OBIEE SSO with SiteMinder

Hi Folks,

Can I get clarification on the setup for SSO with SiteMinder?

I have seen two different configuration instructions for instanceconfig.xml.

This configuration came out of Word documentation that was provided to my team for SiteMinder implementation.

<?xml version="1.0"?>
<WebConfig>
<ServerInstance>
<!-- other settings ... -->
<Auth>
<Impersonator>Impersonator</Impersonator>
<ImpersonatorPassword>12hjsdf</ImpersonatorPassword>
<SSOEnabled>y</SSOEnabled>
<SSOServerVariable>REMOTE_USER</SSOServerVariable>
</Auth>
<!-- other settings ... -->
</ServerInstance>
</WebConfig>

I compared this against the Oracle Docs, which have a different set of configuration.

<!-- other settings ... -->
<Auth>
<SSO enabled="true">
<ParamList>
<!--IMPERSONATE param is used to get the authenticated user's username and is required -->
<Param name="IMPERSONATE"
source="serverVariable"
nameInSource="REMOTE_USER"/>
</ParamList>
</SSO>
</Auth>
<!-- other settings ... -->

http://download.oracle.com/docs/cd/E12096_01/books/AnyDeploy/AnyDeploySSO3.html

Can anyone that has implemented SSO with SiteMinder provide some insight?

Answers

  • Hi,

    You need this

    <Auth>
    <SSO enabled="true">
    <ParamList>
    <!--IMPERSONATE param is used to get the authenticated user's username and is required -->
    <Param name="IMPERSONATE"
    source="httpHeader"
    nameInSource="REMOTE_USER"/>
    </ParamList>
    </SSO>
    </Auth>

    I believe it all depends on the Analytics version. As far as I know, for OBIEE the above works. It's pretty tricky with SiteMinder. Check if SiteMinder retains the REMOTE_USER value in its HTTP header?

    Good Luck

    Yuva
    Yuvaraj Narayanan
  • empyre
    edited Oct 1, 2009 6:42PM
    I know SiteMinder uses SM_USER as the variable to store the user name, but it's been configured to point to REMOTE_USER.

    I am using OBIEE 10.1.3.4.

    Edited by: empyre on Oct 1, 2009 3:42 PM
  • empyre
    When I use this version for instanceconfig.xml, I get the following error msg

    Type: Error
    Severity: 20
    Time: Wed Sep 30 15:45:24 2009
    File: project/sawserver/main.cpp Line: 338
    Properties: ThreadID-1
    Location:
    saw.sawserver

    AuthConfigManager. Invalid source attribue value. <Param name="IMPERSONATE" source="httpVariable" nameInSource="REMOTE_USER"/>
  • Turribeach
    edited Oct 2, 2009 3:59AM
    AuthConfigManager. Invalid source attribue value. <Param name="IMPERSONATE" source="httpVariable" nameInSource="REMOTE_USER"/>
    Your mind is playing tricks with you. It's either source="httpHeader" or source="serverVariable" but not source="httpVariable".
    Turribeach
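
Added example (not part of any post in this thread, and not Oracle's code): a small Python lint for the <Auth> section of instanceconfig.xml that rejects any Param source other than the two values named above, httpHeader and serverVariable, and flags an impersonator password left in the config file, treated here as a finding on the assumption that the credential store is the intended place for it. The function name lint_auth and the sample documents are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# The two source values the thread names as valid for <Param source="...">.
ALLOWED_SOURCES = {"httpHeader", "serverVariable"}

def lint_auth(xml_text):
    """Return findings for every <Auth> element in an instanceconfig.xml text."""
    findings = []
    auths = list(ET.fromstring(xml_text).iter("Auth"))
    if not auths:
        return ["no <Auth> element found"]
    for auth in auths:
        # Older layout: impersonator password stored in the config file itself
        # (flagging it is an assumption of this example, not an Oracle rule).
        pw = auth.find("ImpersonatorPassword")
        if pw is not None and (pw.text or "").strip():
            findings.append("cleartext <ImpersonatorPassword> in instanceconfig.xml")
        sso = auth.find("SSO")
        if sso is None:
            continue
        if sso.get("enabled", "").lower() != "true":
            findings.append("<SSO> present but not enabled")
        params = sso.findall("./ParamList/Param")
        if not any(p.get("name") == "IMPERSONATE" for p in params):
            findings.append("required IMPERSONATE param missing")
        for p in params:
            if p.get("source") not in ALLOWED_SOURCES:
                findings.append(f"Param {p.get('name')}: invalid source {p.get('source')!r}")
            if not p.get("nameInSource"):
                findings.append(f"Param {p.get('name')}: nameInSource missing")
    return findings

# Constructed samples modelled on the snippets in the thread.
GOOD = """<WebConfig><ServerInstance><Auth><SSO enabled="true"><ParamList>
<Param name="IMPERSONATE" source="httpHeader" nameInSource="REMOTE_USER"/>
</ParamList></SSO></Auth></ServerInstance></WebConfig>"""
BAD = GOOD.replace('source="httpHeader"', 'source="httpVariable"')
LEGACY = """<WebConfig><ServerInstance><Auth>
<Impersonator>Impersonator</Impersonator>
<ImpersonatorPassword>placeholder-not-real</ImpersonatorPassword>
<SSOEnabled>y</SSOEnabled><SSOServerVariable>REMOTE_USER</SSOServerVariable>
</Auth></ServerInstance></WebConfig>"""

if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("BAD", BAD), ("LEGACY", LEGACY)):
        print(name, lint_auth(sample))
```
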
  • Hi,

    Turri is right. I don't know where you copied that param line. I wrote httpHeader.

    Did you include the credential store value for Impersonation?

    Let us know if it works after you changed it.

    Thanks
    Yuvaraj
    Yuvaraj Narayanan
  • empyre
    I changed it and it seems to be working because I don't see the error anymore.

    Here is my credential store entry....

    <sawcs:credential type="usernamePassword" alias="impersonation">
    <sawcs:username>Impersonator</sawcs:username>
    <sawcs:password>
    <xenc:EncryptedData>
    <xenc:EncryptionMethod Algorithm="http://www.rsasecurity.com/rsalabs/pkcs/schemas/pkcs-5#pbes2">
    <pkcs-5:PBES2-params Algorithm="http://www.rsasecurity.com/rsalabs/pkcs/schemas/pkcs-5#pbkdf2">
    <pkcs-5:KeyDerivationFunc>
    <pkcs-5:Parameters>
    <pkcs-5:IterationCount>1024</pkcs-5:IterationCount>
    </pkcs-5:Parameters>
    </pkcs-5:KeyDerivationFunc>
    <pkcs-5:EncryptionScheme Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
    </pkcs-5:PBES2-params>
    </xenc:EncryptionMethod>
    <xenc:CipherData>
    <xenc:CipherValue>XXXXXXXXXXXXXXXXX</xenc:CipherValue>
    </xenc:CipherData>
    </xenc:EncryptedData>
    </sawcs:password>
    </sawcs:credential>
    </sawcs:credentialStore>
  • empyre
    Another issue that is coming up is that I noticed SiteMinder is returning the HTTP header variable as HTTP_REMOTE_USER, not as REMOTE_USER.

    I believe that the BI Server will only accept REMOTE_USER, correct?
  • Hi,

    Try replacing the REMOTE_USER with the available variable and give it a shot.

    <Param name="IMPERSONATE" source="httpHeader" nameInSource="HTTP_REMOTE_USER"/>


    Yuvaraj
  • empyre
    Now I see the remote user being populated (I dumped the headers and verified), but the request is not being sent to the Presentation Services.

    How do I ensure that Tomcat is passing along the request to the Presentation Services?

    I have increased the log on the SAW log but I don't see any requests.
  • Hi,

    Now that you know you get the REMOTE_USER value, check if it's passing through to the Init blocks. Check the NQquery log when you log in and see if there is some activity. Also check if you have all the valid Presentation groups to support login on Webcat.

    Thanks
    Yuvaraj
This discussion has been closed.