7 Replies Latest reply: Jun 28, 2010 8:39 AM by msciwoj

OBIEE SSO WebLogic integration with or without extra software products

msciwoj Newbie
We are working on the strategy to integrate the company portal with OBIEE.
The portal is used for internal and external users (both log on using Active Directory accounts).

Ideally we'd like to seamlessly integrate OBIEE reports in the portal using SSO, so that after a user logs on once
- to the network/workstation PC (internal)
- to the portal (external)
he doesn't need to pass his credentials again.

We did a POC using IIS, and the Single Sign On configuration there was easy and working.
However, since WebLogic is the strategic Oracle Application Server, we'd like to host OBIEE on it, especially to be OBIEE 11g ready.

It seems that OBIEE SSO integration with WebLogic is possible but only with additional components.
Is that true?
or
Does anyone know how to configure it on its own?
If impossible, what additional products should we focus on: OSSO (Oracle Single-Sign-On), Oracle Internet Directory (OID), Oracle Access Manager (OAM)?

We're a bit confused as the IIS variant of integration apparently doesn't require any extra software.
  • 1. Re: OBIEE SSO WebLogic integration with or without extra software products
    Faisal Khan Expert
    It should not require any additional software.
    You can use Kerberos for Single Sign On.

    Follow the link below for the steps:

    http://weblogic-wonders.com/weblogic/2009/11/15/configuring-kerberos-with-weblogic-server/

    If you want your domain (AD) users to log in to the application without passing the credentials, you will have to configure your AD with WLS.

    You can use the WLST script below to configure Active Directory with WLS:

    http://weblogic-wonders.com/weblogic/2009/12/25/create-active-directory-authentication-provider-from-wlst/

    Hope this helps.

    If you have further queries, let me know.

    -Faisal
  • 2. Re: OBIEE SSO WebLogic integration with or without extra software products
    msciwoj Newbie
    This covers WebLogic configuration.
    Do you know what actions are then required for OBIEE to provide seamless SSO logging?

    Thanks
  • 3. Re: OBIEE SSO WebLogic integration with or without extra software products
    Faisal Khan Expert
    Was the reply above helpful?

    For a different issue, kindly ask a new question.
  • 4. Re: OBIEE SSO WebLogic integration with or without extra software products
    msciwoj Newbie
    The web is full of OBIEE-IIS configuration HOWTOs but no information regarding WebLogic/OC4J.

    Will try with WebLogic next week.
    I presume all the necessary OBIEE steps are documented in:
    §8. Implementing Single Sign-On Products With Oracle Business Intelligence of Oracle® Business Intelligence Enterprise Edition Deployment Guide Version 10.1.3.2 document available: http://download.oracle.com/docs/cd/E10415_01/doc/bi.1013/b40058.pdf
  • 5. Re: OBIEE SSO WebLogic integration with or without extra software products
    msciwoj Newbie
    There's no word about OBIEE in those links.
    I just need to set up SSO for OBIEE that is hosted on WebLogic - do I need to go through both links/steps or only the second one?
  • 6. Re: OBIEE SSO WebLogic integration with or without extra software products
    Faisal Khan Expert
    I had a quick look at the documentation.

    SSO can be achieved in one of the two ways described below.

    ■ Through an HTTP header or HTTP cookie containing the username of the end user. The header can be any valid HTTP header or cookie name.

    ■ Or, by using one of the following server-side options:

        ■ When using a J2EE Application Server and the BI Presentation Services Plug-In (Java Servlet), from the getRemoteUser method of the javax.servlet.http.HttpServletRequest.getRemoteUser API.

          In this case, the SSO system must be able to integrate with the J2EE environment of choice and set up the framework such that the getRemoteUser method returns the username of the end user.

        ■ When using Internet Information Server (IIS) and the BI Presentation Services Plug-In (ISAPI Plug-in), from the REMOTE_USER server variable that is populated with the username of the end user.

          REMOTE_USER is a server variable queried through the use of the ISAPI Extension API GetServerVariable.

    If you consider the option of passing the user's information in an HTTP header, then you need to develop a custom identity asserter for WebLogic that would process those tokens. Also, you would require a user store.

    If you choose the option of passing the user information, then you will have to do the authentication programmatically or choose the WebLogic classes shown below.

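    // CallbackHandler is an interface; weblogic.security.SimpleCallbackHandler is WebLogic's concrete implementation
    javax.security.auth.callback.CallbackHandler callback = new weblogic.security.SimpleCallbackHandler(userName, password);
    javax.security.auth.Subject subject = weblogic.security.services.Authentication.login(callback);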

    -Faisal
    http://www.weblogic-wonders.com
  • 7. Re: OBIEE SSO WebLogic integration with or without extra software products
    msciwoj Newbie
    Found similar info but no practical guidelines on how to implement it.
    The IIS variant is relatively simple; basically it requires turning one option on (as described: http://www.clearpeaks.com/blog/oracle-bi-ee/configuring-obiee-to-work-in-single-sign-on-sso-environment-on-iis)

    So it looks like, apart from using IIS and the ISAPI BI Presentation Services Plug-In, we have three options:
    - HTTP header
    - cookie
    - getRemoteUser method

    The hints you sent before:
    configuring-kerberos-with-weblogic-server
    create-active-directory-authentication-provider-from-wlst
    Which option are they related to, and how?

    You mentioned a custom identity asserter – what is this?
    Is this asserter only for the HTTP header option or for the cookie as well?
    What would such development involve?
    User store – what do you mean here? Would I need to store each user's login/password on WebLogic separately, or does this only affect the impersonator user?

    How can I leverage the Active Directory LDAP to do the SSO in a similar way to how it’s done for IIS, so that no user credentials need to be stored on the Web App Server?
    Could you throw some more light on this callback code – how could this be used? Or again, what would such development involve?

    Thank you very much for your feedback. Those hints could probably be enough for someone with practical web development knowledge; however, since my area of expertise is different, I would really appreciate some step-by-step instructions.

    So far I reckon the Active Directory LDAP based SSO for OBIEE on WebLogic is probably possible without extra products like OID/OAM, but it’s not as simple as the IIS variant and does require some additional programming (not sure about the cookie scenario…)

    Another info around the matter I found is:
    http://cali97.blogspot.com/2010/05/obiee-101341-and-sso-oid-with-weblogic.html
    but unfortunately it hasn’t been followed and still would require OID

    and
    is it possible to link BIEE with SSO  without an application sever ?
    where Turribeach says:
    “you would want to know how to integrate Oracle SSO with a Web Application running in OC4J. As long as you can set the GetRemoteUser in your OC4J instance OBIEE will happily work in SSO mode (if configured correctly of course). Personally I wouldn't even use OC4J or Oracle SSO. We implemented our SSO solution using a custom Java SSO Web App deployed in JBOSS that reads the user credentials using the JCIFs library and re-validates them using NTLM. It then passes the user ID to OBIEE. It requires no SSO server, just a Windows Domain Controller.”
    Looks like everything I need - I guess such a Java SSO Web App could be deployed onto WebLogic, but I really have no idea how to do such development.
