.connection.open
saw.connectionPool.getConnection
saw.threadPool
saw.threads

Odbc driver returned an error (SQLDriverConnectW).
State: 08004. Code: 0. [NQODBC] [SQL_STATE: 08004] [nQSError: 10018] Access for the requested connection is refused.
[nQSError: 43001] Authentication failed for Administrator in repository zri: invalid user/password. (08004)
---------------------------------------
Type: Error
Severity: 42
Time: Thu Aug 13 16:13:26 2009
File: project/webconnect/connection.cpp Line: 276
Properties: ThreadID-91
Location:
saw.connectionPool.getConnection
saw.threadPool
saw.threads

Authentication Failure.
Odbc driver returned an error (SQLDriverConnectW).
---------------------------------------

It is weird since it talks about username and password, and a password shouldn't be requested when using SSO. So I'm kinda lost.

Any idea?

Thanks.

Answers

  • Are you doing the SSO with EBS?
  • 717256 Member Posts: 50
    What is EBS?

    Right now, in order to test, I just request the server with Firefox, and I add an HTTP header using a Firefox addon (I can check with another addon that the header with the right name is indeed sent).
  • Ugser Member Posts: 166 Blue Ribbon
    Hello, are you trying to use Oracle SSO or CA SiteMinder SSO?
  • 672047 Member Posts: 419
    Hi,

    Oracle SSO Server has some restrictions on the password length.

    I don't remember it exactly now.

    Can you just try this:

    Give the IMPERSONATOR a password of some 10 char length and make sure it contains some numeric chars

    e.g., welcomeobiee123

    Regards,
    Raghu
  • 717256 Member Posts: 50
    Hello,

    I created another user "Impersonatortwo" with a 10-digit password containing letters, numbers and a '!'.

    Added it to the credential store
    <sawcs:credential type="usernamePassword" alias="impersonation">
    <sawcs:username>Impersonatortwo</sawcs:username>
    <sawcs:password passphrase="admin">
    <xenc:EncryptedData>
    <xenc:EncryptionMethod Algorithm="http://www.rsasecurity.com/rsalabs/pkcs/schemas/pkcs-5#pbes2">
    <pkcs-5:PBES2-params Algorithm="http://www.rsasecurity.com/rsalabs/pkcs/schemas/pkcs-5#pbkdf2">
    <pkcs-5:KeyDerivationFunc>
    <pkcs-5:Parameters>
    <pkcs-5:IterationCount>1024</pkcs-5:IterationCount>
    </pkcs-5:Parameters>
    </pkcs-5:KeyDerivationFunc>
    <pkcs-5:EncryptionScheme Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
    </pkcs-5:PBES2-params>
    </xenc:EncryptionMethod>
    <xenc:CipherData>
    <xenc:CipherValue>tvLhbvwB1aVPlQ414dfRm0CJYz3AkEOL</xenc:CipherValue>
    </xenc:CipherData>
    </xenc:EncryptedData>
    </sawcs:password>
    </sawcs:credential>

    Modified instanceconfig
    <credentialStore>
    <CredentialStorage type="file" path="/usr/local/OracleBIData/web/config/credentialstore.xml" passphrase="admin"/>
    </credentialStore>

    <Auth>
    <SSO enabled="true">
    <ParamList>
    <!--IMPERSONATE param is used to get the authenticated user's
    username and is required -->
    <Param name="IMPERSONATE" source="httpHeader" nameInSource="SSOUSERNAME"/>
    </ParamList>
    </SSO>
    </Auth>


    I'm still getting the Not Logged In:
    You are not currently logged in to the ZAP Server.

    If you have already logged in, your connection might have timed out, or a communications or server error may have occurred.

    So it looked like it's not coming from the password :(
  • 717256 Member Posts: 50
    I'm not sure if it is Oracle SSO or not.
    I'm going to plug it with a personal application.

    So to simulate that right now I just request the saw.dll?dashboard page with an HTTP header containing the username of the user I want to log in as.
  • Turribeach Member Posts: 2,019 Silver Trophy
    Have you created an Initialization Block to initialize the USER variable? If not, see this thread: http://forums.oracle.com/forums/thread.jspa?messageID=3632443&#3632443. If you have, then post what SQL you are using.
  • 717256 Member Posts: 50
    No, I haven't. I am not sure how to do it.

    I looked at http://download.oracle.com/docs/cd/E12096_01/books/AnyDeploy/AnyDeployOID4.html but it doesn't look like what I need. It's talking about LDAP and stuff while I'm using my own portal.

    Could you tell me how to create this block and how to initialize the USER variable?
    Right now I am passing a user variable through my HTTP header. Should I put this value in the init block? I'm lost.

    thanks
  • Turribeach Member Posts: 2,019 Silver Trophy
    edited Aug 14, 2009 6:03PM
    The thread I linked shows how to do what you need. Simply create an Init Block that uses this SQL:

    select ':USER' from dual

    And assign the resulting value to the USER variable and your SSO should work. I am not sure why this is not shown clearly in the OBIEE documentation, but without this step you can't log in in SSO mode with the configuration you are doing. What you are basically doing there is passing the Presentation Services USER variable (':USER') to the BI Server USER variable. When you configured SSO you told the Presentation Services (in instanceconfig.xml) where to fetch the USER variable from. But it's the BI Server that needs it in order to identify the user and create a BI Server session. With this Init Block you are passing the value from the Presentation Services to the BI Server. You may also prefer to do a check against a physical table where you have all your users stored; in that case you would use something like this:

    select USER_ID from users WHERE USER_ID = ':USER'

    This will basically "authenticate" the User ID that the user is passing in your HTTP against your users table. If there is no match, the user will get the "Not Logged In" error.
    Turribeach
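
Added example (not part of the thread and not Oracle's code): a Python check of the SSO fragments of instanceconfig.xml quoted in this discussion, reporting where Presentation Services takes the user name from and how the impersonator credential store is referenced. The `<WebConfig>` wrapper element, the function name `audit_sso` and the finding codes are assumptions made for this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the two fragments from the thread inside an assumed wrapper.
SAMPLE = """<WebConfig>
<credentialStore>
<CredentialStorage type="file" path="/usr/local/OracleBIData/web/config/credentialstore.xml" passphrase="XXX"/>
</credentialStore>
<Auth>
<SSO enabled="true">
<ParamList>
<Param name="IMPERSONATE" source="httpHeader" nameInSource="SSOUSERNAME"/>
</ParamList>
</SSO>
</Auth>
</WebConfig>"""


def audit_sso(xml_text):
    """Return (code, message) findings for the SSO part of an instanceconfig.xml."""
    root = ET.fromstring(xml_text)
    sso = next(root.iter("SSO"), None)
    if sso is None or sso.get("enabled", "").lower() != "true":
        return [("sso-disabled", "SSO is not enabled; nothing to audit")]
    findings = []
    imp = next((p for p in sso.iter("Param") if p.get("name") == "IMPERSONATE"), None)
    if imp is None:
        findings.append(("no-impersonate", "SSO enabled without an IMPERSONATE Param"))
    elif not imp.get("nameInSource"):
        findings.append(("no-source-name", "IMPERSONATE has no nameInSource"))
    elif imp.get("source") == "httpHeader":
        # A request header is set by whoever sends the request, so it is only
        # trustworthy when every request has passed through the SSO front end.
        findings.append(("client-supplied-identity",
                         "user name is read from HTTP header '%s'; block direct access "
                         "and strip inbound copies of it" % imp.get("nameInSource")))
    store = next(root.iter("CredentialStorage"), None)
    if store is None:
        findings.append(("no-credential-store", "no CredentialStorage for the impersonator"))
    elif store.get("passphrase") is not None:
        findings.append(("plaintext-passphrase",
                         "passphrase for %s is in clear text in this file; "
                         "restrict read access to both files" % store.get("path")))
    return findings


if __name__ == "__main__":
    for code, message in audit_sso(SAMPLE):
        print(code + ": " + message)
```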
  • Turribeach Member Posts: 2,019 Silver Trophy
    Can you confirm the above solution fixed your issues?
This discussion has been closed.